The Information Systems Auditor in the MSI Curriculum
Dr. Yeffry Handoko Putra, M.T
Information Systems Auditor Seminar
Information Systems Study Program, UNIKOM
2 November 2015, Aula Auditorium UNIKOM
Dr. Yeffry Handoko Putra, M.T
E-mail: [email protected]
Head of the Master of Information Systems (MSI) Program, UNIKOM
Researcher, Information Technology Governance and Frameworks Research Center (PSTK3TI), UNIKOM
Trainer in Information Systems Audit (CISA), Information Systems Governance (CGEIT), Lean Six Sigma and Agile Management
Auditor of the administration application program at the Procurement Services Office of Musi Banyuasin Regency, South Sumatra Province
Outline of the Presentation
• About the auditor
• Applying the ISACA curriculum in MSI
• SKKNI 2014 (Decree of the Minister of Manpower and Transmigration of the Republic of Indonesia)
• COBIT as a tool
• Internal audit
Audit Basics
Who Is an Information Systems Auditor?
Audit areas / Auditor types
Why Is an Information Systems Audit Needed?
[Figure: drivers for IS audit: support for business services, service quality, service cost, IT risks, delivery time]
Skills for IS Auditors
• Analytical skills
• Client maintenance
• Managerial communications and/or public speaking
• Interviewing skills
• Negotiation skills and/or personal selling
• Business writing
• Industrial psychology and/or behavioral science
• Project management / time budgeting
• Team building and team leading
Auditors in Indonesia
Financial:
• Ernst & Young (UK)
• Deloitte Touche Tohmatsu (USA)
• PricewaterhouseCoopers (UK)
• KPMG (Dutch) (KAP Siddharta & Widjaja)
IT and IS:
• ISACA Chapter (Wisma GKBI, 35th floor, Jakarta)
• Ikatan Audit Sistem Informasi Indonesia (IASII), http://iasii.or.id
What Is Audited
SKKNI 2014 (Decree of the Minister of Manpower and Transmigration of the Republic of Indonesia)
Audit Components (source: CISA)
1. Classification of audits
2. Audit program
3. Audit methodology
4. Fraud detection
5. Risk-based auditing
6. Audit risk and materiality
7. Risk assessment and treatment
8. Risk assessment techniques
9. Audit objectives
10. Compliance vs. substantive testing
11. Evidence
12. Interviewing and observing personnel in the performance of their duties
13. Sampling
14. Using the services of other auditors and experts
15. Computer-assisted audit techniques (CAAT)
16. Evaluation of strengths and weaknesses
17. Communicating audit results
18. Management implementation of recommendations
19. Audit documentation
CISA STANDARDS, GUIDANCE AND TOOLS
ISACA IS Auditing Standards:
1. Audit charter
2. Independence
3. Professional ethics and standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
Obtaining CISA Certification
1. Pass the CISA exam
2. Submit the CISA certification application
Requirement: a minimum of 5 years of CISA-related work experience (auditing, control, security).
