Internal Control System & COBIT IT Governance, Meetings 3-4

Course : A0294/Audit SI Lanjutan (Advanced IS Audit)
Year   : 2009

Internal Control System & COBIT
IT Governance
Meetings 3-4
Risk & Control
Control is needed because there is Risk (from the Italian risicare, in English "to dare"): “the action we dare to take, which depends on how free we are to make choices”.
Bina Nusantara University
Overview of Control Concepts
• What is the traditional definition of internal control?
• Internal control is the plan of organization and the
methods a business uses to safeguard assets, provide
accurate and reliable information, promote and improve
operational efficiency, and encourage adherence to
prescribed managerial policies.
Overview of Control Concepts
• What is management control?
• Management control encompasses the following three
features:
– It is an integral part of management responsibilities.
– It is designed to reduce errors, irregularities, and achieve
organizational goals.
– It is personnel-oriented and seeks to help employees attain
company goals.
Internal Control Classifications
• The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
– Preventive, detective, and corrective controls
– General and application controls
– Administrative and accounting controls
– Input, processing, and output controls
Model of Internal Controls
• COSO Framework of Internal Control
• ISACA COBIT
• Canadian CoCo
• The IIA SAC/e-SAC
• United Kingdom Cadbury Commission
• And so on
Committee of Sponsoring Organizations
• In 1992, COSO issued the results of a study to develop a
definition of internal controls and to provide guidance for
evaluating internal control systems.
• The report has been widely accepted as the authority on
internal controls.
Committee of Sponsoring Organizations
• The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
– American Accounting Association
– American Institute of Certified Public Accountants
– Institute of Internal Auditors
– Institute of Management Accountants
– Financial Executives Institute
COSO Internal Control
Hard Controls (“Activities”)
• Reviews
• Inspections
• Policies
• Reconciliations
• Structure
• Limits of Authority
• Userids and Password
• Physical Counts
Soft Controls (“People”)
• Openness
• Shared Values
• Clarity
• Commitment to Competence
• Honesty
• High Expectations
• Communications
Five Interrelated Components of Internal Control
1. Control environment - tone at the top
2. Risk assessment - identification/analysis of risks
3. Control activities - policies and procedures
4. Information & communication - processing of info in a form and time frame to enable people to do their jobs
5. Monitoring - process that assesses the quality of internal control over time
Information Systems Audit
and Control Foundation
• The Information Systems Audit and Control
Foundation (ISACF) recently developed the
Control Objectives for Information and related
Technology (COBIT).
• COBIT consolidates standards from 36 different
sources into a single framework.
• The framework addresses the issue of control
from three vantage points, or dimensions:
ISACA Foundation
1. Information: needs to conform to certain criteria that
COBIT refers to as business requirements for
information
2. IT resources: people, application systems, technology,
facilities, and data
3. IT processes: planning and organization, acquisition
and implementation, delivery and support, and
monitoring
CobiT
• CobiT’s Control Objectives and Management
Guidelines are valuable IT governance tools that
help in the understanding and management of risks
and benefits associated with information integrity,
security and availability and the management of
related IT.
• Authoritative, up-to-date set of generally
accepted IT control objectives and control
practices for day-to-day use by business
managers and auditors.
• Structured and organized to provide a
powerful control model
• Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)
• Framework -- Senior Operational Management (Directors of IS and Audit / Controls)
• Control Objectives -- Middle Management (Mid-Level IS and IS Audit / Controls Managers)
• Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)
• Implementation Tool Set -- Any of the above
• Management Guidelines -- Management and Audit
Why and how is COBIT used?
