4. Sumber: ITGI, COBIT 4.1, 2007

5. IT Control and Audit,
Sandra and Frederick, 2009
CPA Review, Wiley, 2013
IT Audit, James A. Hall, 2011

6. BUSINESS OBJECTIVES
GOVERNANCE OBJECTIVES
INFORMATION
CRITERIA
•Effectivene
ss
•Efficiency
MONITOR AND
•Confidenti
EVALUATE
ality
•Integrity
•Availabilit
y
•Complianc
.
IT RESOURCES
e
•Applicatio
•Reliability
ns
•Informati
on
DELIVERY AND
•Infrastruct
ACQUIRE AND
SUPPORT
ure IMPLEMENT
•People
PLAN AND
ORGANIZE

8. When identifying risks, auditors may find it useful to employ a top-down RA to determine
which applications to include as part of control review and what tests need to be performed.
10-K
Example:
F/S
Financial Statement Risk Analysis
Approach
Financial Statements Assertion
F/S Accounts mapped
to processes;
Processes mapped BUs
Revenue
and
Receivable
s BU
1
BU
2
BU
3
Non Financial
Disclosures mapped to
processes
Mgt and
Purchases
Financial
Payroll and
Legal
and
Treasury
Reporting/Acco
Benefits
Payables
Corporat unting BU
Corporat
Corporat Investor
e
1
e
e
Relation
BU
2
BU
Risk Identification and Analysis
3
Risk Assessment
Documents:
• Risk analysis matrix by F/S
Accounts and Disclosures
• Accounts risk analysis
mapped to Business and
Critical Applications and
Underlying Technology
Prepare Risk
Control Matrix
(Manual and
Automated)
Complianc
e
Manufactur
ing
Environme
ntal
Define Risk
Assessment for
IT-GC dan ITAC
See Risk Assessment Approach in the

9. Composite scores = ∑ (risk factor weight x risk scale) and adding the totals.
The composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5 ) +…].
For this example, the auditor may determine that the general control review will include
all process with a score > 200.
Risk Factor Weighting
20
10
10
10
10
10
15
15
100
Process
Logical
Access Risk
Physical
Risk
Financial
Impact
Supports to
Application
Risk ...
Risk ...
Risk ...
Risk ...
Composite
scores
IT
Governance
Data
Center
BC &
DRP
....
5
1
5
5
3
3
5
2
375
1
1
2
1
1
1
4
2
170
5
2
2
1
5
5
5
2
245
5
3
5
1
5
5
5
2
395
...
5
1
1
1
1
1
3
2
225

10. NO.
PROSEDUR
√/Х
KKA
REF
Tujuan Audit (IT Governance= 7 kriteria informasi):
To verify that the structure of the IT function is in accordance with the level of
potential risk and in a manner that promotes a working environment.
1
Audit Procedures
Review doc, including current org chart and job desc for key function,
to determine if individual/group are performing incompatible func.
 Assess the adequacy of the structure of IT organization.
 Verify that maintenance programmers assigned to specific projects
are not also the original design programmers.
 Verify that computer operators do not have access to the
operational details of a system’s internal logic.
2
 Through observe, determine that segregation policy is followed.
Evaluasi hasil pengukuran Key Goal Indicator, terutama mengenai:
 Percent of critical IT objectives covered by risk assessment
3
 Percent of IT personnel certified according to job needs
Buat Simpulan Audit
PIC

11. NO.
PROSEDUR
√/Х
KKA
REF
Tujuan Audit (IT Services):
1
Pengelolaan Layanan dan Kualitas Layanan telah sesuai dengan service level
management (SLM) Framework dan Service Level Agreement (SLA).
Dapatkan dan pelajari daftar layanan (service catalogue) ICT, service level
management (SLM) Framework, SLA, dan Operating Level Agreement
(OLA), beserta service-level metrics masing-masing layanan. Layanan TI,
antara lain:
Sitem keamanan TI.
Help Desk.
Database administrator.
System change.
2
Lakukan wawancara dengan ICT Division untuk mendapatkan pemahaman
mengenai Pengelolaan Layanan dan Kualitas Layanan.
a. Dapatkan dan pelajari SOP dan WI, serta job description proses
Layanan TI, yang akan digunakan sebagai acuan/standar dalam
penilaian kinerja ICT.
b.
Evaluasi apakah SOP, dan WI, serta job description fungsi TI telah
secara jelas diuraikan dan dikomunikasikan kepada seluruh staf TI.
PIC

12. NO.
PROSEDUR
√/Х
KKA
REF
3
SLA dan OLA (= untuk level operational)
a.
Periksa apakah SLA dan OLA telah didefinisikan secara jelas. Misal: SLA
waktu respon dihitung mulai keluhan terjadi atau saat laporan keluhan
diterima oleh Help Desk.
b.
4
Uji kecukupan transparansi / publikasi SLA dan OLA. Misal: SLA dan OLA
telah dapat diakses oleh seluruh user.
SLA dan OLA Up-date
a.
Periksa apakah ICT Division telah melakukan reviu secara periodik atas
SLA dan OLA untuk menilai apakah SLA dan OLA up-to-date terhadap
perubahan lingkungan internal dan eksternal.
b.
5
Periksa apakah setiap keluhan/ request user telah direspon secara tepat
dan cepat oleh ICT Division.
Lakukan pengujian terhadap performance Sistem TI:
a.
Load testing: Misal: semua user diminta melakukan operasi sistem TI
secara serentak).
b. Throughput testing: Misal: untuk real-time sistem, cek apakah output
diproses segera setelah input.
c.
6
Security testing: Misal: Lakukan pengujian apakah sistem dapat
mendeteksi virus yang sengaja dimasukan. Atau, minta security tim untuk
melakukan hack, perhatikan apakah sistem dapat menangkal hack tsb.
Lakukan observasi atas pelaksanaan layanan TI. Misal: saat keluhan user
masuk ke bagian Help Desk, auditor mengamati respon terhadap keluhan
tersebut lalu bandingkan dengan SOP.
PIC

