Audit and Evaluation of Information Technology, Session 2, MTI-CIO 2012
Law of Requisite Variety
Ross Ashby, 1963, the Law of Requisite Variety: "when the variety or complexity of the environment exceeds the capacity of a system (natural or artificial) the environment will dominate and ultimately destroy that system."
• Inadequate variety: if your environment is more sophisticated in terms of complexity than your team's available responses, then the moves will be simplistic and ineffective.
• Excessive variety: if, however, your team has too much structure, then it won't be agile or fast enough to react to changes in its environment.
Auditing Purpose
• Is our purpose to issue reports? To raise issues?
• To make people look bad?
• To show how smart we are and how dishonest, incompetent, and corrupt the rest of the company is?
• To flex our muscles and show that we can do anything and tell on anyone because we report to the board of directors?
(Chris Davis, 2007)
Why Audit?
IT Today and Tomorrow
• Information Integrity, Reliability, and Validity: Importance in Today's Global Business Environment
• E-Commerce and Electronic Funds Transfer
• Future of Electronic Payment Systems
• Legal Issues Impacting IT
IT Environment
• Privacy on the Information Superhighway
• Security, Privacy, and Audit
• Federal Financial Integrity Legislation
• Federal Security Legislation
Internal Auditing: Partnering vs. Policing
• How to build a good relationship
• An effective internal audit department considers the audit to be a partnership with fellow employees and not a policing function.
• Adversarial relationships get in the way of the core objective of the audit department.
Establish Relationships
• Be intentional about regular updates and meetings with IT management.
• Establish formal audit liaisons with the different IT organizations.
• Get yourself invited to key meetings.
• Cultivate an attitude of collaboration and cooperation.
Relationships
• Building and maintaining good relationships with the IT organization are critical elements of the IT audit team's success.
• The most effective IT audit teams ensure that every layer of the stack is covered, not just the application layer.
• Successful IT audit teams generally consist of a combination of career auditors and IT professionals.
• It is critical to develop methods for maintaining the technical expertise of the IT audit team.
• A healthy relationship should be developed with the external IT auditors.
Internal Audit Mission
• The real mission of the internal audit department is to help improve the state of internal controls at the company.
• Internal auditors are not truly independent, but they should be objective.
• It is important to find ways to accomplish the department's mission outside formal audits. Important tools:
  – Early involvement
  – Informal audits
  – Knowledge sharing
  – Self-assessments
Consulting and Early Involvement
• Early involvement
  – There is no way to add more value to the company than by early involvement.
  – It's just like planning an audit: you need to spend time understanding the system, technology, or process being implemented.
• Informal audits
  – A normal audit is time consuming, with lots of documents and samples.
  – An informal audit is more like consulting.
• Knowledge sharing
  – Common issues, best practices, innovation
• Self-assessments
IT Auditor Goals
Evidence collection and evaluation
• Competencies
  – Generalist IT: auditing skill, IT management, behavioral knowledge, legal/law/regulation, etc.
  – Specialist in specific IT areas: network security, database administration, electronic financial transactions, etc.
Goals
• Improvements in
  – Asset safeguarding: H/W, S/W, facilities, people, data, documentation, supplies
  – Data integrity
  – System effectiveness
  – System efficiency
Good IT Auditor
IT Auditors
• Ability to dig into technical details without getting lost in those details
• Analytical skills
• Communication skills
• Quick learner
• Not busy with a specific technology daily
• Exposure to a wide variety of technologies
• Opportunity to work with many levels of management
• Broad view of the company and other IT groups
IT Professionals
• People who are subject matter experts on technology but have no experience with auditing
• Sometimes IT professionals never really "get it." They never really develop the ability to perform complex risk assessments.
Successful IT audit shops have a mixture of these types of auditors.
Career IT Auditor
• Generally holds Certified Information Systems Auditor (CISA) and/or Certified Information Systems Security Professional (CISSP) certifications
• Tends to understand IT in theory, but usually has never been responsible for the day-to-day operations of an IT environment
• Their depth of technical understanding is therefore often fairly light
Auditor Independence
Internal Auditor
• The bottom line is this: you work for the company and report to its management; therefore, you are not independent.
