IT Audit and Evaluation 3


CIO Course: IT Audit, Mr. Dani

  • 1. Information Technology Audit and Evaluation, Session 3, MTI-CIO 2012
  • 2. Audit Universe
    The Universe
    • Inventory all potential audit areas in the organization
    • Building the audit universe documents the key business processes and risks
    • Best practice: incorporate enterprise-wide risk assessments into audit plans
      – Institute of Internal Auditors (IIA) Standard 2010
        • Analyze risk exposures
        • Priorities for internal audit activity
        • Organization objectives, supporting processes, risks to achieving objectives, controls to mitigate risks
      – Annual audit schedules
        • Process, duration, personnel
      – Planning
        • Organizational changes, risk changes, introduction of new regulations
        • Re-prioritizing
        • External auditors to support/supplement internal staff
  • 3. Risk Assessment
    Fast pace of the IT environment in business
    • The company must be aware of and deal with the risks it faces.
    • Set objectives so that the organization operates in concert.
    • Risk assessment is important to provide a framework for allocating audit resources to achieve maximum benefits
      – a technique to examine potential projects in the audit universe and
      – choose projects that have the greatest risk exposure.
      – Potential audit projects are unlimited and require prioritization
      – Provides explicit criteria for systematic evaluation and selection of audit projects
  • 4. Risk Assessment Process
    Each step lists its goal, key question(s) and example(s):
    – Step 1. Goal: Set objectives. Key question: What are we trying to achieve? Example: Produce reliable financial statements.
    – Step 2. Goal: Identify risks to achieving those objectives. Key question: What could happen that would affect our objectives? Example: A natural disaster could destroy computer systems and data.
    – Step 3. Goal: Assess risk. Key questions: What are the consequences of the risk? What is the likelihood the event will occur? Example: Consequences are severe; likelihood is slight.
    – Step 4. Goal: Manage risk. Key question: In light of the assessment, what is the most cost-effective way to manage the risk? Examples: Insure against loss. Develop a business recovery plan. Self-insure.
    Control activities:
    – Step 5. Goal: Define control objective. Key question: For risks to be managed through internal control, what are the control objectives? Example: Implement a recovery plan that reduces the impact of a natural disaster.
    – Step 6. Goal: Design control. Key question: How should the control be designed to prevent or detect the identified risk? Examples: Design recovery plan. Implement plan. Test on a regular basis.
  • 5. Audit Plan
    • Define scope according to organizational goals and policies
      – Budgets of time and costs
    • State objectives
      – Priorities
    • Structure an orderly approach
    • Provide for measurement of achievement
    • Assure reasonable comprehensiveness
    • Provide flexibility in approach
  • 6. Audit Scheduling
    • Create annual schedule
      – Agreement from the board on audit areas
      – Communicate the audit areas with the functional departments
    • Linked to current business objectives and risks
      – Costs
        • Potential loss of goodwill
        • Loss of revenue
        • Noncompliance with laws and regulations
      – Time availability
        • High-risk prioritization
    • Schedule changes
      – Informed/communicated
  • 7. Audit Budgeting
    • Budget coordination
      – Human resources
        • Training (for error-correction action/recommendation)
      – Understand the capabilities and availabilities
        • High-level auditing areas, sensitive areas
    • Preparation
    • Scope objectives clearly stated, including
      – process areas
      – controls
      – functional area
      – time period
      – other specifics
    • Prioritization
      – High priority – must be performed
      – Lowest priority – may be scrapped
  • 8. Audit Workflow
  • 9. Internal Controls
    • Sets the tone of the company
    • Senior management must set an appropriate “Tone at the Top” that positively influences the control consciousness of the personnel.
    • This is the foundation for all other components of internal controls and provides discipline and structure.
    • Factors that contribute to an effective control environment
      – Integrity and Ethical Values
      – Commitment to Competence
      – Management’s Philosophy and Operating Style
      – Organizational Structure
      – Assignment of Authority and Responsibility
      – Human Resources Policies and Practices
      – IT Considerations
    • Control policies and procedures must be established and executed to help ensure the actions identified by management to address risks are carried out.
  • 10. Monitoring
    • The entire control process must be monitored.
    • A process that assesses the quality of internal control performance over time.
