Audit and Evaluation of Information Technology (Audit dan Evaluasi Teknologi Informasi), MTI-CIO 2012

Uploaded by: cahyani-windarto

Posted on 22-Jan-2015


Page 2

Introduction

• Definition
  – “Examine carefully for accuracy with the intent of verification”
  – “A methodical examination or review of a condition or situation”
• Why audit?
• Who?

[Diagram: Information Management System within the Organization, showing the Linked System and the Internal System]

Page 3

IS/IT Audit

• Information Systems (IS)
  – Involve more than just computers
  – Successful application requires understanding of
    • the business
    • the environment
• Computer-Based Information Systems (CBIS)
  – Computer utilization (hardware/software/database/network)
  – Technology to perform tasks (procedures/people/etc.)
• The collection of IS; the term is often used interchangeably with Information Technology (IT)

Page 4

IT Audit

• Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures
• The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data availability/integrity/confidentiality, achieves organisational goals effectively and consumes resources effectively
  – Involves evaluating the computer’s role in achieving
    • audit objectives
    • control objectives
  – Means proving that data and information are
    • reliable
    • confidential
    • secure
    • available
  – Includes attest objectives such as
    • safeguarding of assets and data integrity
    • operational effectiveness

Page 5

Standards

• Auditors are guided in their professional responsibility by the generally accepted auditing standards (GAAS)

Generally Accepted Auditing Standards

General Standards
  – The auditor must have adequate technical training and proficiency to perform the audit.
  – The auditor must maintain independence in mental attitude in all matters related to the audit.
  – The auditor must use due professional care during the performance of the audit and the preparation of the report.

Standards of Field Work
  – Audit work must be adequately planned.
  – The auditor must gain a sufficient understanding of the internal control structure.
  – The auditor must obtain sufficient, competent evidence.

Standards of Reporting
  – The auditor must state in the auditor’s report whether the financial statements are presented in accordance with generally accepted accounting principles.
  – The report must identify those circumstances in which generally accepted accounting principles were not applied.
  – The report must identify any items that do not have adequate informative disclosures.
  – The report shall contain an expression of the auditor’s opinion on the financial statements as a whole.

Page 6

Auditing Aims

Internal
• Responsibility for performance
  – Company’s own employees
  – External to the department being audited
• Audit purpose
  – Employee compliance with policies and procedures
  – Development and evaluation of internal controls

External
• Responsibility for performance
  – Those outside the organization
  – Accountants working for an independent CPA
• Audit purpose
  – Performance of the attest function
  – Evaluate the accuracy and fairness of the financial statements relative to GAAP

Page 7

Audit Type

Internal audit
• Company personnel reporting to
  – top management and/or
  – the Audit Committee of the Board of Directors
• External to the corporate department or division being audited
• Concerns employee adherence to
  – company policies and procedures, and the evaluation of internal controls
• Relatively broad in scope, including
  – auditing for fraud
  – ensuring that employees are not copying software programs illegally
• Provides assurance to a company’s top management about
  – the efficiency of its organization, and
  – the effectiveness of its organization

External audit
• Independent
• Evaluates the risks to
  – the integrity of accounting data
• Makes recommendations
  – to managers
  – to improve these controls
• Conducted in the context of GAAP
• Checks whether financial statements
  – are free of material errors
  – do not contain fraudulent misstatements
• Includes a variety of assurance services

Page 8

IT Audit Function

[Diagram: Scope of the IT/IS Audit and its Objectives]

Objectives
• Safeguarding of assets
• Improved data integrity
• Improved system effectiveness
• Improved system efficiency

Elements
1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity

Page 9

Policies, Standards, Guidelines, and Procedures

Organizations typically have four types of documents in place:
– Policy
– Standard
– Guideline
– Procedure

Policy
• Provides emphasis
• Sets direction
• Signed by management authority

Standard
• Specifies a uniform method of support for the policy
• Compliance is mandatory

Guideline
• Suggested actions to consider in the absence of an applicable standard
• Discretionary usage
• Can be used to create a new standard

Procedure
• Step-by-step instructions to perform the desired actions
• Provides support for the standard
• Compliance is mandatory

A change control process is used to review and revise these documents (ineffective result?).

