Information Systems Auditor in the MSI Curriculum. Dr. Yeffry Handoko Putra, M.T. Information Systems Auditor Seminar, Information Systems Study Program, UNIKOM. 2 November 2015, UNIKOM Auditorium Hall

Information Systems Auditor in the Master of Information Systems Curriculum


Dr. Yeffry Handoko Putra, M.T

E-mail: [email protected]

Head of the Master of Information Systems Study Program, UNIKOM

Researcher in Information Technology Governance and Frameworks (PSTK3TI), UNIKOM

Trainer in Information Systems Audit (CISA), Information Systems Governance (CGEIT), Lean Six Sigma, and Agile Management

Auditor of the Administration Application Program at the Procurement Services Office of Musi Banyuasin Regency, South Sumatra Province

Presentation Outline

• Overview of the Auditor
• Applying the ISACA Curriculum in the MSI Program
• SKKNI 2014, Decree of the Minister of Manpower and Transmigration of the Republic of Indonesia
• COBIT Tools
• Internal Audit

Audit Basics

Who Is the Information Systems Auditor?

Audit areas; types of auditor

Why Information Systems Audit Is Needed

[Figure labels: support business, service quality, service cost, IT risks, delivery time; axis: time]

Skills for IS Auditors

• Analytical skills
• Client maintenance
• Managerial communications and/or public speaking
• Interviewing skills
• Negotiation skills and/or personal selling
• Business writing
• Industrial psychology and/or behavioral science
• Project management/time budgeting
• Team building and team leading

Auditors in Indonesia

Financial
• Ernst & Young (UK)
• Deloitte Touche Tohmatsu (USA)
• PricewaterhouseCoopers (UK)
• KPMG (Dutch) (KAP Siddharta & Widjaja)

IT and IS
• ISACA Chapter (Wisma GKBI, 35th Floor, Jakarta)
• Ikatan Audit Sistem Informasi Indonesia (IASII), http://iasii.or.id

What Is Audited

SKKNI 2014, Decree of the Minister of Manpower and Transmigration of the Republic of Indonesia

Audit Components (source: CISA)

1. Classification of audit
2. Audit program
3. Audit methodology
4. Fraud detection
5. Risk-based auditing
6. Audit risk and materiality
7. Risk assessment and treatment
8. Risk assessment technique
9. Audit objectives
10. Compliance vs. substantive testing
11. Evidence
12. Interviewing and observing personnel in the performance of their duties
13. Sampling
14. Using the services of other auditors and experts
15. Computer-assisted audit techniques (CAAT)
16. Evaluation of strengths and weaknesses
17. Communicating audit results
18. Management implementation of recommendations
19. Audit documentation

CISA STANDARD, GUIDANCE AND TOOLS


Audit charter

Independence

Professional Ethics and Standards

Competence

Auditing Standards


Planning

Performance of audit work

Reporting

Follow-up activities

Auditing Standards

Obtaining CISA Certification

1. Pass the CISA exam
2. Submit the CISA Certification application

Requirement: a minimum of 5 years of CISA job experience (auditing, control, security)

A maximum of 3 years can be substituted by:
– A maximum of 1 year of experience in information systems or non-IS auditing substitutes for 1 year of experience
– 60-120 credit hours (SKS) substitute for 1-2 years of experience
– A bachelor's degree with an ISACA curriculum substitutes for 1 year
– A master's degree in information systems substitutes for 1 year
– Lecturers / instructors with 2 years of experience in the field (KA, Audit, Computer) substitute for 1 year

Information Systems Auditor Regulations

• Government Regulation (PP) No. 82 of 2012 on the Operation of Electronic Systems and Transactions (PSTE)
• Information Technology Auditor Competency Standard (Decree of the Minister of Manpower and Transmigration of the Republic of Indonesia)
• Information Systems Audit Standard
• CISA standard as reference


Some Control Definitions...

1. IT Risk

2. Control

3. Control Objectives

4. Control Practices


Control classification

Preventive

Detective

Corrective

Controls

Evidence Analysis

Audit Evidence Collection

SKKNI 2014

Curriculum References

[Figure labels: Computing Curricula; IS 2000; ACM; ISACA; ASA; ISO; MSI Curriculum]

Stakeholder Analysis for the Curriculum

Standard
• ISACA
• ISO, IEC
• Sabox
• TOGAF, Zachman

Technology
• Trend
• Forecasting
• Strategic
• Program Vendor: SAP

Demand from Graduate Employers
• IT Governance
• Risk management
• Enterprise IS
• Investment Eval.
• Decision Maker
• Knowledge Manag.