    • Examples of monitoring activities
      – The regular management and supervisory activities carried out in the normal course of business
      – Communications from external parties, which can corroborate internally generated information or indicate problems
        • Customers corroborate billing data
        • Customer complaints
      – External auditors regularly provide recommendations on the way internal controls can be strengthened.
      – Employees may be required to “sign off” to evidence performance of control functions.
  • 11. IT Audit Standards
    • COSO
    • COBIT
    • ITIL
    • ISO
    Background
    • When the savings and loan industry collapsed in the mid-1980s → the US government wanted more control
    • In an effort to deter governmental intervention, an independent private-sector initiative, later called COSO, was initiated in 1985 to assess how best to improve the quality of financial reporting.
  • 12. Committee of Sponsoring Organizations
    • COSO formalized the concepts of internal control and framework in 1992 when it issued the landmark publication Internal Control-Integrated Framework.
    • Boeing uses COSO as its internal audit foundation
    • Since that time, other professional associations have continued to develop additional frameworks
    • Sponsors
      – American Institute of Certified Public Accountants (AICPA)
      – American Accounting Association (AAA)
      – Financial Executives Institute (FEI)
      – Institute of Internal Auditors (IIA)
      – Institute of Management Accountants (IMA)
  • 13. Scoping – The COSO Framework
    • Control Environment
      – Sets the tone of the organization, influencing the control consciousness of its people
      – Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and IT environment
      – Foundation for all other components of control
    • Risk Assessment
      – Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities
    • Control Activities
      – Policies/procedures that ensure management directives are carried out
      – Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties
    • Information & Communication
      – Pertinent information identified, captured and communicated in a timely manner
      – Access to internally and externally generated information
      – Flow of information that allows for successful control actions, from instructions on control responsibilities to summary of findings for management action
    • Monitoring
      – Assessment of a control system’s performance over time
      – Combination of ongoing and separate evaluation
      – Management and supervisory activities
      – Internal audit activities
  • 14. The New Box
    What Does the Future Hold?
    [Figure: cube diagram. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Objective category shown: Strategic. Entity levels: Entity-Level, Division, Business Unit, Subsidiary.]
  • 15. COSO & IT Control
    • COSO introduces the concept of controls over information systems.
    • Classifies information systems control activities:
      – General computer control
        • IT management, IT infrastructure, and software acquisition, development, and maintenance
      – Application control
  • 16. International Standard Organization
    ISO 27001/ISO 17799/BS 7799
    • Mainly for management of information security
    • ISO 17799 addresses 11 major areas within the information security discipline:
      – Security policy
      – Organization of information security
      – Asset management
      – Human resources security
      – Physical and environmental security
      – Communications and operations management
      – Access control
      – Information systems acquisition, development, and maintenance
      – Information security incident management
      – Business continuity management
      – Compliance
  • 17. Control Objectives for Information and Related Technologies
    CoBIT
    • First published in April 1996
    • The foremost internationally recognized framework for IT governance and control. The most recent version, CoBIT 4.0, was released in 2005.
    • Developed by the IT Governance Institute (ITGI) of ISACA using a worldwide panel of experts from industry, academia, government, and the IT security and control profession.
    • In-depth research was conducted across a wide variety of global sources in order to pull together the best ideas from all germane technical and professional standards.
      – represents a generally applicable and internationally accepted standard of good practice for IT controls.
      – independent of technical platform.
      – management and business process owner-oriented.
      – the international de facto standard for IT governance
  • 18. COBIT Framework
  • 19. IT Infrastructure Library
    • ITIL
      – The IT Infrastructure Library (ITIL) was developed by the U.K. government in the mid-1980s
      – Has become a de facto standard for best practices in the provision of IT infrastructure management and service delivery
  • 20. Auditing Web Applications
    • The best compilation of common web application issues is maintained by the Open Web Application Security Project (OWASP).
    • According to its website, it is "dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted."
    • The OWASP "top ten" have made their way into standards, such as the Payment Card Industry (PCI) standard, and these "top ten" are regarded as a set of minimum standards you should examine during an audit.
  • 21. Web Audit Example?
    • Coverage/Scope
      – Platform
      – Server
      – Application
      – Audit aspects
        • Functional
        • Services
        • Performance
        • Security
  • 22. Quick Exercise
    • Create brief risk assessments
      – Web services
      – Comments on which standard to select