Up to a maximum of 3 years may be substituted as follows:
• A maximum of 1 year of information systems experience or non-IS auditing experience substitutes for 1 year of experience
• 60 to 120 completed semester credit hours substitute for 1 to 2 years of experience
• A bachelor's degree following the ISACA model curriculum substitutes for 1 year
• A master's degree in information systems substitutes for 1 year
• Two years as a lecturer/instructor in a related field (KA, audit, computing) substitutes for 1 year
Regulation of Information Systems Auditors
• Government Regulation (PP) No. 82 of 2012 on the Operation of Electronic Systems and Transactions (PSTE)
• Information Technology Auditor Competency Standard (Decree of the Minister of Manpower and Transmigration of the Republic of Indonesia)
• Information Systems Audit Standard
• CISA standards as reference
Some Control Definitions
1. IT risk
2. Control
3. Control objectives
4. Control practices
Control classification:
• Preventive controls
• Detective controls
• Corrective controls
Evidence Analysis
Collecting Audit Evidence
SKKNI 2014
Curriculum References
[Figure: sources feeding the MSI curriculum: Computing Curricula IS 2000 (ACM), ISACA, ASA, ISO]
Stakeholder Analysis for the Curriculum
[Figure: inputs to the Master of Information Systems curriculum (competence and interest)]
• Standards: ISACA, ISO/IEC, Sarbanes-Oxley, TOGAF, Zachman
• Technology: trends, forecasting, strategy, vendor programs (SAP)
• Demand from employers of graduates: IT governance, risk management, enterprise IS, investment evaluation, decision making, knowledge management
• Demand from alumni: recognized degree, balanced ratio of theory and skills, timely graduation, research experience, continuation to doctoral study, comparable national and international public/private universities
• Job levels: project manager, system analyst, planning designer, CIO, CKO, manager
• Practical skills: project management, business intelligence, auditor
• Benchmarking
IS Auditor Knowledge Topics (250 hours)
1. Risk-based IT audit strategy – 7 hours
2. Specific audit planning – 8 hours
3. IT audit standards – 18 hours
4. Audit reporting, communications and follow-up – 7 hours
Profession
Competency-Based MSI Curriculum
SKKNI 2014 Level 8 (S2 / master's)
[Figure: competency map: basic competence; Audit & Control; core competence: Planning, Governance, Audit & Control; elective competence; curriculum; LO & PO (learning outcomes and program outcomes)]
Basic Competence
• Enterprise architecture
• Business process and management
• Project management
• System analysis and design
• IT infrastructure
Core Competence of the MSI Discipline
Planning
• the planning process
• building the business model
• the information system model, based on IT frameworks such as TOGAF, Zachman and Calder-Moir
Management
IT governance:
• value delivery
• strategic alignment
• resource management
• risk management
• performance analysis
IT strategy and policy
Audit
The information systems audit process:
• infrastructure
• security
• assets
• IT governance
• business continuity and disaster recovery
• SLAs
The MSI curriculum is aligned with the ISACA® Model Curriculum for IS Audit and Control, 3rd Edition.
COBIT: Control Objectives for Information and related Technology
• IT control objectives and standards of good practice
• 34 high-level control objectives
Audit Tool: COBIT
Tools for Auditing Information Systems
COBIT Framework IT Domains
[Figure: the four COBIT domains, Planning & Organisation, Acquisition & Implementation, Delivery & Support and Monitoring, arranged in a cycle driven by business objectives, information and IT resources]
COBIT IT Domain Processes
PLANNING & ORGANISATION
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organisation and relationships
5. Manage the investment
6. Communicate management aims and directions
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality
ACQUISITION & IMPLEMENTATION
1. Identify solutions
2. Acquire and maintain application software
3. Acquire and maintain technology architecture
4. Develop and maintain IT procedures
5. Install and accredit systems
6. Manage changes
DELIVERY & SUPPORT
1. Define service levels
2. Manage third-party services
3. Manage performance and capacity
4. Ensure continuous service
5. Ensure system security
6. Identify and attribute costs
7. Educate and train users
8. Assist and advise IT customers
9. Manage the configuration
10. Manage problems and incidents
11. Manage data
12. Manage facilities
13. Manage operations
MONITORING
1. Monitor the processes
2. Assess internal control adequacy
3. Obtain independent assurance
4. Provide for independent audit
COBIT 4.1 DEMO: try the COBIT 4.1 Excel file
WHAT IS NEW IN COBIT 5
Maturity Models and Balanced Scorecard Frameworks for Internal Auditing
WHY Maturity Models and Balanced Scorecard Frameworks?
• The STRATEGIC question: Are we doing the right things?
• The VALUE question: Are we delivering the right benefits?
• The PROCESS question: Are we doing things the right way?
• The QUALITY question: Are we doing things of the right quality?
