7/30/2019 9. IT Audit Implementation
1/34
The Role of IT Audit
At Cornell University
Presented by:
Craig Adams, CISA, CISM
Clayton Dow, CPA, CISA, CIA
Geoffrey Yearwood, CISA
February 14, 2007 2
Agenda
Stakeholders
Auditing in General
University Audit Office
Information Technology Audit
IT Policies
The Changing Face of IT Audit
IT Controls
Stakeholders
Board of Directors
Audit Committee
Senior Management
External Audit
Internal Audit
Audit Clients
Definition of Internal Audit
Institute of Internal Auditors (IIA) Standard, effective January 2002:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
University Audit Office
University Audit Office Charter
The University Audit Office exists to assist university management and the Audit Committee of the Board of Trustees in the effective discharge of their responsibilities. The University Audit Office is responsible for examining and evaluating the adequacy and effectiveness of (1) the systems of internal control and their related accounting, financial, computer, and operational policies and (2) the procedures for financial and compliance monitoring and reporting, and to make recommendations for the improvement thereof.
The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems which are in place to ensure:
reliability and integrity of information;
compliance with policies, plans, procedures, laws, and regulations;
safeguarding of assets; and
economical and efficient use of resources.
The University Audit Office shall have direct access to all university books and records necessary for the effective discharge of its responsibilities. The reporting relationships, duties, and responsibilities of the University Auditor (Audit Director) are contained in the University Bylaws, Article XI.
University Audit Office Mission
The Audit Office supports the mission of the university by helping protect its assets and reputation. We provide objective assurance and advice on behalf of the Board of Trustees and Cornell University.
We review operations and controls, provide relevant analyses, recommend improvements, and promote ethical behavior and compliance with policies and regulations.
University Audit Office Responsibilities
The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems to ensure:
Reliability and integrity of information;
Compliance with policies, plans, procedures, laws, and regulations;
Safeguarding of assets; and
Economical and efficient use of resources.
Cornell University Audit Office
Information Technology
Risk Ranking Results
Rank  Unit                                          Ranking
1     WMC-EPIC System                               394.6
2     Access Security Authentication/Authorization  391.3
3     WMC-Office of Academic Computing              384.9
4     Sponsored Programs                            375.1
5     Systems Development Methodology               368.1
6     OIT-Business Information Systems              364.5
7     OIT-Network and Communications Services       359.1
8     Wireless Network                              353.2
9     PeopleSoft Application and Security           347.8
10    Program, Data, & Transaction Security         343.8
11    OIT-Distributed Learning Services and ATA     338.1
12    Computing & Info Science                      336.0
13    Change Control & Change Management            333.4
14    OIT-Systems and Operations                    333.2
15    OIT-Integration and Delivery                  328.9
16    Oracle Database                               322.7
17    System, User and Production Documentation     320.4
18    Veterinary Medicine                           320.3
19    Data Marts                                    316.0
20    Computer Science                              312.0
21    Network and Server Environment                310.6
22    Network Operations Center                     308.1
23    Johnson School of Management-Parker Center    304.3
24    University Library                            304.1
25    Cornell Nanoscale Facility                    293.1
26    Software Piracy                               288.4
27    Mainframe Security                            281.8
28    Gannett Health Center                         277.0
29    Adabas Database                               277.0
30    OIT-Customer Service and Marketing            269.4
31    CU Police                                     229.9
32    Geneva Agricultural Experiment Station        226.4
Legend: Bold = Business Process
Blue = Institutional Concerns
Red = Senior Staff Concerns
Information Technology Audit
IT Audit Role
Advising the Audit Committee and senior
management on IT internal control issues
Performing IT Risk Assessments
Performing:
Institutional Risk Area Audits
General Controls Audits
Application Controls Audits
Technical IT Controls Audits
Internal Controls advisors during systems development and analysis activities.
IT General Controls
[Diagram: IT Controls > General Controls]
IT Concerns and Issues
Disaster Recovery
Business Resumption Plans
BRP Testing
Alternate Processing
Physical Security
Physical Access
HVAC
Fire Protection
UPS
Backup/Contingency Planning
Data Backups
Restore Procedures
Offsite Storage
Change Management
Program Change Controls
Tracking Change Approvals
IT Application Controls
[Diagram: IT Controls > Application Controls]
IT Concerns and Issues
Output Controls
Reconciliation
Distribution
Access
Processing Controls
Audit Trails
Interface Controls
Control Totals
Access Controls
User-IDs/Passwords
Data Security
Network Security
Security Administration
Access Authorization
Input Controls
Data Entry Controls
System Edits
Segregation of Duties
Transaction Authorization
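The processing, interface and output controls listed above (control totals, reconciliation, audit trails) can be seen working together in one small batch interface between a sending and a receiving system. This is an added example, not material from the slides or from Cornell's systems; the record layout, batch id, account numbers and amounts are all constructed.

```python
from decimal import Decimal

FIELDS = ("count", "amount", "hash")

def batch_totals(records):
    """Recompute the three control totals over a list of transaction records."""
    return {
        "count": len(records),                                  # record count
        "amount": sum(Decimal(r["amount"]) for r in records),   # financial total
        # Hash total: a meaningless sum over a key field. It catches a record
        # replaced by a different one that carries the same amount.
        "hash": sum(int(r["account"]) for r in records),
    }

def reconcile(header, received, audit_trail):
    """Compare the sender's batch header with totals recomputed on the receiving side.

    Appends one audit-trail entry per batch (accepted or rejected) and returns
    True only when every control total agrees."""
    actual = batch_totals(received)
    exceptions = [k for k in FIELDS if actual[k] != header[k]]
    audit_trail.append({
        "batch": header["batch_id"],
        "expected": {k: header[k] for k in FIELDS},
        "actual": actual,
        "status": "REJECTED" if exceptions else "ACCEPTED",
        "exceptions": exceptions,
    })
    return not exceptions

# Constructed sample batch (hypothetical accounts and amounts, not real data).
SENT = [
    {"account": "1001", "amount": "250.00"},
    {"account": "1002", "amount": "75.50"},
    {"account": "1003", "amount": "120.00"},
]
# The sending system computes the header once, before transmission.
HEADER = {"batch_id": "B-0001", **batch_totals(SENT)}

if __name__ == "__main__":
    trail = []
    print("intact:", reconcile(HEADER, SENT, trail))                    # True
    print("dropped record:", reconcile(HEADER, SENT[:2], trail))        # False
    altered = [dict(SENT[0], amount="25.00")] + SENT[1:]
    print("altered amount:", reconcile(HEADER, altered, trail))         # False
    for entry in trail:
        print(entry["batch"], entry["status"], entry["exceptions"])
```

Each rejected batch leaves an audit-trail entry naming which total disagreed, which is the evidence an auditor looks for when testing that the interface control actually operates.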
IT Policies
Cornell University IT Policies
Interim Policies:
Authentication of IT Resources
Privacy of the Network
Established Policies: In the University Library of Policies, information technologies occupies Volume 5.
Abuse of Computers and Network Systems, June 1990
Policy 5.1 Responsible Use of Electronic Communications, October 1995
Policy 5.2 Mass Electronic Mailing, January 2003
Policy 5.3 Use of Escrowed Encryption Keys, January 2003
Policy 5.4.1 Security of Information Technology Resources, June 2004
Policy 5.4.2 Reporting Electronic Security Incidents, June 2004
Policy 5.5 Stewardship and Custodianship of Electronic Mail, Feb. 2005
Policy 5.6 Recording and Registration of Domain Names, April 2004
Policy 5.7 Network Registry, June 2004
Related Policy:
Policy 4.12 Data Stewardship and Custodianship, May 2003
The Changing Face of IT Audit
Emerging & Prevalent IT Audit Issues
Inadequate or Lack of Management Oversight
Poor Segregation of Duties
Inadequate or Lack of Supporting Documentation
No Business Continuity/Disaster Recovery Plan
Change Management
Data Security
Data Loss Incidents
What can you do to prepare for an IT audit?
Read all relevant University IT Policies
Perform a risk assessment
Know your IT vulnerabilities
Identify the internal controls that would mitigate inherent risk
Document your business processes, systems, policies and procedures
Keep Current on the Laws and Regulations
Call the Audit Office for advice
IT Controls
Understanding IT Controls
A top-down approach is used when considering IT controls.
Understanding IT Controls
IT control is a process that provides assurance for information and information services, and helps to mitigate risks associated with the use of technology.
Importance of IT Controls
Needs for IT controls, such as:
controlling cost
protecting information assets
complying with laws and regulations
Implementing effective IT controls will improve efficiency, reliability, and flexibility.
Roles and Responsibilities
Board of Directors / Governing Body
Management: define, approve, implement IT controls
Auditor
Based On Risk
Analyzing Risk
Identify and prioritize risks
Consider risk in determining the adequacy of IT controls
Define risk mitigation strategy: accept/mitigate/share
Monitoring
Monitoring IT Controls
Ongoing monitoring / special review / automated continuous auditing
Assessment
Assessing IT controls is an
ongoing process
Technology continues to
advance
New vulnerabilities emerge
How can I determine if the Internal Controls in my area are adequate?
The central theme of internal control is (1) to identify risks to the achievement of the organization's objectives, and (2) to do what is necessary to manage these risks.
1. Identify the business objectives of your area.
2. Identify the risks that could prevent your department from achieving these objectives.
3. Identify the controls that will manage the risks identified above.
4. Implement the controls that were identified which minimize risk in a cost-effective manner.
5. Periodically review objectives and controls to determine if they still apply.
A car has brakes to allow it to go faster.
University Audit Office
Contact Information
Phone: 255-9300
email: [email protected]
Web Page: http://audit.cornell.edu/