IT Audit and Evaluation 3
CIO Course: IT Audit, Pak Dani
Information Technology Audit and Evaluation
Session 3
MTI-CIO2012
Audit Universe
The Universe
• Inventory all potential audit areas in the organization
• Building the audit universe documents the key business processes and risks
• Best practice: incorporating enterprise-wide risk assessments into audit plans
– Internal Auditors' (IIA) Standard 2010
• Analyze risk exposures
• Set priorities for internal audit activity
• Organization objectives, supporting processes, risks of unachieved objectives, controls to mitigate risks
– Annual audit schedules
• Process, duration, personnel
– Planning
• Organizational changes, changes in risks, introduction of new regulations
• Re-prioritizing
• External auditors to support/supplement internal staff
Risk Assessment
Fast pace of the IT environment in business
• A company must be aware of and deal with the risks it faces.
• Set objectives so that the organization is operating in concert.
• Risk assessment is important to provide a framework for allocating audit resources to achieve maximum benefit
– a technique to examine potential projects in the audit universe and
– choose projects that have the greatest risk exposure.
– Unlimited potential audit projects require prioritization
– Provides explicit criteria for systematic evaluation and selection of audit projects
Risk Assessment Process
Step 1 – Set Objectives
Key question: What are we trying to achieve?
Example: Produce reliable financial statements
Step 2 – Identify risks to achieving those objectives
Key question: What could happen that would affect our objectives?
Example: A natural disaster could destroy computer systems and data
Step 3 – Assess Risk
Key question: What are the consequences of the risk? What is the likelihood the event will occur?
Example: Consequences are severe; likelihood is slight
Step 4 – Manage Risk
Key question: In light of the assessment, what is the most cost-effective way to manage the risk?
Example: Insure against loss. Develop a business recovery plan. Self-insure
Step 5 – Define Control Objective
Key question: For risks to be managed through internal control, what are the control objectives?
Example: Implement a recovery plan that reduces the impact of a natural disaster.
Step 6 – Design Control
Key question: How should the control be designed to prevent or detect the identified risk?
Example: Design recovery plan. Implement plan. Test on a regular basis.
CONTROL ACTIVITIES
Audit Plan
• Define scope according to organizational goals and policies
– Budgets of time and costs
• State objectives
– Priorities
• Structure an orderly approach
• Provide for measurement of achievement
• Assure reasonable comprehensiveness
• Provide flexibility in approach
Audit Scheduling
• Create annual schedule
– agreement from the board on audit areas
– communicate the audit areas with the functional departments
• linked to current business objectives and risks
– Costs
• potential loss of goodwill
• loss of revenue
• noncompliance with laws and regulations
– Time availability
• High-risk prioritization
• Schedule changes
– Informed/communicated
Audit Budgeting
• Budget Coordination
– Human resources
• Training (for error-correction action/recommendation)
– Understand the capabilities and availability
• High-level auditing areas, sensitive areas
• Preparation
• Scope and objectives clearly stated
– process areas
– controls
– functional area
– time period
– other specifics
• Prioritization
– High priority – must be performed
– Lowest priority – may be scrapped
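The risk assessment steps above (exposure = likelihood × consequence) and the budgeting rule that high-priority audits must be performed while the lowest-priority ones may be scrapped can be combined into a simple scheduling routine. This is an added example, not material from the lecture; the 1–5 scoring scales, the 15-point high-risk threshold, the hours budget and the sample audit areas are all constructed assumptions.

```python
# Added example (not from the lecture): ranking an audit universe by risk
# exposure and fitting it into an annual hours budget. The scoring scales,
# the 15-point high-risk threshold and the sample areas are constructed.
from dataclasses import dataclass


@dataclass
class AuditArea:
    name: str
    likelihood: int        # 1 = slight ... 5 = almost certain
    consequence: int       # 1 = minor ... 5 = severe
    hours: int             # estimated audit effort
    mandatory: bool = False  # e.g. required by regulation; always scheduled

    def exposure(self) -> int:
        """Risk exposure = likelihood x consequence (step 3 of the process)."""
        return self.likelihood * self.consequence


def plan_audit_schedule(universe, budget_hours, high_risk_threshold=15):
    """Greedy prioritisation: mandatory and high-exposure areas must be
    performed even if that overruns the budget (flagged, so management can
    re-prioritise); remaining areas fill the leftover hours by descending
    exposure and the lowest-priority ones are deferred."""
    ranked = sorted(universe,
                    key=lambda a: (not a.mandatory, -a.exposure(), a.hours))
    scheduled, deferred, used = [], [], 0
    for area in ranked:
        must_perform = area.mandatory or area.exposure() >= high_risk_threshold
        if must_perform or used + area.hours <= budget_hours:
            scheduled.append(area.name)
            used += area.hours
        else:
            deferred.append(area.name)
    return {"scheduled": scheduled, "deferred": deferred,
            "hours_used": used, "over_budget": used > budget_hours}


# Constructed sample audit universe (illustrative values only)
SAMPLE_UNIVERSE = [
    AuditArea("Financial reporting system", 2, 5, 120),
    AuditArea("Data centre physical security", 1, 5, 40),   # severe, slight
    AuditArea("Web customer portal", 4, 4, 80),
    AuditArea("PCI cardholder environment", 3, 5, 100, mandatory=True),
    AuditArea("HR payroll access control", 3, 3, 60),
    AuditArea("Backup and recovery testing", 3, 4, 50),
]

if __name__ == "__main__":
    for budget in (300, 150):
        print(budget, plan_audit_schedule(SAMPLE_UNIVERSE, budget))
```

With a 300-hour budget the low-exposure data centre audit is deferred; with 150 hours the two must-perform areas alone overrun the budget and the plan is flagged for re-prioritization.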
Audit Workflow
Internal Controls
• Sets the tone of the Company
• Senior Management must set an appropriate “Tone at the Top” that positively influences the control consciousness of the personnel.
• This is the foundation for all other components of internal controls and provides discipline and structure.
• Factors that contribute to an effective control environment
– Integrity and Ethical Values
– Commitment to Competence
– Management’s Philosophy and Operating Style
– Organizational Structure
– Assignment of Authority and Responsibility
– Human Resources Policies and Practices
– IT Considerations
• Control Policies and Procedures must be established and executed to help ensure the actions identified by management to address risks are carried out.
Monitoring
• The entire control process must be monitored.
• A process that assesses the quality of internal control performance over time.
• Examples of monitoring activities
– The regular management and supervisory activities carried out in the normal course of business
– Communications from external parties, which can corroborate internally generated information or indicate problems
• Customers corroborate billing data
• Customer complaints
– External Auditors regularly provide recommendations on the way internal controls can be strengthened.
– Employees may be required to “sign off” to evidence performance of control functions.
IT Audit Standards
• COSO
• COBIT
• ITIL
• ISO
Background
• When the savings and loan industry collapsed in the mid-1980s, the US government wanted more control
• In an effort to deter governmental intervention, an independent private-sector initiative, later called COSO, was initiated in 1985 to assess how best to improve the quality of financial reporting.
Committee of Sponsoring Organizations
• COSO formalized the concepts of internal control and framework in 1992 when it issued the landmark publication Internal Control – Integrated Framework.
• Boeing uses COSO as the internal audit foundation
• Since that time, other professional associations have continued to develop additional frameworks
• Sponsors
– American Institute of Certified Public Accountants (AICPA)
– American Accounting Association (AAA)
– Financial Executives Institute (FEI)
– Institute of Internal Auditors (IIA)
– Institute of Management Accountants (IMA)
Scoping – The COSO Framework
Control Environment
– Sets the tone of the organization, influencing the control consciousness of its people
– Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and the IT control environment
– Foundation for all other components of control
Risk Assessment
– Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities
Control Activities
– Policies/procedures that ensure management directives are carried out
– Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties
Information & Communication
– Pertinent information identified, captured and communicated in a timely manner
– Access to internally and externally generated information
– Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action
Monitoring
– Assessment of a control system's performance over time
– Combination of ongoing and separate evaluation
– Management and supervisory activities
– Internal audit activities
What Does the Future Hold?
The New Box
Components:
– Internal Environment
– Objective Setting
– Event Identification
– Risk Assessment
– Risk Response
– Control Activities
– Information & Communication
– Monitoring
Entity levels: Entity-Level, Division, Business Unit, Subsidiary
Objective categories: Strategic
COSO & IT Control
• COSO introduces the concept of controls over information systems.
• It classifies information systems control activities as:
– General computer controls
• IT management, IT infrastructure, and software acquisition, development, and maintenance
– Application controls
International Standard Organization
ISO 27001/ISO 17799/BS 7799
• Mainly for the management of information security
• ISO 17799 addresses 11 major areas within the information security discipline:
– Security policy
– Organization of information security
– Asset management
– Human resources security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development, and maintenance
– Information security incident management
– Business continuity management
– Compliance
Control Objectives for Information and Related Technologies
CoBIT
• First published in April 1996
• The foremost internationally recognized framework for IT governance and control. The most recent version, CoBIT 4.0, was released in 2005.
• Developed by the IT Governance Institute (ITGI) of ISACA using a worldwide panel of experts from industry, academia, government, and the IT security and control profession.
• In-depth research was conducted across a wide variety of global sources in order to pull together the best ideas from all germane technical and professional standards.
– represents a generally applicable and internationally accepted standard of good practice for IT controls.
– independent of technical platform.
– management and business process owner-oriented.
– the international de facto standard for IT governance
COBIT Framework
IT Infrastructure Library
• ITIL
– The IT Infrastructure Library (ITIL) was developed by the U.K. government in the mid-1980s
– It has become a de facto standard for best practices in the provision of IT infrastructure management and service delivery
Auditing Web Applications
• The best compilation of common web application issues is maintained by the Open Web Application Security Project (OWASP).
• According to its website, it is "dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted."
• The OWASP "top ten" have made their way into standards, such as the Payment Card Industry (PCI) standard, and these "top ten" are regarded as a set of minimum standards you should examine during an audit.
Web Audit Example?
• Coverage/Scope
– Platform
– Server
– Application
– Audit Aspects
• Functional
• Services
• Performance
• Security
Quick Exercise
• Create brief risk assessments
– Web Services
– Comments on which standard to select