Page 10

IT Governance

• The process for controlling an organization’s IT resources, including information and communication systems, and technology.
• The utilization of IT is to promote an organization’s objectives, enable business processes, and manage and control IT-related risks.
• General Controls
  – The concept is relatively new
  – Ensuring that effective IT management and security principles, policies and processes, with appropriate compliance measurement tools, are in place
  – Require an active audit committee
• Control Objectives for Information and Related Technology (COBIT) Guideline
  – Identifies critical success factors, key goal and performance indicators, and an IT governance maturity model
  – The IT governance framework begins with setting IT objectives and measures and compares performance against them by
    – assessing business risks,
    – controlling for business risks, and
    – evaluating the effectiveness of controls

Page 11

Controls Hierarchy

• General and application controls of Information Technology

[Diagram: controls hierarchy, top to bottom]
– Policies
– IT Standards
– Management and Organization
– Physical and Environmental Controls
– Systems Software Controls
– Systems Development Controls
– Application-based Controls

The hierarchy is labelled alongside with three layers: Governance, Management, Technical.

Page 12

Auditing Structure

[Organization chart]
– CEO/CIO
– Board Audit Committee
– Head of Audit Dept
  – Head of Non-IT Audit
    – Non-IT Audit Team Members
  – Head of IT Audit
    – IT Audit Team Members

[Layers covered by the IT auditor]
– Entity-Level Controls
– Physical Facility
– Network Infrastructure
– Operating System
– Middleware
– Database
– Application

IT Auditor (Information Systems Auditor) provides support for Financial Auditors (Financial Auditor).

Page 13

IT Auditors Specialist

Member of an Enterprise Audit Organization
• Follows and adheres to the standards and principles of the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA)

Professional Certification
• Certified Information Systems Auditor (CISA) certification
  – by completing an examination given by ISACA
  – meeting specific experience requirements
  – complying with a Code of Professional Ethics
  – undergoing continuing professional education
  – complying with the Information Systems Auditing Standards
• Certified Information Security Manager (CISM)
  – granted by ISACA
  – evaluates knowledge in
    • information security governance
    • information security program management
    • risk management
    • information security management
    • response management

Page 14

Auditors Must Have

• Knowledge, skills and abilities
  – Knowledge of auditing, IS and network security
  – Investigation and process flow analysis skills
  – Interpersonal/human relations skills
  – Verbal and written communication skills
  – Ability to exercise good judgment
  – Ability to maintain confidentiality
  – Ability to use IT desktop office tools, vulnerability analysis tools, and other IT tools
• Many of the audit steps are nontechnical
  – Ability to work in a team with other auditors
  – Ability to interact with clients, which requires strong interpersonal relationships
  – Will need to interview the CIO

Page 15

Auditors’ Roles and Responsibilities

• Ensure IT governance by assessing risks and monitoring controls over those risks
• Works as either an internal or an external auditor
• Works on many kinds of audit engagements
• Reviews and assesses enterprise management controls
• Reviews and performs tests of enterprise internal controls
• Reports to management
• Job tasks
  – Designs technology-based audit approaches; analyzes and evaluates enterprise IT processes
  – Works independently or in a team to review enterprise IT controls
  – Examines the effectiveness of information security policies and procedures
  – Develops and presents training workshops for audit staff
  – Conducts and oversees investigations of inappropriate computer use
  – Performs special projects and other duties as assigned

Page 16

Financial vs IT Audit

• IT auditors may work on financial audit engagements
• IT auditors may work on every step of the financial audit engagement
• Standards, such as SAS No. 94, guide the work of IT auditors on financial audit engagements
• IT audit work on financial audit engagements is likely to increase as internal control evaluation becomes more important

[Flowchart: The Role of IT Auditors in the Financial Audit Process]
1. Develop an understanding and perform preliminary audit work
2. Develop audit plan
3. Evaluate the internal control system
4. Determine degree of reliance on internal controls
5. Perform substantive testing
6. Review work and issue audit report
7. Conduct follow-up work

Page 17

Effective IT Audit

• Early involvement
• Informal audits
• Knowledge sharing
• Self-assessments

Page 18

Computers’ Roles in Internal Controls

• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System of authorizations
• Adequate documents and records
• Physical control over assets and records
• Adequate management supervision
• Independent checks on performance
• Comparing recorded accountability with assets

Page 19

Ultimate Goal

At the end of the day, it is all about the ‘Bottom Line’

Profit, profit, and profit

Happiness?