Information Systems Audit (Pemeriksaan Sistem Informasi) Appendix: Based on PwC Audit Guide

4428 Reconsidering our audit approach based on our understanding of processes and IT
This guidance explains how the auditor should reconsider his/her audit approach based on his/her understanding of the client's processes and IT systems. It also covers how, and for which areas, the auditor should consider involving SPA resources on the audit team.
On one hand the audit approach might be altered due to characteristics of the processes and IT systems. On the other hand the auditor might need to extend his/her focus on IT due to reliance on computer-based controls and computer-based information.
When SPA specialists are included on the audit team it is important that the resources cooperate effectively, and that the conclusions drawn by the SPA specialists are an integrated and relevant part of the audit approach. To this end it is important that SPA involvement is initiated at an early stage of planning.
The general guidance that follows is based on the flowchart below, which indicates the main issues to consider.
Start your evaluation at the top (red arrow) and work through each point, step by step. The evaluation and adjustments made should be documented in the table included below.
For most clients the procedure will have to be repeated for each main process and for each main IT system (or portfolio of systems), because the complexity of processes and systems varies and the audit approach also varies with the risk of each financial area/process.

Whether we evaluate, document and test the relevant IT general controls depends mainly on two questions: do we assess that a key risk related to IT exists which substantive testing alone will not control efficiently, and are we planning to gain comfort from automated application controls or from manual controls/business process reviews that use computer-generated information?

1. Evaluation of process complexity


Procedures
1. Evaluate and conclude whether or not each business process is complex. The evaluation could
be based on show-me meetings or previous experience with the company. Each process should
be named and an overall evaluation documented in the table below. The conclusion should be
clearly stated as "yes" or "no".
2. If complex processes exist, these processes should be flowcharted together with relevant
systems and outputs. You must therefore accommodate the necessary audit steps to ensure that
the relevant processes are flowcharted. Enter a link to the steps in the table.

Consider documenting the procedures performed in the following table:

1. Evaluate and conclude whether or not the company has complex business processes.

Process name | Process evaluation (short) | Complex process (Y/N) | 2. Link to process flowcharting
Enter process name, e.g. Invoicing, Salary, Purchasing, etc. | Enter a description of the process that focuses on the elements that might imply complexity, or non-complexity, of the process | Y/N | Enter link to relevant steps

Guidance
When is a business process complex?
Evaluating business process complexity is not an objective science; it depends on the auditor's professional judgement. It might be helpful to think in terms of complexity indicators, which might include the following. The process involves:

- many persons and departments, and the relations between these are unclear or complex
- a large number of actions and decisions in the process flow
- a large number of manual procedures to be performed
- advanced processing of data based on complex formulas and a large number of data inputs

Why evaluate process complexity?

In planning an audit approach it is vital to understand the client's processes and how they are implemented. This is because internal controls are implemented through these processes, and their effectiveness will affect our choice of audit approach.
When a business process becomes complex, it is useful to use flowcharting as a tool to document and evaluate the process, including controls, systems and outputs.

Why perform flowcharting?
Flowcharting is primarily a tool for workshops and communication about processes, but at the same
time we produce easy to read documentation that can be carried forward in our audit file from year to
year. Very often our clients find it useful and valuable to participate in flowcharting, because it gives a
clearer view of their internal processes, and might reveal improvement opportunities.

2. Evaluation of system complexity


Procedures
1. Evaluate and conclude whether or not the company has complex IT systems. Enter each relevant system into the table below. For each system document an overall evaluation of system complexity. The conclusion for each system should be clearly stated as "yes" or "no".
2. If complex systems are present you should involve SPA personnel. Make sure that SPA involvement is included in the audit planning. Confirm SPA involvement in the table, and link to relevant planning steps.

Further guidance on SPA personnel involvement is given in section 5.


Document procedures in the table:

1. Evaluate and conclude whether or not the company has complex IT systems.

System name | System evaluation (short) | Complex (Y/N)
Enter system name | Enter a description of the system that focuses on the elements that might imply complexity, or non-complexity, of the system | Y/N

2. SPA personnel involvement.

Confirm SPA personnel involvement, and link to relevant planning steps:

Guidance
Criteria for evaluating the complexity of systems:
An evaluation of the complexity level of the client's IT systems is not purely objective. It contains a certain amount of judgement and is decided on the basis of a number of qualitative criteria in addition to objective ones. The criteria below can be used as guidance when evaluating the systems' complexity.

Standard systems versus in-house systems

Standard systems:

- system complexity
- market share
- scope of parameter settings for implementation and operation
- new implementation
- level of customization (changes from the vendor's original layout, and the type of changes, i.e. only report changes or changes to the data processing)

In-house systems:

- system complexity
- period since the last significant change in logistics/structure
- the consequences that changes have had for the accounting system
- new implementation and period in operation

Size and complexity of IT environment

(Please note that a complex environment does not necessarily mean that the systems are complex, or vice versa.)

- number of applications producing accounting data
- network size
- LAN versus WAN
- number of servers/clients
- number of users
- processing outsourced to an ASP supplier (Application Service Provider)
- data/connectivity outsourced to an ISP supplier (Infrastructure Service Provider)

Sensitivity of accounting data and risk of non-compliance

- stock exchange listing or pending listing
- concession terms from the Data Inspectorate
- assurance of the values reflected in the accounting data

Number of transactions

- is the number of transactions so high that it would be difficult for the users to identify and correct errors in the data processing?

Volume of system-generated items and complex calculations

- volume
- complex calculations
- how easily can the auditor verify the calculations?
- volume of system-generated transactions versus manual transactions

Transactions generated from the Internet or EDI

- significance and volume of such transactions via the Internet and/or EDI

Lacking or complex audit trail

- can the client document a clear and reliable audit trail, or is the audit trail complex, unclear or lacking? (If the client has problems documenting the audit trail, the auditor can carry this out as assistance.)

3. Evaluate risk of material misstatement related to IT


Procedures
1. Document in the table below significant changes, known problems or other issues relating to existing information systems and technology that may influence our approach.
2. Evaluate whether the issues, changes or problems imply any risk of material misstatement in the entity. Document your conclusion on risk in the table.
3. Decide whether a substantive testing approach will be efficient in controlling this risk. Document your conclusion in the table.
4. Document the chosen approach based
Guidance
Factors that may be included in this evaluation are presented below.
This documentation should be linked to the Summary of Comfort (SoC), whether it was a change to a planned step or a new step added to the original plan. In addition, when a risk of material misstatement is identified which is likely to be a key risk, this risk should be linked to the Audit Comfort Matrix (ACM) as well.
System changes:

- Have any new databases or systems, including operational systems, been implemented? How significant are these new databases or systems for the business and its financial statements? (For instance, has management implemented systems for electronic handling of key processes, for instance Internet-based ones? If so, is maintenance of the system carried out internally or externally?)
- Was the implementation successful? Which problems have been found in the systems and how were the problems solved?
- Has a conversion of data been made as a result of the new database/systems/maintenance? Which data were converted? Have problems arisen as a result of the conversion?
- What is the routine for making changes to the existing systems? Have significant changes been made?
- Have changes been made to the automated controls of the systems?
- Have data been moved to new IT environments such as Internet-based solutions?
- Have the system programs been significantly upgraded?
- Have significant changes been made to the network (such as installation of wireless technology)?
- Have end users been involved in the design of changes or in the testing and acceptance process for changes?
- Has internal audit been involved in the system changes? Has a review of the systems been made before or after implementation? If so, obtain copies of these reports.
- Generally, which changes in the information systems and technology have been planned, long term and for the next 12 months?

Known problems:

- How does management obtain information relating to system problems?
- Do any significant problems or inadequacies exist in system functionality? If so, are there any workaround procedures (fix-it programmes etc.)?
- Have there been significant problems relating to operational failure, security incidents or changes to fixed data? If so, what was management's response to these problems and how does management obtain assurance about the solution?
- Have internal audit or others issued reports concerning known problems relating to information systems, the data environment or applications?
- Which are the most common system problems reported?

4. Conclude on testing approach


Procedures
1. Based on your knowledge of the control environment, processes and IT, document your testing approach, and whether or not you plan to get comfort from testing of control activities.
   a) For areas where you plan to rely on IT-based controls: document your testing approach and your approach to ITGCs and process flowcharting.
   b) For areas where you plan to rely on non-IT-based controls: document your approach.
   c) For areas where you will not rely on testing of controls: evaluate whether substantive testing will include computer-based information. If yes, document your approach to ITGCs.

Document procedures in the table:

Area | 1. Testing approach (short description) | Categorize approach: a) IT-based controls, b) non-IT controls, c) substantive | Document revisions to audit planning
Enter area name | Enter a short description of the testing approach for this area | Enter category a), b) or c) | Specify the approach to ITGCs and process flowcharting. For c): specify computer-based testing.

5. Consider involving SPA personnel in audit assignments


Consider whether SPA personnel should be involved in the audit assignment.
Involving SPA specialists is mandatory for:

- Clients with complex IT systems
- Clients where a risk of material errors has been identified in significant systems and where substantive testing is not possible or practical

The table below is used as guidance to determine appropriate SPA involvement.

Recommended SPA Participation

Activity | Complex systems: Auditors | Complex systems: SPA | Less complex systems: Auditors | Less complex systems: SPA
Identify and document significant processes and systems | Combined team | Combined team | X | *
Document and evaluate controls other than general computer controls, for example application controls | Combined team | Combined team | X |
Validate controls | Combined team | Combined team | X | *
Document, evaluate and validate general computer controls | | X | Combined team | Combined team

* SPA personnel should be involved if there is uncertainty about the complexity level and the approach, or if assistance is required for documentation, evaluation and testing of controls.
If involving SPA personnel is considered necessary based on the above criteria but the Engagement Leader still decides not to involve them, this decision must be made in consultation with SPA personnel. The conclusion and discussion must be documented in the Engagement Leader Sign-Off step in section 1800. In such a situation the engagement leader's sign-off on the competence of the team should include a comment on this, and it should be expected that the audit team includes someone who has the capability to address the work otherwise performed by SPA resources.
The audit team may evaluate and, when applicable, test the IT general controls if the system is simple (not complex). However, this requires that the audit team includes personnel with sufficient knowledge to perform these procedures.
If we do not plan to obtain comfort from the client's automated application controls or from manual controls/business process reviews based on computer-generated information, we do not need to evaluate and, when applicable, test the IT general controls.
However, if our substantive testing will in some way be based on computer-generated information, basically reports or documents, we do need to evaluate and, when applicable, validate the IT general controls.
How do we work with SPA personnel?

- SPA personnel must be an integrated part of the audit team
- SPA personnel must take part in the start-up and planning phase, in order to fully utilize their skills and availability, and participate in the kick-off meeting
- The Team Manager (and others) must familiarize themselves with the client's IT systems and the factors that may influence the risk of material misstatements related to IT
- We must clarify expectations and the division of duties between SPA and the audit team, and SPA personnel should participate in Taking Stock meetings

When SPA personnel participate in the audit, the Team Manager and the responsible SPA personnel should always agree on the following:

- type, timing and scope of SPA involvement on the assignment
- issues that should receive special attention
- how identified weaknesses in internal control routines should be documented and reported to the client
- how SPA personnel and the Team Manager should perform review of the work carried out
- how SPA should contribute by reviewing the Summary of Comfort (SoC)
- how SPA should contribute to the Internal Control Framework Components and ITGC work (coaching, consulting, completing)

4423.0.1 Contribution of ITGCs to Audit Comfort
Information Technology General Controls (ITGCs) will often contribute indirectly to the achievement
of many or all financial statement assertions. In some instances, ITGCs may contribute directly to the
achievement of information processing objectives and financial statement assertions. This is because
effective ITGCs ensure the continued effective operation of application controls and automated
accounting procedures that depend on computer processes. ITGCs are also important when manual
controls depend on application-generated information. If the controls to be tested depend upon other
controls (indirect controls), we should consider if it is necessary to validate those indirect controls.
Thus, if reliance on automated application controls, automated accounting procedures, or controls that
depend on application-generated information is planned, validation of relevant ITGCs is required.
Audit teams should document a clear link between key ITGCs and:

- Key automated application controls and interfaces,
- Key automated accounting procedures, and
- System-generated data and reports used in key manual controls or in the generation of manual journal entries

Because controls over program changes, computer operations and access to programs and data impact
the continued effective operation of the application-driven components, testing of controls in these
three areas is required.
Example Linkage of Automated Application Controls to ITGCs
Automated application controls are controls designed into a computer application that help to achieve information processing objectives. For example, many applications include a number of edit checks designed to help ensure that input data is accurate. These edit checks might include format checks (e.g., date or number), existence checks (e.g., customer number exists on the customer master file), or reasonableness checks (e.g., maximum payment amount). When an input data element fails an edit check, that input data may be rejected or it may be pulled into an application-generated exception report for subsequent follow-up and resolution.
If ITGC weaknesses are noted in the computing environment supporting an application with key edit checks, we may be unable to rely on those edit checks continuing to operate as intended. For example, a program change deficiency could result in an unauthorized change to the programming logic that checks the format of an input data field, such that inaccurate data is allowed into the application. Furthermore, a deficiency related to security and access rights could allow inappropriate bypassing of a reasonableness check that would otherwise prevent the processing of payments in excess of a maximum tolerable threshold.
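The three kinds of edit check named above, implemented as an added example (this is not code from the PwC guide or from any client application): each check returns exception-report entries, and a payment record is accepted only when every check passes. The customer master file, the MAX_PAYMENT threshold and the payment batch are constructed for the illustration.

```python
"""Automated input edit checks with an application-generated exception report.

Added example, not code from the PwC guide. The payment batch, the customer
master file and the MAX_PAYMENT threshold are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed customer master file: customer number -> customer name.
CUSTOMER_MASTER = {"C1001": "Acme Ltd", "C1002": "Borealis AS", "C1003": "Corvid GmbH"}

# Constructed reasonableness threshold. The check protects the ledger only for
# as long as this parameter and the code below cannot be changed without
# authorisation, which is what the program-change and access ITGCs ensure.
MAX_PAYMENT = Decimal("50000.00")


@dataclass(frozen=True)
class EditException:
    record_id: str
    check: str      # "format", "existence" or "reasonableness"
    field: str
    detail: str


def format_check(rec):
    """Format checks: pay_date must be a valid ISO calendar date and amount a
    finite decimal number with at most two decimal places."""
    found = []
    try:
        date.fromisoformat(rec["pay_date"])
    except (TypeError, ValueError):
        found.append(EditException(rec["id"], "format", "pay_date",
                                   f"not a calendar date: {rec['pay_date']!r}"))
    try:
        amount = Decimal(rec["amount"])
        if not amount.is_finite() or amount != amount.quantize(Decimal("0.01")):
            raise InvalidOperation
    except (TypeError, InvalidOperation):
        found.append(EditException(rec["id"], "format", "amount",
                                   f"not a monetary amount: {rec['amount']!r}"))
    return found


def existence_check(rec, master=CUSTOMER_MASTER):
    """Existence check: the customer number must be on the customer master file."""
    if rec["customer_no"] in master:
        return []
    return [EditException(rec["id"], "existence", "customer_no",
                          f"unknown customer: {rec['customer_no']!r}")]


def reasonableness_check(rec, max_payment=MAX_PAYMENT):
    """Reasonableness check: a payment must be positive and within the tolerable
    maximum. Only meaningful once the amount has passed the format check."""
    amount = Decimal(rec["amount"])
    if Decimal("0") < amount <= max_payment:
        return []
    return [EditException(rec["id"], "reasonableness", "amount",
                          f"{amount} outside (0, {max_payment}]")]


def run_edit_checks(batch, master=CUSTOMER_MASTER, max_payment=MAX_PAYMENT):
    """Apply all edit checks to a batch. Returns (accepted record ids, exception
    entries). A record with any exception is rejected; the exceptions are what
    the application-generated exception report lists for follow-up."""
    accepted, exceptions = [], []
    for rec in batch:
        found = format_check(rec) + existence_check(rec, master)
        if not any(e.field == "amount" for e in found):
            found += reasonableness_check(rec, max_payment)
        if found:
            exceptions.extend(found)
        else:
            accepted.append(rec["id"])
    return accepted, exceptions


def exception_report(exceptions):
    """Render the exception report as text lines for follow-up and resolution."""
    return [f"{e.record_id:<4} {e.check:<14} {e.field:<12} {e.detail}" for e in exceptions]


# Constructed payment batch covering each kind of edit-check failure.
SAMPLE_BATCH = [
    {"id": "P1", "pay_date": "2024-03-15", "customer_no": "C1001", "amount": "1250.00"},
    {"id": "P2", "pay_date": "2024-02-30", "customer_no": "C1002", "amount": "400.00"},    # bad date
    {"id": "P3", "pay_date": "2024-03-15", "customer_no": "C9999", "amount": "90.00"},     # unknown customer
    {"id": "P4", "pay_date": "2024-03-15", "customer_no": "C1003", "amount": "75000.00"},  # over maximum
    {"id": "P5", "pay_date": "2024-03-15", "customer_no": "C1001", "amount": "12.345"},    # not a money amount
]

if __name__ == "__main__":
    ok, exc = run_edit_checks(SAMPLE_BATCH)
    print("accepted:", ok)
    print("\n".join(exception_report(exc)))
```

The reasonableness check is skipped for a record whose amount has already failed the format check, so one bad field yields one exception rather than a misleading second one. What the example makes visible is the dependency the text describes: the assurance these checks give is only as good as the guarantee that MAX_PAYMENT, the customer master file and the check logic itself cannot be altered or bypassed without authorisation.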

Figure 1 Overview of Linkage of Information Technology General Controls to Audit Comfort

Legend
1. Management implies certain assertions about its financial statements by publishing those
statements.
2. Financial statement line items represent account balances that have been derived from one or
more transactions.
3. Transactions are often grouped into sub-processes when common processing exists for
different transaction types.
4. Sub-processes are grouped into processes to enable effective management oversight.
5. Management has objectives regarding the processing of its transactions.
6. There are risks to the achievement of information processing objectives.
7. Management implements application controls to mitigate risks to the information processing
objectives.
8. Management implements business performance reviews to identify potential anomalies in
financial results.
9. Management evaluates whether financial anomalies are the result of application control
breakdowns.
10. Certain manual application controls and business performance reviews use reports generated
by computer applications.

11. Effective Information Technology General Controls support management's reliance on
automated application controls, automated accounting procedures, or manual controls that use
application-generated reports.
12. Effective application controls contribute directly to comfort over financial statement
assertions.
Example Linkage of Automated Accounting Procedures to ITGCs
Automated accounting procedures are calculations, classifications, estimates, or other accounting procedures
that are performed by a computer application instead of a person. For example, an investment accounting
application may be programmed to calculate market value for different types of investments according to the
business rules for that type of investment, a loan application may automatically calculate amortization
schedules based on the loan terms entered by the user, or an accounts receivable application may be
programmed to classify receivables into their appropriate aging categories.
ITGC weaknesses may impact our ability to rely on automated accounting procedures designed into the
client's application. For example, if critical program development controls are missing, it may be difficult to
establish whether management has adequately tested that an automated accounting procedure works as
intended without substantively validating the calculation. As another example, control weaknesses that
permit unauthorized program access could provide the opportunity for management to override the results of
automated accounting procedures, which could have an impact on our assessment of fraud risk at the client.
Example Linkage of Application-Generated Reports to ITGCs
Application-generated reports are often used in the execution of a manual control, including business performance reviews. In order to assess the effectiveness of manual controls that use application-generated reports, it is necessary to understand the effectiveness of the ITGCs related to the computing environment that produces the reports and protects the data that feeds them. One example of such a control is a completeness control that involves the use of pre-numbered documents. As transactions are input, missing and duplicate document numbers are identified and pulled into an exception report for follow-up and resolution.
To effect this control, a user may receive a report of all missing or duplicate items that is used in support of a key account reconciliation. Weaknesses in computer operations may impact our ability to rely on the reconciliation control because the integrity of the data being used is in question. For example, weak batch processing controls may result in the wrong input file being used, which could lead to inaccurate presentation of missing or duplicate documents in the exception report. In addition, program change weaknesses could result in unauthorized or unintended changes to the programming logic, so that exceptions are not accurately reflected in the report.
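The completeness control over pre-numbered documents, and the wrong-input-file failure mode just described, as an added example (not code from the PwC guide or from any client application). The batch header, the transaction records and the document-number range are constructed. The header check (record count and hash total) runs before the sequence check, so a wrong input file is rejected instead of producing a plausible-looking but wrong list of missing and duplicate documents.

```python
"""Completeness control over pre-numbered documents, with batch input checks.

Added example, not code from the PwC guide. The batch header, the transaction
records and the document-number range are constructed for illustration.
"""
from collections import Counter
from decimal import Decimal

# Constructed input batch. Each record carries the pre-numbered document number
# assigned before input, so the expected sequence is known in advance.
RECORDS = [
    {"doc_no": 1001, "amount": Decimal("250.00")},
    {"doc_no": 1002, "amount": Decimal("99.50")},
    {"doc_no": 1002, "amount": Decimal("99.50")},   # entered twice
    {"doc_no": 1004, "amount": Decimal("400.00")},  # 1003 was never entered
    {"doc_no": 1005, "amount": Decimal("185.00")},
    {"doc_no": 1006, "amount": Decimal("200.00")},
]

# Constructed batch header produced when the documents were prepared for input.
HEADER = {"batch_id": "AR-2024-03-15", "record_count": 6,
          "hash_total": Decimal("1234.00"), "first_doc_no": 1001, "last_doc_no": 1006}

# Constructed header of a different day's batch: what the job would pair with
# RECORDS if weak batch-processing controls let the wrong input file be used.
WRONG_HEADER = {"batch_id": "AR-2024-03-14", "record_count": 6,
                "hash_total": Decimal("987.00"), "first_doc_no": 1001, "last_doc_no": 1006}


def batch_control_check(header, records):
    """Computer-operations control: the file content must agree with its header
    (record count and hash total). Returns a list of discrepancies; an empty
    list means the batch may be processed."""
    problems = []
    if len(records) != header["record_count"]:
        problems.append(f"record count {len(records)} differs from header {header['record_count']}")
    total = sum((r["amount"] for r in records), Decimal("0"))
    if total != header["hash_total"]:
        problems.append(f"hash total {total} differs from header {header['hash_total']}")
    return problems


def sequence_exceptions(doc_numbers, first, last):
    """Completeness control: every number in first..last must appear exactly once.
    Numbers outside the range are reported too, since they belong to another batch."""
    counts = Counter(doc_numbers)
    return {
        "missing": [n for n in range(first, last + 1) if n not in counts],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if not first <= n <= last),
    }


def build_exception_report(header, records):
    """Exception report handed to the user who performs the reconciliation.
    The batch controls run first so that a wrong or damaged input file is
    refused instead of silently yielding a misleading list of missing and
    duplicate documents."""
    problems = batch_control_check(header, records)
    if problems:
        return {"batch_id": header["batch_id"], "status": "REJECTED", "problems": problems}
    seq = sequence_exceptions([r["doc_no"] for r in records],
                              header["first_doc_no"], header["last_doc_no"])
    return {"batch_id": header["batch_id"], "status": "PROCESSED", **seq}


if __name__ == "__main__":
    for hdr in (HEADER, WRONG_HEADER):
        print(build_exception_report(hdr, RECORDS))
```

With the correct header the report lists document 1003 as missing and 1002 as duplicated, which is what the reconciling user needs. With the other day's header the hash total does not agree and the batch is rejected before any sequence check runs; without that header check the same records would have produced a report whose content bears no relation to the batch the user believes they are reconciling, which is the integrity problem the text attributes to weak batch processing controls.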
These are a few simple examples that illustrate how weaknesses in ITGCs can impact our ability to
rely on automated application controls, automated accounting procedures, and system generated data
and reports used in key manual controls or in the generation of manual journal entries. As these
examples highlight, evaluation of the design and operating effectiveness of ITGCs is an important
contribution to our audit comfort when these situations exist.
If the audit team intends to place continuous reliance on automated controls or to assume a controls
reliance strategy in the financial statement audit, the team must assess the potential impact of all
known ITGC weaknesses on the integrity of each underlying application control that the ITGCs were
designed to protect.

4423.0.2 Management's Internal Control Framework - Information Technology
As described in PwC Audit 4220, an entity's internal control framework comprises interrelated components that exist at every level of the organisation (i.e., at the entity, management unit and/or business process level). The internal control components, excluding control activities, may have less tangible elements or controls such as "tone at the top." Consequently, these components are more judgmental in nature and may have a pervasive effect on the overall system of control activities. The evaluation and testing of these components should be considered first, as early in the audit process as practical, to determine the impact on the extent of testing of control activities as well as the impact on our audit strategy and plan.
As described in PwC Audit 4220, the audit team should document an understanding and evaluate the
design of the programs and controls implemented to address the internal control components that it has
determined are relevant to financial reporting at the entity and business unit level to the extent
necessary to assess the risk of material misstatement and plan the audit.
When information technology general controls (ITGCs) are relevant to preserving the integrity of data
and key application controls in a system of internal controls over financial reporting, we should
evaluate the effectiveness of the internal control components, other than control activities, over IT and
consider the results of that work when planning our approach for evaluating ITGCs.
No two entities will approach internal controls in exactly the same way. Programs or controls
implemented over IT to address the relevant internal control components should reflect how
management approaches the entity's information technology needs and should serve to promote the
ongoing effectiveness of ITGCs that, in turn, preserve the integrity of key financial applications and
data.
The quality and effectiveness of these programs or controls over IT are factors to be considered (along
with other factors, such as inherent risks and the scope of key automated application controls) when
determining the nature, timing and extent of our testing of ITGCs.
The types of activities and controls that might be relevant to our evaluation of these components over
IT include:
1. The manner in which IT roles and responsibilities are defined and understood including
ownership and accountability for internal control
2. How proper segregation of duties among key IT functions is accomplished
3. The nature of IT management's operating style and attitude towards internal control
4. The means by which the IT organisation and its leadership promote a strong control
environment, including adoption of or participation in broader entity-level control activities
5. Human resource practices in IT that promote integrity and reflect a commitment to
competence
6. The manner of governance and oversight of the IT function, including the level of interaction
with executive management, the Board, and the Audit Committee regarding the results of
monitoring activities and identified IT control weaknesses

7. The means by which IT and Finance communicate and collaborate on matters relevant to
internal control over financial reporting
8. Policies and procedures designed to preserve the integrity of key financial applications and
data, both within IT and outside the IT function where applicable
9. How the company distinguishes routine program maintenance from program development
activities and their related ITGCs
10. How changes in people, processes, systems, technologies and business conditions are
monitored and addressed from an overall IT controls perspective
11. How management tracks, responds and ensures appropriate resolution to incidents that reflect
possible control issues, such as significant security breaches or data corruption problems.
Internal control components related to IT include the means by which ITGCs are monitored for
ongoing effectiveness (e.g., through some combination of direct supervisory controls, quality
assurance reviews, internal audits, regulatory reviews, or others).

4423.1 Understand, evaluate and validate: program development
The domain objective for program development is: "To ensure that systems are developed, configured, and implemented to achieve management's application control objectives." The typical subcomponents of program development include:

- Management of development and implementation activities
- Project initiation, analysis and design
- Construction / package selection
- Testing and quality assurance
- Data conversion
- Program implementation
- Documentation and training
- Segregation of duties

This domain is relevant only where significant development, implementation, or conversion projects
exist or are anticipated. The following points of focus may be helpful for identifying ITGCs in this
domain that are relevant to internal controls over financial reporting at your client. Note: Not all points
of focus are relevant to every entity, and other risk factors may exist that will need to be considered. It
is necessary to determine relevant activities and controls based on the entity's unique IT environment.

Overall Management of Program Development Activities

Management should establish a process for controlling program development activities, including major system enhancements, and should monitor the effectiveness of that process. Consider the following:

- Does the company employ a formal methodology and/or clear policies and procedures that govern program development activities?
- How does management ensure that comprehensive implementation plans are developed and executed upon for all significant projects, including consideration of desired system functionality, internal controls over financial reporting, and proper security and access controls?
- How has management documented and communicated roles and responsibilities to individuals engaged in program development activities?
- How does management ensure that appropriate business sponsors and IT project leads are involved in defining business requirements, test plans, and test results?
- How does management monitor program development activities and related controls?

Project Initiation, Analysis and Design


Project initiation controls should ensure that projects are planned, resourced, and mobilized to support
the achievement of management's application control objectives. Consider the following:

- How does management ensure that development efforts are aligned with overall business and internal control objectives?
- How does management ensure that each project team contains the requisite business and technology skills, including knowledge of internal controls?
- How does management ensure that business sponsors and data owners are identified for all projects?
- How does management ensure that system requirements are consistently developed in sufficient detail?
- How does management ensure that project teams consider system and interface dependencies, internal control requirements and security requirements for every project?
- How does management ensure that business sponsor approval has been obtained prior to moving to the construction phase of the project?

Construction/Package Selection
Construction and package selection controls should ensure that in-house program development activities and the selection of packaged software are performed to support the achievement of management's application control objectives. Consider the following:

- How does management ensure the use of programming standards for in-house developed applications?
- How does management ensure consistent application of control over the selection, customization and implementation of purchased software packages?
- How does management ensure that version control is in place for all systems?
- How does management ensure that dependencies between and among integrated applications and data files are identified and considered?

Testing and Quality Assurance

Testing and quality assurance controls should ensure that an adequate level of testing is performed by
appropriate personnel to determine that the new system functions as intended and achieves
management's application control objectives. Consider the following:

How does management ensure that test plans are sufficient to address requirements defined in
the analysis and design phase?
How does management determine the nature and extent of testing (i.e. unit, user, regression
testing)?
How does management ensure that appropriate testing is performed and approved by relevant
IT and / or business unit personnel?
How does management ensure that the design and operating effectiveness of new or changed
internal controls over financial reporting have been sufficiently addressed during testing?
How does management ensure that programs are not modified after testing before
implementation in production?
How does management ensure the controlled migration of code between logical environments?
How does management ensure that configuration options selected for packaged applications
achieve business and control requirements?

Data Conversion
Data conversion controls should ensure that data is converted completely and accurately to new
systems. Consider the following:

How does management ensure data fields are properly mapped from legacy to target systems?
How does management ensure that converted data remains complete, accurate, and valid?
How does management ensure that critical system interfaces are considered in data conversion
plans?

Program Implementation
Program implementation controls should ensure that new systems are implemented in the live
environment only after adequate testing has been performed, business sponsor approval has been
obtained, and proper implementation and back-out plans have been developed. Consider the following:

How does management ensure that all program implementations are approved by appropriate
business sponsors and IT management?
How does management ensure that a consistent process is followed when making all go-live
decisions (i.e., implementation plans, back-out procedures, etc.)?
How does management ensure that the version of the program implemented in production is
the most recent version that had been tested and approved by the business sponsors?
If the program is run at multiple sites, how does management ensure that all copies of the
program have been updated with the correct version?
How does management ensure that significant implementation risks, particularly in a complex
implementation, are addressed in the post-implementation period (e.g. post-implementation
reviews, shake-down controls, etc.)?

Documentation and Training

Documentation and training controls should ensure that end users and technical support personnel are
provided with adequate documentation and training concurrently with program implementation.
Consider the following:

How does management ensure that user and technical documentation are developed and
communicated in a timely manner for all new systems?
How does management ensure that users and IT personnel receive adequate training on all new
systems and related internal controls?

Segregation of duties
Segregation of duties controls should ensure that the roles and responsibilities throughout the program
development process have been appropriately restricted and segregated. Consider the following:

How does management ensure that responsibilities throughout the program development
process are adequately segregated?
How does management ensure that separate environments are maintained for development,
testing and production, and that only appropriately authorized individuals have access to each
of those environments?

4423.2 Understand, evaluate and validate: program changes

The domain objective for program changes is: "To ensure that changes to programs and related
infrastructure components are requested, authorized, performed, tested, and implemented to achieve
management's application control objectives." The typical subcomponents of program change include:

Management of maintenance activities
Specification, authorization and tracking of change requests
Construction
Testing and quality assurance
Program implementation
Documentation and training
Segregation of duties

Once financially significant applications have been identified in scoping, the following points of focus
may be helpful for identifying ITGCs in this domain that are relevant to internal controls over
financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other
risk factors may exist that will need to be considered. It is necessary to determine relevant activities
and controls based on the entity's unique IT environment.

Management of Maintenance Activities

Management should establish a process for controlling program changes and should monitor the
effectiveness of that process. Consider the following:

How does management ensure that a controlled process is followed for all system changes
across application programs, infrastructure components, management units, and locations?
How has management documented and communicated change management policies and
procedures?
How has management documented and communicated change management roles and
responsibilities?
How does management monitor compliance with implemented program change controls?

Specification, Authorization and Tracking of Change Requests

Change request controls should ensure that user requests are captured, authorized, and prioritized to
support the achievement of management's application control objectives. Consider the following:

How does management ensure that all user requests for changes are captured?
How does management ensure that all user change requests are evidenced as authorized by an
appropriate level of management?
How does management ensure that requests identified as a result of problem management
activities are considered along with user change requests?

How does management consider the potential impact of requested changes on internal controls
over financial reporting?

Construction
Construction controls should ensure that changes are developed and performed to support the
achievement of management's application control objectives. Consider the following:

How does management ensure use of programming standards for in-house developed
applications?
How does management ensure that version control is in place for all systems?
How does management ensure that dependencies between and among integrated applications
and data files are identified and considered?

Testing and Quality Assurance

Testing and quality assurance controls should ensure that an adequate level of testing is performed by
appropriate personnel to determine that the program continues to work as intended and achieve
management's application control objectives. Consider the following:

How does management determine the nature and extent of testing for each change (i.e. unit,
user, regression)?
How does management ensure that testing performed addresses both the change made, as well
as significant functionality within the system that should not have changed?
How does management ensure the appropriate users and management are involved in testing to
properly address the impact of changes on internal controls over financial reporting?
How does management obtain evidence of user acceptance of the change prior to
implementation in production?
How does management ensure the controlled migration of code between logical environments?
How does management ensure that modified configuration options continue to achieve
business and control requirements?

Program Implementation
Program implementation controls should ensure that changes are implemented in the live environment
by appropriate personnel only after adequate testing has been performed and the proper business user
management approvals have been obtained. Consider the following:

How does management ensure that all program implementations are approved by business
users and / or IT management prior to implementation?
How does management ensure that a controlled process is followed when implementing
changes in production?
How does management ensure that emergency changes are captured, documented, and
approved subsequent to production implementation?
How does management ensure that only appropriate and authorized personnel have access to
move program changes into the production environment?

How does management ensure that the version of the program implemented in production is
the most recent version that had been tested and approved by business user management?
If the program is run at multiple sites, how does management ensure that all copies of the
program have been updated with the correct version?

Documentation and Training

Documentation and training controls should ensure that end user and IT support documentation and
training is updated concurrently with implementation of program changes. Consider the following:

How does management ensure that user and technical documentation are timely updated for
significant changes to its systems?
How does management ensure that users and IT personnel receive adequate training on any
significant system changes, including any resulting changes to internal controls over financial
reporting?

Segregation of Duties
Segregation of duties controls should ensure that the roles and responsibilities throughout the program
change process have been appropriately restricted and segregated. Consider the following:

How does management ensure that responsibilities throughout the program change process are
adequately segregated?
How does management ensure that separate environments are maintained for development,
testing and production and only the appropriate individuals have access to each of those
environments?
How are segregation of duties controls maintained over time?
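As an added example that is not part of the audit guide, the program-change points of focus above (management authorization, user acceptance evidence, the tested version being the one that reaches production, retrospective approval of emergency changes, and segregation between developers and those who migrate code) can be tested by reconciling a production deployment log against the change register. The change tickets, deployment log lines, user names and the release-team list are constructed sample data.

```python
"""ITGC program-change test: reconcile production deployments with change records.

Added example, not part of the audit guide. Tickets, deployment log lines,
user names and the release-team list are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ChangeTicket:
    ticket_id: str
    developer: str                    # who built the change
    approved_by: Optional[str]        # management authorization before build
    uat_signed_off: bool              # evidence of user acceptance testing
    tested_version: str               # version that passed testing
    emergency: bool = False
    post_approval: Optional[str] = None  # retrospective approval of an emergency change


# Constructed change register
TICKETS = {
    "CHG-101": ChangeTicket("CHG-101", "alice", "cfo_office", True, "2.3.1"),
    "CHG-102": ChangeTicket("CHG-102", "bob", None, True, "1.9.0"),
    "CHG-103": ChangeTicket("CHG-103", "carol", "it_mgr", False, "4.0.2"),
    "CHG-104": ChangeTicket("CHG-104", "dave", "it_mgr", True, "7.1.0", emergency=True),
    "CHG-105": ChangeTicket("CHG-105", "erin", "it_mgr", True, "3.2.0"),
}
# Personnel authorized to migrate code into production (constructed release team)
PROD_MIGRATORS = {"release1", "release2"}
# Constructed production deployment log: timestamp, app, version, ticket, deployer
DEPLOY_LOG = """\
2024-03-01T09:12:00 GL 2.3.1 CHG-101 release1
2024-03-02T10:00:00 AP 1.9.0 CHG-102 release1
2024-03-03T14:30:00 AR 4.0.2 CHG-103 release2
2024-03-04T02:15:00 GL 7.1.0 CHG-104 release1
2024-03-05T11:45:00 FA 3.2.1 CHG-105 erin
2024-03-06T16:20:00 GL 2.4.0 - release2
"""


def parse_deploy_log(text):
    """Split each log line into a dict; the ticket field is '-' when none was cited."""
    rows = []
    for line in text.splitlines():
        ts, app, version, ticket, deployer = line.split()
        rows.append({"ts": ts, "app": app, "version": version,
                     "ticket": ticket, "deployer": deployer})
    return rows


def reconcile_deployments(tickets, deployments, migrators):
    """Return (ticket, finding) tuples; an empty list means no exceptions noted."""
    findings = []
    for d in deployments:
        tid = d["ticket"]
        if tid not in tickets:
            findings.append((tid, f"{d['app']} {d['version']} deployed without a change ticket"))
            continue
        t = tickets[tid]
        if t.approved_by is None:
            findings.append((tid, "no evidence of management authorization"))
        if not t.uat_signed_off:
            findings.append((tid, "no user acceptance evidence before production"))
        if d["version"] != t.tested_version:
            findings.append((tid, f"deployed {d['version']} but {t.tested_version} was tested"))
        if t.emergency and t.post_approval is None:
            findings.append((tid, "emergency change lacks retrospective approval"))
        if d["deployer"] not in migrators:
            findings.append((tid, f"{d['deployer']} is not authorized to migrate to production"))
        if d["deployer"] == t.developer:
            findings.append((tid, "developer migrated own change (segregation of duties)"))
    return findings
```

Each finding maps back to one point of focus, so the output can be filed directly as the exception list for the change management test.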

4423.3 Understand, evaluate and validate: access to programs and data

The domain objective for access to programs and data is: "To ensure that only authorized access is
granted to programs and data upon authentication of a user's identity." The subcomponents of access to
programs and data typically include:

Management of security activities
Security administration
Data security
Operating system security
Network security
Physical security

Once financially significant applications have been identified in scoping, the following points of focus
may be helpful for identifying ITGCs in this domain that are relevant to internal controls over
financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other
risk factors may exist that will need to be considered. It is necessary to determine relevant activities
and controls based on the entity's unique IT environment.
In addition to the following points of focus, also consider using any applicable technical platform
practice aids and work programs that are available in Guardian to assist in your evaluation of controls
over access to programs and data.

Management of Security Activities

A security function and related policies and procedures should be designed and implemented to
support the information integrity objectives of the entity. Consider the following:

How does management ensure that business unit management is appropriately included in the
information security function from a data ownership perspective?
How has management documented and communicated security roles and responsibilities?
How has management defined, documented, and communicated security policies and
procedures applicable to all relevant technology components?
How does management ensure that security policies and procedures are updated on a regular
basis and as changes occur to technology components?
How does management periodically educate IT and business users regarding their security
responsibilities and related policies and procedures?

Security administration
Security administration activities should ensure that access to applications, data, and operating systems
is appropriately restricted to only authorized individuals whose access rights are commensurate with
their job responsibilities and with management's control objectives. Consider the following:

Have access rights been defined and established by appropriate levels of IT and business unit
management to achieve relevant control objectives, including segregation of duties objectives
in both IT and in business processes? Consider access to:
o Applications
o Application data outside applications
o Operating system
How has management designed security administration controls to ensure that access rights in
the following areas are properly granted, changed and removed as needed, only upon approval
by appropriate management personnel?
o Applications
o Application data outside applications
o Operating system
How does the security administration function facilitate periodic reviews of user access by
business unit management to ensure that access remains commensurate with job
responsibilities over time? Consider:
o Applications
o Application data outside applications
How has management defined and linked segregation of duties objectives within the
business processes to the approval and periodic reviews of access rights?

Data Security
Data security controls should ensure that direct access to data is limited to appropriate authorized
individuals and is monitored for potential unauthorized activity. Consider the following:

How does management ensure that all direct data access methods (i.e., access from outside of
an application) have been defined and considered in designing security administration and
security monitoring controls? Consider:
o Operating system commands that can be used to change information in data files or
databases,
o Operating system administrator, database administrator, and other powerful IDs that
can be used to change data, but would not appear in lists identifying users with access
to specific data files or databases,
o Operating system and database security administration capabilities that can be used to
grant access to specific data files and databases,
o Report writers and other utility programs that can be used to change data outside
application systems,
How does management ensure that data environments are configured to properly restrict access
to:
o Data files and databases of financially significant applications,
o Operating system commands that can be used to change information in data files or
databases,
o Operating system administrator, database administrator, and other powerful IDs that
can be used to change data, but would not appear in lists identifying users with access
to specific data files or databases,
o Operating system and database security administration capabilities that can be used to
grant access to specific data files and databases,
o Report writers and other utility programs that can be used to change data outside
application systems,

How does management ensure that changes to data access settings (i.e., data file permissions)
are completed in a controlled manner, including approval of business unit owners of access to
data?
How does management periodically review direct data access, considering the access methods
identified above, to ensure that the access remains commensurate with job responsibilities?
If direct data access is controlled using special system utilities, how does management ensure
that the use of such utilities is documented, logged and reviewed on a regular basis?
How does management monitor the data environment for potential unauthorised activity?
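As an added example, not from the audit guide, the security administration and data security points of focus above can be tested by comparing an extracted access listing against the HR roster, the roles approved for each job, a segregation of duties matrix, and a database audit trail of direct data changes made outside the application. All names, roles, tables and change references are constructed, and requiring every privileged direct data change to cite a change ticket is an assumed control design rather than something the guide prescribes.

```python
"""ITGC access review: test an access listing against HR data, job roles, SoD rules
and a log of direct data changes.

Added example, not part of the audit guide. Roster, roles, access listing,
SoD matrix and database audit lines are all constructed sample data.
"""
from collections import defaultdict

# Constructed HR roster: user -> (job title, employment status)
HR_ROSTER = {
    "alice": ("ap_clerk", "active"),
    "bob": ("ap_manager", "active"),
    "carol": ("developer", "active"),
    "dave": ("dba", "active"),
    "erin": ("ap_clerk", "terminated"),
}
# Roles that business unit management has approved for each job title
ALLOWED_ROLES = {
    "ap_clerk": {"AP_ENTER_INVOICE"},
    "ap_manager": {"AP_APPROVE_PAYMENT", "AP_VIEW"},
    "developer": {"DEV_ENV_ACCESS"},
    "dba": {"DB_ADMIN"},
}
# Role pairs that one person must never hold together (segregation of duties)
SOD_CONFLICTS = [
    frozenset({"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}),
    frozenset({"DEV_ENV_ACCESS", "PROD_MIGRATE"}),
]
# Constructed access listing extracted from the application and database
ACCESS_LISTING = [
    ("alice", "AP_ENTER_INVOICE"), ("bob", "AP_APPROVE_PAYMENT"),
    ("bob", "AP_ENTER_INVOICE"), ("carol", "DEV_ENV_ACCESS"),
    ("carol", "PROD_MIGRATE"), ("dave", "DB_ADMIN"),
    ("erin", "AP_ENTER_INVOICE"), ("svc_batch", "DB_ADMIN"),
]
# Constructed database audit trail of changes made outside the application:
# user, table, statement, change-ticket reference ('-' when none was cited)
DB_AUDIT = """\
dave AP_INVOICES UPDATE CHG-210
dave AP_INVOICES DELETE -
svc_batch GL_BALANCES UPDATE -
"""


def review_access(roster, allowed_roles, sod_conflicts, listing):
    """Return (user, finding) tuples for access not commensurate with the job."""
    findings = []
    roles_by_user = defaultdict(set)
    for user, role in listing:
        roles_by_user[user].add(role)
    for user, roles in roles_by_user.items():
        if user not in roster:
            findings.append((user, "no HR record: orphan or service account, owner must be confirmed"))
            continue
        title, status = roster[user]
        if status != "active":
            findings.append((user, "terminated employee still has access"))
        for role in sorted(roles - allowed_roles.get(title, set())):
            findings.append((user, f"role {role} not approved for job {title}"))
        for pair in sod_conflicts:
            if pair <= roles:  # user holds both roles of a conflicting pair
                findings.append((user, "SoD conflict: " + " + ".join(sorted(pair))))
    return findings


def review_direct_data_access(audit_text):
    """Assumed control: every direct data change by a privileged ID cites a change ticket."""
    findings = []
    for line in audit_text.splitlines():
        user, table, stmt, ticket = line.split()
        if ticket == "-":
            findings.append((user, f"{stmt} on {table} without a change reference"))
    return findings
```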

Operating System Security

Operating system security controls should ensure that operating system access is limited to appropriate
authorized individuals and is monitored for potential unauthorized activity. Consider the following:

How does management ensure that security configuration settings are changed in a controlled
manner and remain consistent with the intended design (i.e., global security parameters,
password parameters, services running, etc.)?
How does management periodically review operating system access to ensure that the security
administration process is working as intended and access remains commensurate with job
responsibilities?
How does management monitor the environment for potential unauthorised activity?

Network Security
Internal and external network security controls might be necessary to protect financially significant
systems from unauthorized access. Depending on the effectiveness of other controls over access to
programs and data, also consider the following:

How does the network design (e.g., logical separation of domains, trust relationships, external
network connections, etc.) ensure the financially significant systems are appropriately
protected from unauthorized access (e.g., behind a firewall)?
How does management ensure authentication controls (i.e. password controls, assignment of
users to groups, remote access, etc.) are built into the network configuration?
How does management ensure that appropriate security controls are considered for all changes
to the internal and external network design?
How does management monitor for and respond to potential security events on the internal and
external network?

Physical Security
Physical security controls might be necessary in certain environments to ensure that an organization's
systems are protected from unauthorized physical access. If relevant, consider how management
ensures physical access is restricted for facilities that provide logical access to financially significant
systems.

4423.4 Understand, evaluate and validate: computer operations

The domain objective for computer operations is: "To ensure that production systems are processed
completely and accurately in accordance with management's control objectives, and that processing
problems are identified and resolved completely and accurately to maintain the integrity of financial
data."
Once financially significant applications have been identified in scoping, the following points of focus
may be helpful for identifying ITGCs in this domain that are relevant to internal controls over
financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other
risk factors may exist that will need to be considered. It is necessary to determine relevant activities
and controls based on the entity's unique IT environment.

Overall Management of Computer Operations Activities

Management should establish processes for controlling computer operations and should monitor the
effectiveness of those processes. Consider the following:

How has management documented and communicated its computer operations policies and
procedures?
How has management documented and communicated computer operations roles and
responsibilities?
How has management organized the computer operations function to ensure a segregation of
duties?
How does management ensure that computer operations personnel have appropriate skills to
perform their duties?
How does management monitor the computing environment to ensure that potential operational
issues are identified and resolved?

Batch Scheduling and Processing

Batch scheduling and processing controls should ensure that authorized production jobs are
appropriately scheduled and monitored, and that exceptions are resolved completely and accurately in
support of management's application control objectives. Consider the following:

How does management ensure that additions, changes, and deletions to the job schedule are
authorized and completed in a timely manner?
How does management ensure that job dependencies and restart/recovery procedures are
documented for all jobs in the batch schedule?
How does management monitor the processing of jobs to ensure that they run in accordance
with the approved job schedule?
How does management ensure that only authorized personnel have access to the job scheduling
tool?

Real-time processing
Real-time processing controls should ensure that the ongoing transmission and recording of
transaction data occurs completely and accurately in support of management's application control
objectives. Consider the following:

How does management ensure that changes to the configuration of real-time processing
components (including middleware, where applicable) are authorized and completed in a
timely manner?
How does management ensure that real-time processing failures are captured and resolved in a
timely manner?
How does management ensure that only authorized personnel have access to configure any
technology components used to facilitate real-time processing?

Backup and Problem Management

Backup and recovery controls should ensure that backup requirements are defined so that data is
available when needed, problems requiring resolution are identified in a timely manner, and recovery
from those problems is performed completely and accurately. Consider the following:

How does management ensure that requirements for content and frequency of data backups are
consistent with business objectives?
How does management ensure that backup media would be available in the event of an
emergency (i.e., off-site rotation of media)?
How does management ensure that data can be recovered as intended from backup media when
needed?
How does management ensure that all significant operational failures are identified and
resolved completely and accurately in a timely manner?

Disaster Recovery
Disaster recovery controls are important operational controls that help to ensure that an organisation
will be able to continue operations in the event of a disaster. Evaluate and validate these controls only
if disaster recovery is considered relevant because of territory regulatory requirements and/or
significant impact on going concern issues. Determine the disaster recovery activities that are relevant
to the organisation's objectives. Consider the following:

How does management ensure that environmental risks (i.e., fire, smoke, water, power,
temperature, humidity, etc.) to all significant computing locations are appropriately mitigated?
How does management use a business impact analysis or similar risk assessment to ensure that
disaster recovery plans and related testing exist for all significant applications and underlying
technology components?
How does management ensure that plans are tested and updated on a regular basis?