13. NO.
PROSEDUR
√/Х
KKA
REF
7
Monitor dan Reporting Service Level.
a.
8
Periksa apakah ICT Division memiliki mekanisme dan melakukan
memonitor SLA dan OLA secara kontinyu dan berkala.
Evaluasi apakah Key Goal Indicator telah mencakup seluruh process goal
yang ditetapkan.
Dapatkan dan pelajari hasil pengukuran Key Goal Indicator oleh Group TI
terkait Pengelolaan Layanan dan Kualitas Layanan, termasuk ukuran:
Jumlah layanan TIK yang tidak tercantum dalam katalog layanan.
Jumlah layanan TIK yang tidak disertai dengan service levelnya.
% service level yang diukur.
9
% service level yang memenuhi batas service level minimum.
Evaluasi hasil pengukuran Key Goal Indicator, terutama mengenai:
Kelayakan metode pengumpulan data.
Validitas data.
Deviasi antara target dan aktual.
10
11
Kelayakan action plan dari management terkait deviasi yang
unfavorable.
Lakukan wawancara dengan ICT Division.
Buat simpulan audit.
PIC

14. NO.
PROSEDUR
√/Х
KKA
REF
Tujuan Audit: (Example: Data Center)
Untuk menilai Pengelolaan Keamanan, Konfigurasi, Insiden dan Problem
telah dilaksanakan secara cukup dan efektif, mencakup proses perencanaan,
pengembangan, operasional, dan juga mencakup data dan informasi, aplikasi,
maupun infrastruktur.
Logic controls,
a.
Periksa apakah terdapat SOP bahwa:
a) Untuk log-in ke dalam sistem memerlukan ID dan password.
b) Karakter password harus minimal terdiri dari 6 karakter dan harus
merupakan kombinasi antar numerik dan alphabet.
b.
Uji apakah untuk log-in ke dalam sistem memerlukan ID dan password.
c.
Uji apakah karakter password harus minimal terdiri dari 6 karakter dan
harus merupakan kombinasi antar numerik dan alphabet.
Physical controls:
a) Observasi apakah ruangan penyimpanan fisik telah memiliki kunci
akses berupa kunci konvensional, electronic access lock, cipher lock,
atau biometric lock.
b) Periksa apakah setiap personel yang masuk ke dalam ruangan Sistem
TI telah dicatat ID, hari, jam.
c)
Dapatkan Access Control List, dan bandingkan dengan catatan personil
yang masuk ke dalam ruangan Sistem TI.
PIC

16. NO.
PROSEDUR
√/Х
KKA
REF
Tujuan Audit:
Untuk menilai Pengelolaan Keamanan, Konfigurasi, Insiden dan Problem
telah dilaksanakan secara cukup dan efektif, mencakup proses perencanaan,
pengembangan, operasional, dan juga mencakup data dan informasi, aplikasi,
maupun infrastruktur.
Physical controls:
b) Observasi apakah ruangan telah dilengkapi dengan personil keamanan
dan video surveillance cameras (CCTV).
c)
Observasi apakah prosedur darurat telah ditempelkan di ruangan.
d) Nilai kecukupan fasilitas sistem ventilasi, pendingin, dan anti
/penanganan kebakaran dalam ruangan fisik sistem TI.
e) Uji apakah ruangan dapat dimasuki oleh pihak yang tidak terotorisasi,
dengan mencoba memasuki area fisik, dengan identitas orang lain atau
melalui ventilasi udara.
f)
Uji apakah sistem ventilasi, AC,
dan pemadam kebakaran telah
beroperasi seperti yang ditentukan.
b) Uji apakah ruangan telah dilengkapi
dengan cadangan listrik dan UPS
yang cukup.
PIC

18. NO.
PROSEDUR
√/Х
KKA
REF
Tujuan Audit:
To verify the security and integrity of fin trans by determining that network
controls (1) can prevent and detect illegal access, (2) will render useless any
data that a perpetrator successfully captures, and (3) are sufficient to
preserve the integrity and physical security of data connected to the network.
1
Audit Procedures Relating to Subversive Threats
Review the adequacy of the firewall in achieving the proper balance
between control and convenience based on the org’s business
objectives and potential risks.
Criteria for assessing the firewall effectiveness include:
 Flexibility. The firewall should be flexible enough to accommodate
new services as the security needs of the organization change.
 Proxy services: to provide explicit user authentication to sensitive
services, applications, and data.
 Filtering: to deny all services that are not explicitly permitted.
 Segregation of systems: Systems that do not require public access
should be segregated from the Internet.
 Audit tools.:The firewall should provide a thorough set of audit and
logging tools that identify and record suspicious activity.
 Probe for weaknesses. Auditor should periodically probe the firewall
for weaknesses just as a computer Internet hacker would do.
PIC

19. Reporter
Severity Risk
Date and Time
Application
Access Denid
Suspicious
Behaviour
DDOS attack

20. NO.
PROSEDUR
√/Х
KKA
REF
2
3
4
5
6
Verify that an intrusion prevention system (IPS) with deep packet
inspection (DPI) is in place for organizations that are vulnerable to
DDos attacks, such as financial institutions.
Review security procedures governing the administration of data
encryption keys.
Verify the encryption process by transmitting a test message and
examining the contents at various points along the channel between
the sending and receiving locations.
Review the message transaction logs to verify that all messages were
received in their proper sequence.
Test the operation of the call-back feature by placing an unauthorized
call from outside the installation.
PIC