Pengenalan Konsep Pemeriksaan Sistem Informasi

S1 Akuntansi FE Untar

Learning Objectives
1.

2.
3. 4. 5. 6.

7.

Definition of IS Audit Steps in Conducting an Audit Due Professional Care Management of the IS Audit Function Risk Analysis Internal Control Performing an IS Audit

Definition by Ron Weber

IS Audit is the process of collecting and evaluating evidence to determine whether computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently
3

Objectives of IS Auditing

Asset safeguarding Data integrity

System effectiveness
System efficiency

Steps in Conducting an Audit

Planning the audit Tests of controls

Tests of transactions
Tests of balances of overall results Completion of the audit
5

Due Professional Care

Attestation and PSAP Standard ISACA CObIT

Attestation and PSAP Standard

Standar Audit Umum, pekerjaan lapangan, pelaporan

PSA No.57 Audit dalam lingkungan sistem berbasis komputer

PSA No.59 Teknik audit berbantuan komputer PSA No.63 Lingkungan sistem informasi komputer PSA No.64 Lingkungan sistem informasi komputer secara online PSA No.65 Lingkungan sistem informasi komputer dengan sistem database
7

ISACA

Audit chapter : Responsibility, authority, and accountability Independence Professional independence Organizational relationship Professional ethics and standards Code of professional ethics Due professional care Competence Continuing professional education

ISACA (cont)

Planning Audit planning Performance of audit work Supervision Evidence Reporting Report content and form Follow up activities Follow up
9

CObIT Guidelines

Control objectives Audit guidelines Management guidelines

10

Management of the IS Audit Function

Organization of the IS Audit Function IS Audit Resource Management Audit Planning Effect of Laws and Regulations on IS Audit Planning

11

Organization of the IS Audit Function

IS audit services can be provided externally or internally If internally : The role should be established by an audit charter Can be part of internal audit, function as an independent or integrated group within financial and operational audit The charter should clearly state managements responsibility, objectives, and authority 12

Organization of the IS Audit Function

If externally : The scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider Should be independent and report to an audit committee, if available, or to the highest management level such as the board of directors

13

IS Audit Resource Management

Maintain their competency through updates of existing skills and obtain training directed toward new audit techniques and technological areas Having the skills and knowledge necessary to perform the auditor's work Maintain technical competence through appropriate continuing professional education IS audit management should also provide the necessary IT resources to properly perform IS audits of a highly specialized nature

14

Audit Planning

Consists of both short- and long-term planning Analysis of short- and long-term issues should occur at least annually, for : New control issues; Changes in the risk environment, technologies and business processes; and Enhanced evaluation techniques

The results reviewed by senior audit management and approved by the audit committee, if available, or alternatively by the board of directors and communicated to relevant levels of management.
15

Audit Planning (cont)

Each individual audit assignment must be adequately planned, Steps to perform audit planning : Gain an understanding of the business Identify policies, standards and required guidelines, procedures, and organization structure Perform a risk analysis Set the audit scope and audit objectives Develop audit strategy Assign personnel resources Address engagement logistics
16

Effect of Laws and Regulations on IS Audit Planning

Business regulations can impact the way data are processed, transmitted and stored IS auditors should review management's privacy policy to ascertain whether it takes into account the requirements of applicable privacy laws and regulations Two major areas of concern: Legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit, and Legal requirements placed on the auditee and its systems, data management, reporting, etc
17

Risk Analysis

Risk analysis is part of audit planning and help to determine the controls needed to mitigate the risks Must have knowledge of common business risks, related technology risks and relevant controls.

Must also be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk to help focus and plan
18

Risk Analysis (cont)

The risk assessment process : Identifying business objectives, information assets, and the underlying systems or information resources Identify threats and determine the probability of occurrence, and the resulting impact and additional safeguards Identify controls for mitigating identified risks Cost-benefit analysis : The cost of the control compared to the benefit Management's appetite for risk Preferred risk-reduction methods
19

Risk Analysis (cont)

Purposes of risk analysis from IS auditors perspective : Assists the IS auditor in identifying risks and threats Helps the IS auditor in his/her evaluation of controls in audit planning Assists the IS auditor in determining audit objectives Supports risk-based audit decision making

20

Internal Controls

Normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization Controls :
Preventive Detective Corrective
21

Internal Control Objectives

Internal accounting controls Primarily directed at accounting operations such as the safeguarding of assets and the reliability of financial records. Operational controls Directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives Administrative controls Concerned with operational efficiency in a functional area and adherence to management policies including operational controls
22

IS Control Objectives (cont)

Ensuring availability of IT services by developing efficient business continuity (BCP) and disaster recovery plans (DRP) Enhancing protection of data and systems by developing an incident response plan Ensuring integrity and reliability of systems by implementing effective change management procedures

23

IS Control Objectives

Safeguarding assets Ensuring integrity of general operating system (OS) environments

Ensuring integrity of sensitive and critical application system environments

Ensuring appropriate identification and authentication of users of IS resources

Ensuring the efficiency and effectiveness of operations

24

Control Objectives for Information and Related Technology (CObIT)

Supports IT governance by : Ensure that IT is aligned with the business IT resources are used responsibly IT risks are managed appropriately 4 domains : Plan & Organize identification and strategy on IT Investment Acquire & Implement integrated realization on IT planning and application Deliver & Support IT support on business operation Monitor & Evaluate scheduled evaluation on IT

25

IS Control Procedures

Strategy and direction

General organization and management

Access to IT resources, including data and programs

Systems development methodologies and change control

Operations procedures
Systems programming and technical support

functions

26

IS Control Procedures

Quality assurance (QA) procedures

Physical access controls

Business continuity (BCP)/disaster recovery planning (DRP)

Networks and communications Database administration Protection and detective mechanisms against internal and external attacks
27

Performing an IS Audit

Classification of Audits

Audit Programs
Audit Methodology Audit Risk and Materiality Risk Assessment and Treatment Risk Assessment Techniques Audit Objectives Compliance VS Substantive Testing
28

Performing an IS Audit

Evidence

Interviewing and Observing Personnel in Action

Sampling Computer-Assisted Audit Techniques Evaluation of Audit Strengths and Weaknesses Communicating Audit Results Management Implementation of Recommendations Audit Documentation
29

Assignment for Students

Describe and give an example for each steps on performing an IS audit You can search internet or other sources for help you

30