Information Technology Audit and Evaluation, Session 3, MTI-CIO 2012
Audit Universe
The Universe
• Inventory all potential audit areas in the organization
• Building the audit universe documents the key business processes and risks
• Best practice: incorporate enterprise-wide risk assessments into audit plans
  – Institute of Internal Auditors (IIA) Standard 2010
    • Analyze risk exposures
    • Set priorities for the internal audit activity
    • Organization objectives, supporting processes, risks to achieving those objectives, controls to mitigate the risks
  – Annual audit schedules
    • Process, duration, personnel
  – Planning
    • Organizational changes, changes in risks, introduction of new regulations
    • Re-prioritizing
    • External auditors to support/supplement internal staff
Risk Assessment
Fast pace of the IT environment in business
• The company must be aware of and deal with the risks it faces.
• Set objectives so that the organization operates in concert.
• Risk assessment is important because it provides a framework for allocating audit resources to achieve maximum benefit
  – a technique to examine potential projects in the audit universe and
  – choose the projects that have the greatest risk exposure
  – the number of potential audit projects is unlimited, so they require prioritization
  – provides explicit criteria for systematic evaluation and selection of audit projects
Risk Assessment Process
Step 1
  – Goal: Set objectives
  – Key question: What are we trying to achieve?
  – Example: Produce reliable financial statements
Step 2
  – Goal: Identify risks to achieving those objectives
  – Key question: What could happen that would affect our objectives?
  – Example: A natural disaster could destroy computer systems and data
Step 3
  – Goal: Assess risk
  – Key questions: What are the consequences of the risk? What is the likelihood the event will occur?
  – Example: Consequences are severe; likelihood is slight
Step 4
  – Goal: Manage risk
  – Key question: In light of the assessment, what is the most cost-effective way to manage the risk?
  – Examples: Insure against loss. Develop a business recovery plan. Self-insure.
CONTROL ACTIVITIES
Step 5
  – Goal: Define control objective
  – Key question: For risks to be managed through internal control, what are the control objectives?
  – Example: Implement a recovery plan that reduces the impact of a natural disaster.
Step 6
  – Goal: Design control
  – Key question: How should the control be designed to prevent or detect the identified risk?
  – Examples: Design the recovery plan. Implement the plan. Test on a regular basis.
Audit Plan
• Define scope according to organizational goals and policies
  – Budgets of time and costs
• State objectives
  – Priorities
• Structure an orderly approach
• Provide for measurement of achievement
• Assure reasonable comprehensiveness
• Provide flexibility in approach
Audit Scheduling
• Create an annual schedule
  – obtain agreement from the board on the audit areas
  – communicate the audit areas to the functional departments
• Linked to current business objectives and risks
  – Costs
    • potential loss of goodwill
    • loss of revenue
    • noncompliance with laws and regulations
  – Time availability
    • high-risk areas take priority
• Schedule changes
  – must be informed/communicated
Audit Budgeting
• Budget coordination
  – Human resources
    • Training (for error-correction actions/recommendations)
  – Understand capabilities and availability
    • High-level auditing areas, sensitive areas
• Preparation
• Scope objectives clearly stated
  – process areas
  – controls
  – functional area
  – time period
  – other specifics, including
    • Prioritization
      – High priority: must be performed
      – Lowest priority: may be scrapped
Internal Controls
• Sets the tone of the company
• Senior management must set an appropriate "Tone at the Top" that positively influences the control consciousness of personnel.
• This is the foundation for all other components of internal control and provides discipline and structure.
• Factors that contribute to an effective control environment
  – Integrity and Ethical Values
  – Commitment to Competence
  – Management's Philosophy and Operating Style
  – Organizational Structure
  – Assignment of Authority and Responsibility
  – Human Resources Policies and Practices
  – IT Considerations
• Control policies and procedures must be established and executed to help ensure that the actions identified by management to address risks are carried out.
Monitoring
• The entire control process must be monitored.
