Introduction to IS Audit


  • 8/13/2019 introduction is audit

    1/35

    Information Technology Risk and Controls
    Information System Audit Course

    Agenda
    1. Introduction to Information System Auditing
    2. Introduction to the Basis of IT-related Business Risks and Controls
    3. Integration of Financial Audit and IS Audit
    4. Application of IS Audit and WebTrust


    2/35

    Backgrounds

    1. Return on investment & IT business risks
    A significant portion of a company's investment goes into Information Technology. Companies implement new systems (ERP, e-Commerce) or make significant modifications to existing ones (changed business requirements).
    Will the business requirement be met by the IT solution?
    What is the return on investment?

    Computer/EDP-related errors and irregularities: incorrect processing or calculation, e.g. in billing systems, phone banking, Internet banking, etc.
    Discontinuity of the IT function due to disaster, viruses, etc.
    Computer fraud.


    3/35

    Backgrounds (cont'd)

    2. Complex systems & assurance needs
    Business transactions are processed by highly integrated, computerized systems, so a certain level of understanding of, and assurance over, complex accounting transaction processing systems is needed.
    Introduction of new advanced technology: e-Commerce, EDI (Electronic Data Interchange), SWIFT.
    Audit evidence is now electronic as well as hardcopy.
    Passwords are used for authorization; there is no print-out of transaction listings.


    4/35

    Backgrounds (cont'd)

    3. Quality and career
    Maintain individual competitiveness (globalization).
    Focus and specialization in managing IT risk and audit.

    4. Audit requirements
    For the external auditor: SA Section 314, Risk Assessment and Internal Control - Considerations and EDP Characteristics; SA Section 335, Auditing in an EDP Environment.
    For the internal auditor: SPFAIB for the banking industry.


    5/35

    Definition: Information Systems Auditing

    The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.
    (Ron Weber)


    6/35

    IS Audit Objectives

    Asset safeguarding: the assets of a computer installation include hardware, software, people, data files, system documentation, and supplies; they must be protected by a system of internal control.

    Data integrity: a fundamental concept in IS auditing. It is a state implying that data has certain attributes: completeness, soundness, purity, veracity.

    System effectiveness and efficiency: evaluating effectiveness implies knowledge of user needs. An efficient data processing system uses minimum resources to achieve its required output.


    7/35

    Information System Auditor vs Financial/Internal Auditor

    Matters                   | Information System Auditor                                   | Financial/Internal Auditor
    Standards                 | Generally Accepted IT Control Principles (COBIT)             | GAAP / SAS 78: Internal Control
    Auditee                   | IT Division                                                  | Mostly Finance & Accounting Dept / all functions of the organization
    Professional organization | ISACA                                                        | AICPA / IIA
    Qualification             | CISA                                                         | CPA / CIA
    Career objectives         | Chief Information Officer; consultant (auditor/advisor) for information systems/technology control | Chief Financial Officer; Head of Internal Audit Division


    8/35

    ISACA - Information Systems Audit and Control Association

    The Information Systems Audit and Control Association (ISACA) is a recognized global leader in IT governance, control and assurance. ISACA sponsors international conferences and administers the globally respected CISA certification.
    Founded in 1969.
    Now more than 110,000 constituents in over 180 countries.
    Its members include internal and external auditors, CEOs, CFOs, CIOs, educators, information security and control professionals, business managers, students, and IT consultants.
    Develops globally applicable Information Systems (IS) Auditing and Control Standards.
    Certifies professionals as CISA (Certified Information Systems Auditor); more than 103,000 have earned the CISA designation since its inception in 1978.


    9/35

    Agenda 2: Introduction to the Basis of IT-related Business Risks and Controls


    10/35

    Specific Industry Applications

    Banking (Internet and mobile banking)
    Insurance (agency systems)
    Telecommunication (billing systems)
    Oil and Gas (purchasing and inventory systems)
    Manufacturing (product costing)
    Retail (point of sale)


    11/35

    Non-Industry-Specific Applications

    Reporting systems
    Call center
    Enterprise Resource Planning
    Office automation
    Cloud computing


    12/35

    The Need for Control and IS Audit

    Your business processes depend on the computer applications and data that support them, so you need to be sure that your data and systems are secure. Yet, all the time, rapid changes in business and technology keep increasing your organization's control and security challenges and reducing your reaction time.

    Source: Ernst & Young website www.ey.com


    13/35

    IT Business Risk

    Although technology provides opportunities for growth and development, it also represents threats, such as disruption, deception, theft, and fraud. Research shows that outside attackers threaten organizations, yet trusted insiders are a far greater threat.

    IT controls are essential to protect assets, customers, partners, and sensitive information; to demonstrate safe, efficient, and ethical behavior; and to preserve brand, reputation, and trust. In today's global market and regulatory environment, these things are too easy to lose.


    14/35

    Information Security Risk

    Information security has three objectives, each paired with the threat it guards against:
    Confidentiality: unauthorized disclosure, theft
    Integrity: unauthorized modification
    Availability: unauthorized destruction, denial
    The diagram also lists unauthorized use as a threat.


    15/35

    Executives' View about IT Risk and Control

    1. Why should I understand IT risk and control?
    Two words: assurance and reliability.

    2. What is to be protected?
    Trust should be protected because it ensures business efficiency.

    3. Where are IT controls applied?
    Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself.


    16/35

    Executives' View (cont'd)

    4. Who is responsible?
    Everyone. However, control ownership and responsibilities must be defined and disseminated by management.

    5. When should IT risk and controls be assessed?
    Always. IT is a rapidly changing environment that promotes process and organizational change.

    6. How much control is enough?
    Management must decide based on risk appetite, tolerance and mandatory regulations.


    17/35

    View of IT Controls

    Information system auditors need to understand the range of controls available for mitigating IT risks. Two categories are distinguished:

    General controls: general IT controls are typically pervasive in nature and are addressed through various audit avenues.

    Application controls: application controls provide another category of controls and include controls within an application around input, processing, and output.

    The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls, as well as the realization that failure of one set of controls leads to increased reliance on, and necessary examination of, other control groups.

    IT governance offers another view of controls (next slide).
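    Application controls are easiest to see in code. The following is an added example, not from the course slides or from any named product: it models a constructed billing batch and exercises one control at each of the three points the slide names. Input edits validate each record; processing is gated on control totals (record count, amount total and a hash total over customer IDs) recomputed and compared with the batch header; and an output reconciliation shows that accepted plus rejected records account for everything received. The batch data, header totals, edit rules and function names are all assumptions made for the illustration.

```python
"""
Application controls around input, processing and output, exercised the way an
IS auditor would test them. Added example: the billing batch, the header
control totals and the edit rules are constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


@dataclass
class BatchResult:
    totals_match: bool                       # header control totals vs. recomputed totals
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (raw record, list of reasons)
    accepted_total: Decimal = Decimal("0")
    rejected_total: Decimal = Decimal("0")

    def reconciles(self, header) -> bool:
        """Output control: what went forward plus what was rejected must equal
        what came in, so nothing is silently dropped or double-counted."""
        return (self.totals_match
                and len(self.accepted) + len(self.rejected) == header["record_count"]
                and self.accepted_total + self.rejected_total == header["amount_total"])


def to_amount(text):
    """Parse an amount field; None means the field is not numeric."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def amount_or_zero(text):
    amount = to_amount(text)
    return amount if amount is not None else Decimal("0")


def input_edit_checks(raw):
    """Input controls: field-level edits on one record (format, range, sign)."""
    invoice_no, customer_id, amount_text = raw
    reasons = []
    if not (invoice_no.startswith("INV-") and invoice_no[4:].isdigit()):
        reasons.append("invoice number format")
    if not 10000 <= customer_id <= 99999:
        reasons.append("customer id out of range")
    amount = to_amount(amount_text)
    if amount is None:
        reasons.append("amount not numeric")
    elif amount <= 0:
        reasons.append("amount must be positive")
    return reasons


def control_totals(raws):
    """Recompute the batch control totals the sender supplies in the header.
    The hash total is a sum over a field (customer id) that is meaningless in
    itself; it exists only to detect a lost, duplicated or altered record."""
    return {
        "record_count": len(raws),
        "amount_total": sum((amount_or_zero(r[2]) for r in raws), Decimal("0")),
        "hash_total": sum(r[1] for r in raws),
    }


def process_batch(header, raws):
    """Processing control: the batch is processed only if its recomputed control
    totals agree with the header; each record then passes the input edits, and
    accepted and rejected amounts are accumulated separately for reconciliation."""
    result = BatchResult(totals_match=(control_totals(raws) == header))
    if not result.totals_match:
        return result                          # whole batch goes back to the sender
    for raw in raws:
        reasons = input_edit_checks(raw)
        amount = amount_or_zero(raw[2])
        if reasons:
            result.rejected.append((raw, reasons))   # exception report / suspense
            result.rejected_total += amount
        else:
            result.accepted.append(raw)
            result.accepted_total += amount
    return result


# Constructed sample batch: (invoice_no, customer_id, amount) plus the header
# totals the sender computed over what it transmitted.
GOOD_HEADER = {"record_count": 4, "amount_total": Decimal("585.00"), "hash_total": 41250}
GOOD_BATCH = [
    ("INV-1001", 10311, "120.50"),
    ("INV-1002", 10312, "89.50"),
    ("INV-1003", 10313, "400.00"),
    ("INV-1004", 10314, "-25.00"),   # fails the sign edit; must land in the exception report
]
# Same batch with one amount altered after the header was computed.
TAMPERED_BATCH = GOOD_BATCH[:2] + [("INV-1003", 10313, "4000.00")] + GOOD_BATCH[3:]

if __name__ == "__main__":
    good = process_batch(GOOD_HEADER, GOOD_BATCH)
    print("good batch: accepted", len(good.accepted), "rejected", len(good.rejected),
          "reconciles", good.reconciles(GOOD_HEADER))
    bad = process_batch(GOOD_HEADER, TAMPERED_BATCH)
    print("tampered batch: control totals match", bad.totals_match)
```

    The point an auditor looks for is that each layer catches a different failure: the edit check catches a bad record without discarding the batch, the control totals catch a batch that was altered or truncated in transit before any record is processed, and the reconciliation proves completeness of processing rather than just correctness of individual records.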


    18/35

    IT Governance

    When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization's overall business needs.

    IT governance is not only composed of the controls needed to address identified risk; it is also an integrated structure of IT practices and personnel that must be aligned closely with, and enable achievement of, the organization's overall strategies and goals.


    19/35

    IT Controls

    Diagram: INTERNAL CONTROLS are divided into
    General Controls: Computer Service Center (operations and security); Application Systems Development/Changes
    Application Controls: Computer Application Systems and Programs


    20/35

    IT Controls and Financial Reporting


    21/35

    Agenda 3: Integration of Financial Audit and IS Audit


    22/35

    Financial Audit Objective and External Auditor's Responsibility

    The primary objective of an audit of financial statements is to express an opinion as to whether the financial statements are fairly presented, in all material respects, at a specified date.

    It is the external auditor's responsibility to design the audit engagement to provide reasonable assurance that the financial statements are fairly stated in all material respects.


    23/35

    When is an IS Audit required, and when is it not?

    Importance to the client's business activities: limited / moderate / very important
    Complexity of the computer environment: simple / moderate / complex
    Extent of use in the business: limited / moderate / pervasive
    Overall classification: minor / significant / dominant

    An IS auditor will be involved if the overall classification is significant or dominant.

    Does the size of a company also determine the involvement of an IS auditor?


    24/35

    SPAP* standards related to IS Audit

    SA 314: Risk Assessment and Internal Control - Considerations and Characteristics of Computer Information Systems (SIK)
    SA 319: Consideration of Internal Control in a Financial Statement Audit
    SA 324: Reporting on the Processing of Transactions by Service Organizations
    SA 327: Computer-Assisted Audit Techniques
    SA 335: Auditing in a Computer Information Systems (SIK) Environment

    * SPAP = Standar Profesional Akuntan Publik (Professional Standards for Public Accountants, issued by Institut Akuntan Publik Indonesia / IAPI)


    25/35

    Conclusion

    An IS audit is very relevant when external auditors are engaged to audit a client with a significant or dominant computer processing environment.

    From the external auditor's point of view, an IS audit helps to determine whether control assurance and substantive assurance can be obtained, in order to achieve an effective and efficient audit.


    26/35

    Agenda 4: Application of IS Audit and WebTrust


    27/35

    Agenda 4: Application of IS Audit and WebTrust

    WebTrust / SysTrust Certification


    28/35

    WebTrust Defined

    Note: fulfilment of the PROCESSING INTEGRITY principle is covered through SysTrust (see next slide).


    29/35

    Ernst & Young's seal: CyberProcess Certification


    30/35

    Example of WebTrust in practice: Report of Management


    31/35

    Example of WebTrust in practice: Report of Independent Accountants


    32/35

    Certification on Internet banking: VeriSign certificate


    33/35

    Agenda 4, worked example: Financial Statement Audit & WebTrust

    Certification on Internet banking


    34/35

    Comparison of Seals

    Seal      | Product Cost   | Privacy of Data | Security of Data                        | Business Policies | Transaction Processing Integrity
    BBBOnline | Low            | NO              | NO                                      | Lightly covered   | NO
    TRUSTe    | Low            | YES             | NO                                      | NO                | NO
    VeriSign  | Low to Medium  | NO              | YES: data transmittal; NO: data storage | NO                | NO
    ICSA      | High           | YES             | YES                                     | Somewhat covered  | Lightly covered
    WebTrust  | High           | YES             | YES                                     | YES               | YES


    35/35


    End of Presentation

    Thank You!