8/13/2019 introduction is audit
1/35
Information Technology Risk and Controls: Information System Audit Course
Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and Web Trust
Backgrounds
1. Return on Investment & IT Business Risks
- A significant portion of a company's investment is in Information Technology.
- Companies implement new systems (ERP, e-Commerce) or significant modifications (changed business requirements):
  - Will the business requirement be met by the IT solutions?
  - What is the return on investment?
- Computer/EDP-related errors and irregularities:
  - Incorrect processing/calculation, e.g. billing systems, phone banking, Internet banking, etc.
  - Discontinuity of the IT function due to disaster, viruses, etc.
  - Computer fraud
Backgrounds (cont'd)
2. Complex Systems & Assurance Needs
- Highly integrated, computerized processing of business transactions: the auditor needs a certain level of understanding of, and assurance over, the complex accounting transaction processing system.
- Introduction of new advanced technology: e-Commerce, EDI (Electronic Data Interchange), SWIFT.
- Audit evidence: electronic and hardcopy evidence.
- Use of passwords for authorization; no print-out of transaction listings.
Backgrounds (cont'd)
3. Quality and Career
- Maintain individual competitiveness (globalization)
- Focus and specialization in managing IT risk and audit
4. Audit Requirements
- For external auditors:
  - SA Seksi 314: Risk Assessment and Internal Control: Consideration and EDP Characteristics
  - SA Seksi 335: Auditing in an EDP Environment
- For internal auditors: SPFAIB for the banking industry
Definition: Information Systems Auditing
The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.
(Ron Weber)
IS Audit Objectives
- Asset Safeguarding: the assets of a computer installation (hardware, software, people, data files, system documentation, and supplies) must be protected by a system of internal control.
- Data Integrity: data integrity is a fundamental concept in IS auditing. It is a state implying that data has certain attributes: completeness, soundness, purity, veracity.
- System Effectiveness and Efficiency: evaluating effectiveness implies knowledge of user needs. An efficient data processing system uses minimum resources to achieve its required output.
Information System Auditor vs Financial/Internal Auditor
Matters | Information System Auditor | Financial/Internal Auditor
Standards | Generally Accepted IT Controls Principles (COBiT) | GAAP / SAS 78: Internal Control
Auditee | IT Division | Mostly Finance & Accounting Dept / all functions of the organization
Professional Organization | ISACA | AICPA / IIA
Qualification | CISA | CPA / CIA
Career Objectives | Chief Information Officer; Consultant: Auditor/Advisor for Information Systems/Technology Control | Chief Financial Officer; Head of Internal Audit Division
ISACA: Information Systems Audit and Control Association
The Information Systems Audit and Control Association (ISACA) is a recognized global leader in IT governance, control and assurance. ISACA sponsors international conferences and administers the globally respected CISA certification.
- Founded in 1969
- Now more than 110,000 constituents in over 180 countries
- Its members include internal and external auditors, CEOs, CFOs, CIOs, educators, information security and control professionals, business managers, students, and IT consultants
- Develops globally applicable Information Systems (IS) Auditing and Control Standards
- Certifies professionals as CISA (Certified Information Systems Auditor); more than 103,000 have earned the CISA designation since its inception in 1978
Information Technology Risk and Controls: Information System Audit Course
Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and Web Trust
Specific Industry Applications
- Banking (Internet and mobile banking)
- Insurance (agency systems)
- Telecommunication (billing systems)
- Oil and Gas (purchasing and inventory systems)
- Manufacturing (product costing)
- Retail (point of sale)
Non-Industry-Specific Applications
- Reporting systems
- Call center
- Enterprise Resource Planning
- Office automation
- Cloud computing
The Need for Control and IS Audit
"Your business processes depend on the computer applications and data that support them - so you need to be sure that your data and systems are secure. Yet, all the time, rapid changes in business and technology keep increasing your organization's control and security challenges - and reducing your reaction time."
Source: Ernst & Young website www.ey.com
IT Business Risk
Although technology provides opportunities for growth and development, it also represents threats, such as disruption, deception, theft, and fraud. Research shows that outside attackers threaten organizations, yet trusted insiders are a far greater threat.
IT controls are essential to protect assets, customers, partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today's global market and regulatory environment, these things are too easy to lose.