Alumni Demand
• Recognized degree
• Balanced ratio of theory and skill
• Fast graduation
• Research experience

• Further study at doctoral level
• Comparable public/private universities (PTN/PTS), national and international

Job Level
• Project Manag
• System Analyst
• Planning Designer
• CIO, CKO
• Manager

Master of Information Systems Curriculum

Competence

Interest

Practical Skill
• Project Manag.
• Business Intell.
• Auditor

Benchmarking

IS Auditor Knowledge Topics, 250 hours

1. Risk-based IT audit strategy – 7 hours
2. Specific audit planning – 8 hours
3. IT audit standards – 18 hours
4. Audit reporting and communications and follow-up – 7 hours

MSI Curriculum Based on Competence

[Diagram labels: Profession; SKKNI 2014 Level 8 (S2, master's degree); Basic Competence; Audit & Control; Core Competence: Plan, Governance, Audit & Control; Specialization Competence; Curriculum; LO & PO]

Basic Competence

Enterprise Architecture

Business Process and Management

Project Management

System Analysis and Design

IT infrastructure

Core Competence of the MSI Discipline

Planning
• planning process
• building the business model
• information system model based on Information Technology frameworks such as TOGAF, Zachman, Calder-Moir

Management
IT Governance:
• value delivery
• strategic alignment
• resource management, risk management
• performance analysis
IT Strategy and Policy

Audit
Information Systems Audit Process:
• Infrastructure
• Security
• Asset
• IT Governance
• Business Continuity and Disaster Recovery
• SLA

The MSI curriculum is aligned with the ISACA® Model Curriculum for IS Audit and Control, 3rd Edition

Control Objectives for Information and related Technology

IT control objectives and standards of good practice

34 high-level control objectives

COBIT

Audit Tool: COBIT

Tools for Auditing Information Systems

CobiT Framework IT Domains

PLANNING & ORGANISATION

ACQUISITION & IMPLEMENTATION

DELIVERY & SUPPORT

MONITORING

BUSINESS OBJECTIVES

INFORMATION

IT RESOURCES

CobiT IT Domains Processes

PLANNING & ORGANISATION

1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organisation and relationships
5. Manage the investment
6. Communicate management aims and directions
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality

CobiT IT Domains Processes

ACQUISITION & IMPLEMENTATION

1. Identify solutions
2. Acquire and maintain application software
3. Acquire and maintain technology architecture
4. Develop and maintain IT procedures
5. Install and accredit systems
6. Manage changes

CobiT IT Domains Processes

DELIVERY & SUPPORT

1. Define service levels
2. Manage third-party services
3. Manage performance and capacity
4. Ensure continuous service
5. Ensure system security
6. Identify and attribute costs
7. Educate and train users
8. Assist and advise IT customers
9. Manage the configuration
10. Manage problems and incidents
11. Manage data
12. Manage facilities
13. Manage operations

CobiT IT Domains Processes

MONITORING

1. Monitor the processes
2. Assess the internal control adequacy
3. Obtain independent assurance
4. Provide for independent audit

COBIT 4.1 DEMO

Please try the COBIT 4.1 Excel file

WHAT'S NEW IN COBIT 5

Maturity Models and Balanced Scorecard Frameworks

For Internal Auditing

WHY - Maturity Models and Balanced Scorecard Frameworks?

The STRATEGIC Question: Are we doing the right things?

The VALUE Question: Are we delivering the right benefits?

The PROCESS Question: Are we doing things the right way?

The QUALITY Question: Are we doing things of right quality?

Control Framework

[Diagram, full view. Nodes: Business Goals; Internal Audit Goals; Internal Audit Processes; Key Activities; Control Objectives; Control Practices; Maturity Models; Balanced Score Card; Internal Audit Strategy Maps; Responsibility and Accountability Chart(s); Activity Goals and Metrics. Edge labels: Translate into; Check alignment with; Broken into; Assessed by; Analyzed by; Controlled by; Implemented by; For performance; For maturity; Cause and effect illustrated by; Assessed for maturity by.]

[Diagram, detail 1. Nodes: Business Goals; Internal Audit Goals; Internal Audit Processes. Edge labels: Translate into; Check alignment with.]

