Understanding Application Systems

ftp.gunadarma.ac.id/handouts/S1_Akuntansi/Audit... · © 2010 – CHANDRA YULISTIA, CISA


Understanding the System

System Factoring

Breaking a system up into subsystems

A subsystem is a logical component rather than a physical component

Function Factoring

Management function

Development, implementation, operation, maintenance

Application function

Accounting cycles

– Sales & collections

– Payroll & personnel

– Acquisitions & payments

– Inventory & warehousing

– Treasury


Understanding the System

System Factoring

[Diagram: a system (Level 0) is broken down into subsystems (Level 1), which are in turn broken down into sub-subsystems (Level 2)]


Understanding the System

Function Factoring

[Diagram: IT functions, factored level by level into: management system, accounting cycles; management subsystems, application systems; application subsystems]


Understanding the System

Techniques

Interviews, Observation, Field Review

Data Flow Diagram (DFD)

Document Flowchart


Data Flow Diagram

Four symbols are used in a DFD, each representing:

Entity

An entity outside the system under study

Can send data to or receive data from the system

Process

Always indicates that a transformation of data takes place

The data flow entering a process differs from the data flow leaving that process.

Data Store

Data Flow

Two data flows may occur at the same time

Each must be given an appropriate label

[Figure: the DFD symbols for data store, entity, process and data flow]


Decision Tree

[Decision tree figure: Customer branches by Type (Type A, Type B, other types), then by Credit History (never in arrears / has been in arrears), ending in Discount leaves of 10%, 7.5%, 5% and 2%; other types receive 0%]


Decision Tables

There are 4 parts:

1. condition stub

– contains the conditions to be tested

2. condition entry

– contains the possible values of the conditions to be tested

3. action stub

– contains the actions to be taken, whether or not the condition is met

4. action entry

– specifies which actions are taken and which are not taken for each combination of conditions

If there are x condition stubs, the number of possible actions is N = 2^x

Decision tables are very important for auditors performing substantive tests, to determine whether any possible condition has not been covered by the application program logic


Decision Tables

Example – Decision Tables:

Condition                      1      2        3       4
Primary customer?              Y      Y        N       N
Ever in arrears?               Y      N        Y       N
Action
Discount                       8%     10.00%   0.00%   5%
Order shipped within 1 day?    Y      Y        N       N
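The completeness test described on the previous slide, applied to the example decision table above. This is an added example, not part of the original slides: program_discount is a hypothetical piece of application logic, constructed with one gap, and audit_logic is a hypothetical helper that walks all N = 2^x condition combinations.

```python
from itertools import product

# Decision table from the slide. Conditions: (primary customer?, ever in arrears?).
# Action: discount rate in percent.
CONDITIONS = ("primary_customer", "ever_in_arrears")
DECISION_TABLE = {
    (True, True): 8.0,
    (True, False): 10.0,
    (False, True): 0.0,
    (False, False): 5.0,
}


def program_discount(primary_customer, ever_in_arrears):
    """Hypothetical application logic under audit (constructed, with a gap)."""
    if primary_customer and not ever_in_arrears:
        return 10.0
    if primary_customer and ever_in_arrears:
        return 8.0
    if not primary_customer and not ever_in_arrears:
        return 5.0
    return None  # non-primary customer in arrears: no branch handles this case


def audit_logic(table, logic, conditions):
    """Test every one of the 2**x condition combinations against the table.

    Returns a list of (combination, finding) for combinations that the table
    omits, that the program does not cover, or where the two disagree.
    """
    findings = []
    for combo in product([True, False], repeat=len(conditions)):
        expected = table.get(combo)
        actual = logic(*combo)
        if expected is None:
            findings.append((combo, "missing from decision table"))
        elif actual is None:
            findings.append((combo, "not covered by program logic"))
        elif actual != expected:
            findings.append((combo, f"expected {expected}, got {actual}"))
    return findings


if __name__ == "__main__":
    for combo, finding in audit_logic(DECISION_TABLE, program_discount, CONDITIONS):
        print(dict(zip(CONDITIONS, combo)), "->", finding)
```
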


Application Control Concepts


Application Risks


IT Controls

Operation Management

Application System Control

IS Management

System Development Management

Programming Management

Data Management

Quality Assurance Management

Security Management

Top Management


IT Application Controls

AC1 Source Data Preparation and Authorisation

AC2 Source Data Collection and Entry

AC3 Accuracy, Completeness and Authenticity Checks

AC4 Processing Integrity and Validity

AC5 Output Review, Reconciliation and Error Handling

AC6 Transaction Authentication and Integrity


Application Controls Overview

Application Controls

Boundary Controls

Input Controls

Communication Controls

Processing Controls

Database Controls

Output Controls


Application Controls Overview

Boundary Controls

Comprise the components that establish the interface between the user and the system

Input Controls

Comprise the components that capture, prepare, and enter commands and data into systems

Communication Controls

Comprise the components that transmit data among subsystems and systems


Application Controls Overview

Processing Controls

Comprise the components that perform decision making, computation, classification, ordering, and summarization of data in the system

Database Controls

Comprise the components that define, add, access, modify and delete data in the system

Output Controls

Comprise the components that retrieve and present data to users of the system


Auditing Application Controls


Input Controls


Input Controls

Introduction

Components in the input subsystem are responsible for bringing both data and instructions into the system

Input controls are critical because:

In many systems, the largest number of controls exists in the input subsystem

The input subsystem sometimes involves large amounts of routine, monotonous human intervention that is error-prone

The input subsystem is often the target of fraud


Input Controls

Data Input Methods

State or Event

Recording Medium

Keyboarding

Direct Reading

Direct Entry

Personal Computer

Optical Character Recognition

Magnetic Ink Character Recognition

Mark Sensing

Digitizer

Image Reader

Point-of-sales Device

Automatic Teller Machine

Personal Computer

Touch Screen

Mice, Joystick, Trackball

Voice, Sound

Video


Input Controls

Source Document Design - Reasons

It reduces the likelihood of data recording errors

It increases the speed with which data can be recorded

It controls the work flow

It facilitates data entry into a computer system

For pattern recognition devices, it increases the speed and the accuracy with which data can be read

It facilitates subsequent reference checking

Discussion

Who should design the source document and when?


Input Controls

Source Document Design - Guidelines

Preprint wherever possible

Provide titles, headings, notes and instructions

Use techniques for emphasis and to highlight differences

Arrange fields for ease of use

Use the “caption above fill-in area” approach for captions and data fields

When possible, provide multiple-choice answers to questions to avoid omissions

Use tick marks or indicator values to identify field-size errors

Combine instructions with questions

Space items appropriately on forms

Design for easy keying

Prenumber source documents

Conform to organizational standards


Input Controls

Data-Entry Screen Design

Screen Organization

Screens should be designed so that they are uncluttered and symmetrically balanced

Data-entry Field Design

Data-entry fields should immediately follow their associated caption, either on the same line or, in the case of a repeating field, on several lines immediately below the caption

Caption Design

Captions indicate the nature of the data to be entered in a field on a screen. Consider the structure, size, font type, display density, format, alignment, justification and spacing

Tabbing & Skipping

Avoid automatic skipping, use manual tabbing, maintain keying rhythm


Input Controls

Data-Entry Screen Design

Color

Data-entry screen color can be used to aid in locating a particular caption or data item, to separate areas on the display, or to indicate a changed status.

Response Time

Response time during data entry is the interval that elapses between entry of a data item and the system’s indication that it is ready to accept a new data item.

Display Rate

Display rate is the rate at which characters or images on a screen are displayed

Prompting and Help Facilities

A prompting facility provides immediate advice or information about actions users should take when they work with a data-entry screen


Input Controls

Data Code Controls

Types of Data Coding Errors

Error type             Correct code   Recorded code
Addition               87942          879142
Truncation             87942          8792
Transcription          87942          81942
Transposition          87942          78942
Double transposition   87942          84972

Factors Affecting Data Coding Errors

Length of the code

Alphabetic / numeric mix

Choice of characters

Mixing uppercase / lowercase fonts

Predictability of character sequence


Input Controls

Check Digits

A check digit is one or more redundant digits added to a code that enable the accuracy of the other characters in the code to be checked.
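An added example, not part of the original slides: it runs the five data coding errors from the previous slide (correct code 87942) against two check digit schemes. The slides do not name a scheme; the weighted modulus-11 scheme and the unweighted digit-sum scheme used here are assumptions chosen to show why the weighting matters, and all function names are hypothetical.

```python
# Error examples from the "Data Coding Errors" slide: the correct code is
# 87942 and each value below is what was recorded instead.
CORRECT = "87942"
ERRORS = {
    "addition": "879142",
    "truncation": "8792",
    "transcription": "81942",
    "transposition": "78942",
    "double transposition": "84972",
}


def mod11_check_digit(base):
    """Weighted modulus 11: weights 2, 3, 4, ... from the rightmost digit.

    Suitable for base codes of up to 9 digits (a weight of 11 would be
    equivalent to 0 and stop protecting that position).
    """
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)  # 10 has no single-digit form


def mod11_valid(code):
    """Valid when the weighted sum (check digit at weight 1) divides by 11."""
    if not code.isdigit() or len(code) < 2:
        return False
    total = sum(int(d) * w for w, d in enumerate(reversed(code), start=1))
    return total % 11 == 0


def digit_sum_check_digit(base):
    """Unweighted scheme: pad the digit sum up to a multiple of 10."""
    return str((10 - sum(map(int, base)) % 10) % 10)


def digit_sum_valid(code):
    return code.isdigit() and sum(map(int, code)) % 10 == 0


def detection_report(correct=CORRECT, errors=ERRORS):
    """For each error type, record whether each scheme rejects the bad code.

    The operator is assumed to key the original check digit after the
    mistyped body of the code.
    """
    m = mod11_check_digit(correct)
    if m is None:
        raise ValueError("check value is 10; such codes are normally not issued")
    s = digit_sum_check_digit(correct)
    return {
        name: {
            "modulus11": not mod11_valid(wrong + m),
            "digit_sum": not digit_sum_valid(wrong + s),
        }
        for name, wrong in errors.items()
    }


if __name__ == "__main__":
    print("code with modulus-11 check digit:", CORRECT + mod11_check_digit(CORRECT))
    for name, caught in detection_report().items():
        print(f"{name:22s} modulus11={caught['modulus11']} digit_sum={caught['digit_sum']}")
```

In this run the weighted scheme rejects all five recorded codes, while the unweighted digit sum accepts both transposition errors because reordering digits does not change their sum.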

Batch Controls

Types of batch

Physical - constitute a physical unit

Logical - bound together on some logical basis

Types of batch controls

Financial Totals

Hash Totals

Document / record counts


Input Controls

Validation of Data Input

Field Checks

Missing data or blanks

Alphabetic or numeric

Range

Set membership

Check digit

Master reference

Size

Format mask

Record Checks

Reasonableness

Valid sign-numerics

Size

Sequence check

Batch Checks

Control totals

Transaction type

Batch serial number

Sequence check


Input Controls

Audit Trails

Identity of the person (organization) who was the source of data

Identity of the person (organization) who entered the data into the system

Time and date when the data was captured

Identifier of the physical device used to enter the data into the system

Account or record to be updated by the transaction

Standing data to be updated by the transaction

Details of transaction

Number of physical or logical batch to which the transaction belongs

Time to key in a source document or an instruction at a terminal

Number of read errors made by an optical scanning device

Number of keying errors identified during verification


Processing Controls


Processing Controls

Introduction

The processing subsystem is responsible for computing, sorting, classifying, and summarizing data

Major components in the processing subsystem

Central processor

Real/virtual memory

Operating system

Application programs


Processing Controls

Processor Controls

Error detection and correction

The control unit might fetch an instruction from main memory, so the control unit should refetch the instruction (perhaps multiple times) & evaluate it once again

The execution of an instruction fails. Various types of code can be used

The data in a register is corrupted. Simple parity checks are often used to detect an error in a register

Multiple execution states

Supervisor State

Problem State

Timing Controls

Component Replication


Processing Controls

Memory Controls

The real memory of a computer system comprises the fixed amount of primary storage in which programs/data must reside for them to be executed/referenced by the central processor

Error Detection & Correction

Access Controls


Processing Controls

Operating System integrity

The operating system is the set of programs implemented in software, firmware, or hardware that permits sharing & use of resources within a computer system

Auditors often pay little attention to the evaluation of operating system controls

Nature of a reliable operating system


Processing Controls

Operating System Threats

Penetration technique: Explanation

Browsing: Involves searching residue to gain unauthorized access to information

Masquerading: Involves carrying out unauthorized activities by impersonating a legitimate user of the system/impersonating the system itself

Piggybacking: Involves intercepting communications between the operating system and the user

Between-lines entry: A penetrator takes advantage of the time during which a legitimate user still is connected to the system but is inactive

Spoofing: A penetrator fools users into thinking they are interacting with the operating system

Backdoors/trapdoors: A backdoor/trapdoor allows a user to employ the facilities of the operating system without being subject to the normal controls

Trojan horse: Users execute a program written by the penetrator


Processing Controls

Operating System Integrity Flaws

Integrity flaw: Explanation

Incomplete parameter validation: The system doesn’t check the validity of all attributes of a user’s request

Inconsistent parameter validation: The system applies different validation criteria to the same construct within the system

Implicit sharing of data: The operating system uses a common area to service two/more user processes

Asynchronous validation: If the operating system permits asynchronous processes, users take advantage of timing inadequacies to violate integrity

Inadequate access control: The operating system performs incomplete checking, or one part of the system assumes another part has performed the checking

Violable limits: System documentation states limits, e.g., the maximum size of a buffer


Processing Controls

Application Software Controls - Validation checks

Level of check – Type of check: Explanation

Field – Overflow: Can occur if a field used for computation isn’t zeroized initially, some error in computation occurs, or unexpectedly high values occur

Field – Range: An allowable value range can apply to a field

Record – Reasonableness: The contents of one field can determine the allowable value for another

Record – Sign: The contents of one field might determine which sign is valid for a numeric field

File – Crossfooting: Separate control totals can be developed for related fields & crossfooted at the end of a run

File – Control totals: Run-to-run control totals can be developed & compared with the results of a run


Processing Controls

Application Software Controls - Programming style

Handle rounding correctly

Print run-to-run control totals

Minimize human intervention

Understand hardware/software numerical hazards

Use redundant calculations

Avoid closed routines


Database Controls


Database Controls

Introduction

The database subsystem is responsible for defining, creating, modifying, deleting, and reading data in an information system

The major components in the database subsystem

The database management system

The application programs

The central processor & primary storage

The storage media


Database Controls

Access Controls

Access controls in the database subsystem seek to prevent unauthorized access to and use of data

Discretionary access controls

In the database subsystem, discretionary access controls can vary considerably

Mandatory access controls

Under this approach, resources are assigned a classification level & users are assigned a clearance level

User access to a resource is governed by a security policy


Database Controls

Integrity Controls

Established to maintain the accuracy, completeness, & uniqueness of instances of the constructs used within the conceptual modelling/data modelling approach

Used to represent the real-world phenomena about which data is to be stored in the data subsystem

Controls

Entity Relationship Model Integrity Constraints

Relational Data Model Integrity Constraint

Object Data Model Constraint


Database Controls

Application Software Controls

Update Protocols

Sequence check transaction & master files

Ensure all records on files are processed

Process multiple transactions for a single record in the correct order

Maintain a suspense account

Report Protocols

Print control data for internal tables (standing data)

Print run-to-run control totals

Print suspense account entries


Database Controls

Concurrency Controls - Deadlock

[Figure: deadlock between Process P and Process Q over Data Resource 1 and Data Resource 2, shown at time t and time t+1]


Topic Seven

Output Controls


Output Controls

Introduction

The output subsystem determines the content of data that will be provided to users, the ways data will be formatted and presented to users, and the ways data will be prepared for and routed to users.

Some issues

Inference Controls

Batch Output and Distribution Controls

Batch Report Design Controls

Online Output Production & Distribution Controls

Audit Trails


Output Controls

Inference Controls

Used to prevent compromise of statistical databases: databases from which users can obtain only aggregate statistics rather than the values of individual data items

Types of Compromise

Positive Compromise, whereby users determine that a person has a particular attribute value

Negative Compromise, whereby users determine that a person does not have a particular attribute value

Exact Compromise, whereby users determine the precise value of an attribute possessed by a person

Approximate Compromise, whereby users determine within a range the attribute value possessed by a person


Output Controls

Inference Controls

Restriction Control

Limit the set of responses that will be provided to users to try to protect the confidentiality of data about persons in the database

Types

Order Control

Relative Table Size Control

Query Set Overlap Control

Cell Suppression

Grouping or Rolling Control

Partitioning


Output Controls

Inference Controls

Perturbation Control

Introduces some type of noise into the statistics calculated on the basis of records retrieved from the database

Implemented as Records-Based or Results-Based

Types

Records-Based

– Query Set Sampling

– Data Perturbation

– Data Swapping

Results-Based

– Add an error term after the true statistic has been calculated
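An added example, not part of the original slides, covering the restriction and perturbation slides above: a small statistical database that answers only SUM queries, with query set overlap control and results-based perturbation as switchable controls. The records are constructed sample data, the class and function names are hypothetical, and the minimum query-set size rule is an assumption (a common restriction that the slides do not name).

```python
import random

# Constructed sample data (name, department, salary); not from the page.
RECORDS = [
    ("ani", "finance", 5200), ("budi", "finance", 4800),
    ("citra", "finance", 6100), ("dewi", "finance", 5500),
    ("eko", "finance", 9900), ("fajar", "it", 5000),
]


class StatisticalDB:
    """Answers SUM(salary) queries only; individual rows are never returned."""

    def __init__(self, records, min_set_size=1, max_overlap=None, noise=0, seed=0):
        self.records = list(records)
        self.min_set_size = min_set_size  # restriction: smallest query set answered
        self.max_overlap = max_overlap    # restriction: query set overlap control
        self.noise = noise                # results-based perturbation: +/- noise
        self.rng = random.Random(seed)
        self.answered = []                # query sets that were already answered

    def sum_salary(self, predicate):
        """Return the (possibly perturbed) sum, or None if the query is refused."""
        ids = frozenset(i for i, rec in enumerate(self.records) if predicate(rec))
        if len(ids) < self.min_set_size:
            return None
        if self.max_overlap is not None and any(
            len(ids & earlier) > self.max_overlap for earlier in self.answered
        ):
            return None
        self.answered.append(ids)
        total = sum(self.records[i][2] for i in ids)
        if self.noise:
            # error term added after the true statistic has been calculated
            total += self.rng.randint(-self.noise, self.noise)
        return total


def difference_of_sums(db, person="eko", dept="finance"):
    """What a user learns about one person from two aggregate answers.

    Returns None when either query is refused by the controls.
    """
    whole = db.sum_salary(lambda r: r[1] == dept)
    rest = db.sum_salary(lambda r: r[1] == dept and r[0] != person)
    if whole is None or rest is None:
        return None
    return whole - rest


if __name__ == "__main__":
    print("no controls:      ", difference_of_sums(StatisticalDB(RECORDS)))
    print("size limit only:  ", difference_of_sums(StatisticalDB(RECORDS, min_set_size=3)))
    print("overlap control:  ", difference_of_sums(StatisticalDB(RECORDS, max_overlap=2)))
    print("perturbation:     ", difference_of_sums(StatisticalDB(RECORDS, noise=500)))
```

A size limit alone still permits exact compromise here, because both aggregate queries are large; overlap control refuses the second query, and perturbation reduces the result to an approximate compromise within the noise range.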


Output Controls

Batch Output Production & Distribution Controls

Batch output is output that is produced at some operation facility and subsequently distributed to or collected by custodians or users of the output.

The production & distribution of batch output are controlled to ensure that accurate, complete and timely output is provided only to authorized custodians or users.

Controls are implemented in various phases in the production and distribution of batch output


Output Controls

Batch Output Production & Distribution Controls

Some Controls

Securing the storage of any special stationery used to produce batch output

Ensuring only authorized users are permitted to execute batch report programs

Ensuring that the contents of spooling/printer files cannot be altered

Preventing unauthorized parties from viewing the contents of confidential reports as they are printed

Collecting reports promptly to prevent their loss

Having client services staff review batch output for obvious errors prior to distribution to users

Ensuring batch output is distributed to the correct user

Having end users review output for errors or irregularities

Storing batch output securely

Determining an appropriate retention period for batch output

Shredding batch output when it is no longer required


Output Controls

Batch Report Design Controls

Batch output reports can be designed to facilitate exercising effective and efficient controls over them.

Some information needs to be included in the report:

Report name

Time & date of production

Distribution list, including number of copies

Processing period covered

Program, including version number, that produced the report

Contact person

Security classification

Retention date

Method of destruction

Page heading

Page number

End-of-job marker


Output Controls

Online Output Production & Distribution Controls

Online output is output that is delivered electronically to the terminal employed by a user to gain access to a system

The production & distribution of online output are controlled to ensure that accurate, complete and timely output is provided only to authorized custodians or users.

Controls are implemented in various phases in the production and distribution of online output


Output Controls

Online Output Production & Distribution Controls

Some Controls

Ensuring that the output that can be accessed online is authorized, accurate, and complete

Ensuring that online output is distributed to the correct network address

Preserving the integrity and privacy of online output transmitted over communication lines

Checking that data has been received by the intended user

Determining whether the intended user has read and properly considered the contents of online output

Ensuring that disposition of the online output is appropriate

Determining an appropriate retention period for online output

Deleting online output completely when it is no longer required


Output Controls

Audit Trails

What output was presented to the user

Who received the output

When the output was received

What actions were subsequently taken with the output

Records of the resources consumed to produce various types of output

Discussion

How to control the data reporting tools?
