IT Audit and Evaluation 1
Audit and Evaluation of Information Technology
MTI-CIO2012
Introduction
• Definition
  – "Examine carefully for accuracy with the intent of verification"
  – "A methodical examination or review of a condition or situation"
• Why Audit?
• Who?
[Diagram: Information Management System, shown both as a linked system and as an internal system within the organization]
IS/IT Audit
• Information Systems (IS)
  – Involve more than just computers
  – Successful application requires understanding of the
    • Business
    • Environment
• Computer-Based Information Systems (CBIS)
  – Computer utilization (hardware/software/database/network)
  – Technology to perform tasks (procedures/people/etc.)
• A collection of IS; the term is often used interchangeably with Information Technology (IT)
IT Audit
• Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures
• The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data availability/integrity/confidentiality, achieves organisational goals effectively and consumes resources effectively.
  – involves evaluating the computer's role in achieving
    • audit objectives
    • control objectives
  – means proving data and information are
    • reliable
    • confidential
    • secure
    • available
  – includes attest objectives like
    • safeguarding of assets and data integrity
    • operational effectiveness
Standards
• Auditors are guided in their professional responsibility by the generally accepted auditing standards (GAAS)
Generally Accepted Auditing Standards
General Standards
• The auditor must have adequate technical training and proficiency to perform the audit.
• The auditor must maintain independence in mental attitude in all matters related to the audit.
• The auditor must use due professional care during the performance of the audit and the preparation of the report.
Standards of Field Work
• Audit work must be adequately planned.
• The auditor must gain a sufficient understanding of the internal control structure.
• The auditor must obtain sufficient, competent evidence.
Standards of Reporting
• The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
• The report must identify those circumstances in which generally accepted accounting principles were not applied.
• The report must identify any items that do not have adequate informative disclosures.
• The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
Auditing Aims
Internal
• Responsibility of Performance
  – Company's own employees
  – External to the department being audited
• Audit Purpose
  – Employee compliance with policies and procedures
  – Development and evaluation of internal controls
External
• Responsibility of Performance
  – Those outside the organization
  – Accountants working for an independent CPA
• Audit Purpose
  – Performance of the attest function
  – Evaluate the accuracy and fairness of the financial statements relative to GAAP
Audit Type
Internal audit
• company personnel reporting to
  – top management and/or
  – the Audit Committee of the Board of Directors
• external to the corporate department or division being audited
• concerns employee adherence to
  – company policies and procedures, evaluation of internal controls
• relatively broad in scope, including
  – auditing for fraud,
  – ensuring that employees are not copying software programs illegally
• provides assurance to a company's top management about
  – the efficiency of its organization and
  – the effectiveness of its organization
External audit
• Independent
• evaluates the risks
  – the integrity of accounting data
• makes recommendations
  – to managers
  – to improve these controls
• conducted in the context of GAAP
• checks whether financial statements
  – are free of material errors
  – do not contain fraudulent misstatements
• includes a variety of assurance services
IT Audit Function
• Scope: IT/IS Audit
• Objectives
  – Safeguarding of Assets
  – Improved Data Integrity
  – Improved System Effectiveness
  – Improved System Efficiency
• Elements
  1. Physical and Environmental
  2. System Administration
  3. Application Software
  4. Application Development
  5. Network Security
  6. Business Continuity
  7. Data Integrity
Policies, Standards, Guidelines, and Procedures
Organizations typically have four types of documents in place:
– Policy
– Standard
– Guideline
– Procedure
Policy
• Provides emphasis
• Sets direction
• Signed by management authority
Standard
• Specifies a uniform method of support for policy
• Compliance is mandatory
Guideline
• Suggested actions to consider in the absence of an applicable standard
• Discretionary usage
• Can be used to create a new standard
Procedure
• Step-by-step instructions to perform desired actions
• Provides support for a standard
• Compliance is mandatory
[Diagram: a change control process to review and revise these documents; if the process is ineffective, what is the result?]
IT Governance
• The process for controlling an organization's IT resources, including information and communication systems, and technology.
