Lecture material for the course Control and Auditing Information Systems at UIN Suska Riau.
It covers the fundamentals and theory of control and audit. These slides are theory only, not specifics, because they were prepared as a class assignment from the lecturer.
1. Information System of UIN Suska Riau
Course: Control and Audit Information System
Created by
Date: Saturday, 07 January 2017
3. Auditing
Information technology (IT) developments have had tremendous impact on
auditing.
Business organizations undergo different types of audits for different
purposes.
Most common are external (financial) audits, internal audits and fraud audits.
4. External Audits
Independent attestation performed by an expert (i.e., CPA) who expresses an
opinion regarding the fair presentation of financial statements.
Required by SEC for all public companies.
Key concept is independence:
Similar to a trial by judge.
Auditor collects evidence and renders opinion.
Basis of public confidence in financial statements.
Strict rules must be followed.
Defined by SEC, FASB, AICPA and SOX.
5. Internal Audits
Internal auditing is an independent appraisal function to examine and evaluate
activities within, and as a service to, an organization.
Internal auditors perform a wide variety of activities including financial,
operational, compliance and fraud audits.
Auditors may work for the organization or task may be outsourced.
Independence is self-imposed, but auditors represent the interests of the
organization.
6. External vs Internal Auditor
External auditors represent outsiders while internal auditors represent
organization’s interests.
Internal auditors often cooperate with and assist external auditors in some
aspects of financial audits.
Extent of cooperation depends upon the independence and competence
of the internal audit staff.
External auditors can rely in part on evidence gathered by internal audit
departments that are organizationally independent and report to the board of
directors’ audit committee.
7. The IT Audit
First step is audit planning which includes the analysis of audit risk.
Techniques for gathering evidence include questionnaires, management
interviews, reviewing system documentation and observing activities.
Objective of tests of controls is to determine if adequate controls are in place
and functioning.
Third phase focuses on financial data and a detailed investigation of specific
account balances and transactions through substantive tests.
Files may be extracted using Computer-Assisted Audit Tools and Techniques
(CAATTs) software.
8. Internal Control
Management required by law to establish and maintain adequate system of internal
controls.
Brief history of internal control legislation:
SEC Acts of 1933 and 1934.
Copyright Law of 1976.
Foreign Corrupt Practices (FCPA) of 1977 requires companies registered with
the SEC to:
Keep records that fairly and reasonably reflect firm’s transactions and
financial position.
Maintain a system of internal control that provides reasonable assurance
that organization objectives are met.
Committee of Sponsoring Organizations - 1992
9. Continued..
Sarbanes-Oxley Act of 2002 (SOX) requires management of public companies to
implement adequate internal control system over their financial reporting
process. Under Section 302:
Managers must certify organization’s internal controls quarterly and annually.
External auditors must perform certain procedures quarterly to identify any
material control modifications that may impact financial reporting.
Section 404 requires management of public companies to assess the effectiveness
of their internal controls in an annual report.
10. Internal Control System
Internal control system comprises policies, practices, and procedures to achieve four
broad objectives:
Safeguard assets of the firm.
Ensure accuracy and reliability of accounting records and information.
Promote efficiency in the firm’s operations.
Measure compliance with management’s prescribed policies and procedures.
12. Operating System Security
Log-On Procedure:
First line of defense against unauthorized access consisting of user IDs and passwords.
Access Token:
Contains key information about the user which is used to approve actions attempted
during the session.
Access Control List:
Assigned to each IT resource and used to control access to the resource.
Discretionary Access Privileges:
Allows user to grant access to another user.
13. Operating System Security
Access Privileges
Verify that access privileges are consistent with separation of incompatible functions and
organization policies.
Viruses & Destructive Programs
Verify effectiveness of procedures to protect against programs such as viruses, worms,
back doors, logic bombs, and Trojan horses.
Password Control
Ensure adequacy and effectiveness of password policies for controlling access to the
operating system.
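The access-privilege test on this slide (privileges consistent with separation of incompatible functions) can be automated once the access control lists are exported. The following is an added example, not code from the slides or the course: it inverts a constructed ACL into per-user privilege sets and reports every user who holds both halves of an incompatible function pair. The resource names and the incompatibility policy are constructed sample data.

```python
# Constructed sample data (not from the slides): one access control list per
# IT resource, mapping the resource to the users allowed to use it.
ACL = {
    "create_vendor":   {"alice", "bob"},
    "approve_invoice": {"bob", "carol"},
    "issue_payment":   {"alice", "dave"},
    "reconcile_bank":  {"dave"},
}

# Constructed separation-of-duties policy: pairs of functions that the same
# user must never hold together (the organization's policy defines these).
INCOMPATIBLE = [
    ("create_vendor", "issue_payment"),
    ("approve_invoice", "issue_payment"),
    ("issue_payment", "reconcile_bank"),
]


def privileges_by_user(acl):
    """Invert the resource-centred ACL into a user-centred view."""
    users = {}
    for resource, members in acl.items():
        for user in members:
            users.setdefault(user, set()).add(resource)
    return users


def find_sod_violations(acl, incompatible):
    """Return sorted (user, function_a, function_b) tuples for every user
    who holds both functions of an incompatible pair."""
    violations = []
    for user, funcs in privileges_by_user(acl).items():
        for a, b in incompatible:
            if a in funcs and b in funcs:
                violations.append((user, a, b))
    return sorted(violations)


if __name__ == "__main__":
    for user, a, b in find_sod_violations(ACL, INCOMPATIBLE):
        print(f"{user}: holds both {a} and {b}")
```

The same check applied after a discretionary grant (a user granting access to another user) shows whether the grant created a new conflict.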
14. Threats
1. Subversive threats: Verify the security and integrity of financial transactions.
2. Determine whether network controls (1) can prevent and detect illegal access; (2) will render
captured data useless; and (3) are sufficient to preserve the integrity and security of data.
15. Network Control
Purpose of network control is to:
Establish communications sessions.
Manage the flow of data across the network.
Detect and resolve data collisions between nodes.
Detect line failure or signal degeneration errors.
Two or more signals transmitted simultaneously will result in data collision which
destroys messages.
Polling is the most popular technique for establishing a communication session in WANs.
Token passing involves transmitting a special signal around the network. Only the
node possessing the token is allowed to transmit data.
17. Database Approach
Access to the data resource is controlled by a database management system (DBMS).
Centralizes organization’s data into a common database shared by the user community.
All users have access to data they need which may overcome flat-file problems.
Elimination of data storage problem: No data redundancy.
Elimination of data updating problem: Single update procedure eliminates currency
of information problem.
Elimination of task-data dependency problem: Users only constrained by legitimacy
of access needs.
19. Audit Procedures for Testing Database Access Control
Backup policy should balance inconvenience of frequent activity against business disruption caused by system failure.
Verify that automatic backup procedures are in place and functioning and that copies of the database are stored off-site.
Verify backups are performed routinely and frequently.
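The two verification steps above (backups performed routinely and frequently, and copies stored off-site) can be tested against a backup job log. This is an added example, not code from the slides or the course: it parses constructed log lines and reports failed jobs, gaps between successful backups longer than a policy interval, and days with an on-site copy but no off-site copy. The log format and the 36-hour maximum gap are assumptions.

```python
from datetime import datetime, timedelta

# Constructed backup job log (not from the slides): timestamp, status, location.
BACKUP_LOG = """\
2017-01-01T02:00 OK onsite
2017-01-01T02:30 OK offsite
2017-01-02T02:00 OK onsite
2017-01-02T02:30 OK offsite
2017-01-03T02:00 FAILED onsite
2017-01-05T02:00 OK onsite
"""


def parse_log(text):
    """Turn each log line into a (datetime, status, location) tuple."""
    entries = []
    for line in text.splitlines():
        ts, status, location = line.split()
        entries.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), status, location))
    return entries


def audit_backups(entries, max_gap=timedelta(hours=36)):
    """Return (finding_kind, detail) tuples for failed jobs, gaps between
    successful backups longer than max_gap, and days lacking an off-site copy."""
    findings = []
    fmt = lambda t: t.isoformat(timespec="minutes")
    for ts, status, _ in entries:
        if status != "OK":
            findings.append(("failed_job", fmt(ts)))
    # Routine and frequent: no two successful runs further apart than max_gap.
    successes = sorted(e for e in entries if e[1] == "OK")
    for prev, cur in zip(successes, successes[1:]):
        gap = cur[0] - prev[0]
        if gap > max_gap:
            hours = gap.total_seconds() / 3600
            findings.append(("gap", f"{fmt(prev[0])}..{fmt(cur[0])} ({hours:.1f}h)"))
    # Off-site: every day with a successful on-site copy needs an off-site one.
    onsite_days = {ts.date() for ts, _, loc in successes if loc == "onsite"}
    offsite_days = {ts.date() for ts, _, loc in successes if loc == "offsite"}
    for day in sorted(onsite_days - offsite_days):
        findings.append(("no_offsite", day.isoformat()))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_backups(parse_log(BACKUP_LOG)):
        print(f"{kind}: {detail}")
```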
21. Participants in Systems Development
Systems professionals:
Analysts, engineers, database designers and programmers.
End users:
Managers, operations personnel from various functional areas, including
accountants.
Stakeholders:
Individuals with an interest in the system who are not formal end users.
Includes steering committee and both internal and external auditors.
22. Systems Development Life Cycle
When developing a new information system, there are many, many steps
that must be followed. The systems development life cycle (SDLC) is an attempt
to structure these steps.
From the perspective of a definition, the SDLC is a structured step-by-step
approach for developing information systems.
When developing a system, there are three primary choices you will make very
early in the process:
Insourcing is how much will be done by your own IT
Selfsourcing is how much can be done by the end-users.
Outsourcing is how much will be done by a third-party
organization.
24. Objective: To link individual systems projects to the strategic objectives of the firm.
Most firms establish a steering committee to provide guidance and review project
status.
May include the CEO, CFO, CIO, senior management, internal auditors, and
external parties (consultants).
Responsibilities include resolving system conflicts, reviewing projects and
assigning priorities, budgeting system development, and determining whether
or not to continue the project at various stages of development.
Two levels: strategic systems planning and project planning.
Phase 1 - System Planning
25. Involves allocation of resources at the macro level.
Time frame of 3 – 5 years with process similar to budgeting resources for other
strategic activities.
Technically not part of SDLC which pertains to specific applications.
Concerned with allocation of systems resources.
Four justifications:
A changing plan is better than no plan.
Reduces crises in systems development.
Provides authorization control for SDLC.
Systems planning tends to be a cost-effective means of managing systems
projects and application development.
Strategic System Planning
26. Purpose is to allocate resources to individual applications within the framework of
the strategic plan.
Identifying user needs, preparing proposals, evaluating proposals’ feasibility,
prioritizing and scheduling.
Two formal documents:
Project proposal provides management with a basis for deciding whether to
proceed by summarizing findings and outlining link between system and
business objectives of the firm.
Project schedule represents management’s commitment to the project.
Project Planning
27. Process to survey current system and analyze user needs.
Survey step has advantages and disadvantages:
Usually involves a detailed system survey.
Can result in current tar pit syndrome where analyst is “sucked-in” and “bogged
down” by the surveying task.
Surveying system may stifle new ideas (thinking inside the box).
Identifies aspects of old system that should be kept.
Forces analysts to fully understand the old system which will be required to
convert to the new one.
Analyst may determine root cause of problems, which may not be the system at
all.
Phase 2 - System Analysis
28. Phase 2 - System Analysis
Survey Phase Fact Gathering
Data sources:
Users
Data stores
Processes
Data flows
Controls
Transaction volumes
Error rates
Resource costs
Bottlenecks
Redundant operations
29. Fact-gathering techniques:
Observation, task participation, personal interviews, key document review.
Analyst is analyzing while gathering facts.
Systems analysis report:
Presented to management or the steering committee.
Provides survey findings, problems identified with old system, user needs and
new system requirements.
Constitutes a formal contract that specifies the objectives and goals of the
system.
Phase 2 - System Analysis
30. Purpose to produce alternative systems that satisfy identified system requirements.
Structured design approach:
Designs system from the top-down by starting with “big picture” and gradually
decomposing system into more detail until fully understood.
Designs should identify all inputs, outputs, processes and special features necessary
to distinguish one alternative from another.
Object-oriented design approach (OOD):
Builds information systems from reusable objects.
Concept of reusability is central as standard modules can be used in other systems
with similar needs.
Library of reusable modules results in less time, cost, maintenance, and testing and
improved user support and system flexibility.
Phase 3 - Conceptual System Design
31. Identify optimal solution from alternatives.
First step is a detailed feasibility study:
Technical: Existing or new technology?
Economic: Are funds available?
Legal: Any conflicts with new system and legal responsibilities?
Operational: Procedures and personnel compatible with new system?
Schedule: Is firm able to implement project in acceptable amount of time?
Second step is a cost-benefit analysis:
Identify both one-time and recurring costs, and both tangible benefits and intangible
benefits (which cannot be easily quantified).
Compare costs and benefits.
Phase 4 - System Evaluation and Selection
33. Controlling and Auditing the SDLC
System planning and analysis.
Conceptual system design impacts auditability.
Economic feasibility needs to be measured accurately.
Systems implementation.
Provide technical expertise with regard to accounting rules.
Specify documentation standards.
Verify control adequacy and compliance with SOX.
35. Provides a smooth and seamless flow of information across organization:
Standardized environment with shared database and integrated applications
that support communication.
Data remain independent of any specific application.
Extensive data sharing occurs through application-sensitive views that present
data to meet user needs.
What is ERP?
37. ERP Systems Configurations
Most based on the client-server model.
Typical two-tier model:
Server handles application and database duties.
Used in LAN applications where server demand is limited to a small population
of users.
Three-tier model:
Database and application functions separated.
Typical of large systems that use WANs.
Client initially establishes communication with the application server which
initiates a second connection to the database server.
40. Data warehousing involves extracting, converting and standardizing data from ERP
and legacy systems and loading it into a central archive – the data warehouse.
Loaded data are accessible via various query and analysis tools used for data
mining (selecting, exploring and modeling large amounts of data to uncover
relationships).
Involves sophisticated techniques that use database queries and artificial
intelligence to model real-world phenomena.
Most large ERP implementations include separate operational and data warehouse
databases.
What is Data Warehousing?
41. Modelling Data for Data Warehouse
Due to vast size, data warehouse database consists of denormalized data.
Inefficiency can be devastating.
Relationship among attributes does not change.
Data is static so nothing gained by constructing normalized tables with dynamic
links.
Relational theory does not apply to a data warehousing system.
Normalized tables pertaining to selected events may be consolidated into
denormalized tables.
43. Risk Associated with ERP
Implementation
Big bang implementation occurs when organizations switch operations from legacy
systems to ERP in a single event.
Some advantages, but numerous failures.
Initial opposition and changes cause disruption.
Phased-in implementation approach has emerged as a popular alternative.
Independent ERP units installed over time, assimilated, and integrated without
disrupting operations.
Can be used by organizations that are not diversified, with legacy system retired
over time. Process reengineering will still need to occur.
44. Risk Associated with ERP
Implementation
Opposition to changes in the business’s culture.
Choosing the wrong ERP:
Goodness of fit: No one ERP product is best for all industries.
Scalability: System’s ability to grow in terms of size, speed, workload and
transaction cost.
Choosing the wrong consultant:
Thoroughly interview potential consultants and establish explicit expectations.
45. Risk Associated with ERP
Implementation
High cost and cost overruns:
Training costs usually higher than estimated due to need for employees to learn
new procedures.
Testing and integration costs are difficult to estimate.
Database conversion requires testing, manual reconciliation and sometimes
manual input.
Management should establish key performance measures to help determine ERP
success.
Disruptions to operations:
ERP implementations usually involve business process reengineering (BPR).