Information Technology Audit and Evaluation (Audit dan Evaluasi Teknologi Informasi), Session 3, MTI-CIO 2012

Jan 25, 2015

CIO course: IT Audit (Mata Kuliah CIO : AUDIT TI), Pak Dani
Page 1: Audit dan evaluasi ti 3

Information Technology Audit and Evaluation

Session 3

MTI-CIO 2012

Page 2

Audit Universe

The Universe
• Inventory all potential audit areas in the organization
• Building the audit universe documents the key business processes and risks
• Best practice: incorporate enterprise-wide risk assessments into audit plans
  – Internal Auditors' (IIA) Standard 2010
    • Analyze risk exposures
    • Priorities for internal audit activity
    • Organization objectives, supporting processes, risks to achieving objectives, controls to mitigate risks
  – Annual audit schedules
    • Process, duration, personnel
  – Planning
    • Organizational changes, risk changes, introduction of new regulations
    • Re-prioritizing
    • External auditors to support/supplement internal staff

Page 3

Risk Assessment

Fast pace of the IT environment in business
• The company must be aware of and deal with the risks it faces.
• Set objectives so that the organization operates in concert.
• Risk assessment is important because it provides a framework for allocating audit resources to achieve maximum benefit
  – a technique to examine potential projects in the audit universe and
  – choose the projects that have the greatest risk exposure.
  – Unlimited potential audit projects require prioritization
  – Provides explicit criteria for systematic evaluation and selection of audit projects

Page 4

Risk Assessment Process

Step 1
  Goal: Set objectives
  Key question: What are we trying to achieve?
  Example: Produce reliable financial statements

Step 2
  Goal: Identify risks to achieving those objectives
  Key question: What could happen that would affect our objectives?
  Example: A natural disaster could destroy computer systems and data

Step 3
  Goal: Assess risk
  Key question: What are the consequences of the risk? What is the likelihood the event will occur?
  Example: Consequences are severe; likelihood is slight

Step 4
  Goal: Manage risk
  Key question: In light of the assessment, what is the most cost-effective way to manage the risk?
  Example: Insure against loss. Develop a business recovery plan. Self-insure.

Step 5
  Goal: Define control objective
  Key question: For risks to be managed through internal control, what are the control objectives?
  Example: Implement a recovery plan that reduces the impact of a natural disaster.

Step 6
  Goal: Design control
  Key question: How should the control be designed to prevent or detect the identified risk?
  Example: Design recovery plan. Implement plan. Test on a regular basis.

CONTROL ACTIVITIES

Page 5

Audit Plan

• Define scope according to organizational goals and policies
  – Budgets of time and costs
• State objectives
  – Priorities
• Structure an orderly approach
• Provide for measurement of achievement
• Assure reasonable comprehensiveness
• Provide flexibility in approach

Page 6

Audit Scheduling

• Create an annual schedule
  – agreement from the board on audit areas
  – communicate the audit areas to the functional departments
• Linked to current business objectives and risks
  – Costs
    • potential loss of goodwill
    • loss of revenue
    • noncompliance with laws and regulations
  – Time availability
    • high-risk prioritization
• Schedule changes
  – informed/communicated

Page 7

Audit Budgeting

• Budget coordination
  – Human resources
    • Training (for error-correction action/recommendation)
  – Understand the capabilities and availability
    • High-level auditing areas, sensitive areas
• Preparation
• Scope objectives clearly stated
  – process areas
  – controls
  – functional area
  – time period
  – other specifics, including
• Prioritization
  – High priority – must be performed
  – Lowest priority – may be scrapped
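As an added example (not from the slides), a small script that applies the risk-based selection described on the Risk Assessment and Audit Budgeting slides: score each area of the audit universe, rank by exposure, schedule high-priority areas unconditionally and fill the remaining budget in rank order. The 1-5 scoring scales, the tier thresholds and the sample audit areas are assumptions.

```python
"""Risk-based selection of audit projects from an audit universe.
Added example, not from the slides: the scoring scales, thresholds and
sample audit areas below are assumptions chosen for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditArea:
    name: str
    likelihood: int  # 1 (slight) to 5 (almost certain), assumed scale
    impact: int      # 1 (minor) to 5 (severe), assumed scale
    hours: int       # estimated auditor-hours the engagement needs

    @property
    def exposure(self) -> int:
        """Risk exposure: the explicit criterion used to rank projects."""
        return self.likelihood * self.impact

def priority(area: AuditArea) -> str:
    """Tier an area: high priority must be performed, lowest may be scrapped.
    The exposure thresholds (15 and 8) are assumptions."""
    if area.exposure >= 15:
        return "high"
    return "medium" if area.exposure >= 8 else "low"

def plan_audits(universe: list, budget_hours: int) -> dict:
    """Rank the universe by exposure and fill the annual schedule.
    High-priority areas are always scheduled, even past the budget; the
    resulting shortfall is reported so management can fund or defer it."""
    ranked = sorted(universe, key=lambda a: (-a.exposure, a.hours))
    scheduled, deferred, used = [], [], 0
    for area in ranked:
        if priority(area) == "high" or used + area.hours <= budget_hours:
            scheduled.append(area.name)
            used += area.hours
        else:
            deferred.append(area.name)
    return {"scheduled": scheduled, "deferred": deferred,
            "hours_used": used, "shortfall": max(0, used - budget_hours)}

# Constructed sample audit universe (illustrative values, not real data).
UNIVERSE = [
    AuditArea("Data centre / disaster recovery", 2, 5, 120),
    AuditArea("Customer billing application", 4, 4, 160),
    AuditArea("ERP access control", 3, 5, 80),
    AuditArea("Intranet web site", 2, 2, 40),
    AuditArea("Print services", 1, 1, 20),
]
```

With a 400-hour budget everything but the lowest-exposure area fits; with 200 hours the two high-priority areas are still scheduled and a 40-hour shortfall is reported.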

Page 8

Audit Workflow

Page 9

Internal Controls

• Sets the tone of the Company
• Senior Management must set an appropriate "Tone at the Top" that positively influences the control consciousness of the personnel.
• This is the foundation for all other components of internal controls and provides discipline and structure.
• Factors that contribute to an effective control environment
  – Integrity and Ethical Values
  – Commitment to Competence
  – Management's Philosophy and Operating Style
  – Organizational Structure
  – Assignment of Authority and Responsibility
  – Human Resources Policies and Practices
  – IT Considerations
• Control Policies and Procedures must be established and executed to help ensure the actions identified by management to address risks are carried out.

Page 10

Monitoring

• The entire control process must be monitored.
• A process that assesses the quality of internal control performance over time.
• Examples of monitoring activities
  – The regular management and supervisory activities carried out in the normal course of business
  – Communications from external parties, which can corroborate internally generated information or indicate problems
    • Customers corroborate billing data
    • Customer complaints
  – External auditors regularly provide recommendations on how internal controls can be strengthened.
  – Employees may be required to "sign off" to evidence performance of control functions.

Page 11

IT Audit Standards

• COSO
• COBIT
• ITIL
• ISO

Background
• When the savings and loan industry collapsed in the mid-1980s → the US government wanted more control
• In an effort to deter governmental intervention, an independent private-sector initiative, later called COSO, was initiated in 1985 to assess how best to improve the quality of financial reporting.

Page 12

Committee of Sponsoring Organizations

• COSO formalized the concepts of internal control and framework in 1992 when it issued the landmark publication Internal Control-Integrated Framework.
• Boeing uses COSO as its internal audit foundation
• Since that time, other professional associations have continued to develop additional frameworks
• Sponsors
  – American Institute of Certified Public Accountants (AICPA)
  – American Accounting Association (AAA)
  – Financial Executives Institute (FEI)
  – Institute of Internal Auditors (IIA)
  – Institute of Management Accountants (IMA)

Page 13

Scoping – The COSO Framework

Control Environment
  – Sets the tone of the organization, influencing the control consciousness of its people
  – Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and the IT control environment
  – Foundation for all other components of control

Risk Assessment
  – Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities

Control Activities
  – Policies/procedures that ensure management directives are carried out
  – Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties

Information & Communication
  – Pertinent information identified, captured and communicated in a timely manner
  – Access to internally and externally generated information
  – Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action

Monitoring
  – Assessment of a control system's performance over time
  – Combination of ongoing and separate evaluation
  – Management and supervisory activities
  – Internal audit activities

Page 14

What Does the Future Hold?

The New Box

Components (front face of the cube): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring

Organizational levels (side face of the cube): Entity-Level, Division, Business Unit, Subsidiary

Objective categories (top face of the cube): Strategic (only this label survives in the transcript)

Page 15

COSO & IT Control

• COSO introduces the concept of controls over information systems.
• It classifies information systems control activities as:
  – General computer controls
    • IT management, IT infrastructure, and software acquisition, development, and maintenance
  – Application controls

Page 16

International Standard Organization

ISO 27001/ISO 17799/BS 7799

• Mainly for the management of information security

• ISO 17799 addresses 11 major areas within the information security discipline:

– Security policy

– Organization of information security

– Asset management

– Human resources security

– Physical and environmental security

– Communications and operations management

– Access control

– Information systems acquisition, development, and maintenance

– Information security incident management

– Business continuity management

– Compliance

Page 17

Control Objectives for Information and Related Technologies

CoBIT

• First published in April 1996
• The foremost internationally recognized framework for IT governance and control. The most recent version, CoBIT 4.0, was released in 2005.
• Developed by the IT Governance Institute (ITGI) of ISACA using a worldwide panel of experts from industry, academia, government, and the IT security and control profession.
• In-depth research was conducted across a wide variety of global sources in order to pull together the best ideas from all germane technical and professional standards.
  – represents a generally applicable and internationally accepted standard of good practice for IT controls.
  – independent of technical platform.
  – management and business process owner-oriented.
  – the international de facto standard for IT governance

Page 18

COBIT Framework

Page 19

IT Infrastructure Library

• ITIL
  – The IT Infrastructure Library (ITIL) was developed by the U.K. government in the mid-1980s
  – It has become a de facto standard for best practices in the provision of IT infrastructure management and service delivery

Page 20

Auditing Web Applications

• The best compilation of common web application issues is maintained by the Open Web Application Security Project (OWASP).

• According to its website, it is "dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted."

• The OWASP "top ten" have made their way into standards, such as the Payment Card Industry (PCI) standard, and these "top ten" are regarded as a set of minimum standards you should examine during an audit.

Page 21

Page 22

Web Audit Example?

• Coverage/Scope
  – Platform
  – Server
  – Application
  – Audit aspects
    • Functional
    • Services
    • Performance
    • Security

Page 23

Quick Exercise

• Create brief risk assessments
  – Web services
  – Comments on which standard to select