• The utilization of IT is to promote an organization's objectives and enable business processes, and to manage and control IT-related risks.
• General Controls
  – The concept is relatively new
  – Ensuring that effective IT management and security principles, policies and processes, with appropriate compliance measurement tools, are in place
  – Require an active audit committee
• Control Objectives for Information and Related Technology (COBIT) Guideline
  – Identifies critical success factors, key goal and performance indicators, and an IT governance maturity model.
  – The IT governance framework begins with setting IT objectives and measures and compares performance against them
  – Assessing business risks,
  – Controlling for business risks, and
  – Evaluating the effectiveness of controls
Controls Hierarchy
• General and Application Controls of Information Technology
[Diagram: layered controls hierarchy, spanning the Governance, Management and Technical levels]
– Policies
– IT Standards
– Management and Organization
– Physical and Environmental Controls
– Systems Software Controls
– Systems Development Controls
– Application-based controls
Auditing Structure
[Organization chart]
– CEO/CIO
– Board Audit Committee
– Head of Audit Dept
  – Head of Non-IT Audit: Non-IT Audit Team Members
  – Head of IT Audit: IT Audit Team Members
Entity-Level Controls
[Diagram: layered stack of control levels]
– Physical Facility
– Network Intra
– Operating System
– Middleware
– Database
– Application
IT Auditor
[Diagram: the IT auditor's relationships]
– Information Systems Auditor
– Support for Financial Auditors
– Financial Auditor
– IT Auditor Specialist
Member of Enterprise Audit Organization
• Follows and adheres to the standards and principles of the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA)
Professional Certification
• Certified Information Systems Auditor (CISA) certification
  – by completing an examination given by ISACA
  – meeting specific experience requirements
  – complying with a Code of Professional Ethics
  – undergoing continuing professional education
  – complying with the Information Systems Auditing Standards
• Certified Information Security Manager (CISM)
  – granted by ISACA
  – evaluates knowledge in
    • information security governance
    • information security program management
    • risk management
    • information security management
    • response management
Auditors Must Have
• Knowledge, skills and abilities
  – Knowledge of auditing, IS and network security
  – Investigation and process flow analysis skills
  – Interpersonal/human relations skills
  – Verbal and written communication skills
  – Ability to exercise good judgment
  – Ability to maintain confidentiality
  – Ability to use IT desktop office tools, vulnerability analysis tools, and other IT tools
• Many of the audit steps are nontechnical
  – Ability to work in a team with other auditors
  – Ability to interact with clients, which requires strong interpersonal relationships
  – Will need to interview the CIO
Auditors' Roles and Responsibilities
• Ensure IT governance by assessing risks and monitoring controls over those risks
• Works as either an internal or external auditor
• Works on many kinds of audit engagements
• Reviews and assesses enterprise management controls
• Reviews and performs tests of enterprise internal controls
• Reports to management
• Job Tasks
  – Designs technology-based audit approaches; analyzes and evaluates enterprise IT processes
  – Works independently or in a team to review enterprise IT controls
  – Examines the effectiveness of information security policies and procedures
  – Develops and presents training workshops for audit staff
  – Conducts and oversees investigations of inappropriate computer use
  – Performs special projects and other duties as assigned
Financial vs IT Audit
• IT auditors may work on financial audit engagements
• IT auditors may work on every step of the financial audit engagement
• Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
• IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important
The Role of IT Auditors in the Financial Audit Process
[Flow diagram of the financial audit process]
1. Develop an understanding and perform preliminary audit work
2. Evaluate the internal control system
3. Determine degree of reliance on internal controls
4. Develop audit plan
5. Perform substantive testing
6. Review work and issue audit report
7. Conduct follow-up work
Effective IT Audit
• Early involvement
• Informal audits
• Knowledge sharing
• Self-assessments
Computers' Roles in Internal Controls
• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System of authorizations
• Adequate documents and records
• Physical control over assets and records
• Adequate management supervision
• Independent check on performance
• Comparing recorded accountability with assets
Ultimate Goal
At the end of the day, it is all about the 'Bottom Line'
Profit, profit, and profit
Happiness?