[Diagram, detail 2. Nodes: Internal Audit Goals; Internal Audit Processes; Control Objectives; Control Practices. Edge labels: Controlled by; Implemented by.]

[Diagram, detail 3. Nodes: Internal Audit Goals; Internal Audit Processes; Key Activities; Responsibility and Accountability Chart(s); Activity Goals and Metrics. Edge labels: Broken into; Assessed by; Analyzed by.]

[Diagram, detail 4. Nodes: Internal Audit Goals; Internal Audit Processes; Maturity Models; Balanced Score Card; Internal Audit Strategy Maps. Edge labels: Assessed by; For performance; For maturity; Cause and effect illustrated by.]

Maturity Models - History

First released by the Software Engineering Institute, affiliated with Carnegie Mellon University, in 1993 as Capability Maturity Models (CMM)

The Information System Audit and Control Association (ISACA) adopted it for internal auditing as COBIT in 1996

ISACA refined it further in 2007

Maturity levels are rated on a scale from non-existent (level 0) to optimized (level 5)

Graphic Representation of Maturity Models

0 Non Existent
1 Initial / Ad hoc
2 Repeatable but intuitive
3 Defined Process
4 Managed and Measurable
5 Optimized

Maturity Levels

0 Lack of any recognizable processes / practices
1 Processes are ad hoc and disorganized
2 Processes follow a regular pattern
3 Processes are documented and communicated
4 Processes are monitored and measured
5 Good practices are followed and automated

Maturity Models: Maturity Levels and Characteristics

0 Non Existent
• Complete lack of any recognizable processes.
• The enterprise has not even recognized that there is an issue to be addressed.

1 Initial / Ad Hoc
• There is evidence that the enterprise has recognized that the issues exist and need to be addressed.
• There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis.
• The overall approach to management is disorganized.

2 Repeatable but Intuitive
• Processes have developed to the stage where similar procedures are followed by different people undertaking the same task.
• There is no formal training or communication of standard procedures, and responsibility is left to the individual.
• There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 Defined Process
• Procedures have been standardized and documented, and communicated through training.
• It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected.
• The procedures themselves are not sophisticated but are the formalization of existing practices.

4 Managed and Measurable
• Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively.
• Processes are under constant improvement and provide good practice.
• Automation and tools are used in a limited or fragmented way.

5 Optimized
• Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises.
• IT tools are used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Generic Maturity Model

ISACA has proposed tracking maturity levels of the following six generic aspects / dimensions / planes:

• AWARENESS AND COMMUNICATION
• POLICIES AND PROCEDURES
• SKILLS AND EXPERTISE
• RESPONSIBILITY AND ACCOUNTABILITY
• GOAL SETTING AND MEASUREMENT
• TOOLS, TEMPLATES AND AUTOMATION

A Strategic Map for Internal Audit

Expectations of Management from Internal Audit

Partner in Governance

Risk Related Activities

Internal Audit Role in ERM

Thank you for your attention

Dr. Yeffry Handoko

How to Audit Information Systems

How we can achieve these IT goals

[Diagram labels: ITIL; BS 7799 - limited; ISO 9001; CobiT; ISO 17799; ITIL - limited; ITIL; CobiT - limited; ISO 17799 - limited; CobiT v3]

How Do We Reach That Goal?

The assignment of responsibility for performing specified activities to specific groups or individuals

The people that support effective and efficient IT service management

The assignment of controls to IT processes to ensure that they deliver efficiently and effectively in line with clients' requirements

The technology that is supporting the IT delivery

The interrelated series of activities that combine to produce products or services for internal & external clients

The assignment of measurements to people, processes, technology and controls to ensure they comply with what they are intended for

How can we achieve these IT goals: continuous IT improvement

BS15000, ISO 17799, CobiT compliant etc.

• How well does IT support business?: Alignment assessment
• How controlled is IT?: CobiT compliance check
• How secure is IT?: ISO 17799 Health Check
• How cost effective is IT?: benchmarking
• What does the user think of IT?: surveys

ITIL, ISO 17799, CobiT

CobiT v3 mngt guidelines

Organizational Certifications and Associated Subject Areas

Certification | Subject Area
CMMI for Services | Maturity of service provider capabilities and processes
ISO 9001 | Quality management systems
ISO 14001 | Environmental management systems
ISO/IEC 15408 | IT security evaluation of computer systems and software
ISO/IEC 20000 | IT service management
ISO/IEC 27001 | Information security management systems