Information Technology
Session 3
DTETI
2016
Audit Universe
The Universe
Inventory all potential audit areas in the organization.
Building the audit universe documents the key business processes and their risks.
Best practice: incorporate enterprise-wide risk assessments into audit plans.
Institute of Internal Auditors (IIA) Standard 2010
Analyze risk exposures
Priorities for the internal audit activity
Organization objectives, supporting processes, risks of unachieved objectives, controls to mitigate those risks
Annual audit schedules
Process, duration, personnel
Planning
Re-prioritize when organizational changes, changes in risk, or new regulations are introduced
Risk Assessment
The IT environment in business changes at a fast pace.
A company must be aware of and deal with the risks it faces.
Set objectives so that the organization is operating in concert.
Step 1
Goal: Set Objectives
Key question: What are we trying to achieve?
Example: Produce reliable financial statements.
Step 2
Goal: Identify risks to achieving those objectives
Key question: What could happen that would affect our objectives?
Example: A natural disaster could destroy computer systems and data.
Step 3
Goal: Assess Risk
Key questions: What are the consequences of the risk? What is the likelihood the event will occur?
Example: Consequences are severe; likelihood is slight.
Step 4
Goal: Manage Risk
CONTROL ACTIVITIES (Steps 5 and 6)
Step 5
Goal: Define Control Objective
Key question: For risks to be managed through internal control, what are the control objectives?
Example: Implement a recovery plan that reduces the impact of a natural disaster.
Step 6
Goal: Design Control
Key question: How should the control be designed to prevent or detect the identified risk?
Examples: Design the recovery plan. Implement the plan. Test it on a regular basis.
Audit Plan
Audit Scheduling
Audit Budgeting
Budget Coordination
Human resources
Training (for error-correction actions/recommendations)
Understand the capabilities and availability of audit staff
High-level auditing areas, sensitive areas
Preparation
Scope and objectives clearly stated, including:
process areas
controls
functional area
time period
other specifics
Prioritization
High-priority audits must be performed
Lowest-priority audits may be scrapped
Audit Workflow
Internal Controls
Control Environment: sets the tone of the company
Senior management must set an appropriate Tone at the Top that positively influences the control consciousness of the personnel.
This is the foundation for all other components of internal control and provides discipline and structure.
Factors that contribute to an effective control environment:
Integrity and Ethical Values
Commitment to Competence
Management's Philosophy and Operating Style
Organizational Structure
Assignment of Authority and Responsibility
Human Resources Policies and Practices
IT Considerations
Control Activities
Control policies and procedures must be established and executed to help ensure the actions identified by management to address risks are carried out.
Monitoring
IT Audit Standards
COSO
COBIT
ITIL
ISO
Background
When the savings and loan industry collapsed in the mid-1980s, the US government wanted more control.
In an effort to deter governmental intervention, an independent private-sector initiative, later called COSO, was initiated in 1985 to assess how best to improve the quality of financial reporting.
Committee of Sponsoring Organizations
COSO formalized the concepts of internal control and framework in 1992 when it issued the landmark publication Internal Control-Integrated Framework.
Boeing uses COSO as its internal audit foundation.
Since that time, other professional associations have continued to develop additional frameworks.
Sponsors
American Institute of Certified Public Accountants (AICPA)
American Accounting Association (AAA)
Financial Executives Institute (FEI)
Institute of Internal Auditors (IIA)
Institute of Management Accountants (IMA)
COSO components
Control Activities
Policies/procedures that ensure management directives are carried out
Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties
Monitoring
Assessment of a control system's performance over time
Combination of ongoing and separate evaluation
Management and supervisory activities
Internal audit activities
Information & Communication
Pertinent information identified, captured and communicated in a timely manner
Access to internally and externally generated information
Flow of information that allows for successful control actions, from instructions on responsibilities to a summary of findings for management action
Control Environment
Risk Assessment
Risk assessment is
COSO ERM cube
Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
Organizational levels: Entity-Level, Division, Business Unit, Subsidiary
COBIT Framework
IT Infrastructure Library
ITIL
The IT Infrastructure Library (ITIL) was developed by the U.K. government in the mid-1980s.
It has become a de facto standard for best practices in the provision of IT infrastructure management and service delivery.
Coverage/Scope
Platform
Server
Application
Audit Aspects
Functional
Services
Performance
Security
Quick Exercise