Information Security Risk
Information security rests on three properties: Confidentiality, Integrity, and Availability. The risks shown against them are:
- Unauthorized disclosure / theft (confidentiality)
- Unauthorized modification (integrity)
- Unauthorized destruction / denial (availability)
- Unauthorized use
Executives' View about IT Risk and Control
1. Why should I understand IT risk and control? Two words: assurance and reliability.
2. What is to be protected? Trust should be protected because it ensures business efficiency.
3. Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself.
Executives' View (cont'd)
4. Who is responsible? Everyone. However, control ownership and responsibilities must be defined and disseminated by management.
5. When should IT risk and controls be assessed? Always. IT is a rapidly changing environment that promotes process and organizational change.
6. How much control is enough? Management must decide based on risk appetite, tolerance and mandatory regulations.
View of IT Controls
Information system auditors need to understand the range of controls available for mitigating IT risks. The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls, as well as the realization that failure of one set of controls can lead to increased reliance on, and necessary examination of, other control groups.
- General Control: general IT controls are typically pervasive in nature and are addressed through various audit avenues.
- Application Control: application controls provide another category of controls and include controls within an application around input, processing, and output.
- IT Governance: another view of IT controls (see next slide).
IT Governance
When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization's overall business needs.
IT governance is not only composed of the controls needed to address identified risks but is also an integrated structure of IT practices and personnel that must be aligned closely with, and enable achievement of, the organization's overall strategies and goals.
IT Controls
IT controls form part of INTERNAL CONTROLS and are split into:
- General Controls
- Application Controls
Control areas shown in the diagram: Application Systems Development/Changes; Computer Service Center (Operations and Security); Computer Application Systems and Programs.
IT Controls and Financial Reporting
Information Technology Risk and Controls: Information System Audit Course
Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and Web Trust
Financial Audit Objective and External Auditor's Responsibility
The primary objective of an audit of financial statements is to express an opinion as to whether the financial statements are fairly presented, in all material respects, at a specified date.
It is the external auditor's responsibility to design the audit engagement to provide reasonable assurance that the financial statements are fairly stated in all material respects.
When is an IS Audit required, and when not?
- Importance to the client's business activities: limited / moderate / very important
- Complexity of the computer environment: simple / moderate / complex
- Extent of use in the business: limited / moderate / pervasive
- Overall classification: minor / significant / dominant
An IS auditor will be involved if the overall classification is significant or dominant.
Does the size of a company also determine the involvement of an IS auditor?
SPAP* related to IS Audit
- SA 314: Risk Assessment and Internal Control: Consideration and Characteristics of Computer Information Systems (SIK)
- SA 319: Consideration of Internal Control in a Financial Statement Audit
- SA 324: Reporting on the Processing of Transactions by Service Organizations
- SA 327: Computer-Assisted Audit Techniques
- SA 335: Auditing in a Computer Information Systems (SIK) Environment
* SPAP = Standar Profesional Akuntan Publik (Professional Standards for Public Accountants, issued by Institut Akuntan Publik Indonesia/IAPI)
Conclusion
- An IS audit is very relevant when external auditors are engaged in auditing a client with a significant or dominant computer processing environment.
- From the external auditor's point of view, an IS audit helps determine whether control assurance and substantive assurance can be obtained in order to achieve an effective and efficient audit.
Information Technology Risk and Controls: Information System Audit Course
Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and WebTrust
Agenda 4: Application of IS Audit and Web Trust
WebTrust / SysTrust Certification
Agenda 4: Application of IS Audit and Web Trust
WebTrust Defined
Note: the PROCESSING INTEGRITY principle is met through SysTrust (see next slide).
Agenda 4: Application of IS Audit and Web Trust
Ernst & Young's seal: CyberProcess Certification
Agenda 4: Application of IS Audit and Web Trust
Example of WebTrust in Practice: Report of Management
Agenda 4: Application of IS Audit and Web Trust
Report of Independent Accountants
Agenda 4: Application of IS Audit and Web Trust
Certification on Internet Banking: VeriSign Certificate
Agenda 4: Worked Example: Financial Statement Audit & Web Trust
Certification on Internet Banking
Comparison of Seals
Seal | Product Cost | Privacy of Data | Security of Data | Business Policies | Transaction Processing Integrity
BBBOnline | Low | NO | NO | Lightly covered | NO
TRUSTe | Low | YES | NO | NO | NO
VeriSign | Low to medium | NO | YES: data transmittal; NO: data storage | NO | NO
ICSA | High | YES | YES | Somewhat covered | Lightly covered
WebTrust | High | YES | YES | YES | YES
End of Presentation
Thank You!