Control Framework
[Figure: business goals translate into internal audit goals, whose alignment is checked against internal audit processes. Internal audit processes are broken into key activities, which are assessed by responsibility and accountability charts and analyzed by activity goals and metrics. Processes are controlled by control objectives, which are implemented by control practices. Processes are assessed for performance by the balanced scorecard, with cause and effect illustrated by internal audit strategy maps, and assessed for maturity by maturity models.]
Maturity Models – History
• First released by the Software Engineering Institute (SEI), affiliated with Carnegie Mellon University, in 1993 as the Capability Maturity Model (CMM)
• The Information Systems Audit and Control Association (ISACA) adopted the approach for COBIT, first released in 1996
• ISACA refined it further in 2007 (COBIT 4.1)
• Maturity levels are rated on a scale from non-existent (level 0) to optimized (level 5)
Graphic Representation of Maturity Models
Level | Name                     | Characteristic
0     | Non-existent             | Lack of any recognizable processes / practices
1     | Initial / Ad hoc         | Processes are ad hoc and disorganized
2     | Repeatable but intuitive | Processes follow a regular pattern
3     | Defined process          | Processes are documented and communicated
4     | Managed and measurable   | Processes are monitored and measured
5     | Optimized                | Good practices are followed and automated
Maturity Level Characteristics
0 Non-existent
• Complete lack of any recognizable processes.
• The enterprise has not even recognized that there is an issue to be addressed.
1 Initial / Ad hoc
• There is evidence that the enterprise has recognized that the issues exist and need to be addressed.
• There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis.
• The overall approach to management is disorganized.
2 Repeatable but Intuitive
• Processes have developed to the stage where similar procedures are followed by different people undertaking the same task.
• There is no formal training or communication of standard procedures, and responsibility is left to the individual.
• There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 Defined Process
• Procedures have been standardized and documented, and communicated through training.
• It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected.
• The procedures themselves are not sophisticated but are the formalization of existing practices.
4 Managed and Measurable
• Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively.
• Processes are under constant improvement and provide good practice.
• Automation and tools are used in a limited or fragmented way.
5 Optimized
• Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises.
• IT tools are used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness and making the enterprise quick to adapt.
Generic Maturity Model
ISACA proposes tracking maturity levels along the following six generic aspects (dimensions, or planes):
• Awareness and communication
• Policies and procedures
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement
• Tools, templates and automation
A Strategic Map for Internal Audit
Expectations of Management from Internal Audit: Partner in Governance
Risk-Related Activities
Internal Audit Role in ERM
Thank you for your attention
Dr. Yeffry Handoko
How to Audit Information Systems
How can we achieve these IT goals?
[Figure: roadmap of frameworks and the extent to which each covers the goal: ITIL; BS 7799 (limited); ISO 9001; CobiT and ISO 17799; ITIL (limited); ITIL and CobiT (limited); ISO 17799 (limited); CobiT v3]
How Do We Get There?
• Responsibility: the assignment of responsibility for performing specified activities to specific groups or individuals
• People: the people that support effective and efficient IT service management
• Controls: the assignment of controls to IT processes to ensure that they deliver efficiently and effectively in line with client requirements
• Technology: the technology that supports IT delivery
• Process: the interrelated series of activities that combine to produce products or services for internal and external clients
• Measurement: the assignment of measurements to people, processes, technology and controls to ensure they comply with what they are intended for
How can we achieve these IT goals: continuous IT improvement (BS 15000, ISO 17799, CobiT compliant, etc.)
• How well does IT support the business? Alignment assessment
• How controlled is IT? CobiT compliance check
• How secure is IT? ISO 17799 health check
• How cost effective is IT? Benchmarking
• What does the user think of IT? Surveys
Frameworks: ITIL, ISO 17799, CobiT, CobiT v3 management guidelines
Organizational Certifications and Associated Subject Areas
Certification     | Subject Area
CMMI for Services | Maturity of service provider capabilities and processes
ISO 9001          | Quality management systems
ISO 14001         | Environmental management systems
ISO/IEC 15408     | IT security evaluation of computer systems and software
ISO/IEC 20000     | IT service management
ISO/IEC 27001     | Information security management systems