• The most successful audit departments have at least some people who have rotated into the department from other areas of the company.
• "Objective" is perhaps a more appropriate word ("not influenced by personal feelings or prejudice; unbiased").
• Just like quality, internal controls need to be built in up front.
• Unfortunately, many auditors use independence as an excuse not to add value and not to provide opinions.
• Auditors should not sit in an ivory tower and pretend that they're not part of things; they should leverage their knowledge of the business.
• Otherwise, just outsource it.
Internal Control
• The internal audit department's role is to help improve the state of internal controls at the company.
• Internal controls: mechanisms that ensure the proper functioning of processes within the company.
Control Examples
• Software change controls
  – Limit programmer access
  – Testing and approval
• Access controls
  – ID and password
• Backups and disaster-recovery plans
  – Back up regularly
  – Shift the backup tapes off site
  – Document the disaster recovery plan
IT Audit Examples
IT auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems.
• Examples of IT auditing
  – Organizational IT audits (management control over IT)
  – Technical IT audits (infrastructure, data centers, data communication)
  – Application IT audits (business/financial/operational)
  – Development/implementation IT audits (specification/requirements, design, development, and post-implementation phases)
  – Compliance IT audits involving national or international standards
IT Audit Types and Implementations
• Preventive controls stop a bad thing from happening.
  – A user ID and password (theoretically) prevents unauthorized people from accessing the system.
• Detective controls
  – Record a bad thing after it has happened (logging)
• Reactive controls
  – A systematic way of detecting when those bad things have happened and correcting the situation
  – Example: a worm is found in the network, so the port is shut down
IT Auditing Areas
(Figure: specific layers of the stack mapped to potential IT auditing areas.)
Auditor Examples
• Information systems auditors
  – Focus on the application layer
  – Access is properly controlled
  – Integrity of the data being entered
• Support for the financial auditors
  – Experts at data extraction
  – Example: a list of all invoices greater than 90 days past due
• IT auditors
  – This seems to be the most thorough and effective approach, because it ensures that all layers are being covered and that they are being covered by the people with the highest level of subject matter knowledge.
Potential Ranks
• Business applications
• Regulatory compliance
• Methodology for ranking those potential audits
Audit Stages
• Planning
  – The goal: determine objective and scope
  – Basic sources:
    • Preliminary survey
    • Customer requests
    • Standard checklists (see books)
    • Research (Internet, library, etc.)
• Fieldwork and Documentation
  – Acquiring data and performing interviews that will help team members analyze the potential risks and determine which risks have not been mitigated appropriately
  – "Here's what I did, here's what I found, here's my conclusion, and here's why I reached that conclusion."
  – Tedious but necessary
• Issue Discovery and Validation
  – List of concerns
  – Validate with the customer early
Audit Stages (cont.)
• Solution Development
  – Just raising the issues does your company no good unless those issues are actually addressed.
  – Common approaches for addressing audit issues:
    • The recommendation approach
    • The management-response approach
    • The solution approach
• Report Drafting and Issuance
  – For you and the audit customers, it serves as a record of the audit, its results, and the resulting action plans.
  – For senior management and the audit committee, it serves as a "report card" on the area that was audited.
• Issue Tracking
  – The audit department must develop a process whereby its members are able to track and follow up on issues until they are resolved.
Planning, Fieldwork, Documentation, Validation
• Some basic sources that should be referenced as part of each audit's planning process:
  – Handoff from the audit manager
  – Preliminary survey
  – Customer requests
  – Standard checklists
  – Research
• During fieldwork and documentation:
  – Ways to independently validate the information given
  – Effectiveness of the control environment
• If you work with your customers throughout the audit to validate issues and come to agreement on the risks those issues represent, then the conclusion of the audit will go much more smoothly and quickly.
Approaches, Reporting, Resolution
• Three common approaches for developing and assigning action items for addressing audit issues:
  – Recommendation approach
  – Management-response approach
  – Solution approach
• The essential elements of an audit report:
  – Statement of the audit scope
  – List of issues along with action plans for resolving them
  – Executive summary
• The audit is not truly complete until the issues raised in the audit are resolved.