• Monitoring is a process that assesses the quality of internal control performance over time.
• Examples of monitoring activities
  – The regular management and supervisory activities carried out in the normal course of business
  – Communications from external parties, which can corroborate internally generated information or indicate problems
    • Customers corroborate billing data
    • Customer complaints
  – External auditors regularly provide recommendations on ways internal controls can be strengthened.
  – Employees may be required to "sign off" to evidence performance of control functions.
IT Audit Standards
• COSO
• COBIT
• ITIL
• ISO

Background
• When the savings and loan industry collapsed in the mid-1980s, the US government wanted more control.
• In an effort to deter governmental intervention, an independent private-sector initiative, later called COSO, was initiated in 1985 to assess how best to improve the quality of financial reporting.
Committee of Sponsoring Organizations
• COSO formalized the concepts of internal control and its framework in 1992 when it issued the landmark publication Internal Control-Integrated Framework.
• Boeing uses COSO as its internal audit foundation
• Since that time, other professional associations have continued to develop additional frameworks
• Sponsors
  – American Institute of Certified Public Accountants (AICPA)
  – American Accounting Association (AAA)
  – Financial Executives Institute (FEI)
  – Institute of Internal Auditors (IIA)
  – Institute of Management Accountants (IMA)
Scoping: The COSO Framework
• Control Environment
  – Sets the tone of the organization, influencing the control consciousness of its people
  – Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and the IT environment
  – Foundation for all other components of control
• Risk Assessment
  – The identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities
• Control Activities
  – Policies/procedures that ensure management directives are carried out
  – Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties
• Information & Communication
  – Pertinent information identified, captured and communicated in a timely manner
  – Access to internally and externally generated information
  – Flow of information that allows for successful control actions, from instructions on control responsibilities to summary of findings for management action
• Monitoring
  – Assessment of a control system's performance over time
  – Combination of ongoing and separate evaluation
  – Management and supervisory activities
  – Internal audit activities
The New Box: What Does the Future Hold?
[Figure: cube diagram. Components (front face): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Objective category shown: Strategic. Entity levels (side face): Entity-Level, Division, Business Unit, Subsidiary.]
COSO & IT Control
• COSO introduces the concept of controls over information systems.
• It classifies information systems control activities as:
  – General computer controls
    • IT management, IT infrastructure, and software acquisition, development, and maintenance
  – Application controls
International Standard Organization
ISO 27001 / ISO 17799 / BS 7799
• Mainly for the management of information security
• ISO 17799 addresses 11 major areas within the information security discipline:
  – Security policy
  – Organization of information security
  – Asset management
  – Human resources security
  – Physical and environmental security
  – Communications and operations management
  – Access control
  – Information systems acquisition, development, and maintenance
  – Information security incident management
  – Business continuity management
  – Compliance
Control Objectives for Information and Related Technologies
CoBIT
• First published in April 1996
• The foremost internationally recognized framework for IT governance and control. The most recent version, CoBIT 4.0, was released in 2005.
• Developed by the IT Governance Institute (ITGI) of ISACA using a worldwide panel of experts from industry, academia, government, and the IT security and control profession.
• In-depth research was conducted across a wide variety of global sources to pull together the best ideas from all germane technical and professional standards. CoBIT:
  – represents a generally applicable and internationally accepted standard of good practice for IT controls
  – is independent of technical platform
  – is management and business process owner-oriented
  – is the international de facto standard for IT governance
IT Infrastructure Library
• ITIL
  – The IT Infrastructure Library (ITIL) was developed by the U.K. government in the mid-1980s
  – It has become a de facto standard for best practices in the provision of IT infrastructure management and service delivery
Auditing Web Applications
• The best compilation of common web application issues is maintained by the Open Web Application Security Project (OWASP).
• According to its website, it is "dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted."
• The OWASP "top ten" have made their way into standards such as the Payment Card Industry (PCI) standard, and the "top ten" are regarded as the minimum set of issues you should examine during an audit.