COBIT as a response to the needs:
• Incorporates major international standards
• Has become the de facto standard for overall control over IT
• Starts from business requirements
• Is process-oriented
COBIT: best practices repository for
• IT Processes
• IT Management Processes
• IT Governance Processes
CobiT Framework IT Domains
BUSINESS OBJECTIVES
INFORMATION
IT RESOURCES
Domains: PLANNING & ORGANISATION, ACQUISITION & IMPLEMENTATION, DELIVERY & SUPPORT, MONITORING
COBIT Framework
Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT RESOURCES
• Data
• Application systems
• Technology
• Facilities
• People
PLAN AND ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality
ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes
DELIVER AND SUPPORT
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations
MONITOR AND EVALUATE
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit
Control Objectives & Control Practices
• High-level control objective
– One per process
• Detailed control objectives
– Three to 30 per process
• Control practices
– Five to seven per control objective
CobiT IT Domains Processes
PLANNING & ORGANISATION
1. Define a strategic IT plan
2. Define the information architecture
3. Determine the technological direction
4. Define the IT organization and relationships
5. Manage the investment
6. Communicate management aims and directions
7. Manage human resources
8. Ensure compliance with external requirements
9. Assess risks
10. Manage projects
11. Manage quality
CobiT IT Domains Processes
ACQUISITION & IMPLEMENTATION
1. Identify solutions
2. Acquire and maintain application software
3. Acquire and maintain technology architecture
4. Develop and maintain IT procedures
5. Install and accredit systems
6. Manage changes
CobiT IT Domains Processes
DELIVERY & SUPPORT
1. Define service levels
2. Manage third-party services
3. Manage performance and capacity
4. Ensure continuous service
5. Ensure system security
6. Identify and attribute costs
7. Educate and train users
8. Assist and advise IT customers
9. Manage the configuration
10. Manage problems and incidents
11. Manage data
12. Manage facilities
13. Manage operations
CobiT IT Domains Processes
MONITORING
1. Monitor the processes
2. Assess the internal control adequacy
3. Obtain independent assurance
4. Provide for independent audit
Framework
BUSINESS PROCESSES
What you get: INFORMATION
What you need: Information Criteria
Do they match?
Information Criteria
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability
IT RESOURCES
• data
• application systems
• technology
• facilities
• people
Information Criteria (Component-1)
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability of Information
IT Resources (Component-2)
• Data
• Application Systems
• Technology
• Facilities
• People
COBIT Domains: Information Processes (3rd Component)
• Planning / Organization
• Acquisition / Implementation
• Delivery / Support
• Monitoring
Relation to Other Control Models
• CobiT is in alignment with other control models:
– COSO
– COCO
– Cadbury
– King
CobiT: An IT control framework
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
• Promotes process focus and process ownership.
• Divides IT into 34 processes belonging to four domains: Planning, Acquiring & Implementing, Delivery & Support, Monitoring.
• Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance.
Why governance?
• “Due diligence”
• IT is strategic to the business
• IT is critical to the business
• Expectations and reality don’t match
• IT involves huge investments and large risks
Start from a Maturity Model
Maturity levels: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised
Legend for symbols used (in the original figure): Enterprise current status; International standard guidelines; Industry best practice; Enterprise strategy
Legend for rankings used
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated
Scale of IT governance maturity levels
1. Non-existence
The earliest stage, still a beginner (not yet established). There are no management processes at all; computerisation happens naturally and is not implemented according to a proper methodology. For example, the company uses computers but only for typing or for producing report tables, without direction and in an amateur fashion. In other words, computers are already in use, but a computer-based system is not yet being run.
2. Initial
Activities to build a more organised and directed computerised system have begun, but planning, design and processes are still ad hoc and not well organised.
3. Repeatable
The processes of planning, designing and implementing computer-based systems have found a more directed pattern and run according to the same pattern (the organisation begins to recognise a “methodology” for system development, a system development methodology).
4. Defined
All processes have been documented, communicated and carried out according to a sound computerised system development method.
5. Managed
Computerisation processes can be monitored and measured well, and project management of computerised system development is run in a more organised way.
6. Optimized
Best practices are followed and automated in the system, based on processes that are planned, organised and use a proper methodology.
How Does COBIT Link to IT Governance?
Figure elements: Direction (IT Strategy and Policy); Requirements; Goals; Control Objectives; Responsibilities; Information (IT Control, Risk and Assurance); Information the Business Needs to Achieve Its Objectives; IT Governance
The End