Course: A0274/Managing the Information Systems Audit Function
Year: 2005
Version: 1/1

Session 6
Internal Control System

Learning Outcomes
At the end of this session, students are expected to be able to:
• Explain an Internal Control System.

Outline
• Effective Internal Control Models
  – The COSO Model (AICPA, AAA, FEI, IIA and IMA)
  – The CobiT Model (ISACA)
  – The SAC and eSAC Reports (IIA)
  – SysTrust (AICPA and CICA)
  – Conclusions: Comparing and Contrasting the Models
• Regulations
  – Securities and Exchange Commission (1933, 1934)
  – Foreign Corrupt Practices Act (1977)
  – Copyright Laws (1976 et al.)
  – Environmental Laws (Various)
  – Sarbanes-Oxley Act (2002)
• Policies
  – Systems Development Life Cycle Policy
  – Systems Usage Policy (End Users)
  – Security Policy
  – Password Policy
  – E-Mail Policy
  – Business Recovery Policy
  – Privacy Policy

Effective Internal Control Models
• There are numerous proven internal control models that internal auditors can rely on in developing and maintaining an effective internal control system. These come from reliable professional organizations such as COSO, ISACA, IIA, AICPA and the Canadian Institute of Chartered Accountants (CICA).

The COSO Model (AICPA, AAA, FEI, IIA and IMA)
• The COSO Model was developed by the Committee of Sponsoring Organizations (COSO), the body originally formed to sponsor the Treadway Commission. The organizations in COSO are the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).
• COSO recognizes that people are involved with internal control as members of the board of directors (especially the audit committee), management and other entity personnel such as internal auditors.
• The cost-benefit consideration is part of the COSO Model, as is the dynamic nature of risk assessment.
The CobiT Model (ISACA)
• The CobiT Model is the culmination of the evolution of ISACA's Control Objectives.
• Its control objectives include not only objectives related to control but also audit procedures.
• CobiT helps bridge the gaps between business risks, control needs and technical issues. It is a control model, or framework, built from international input to meet the needs of information technology governance and to ensure the integrity of information and information systems on an international basis.
• CobiT classifies information technology processes into four domains:
  – Planning and organization
  – Acquisition and implementation
  – Delivery and support
  – Monitoring

The SAC and eSAC Reports (IIA)
• The SAC report also has a long history of development and evolution.
• The eSAC report defines the system of internal control, describes its components, provides several classifications of controls, describes control objectives and risks, and defines the internal auditor's role.
• The system of internal control consists of three components:
  – The control environment
  – Manual and automated systems
  – Control procedures
• The control environment includes:
  – Organization structure
  – Control framework
  – Policies and procedures
  – External influences
• Automated systems consist of systems and application software. The eSAC report discusses the control risks associated with end-user and departmental systems but neither describes nor defines manual systems. Control procedures consist of general, application and compensating controls.
• The eSAC report provides five classification schemes for internal controls in information systems:
  – Preventive, detective and corrective
  – Discretionary and non-discretionary
  – Voluntary and mandated
  – Manual and automated
  – Application and general controls
• Risks in eSAC are defined as:
  – Fraud
  – Errors
  – Business interruptions
  – Inefficient and ineffective use of resources
• The role of internal auditors is also defined in eSAC.
• Their responsibilities include ensuring the adequacy of the internal control system, the reliability of data and the efficient use of the organization's resources.
• Internal auditors are also to be concerned with preventing and detecting fraud and with coordinating their activities with external auditors.
• The integration of audit and information systems skills, and an understanding of the impact of information technology on the audit process, are necessary for internal auditors.
• Internal audit professionals now perform financial, operational and information systems audits.

SysTrust (AICPA and CICA)
• SysTrust focuses on providing assurance of the reliability of the controls of a system. To evaluate the reliability of a system objectively, the CPA evaluates SysTrust's four essential principles (availability, security, integrity and maintainability) individually against four categories of criteria: policies, communication, procedures and monitoring.
• The evaluation of a system's reliability begins by understanding the basic components of the system. A system is defined as a set of procedures used to accomplish specific results, and an information system consists of five basic components organized to transform data inputs (raw facts) into information outputs.
• These five basic components of a system are:
  – Infrastructure
  – Software
  – Personnel
  – Procedures
  – Data
• A reliable system is capable of operating without material error, fault or failure during a specified period in a specified environment.
• Availability is defined as the system being available for operation. Security is the protection of the system against unauthorized physical or logical access, covering both the physical components and the data. Integrity refers to system processing being complete, accurate and timely.

Conclusion: Comparing and Contrasting the Models
• The CobiT Model views internal control as a process that includes policies, procedures, practices and organizational structures that support business processes and objectives.

Regulations
• Internal auditors know the importance of adhering to federal and state regulations.

Securities and Exchange Commission (1933, 1934)
• The Securities Act of 1933 and the Securities Exchange Act of 1934 require all corporations that report to the Securities and Exchange Commission (SEC) to maintain a system of internal control that is evaluated as part of the annual external audit.
• The SEC laws have a direct impact on companies with publicly traded stock, especially regarding the need for a system of internal control and its evaluation.

Foreign Corrupt Practices Act (1977)
• The Foreign Corrupt Practices Act of 1977 also requires SEC-registered companies to maintain an internal control system that provides reasonable assurance that the organization's objectives are being met, and it provides penalties for violations.

Copyright Laws (1976 et al.)
• The Copyright Laws of 1976 (and other years) protect intellectual property. One aspect of intellectual property crucial to internal controls is software.
• Unauthorized software poses a legal and financial risk to firms.
• According to ISACA, information systems auditors have a responsibility regarding the risks of software piracy to:
  – Be aware of such risks
  – Communicate these risks to management
  – Review software implementation
  – Develop adequate control procedures
  – Incorporate appropriate techniques or tools in audit programs to detect unauthorized use of software

Environmental Laws (Various)
• In addition, there are federal laws regarding environmental issues that affect many organizations.

Sarbanes-Oxley Act (2002)
• Several public frauds carried out in the years before 2002 focused attention on all aspects of financial reporting. Enron collapsed after what amounted to financial fraud by some of its executive managers.

Policies
• Internal controls should have objectives related to assets, security and auditability, ideally objectives shared with executive management.
• Policies may be developed before a risk assessment is formally conducted, but if so, they must be revisited in light of an appropriate risk assessment once it has been done.

Systems Development Life Cycle Policy
• A key policy consideration is information systems, especially systems development and implementation.
• One systems development life cycle (SDLC) concept that is often overlooked in actual practice is that of taking systems off-line for upgrades, updates and so on, and bringing them back online only after the new system has been tested thoroughly. It is recommended that this concept be included as corporate policy.

Systems Usage Policy (End Users)
• A second, related area is computer usage.

Security Policy
• Internal auditors need to assist management in establishing fundamental security objectives tied to business objectives and to the assets that need protection from identified risks.
• A security policy will remind employees of the importance and value of the information they handle and of the risks or exposures that exist.

Password Policy
• A significant part of the security policy is a password policy.
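The slides describe the password policy as a control but do not show how one is enforced. The following is an added illustration, not code from the course or from any of the frameworks above: it checks a candidate password against a written policy (minimum and maximum length, no account name inside the password, not on a common or breached password list, not trivially patterned, not a reuse of recent passwords) and stores passwords as salted PBKDF2 hashes so the reuse check never needs plaintext history. The policy thresholds, the PBKDF2 iteration count and the six-entry "common password" list are all assumptions constructed for the example; a real deployment loads a full breach list.

```python
"""Password-policy enforcement as an added example (not from the slides)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a common/breached-password list. Real deployments
# load a large list or query a k-anonymity API; here it is inlined as
# upper-case SHA-1 digests, the form such lists are usually shipped in.
_COMMON_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "welcome1", "Summer2023!"]
COMMON_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _COMMON_PLAINTEXT}

PBKDF2_ITERATIONS = 200_000  # assumption: tune so one hash costs ~100 ms on the auth host


@dataclass
class PasswordPolicy:
    """Thresholds are assumptions chosen for the example, not a standard."""
    min_length: int = 12
    max_length: int = 128
    history_depth: int = 5  # how many previous password hashes may not be reused


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(candidate, digest_hex)


def check_password(policy: PasswordPolicy, username: str, candidate: str,
                   previous_hashes: List[str]) -> List[str]:
    """Return every policy violation found; an empty list means the password is accepted."""
    reasons: List[str] = []
    if len(candidate) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    if len(candidate) > policy.max_length:
        reasons.append(f"longer than {policy.max_length} characters")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the account name")
    # Compare by hash so the plaintext list never has to sit in memory in production.
    if hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper() in COMMON_SHA1:
        reasons.append("appears in the common/breached password list")
    if re.fullmatch(r"(.)\1*", candidate):
        reasons.append("is a single repeated character")
    if re.fullmatch(r"\d+", candidate):
        reasons.append("is digits only")
    # Reuse check: only the most recent history_depth hashes are consulted.
    for old in previous_hashes[: policy.history_depth]:
        if verify_password(candidate, old):
            reasons.append(f"reuses one of the last {policy.history_depth} passwords")
            break
    return reasons


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [hash_password("correct horse battery staple")]
    for user, pw in [("alice", "alice-rides-bikes-2024"), ("bob", "Summer2023!"),
                     ("carol", "correct horse battery staple")]:
        print(user, check_password(policy, user, pw, history) or "accepted")
```

The reuse check is the expensive part because every stored hash must be recomputed with its own salt; keeping history_depth small bounds that cost. A check like this is a single preventive control in the eSAC sense: it blocks weak and known-compromised passwords at the point of choice but says nothing about how the password is transmitted, how many guesses an attacker gets, or whether a stronger factor is required.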
• An effective password policy is a strategic advantage in maintaining strong internal controls and helps to minimize adverse events such as computer crime, fraud and other unauthorized activities. A well-enforced password system in operation blocks a large share of attempted unauthorized activity, although it is a single preventive control and not a substitute for the others discussed here.

E-Mail Policy
• Internal auditors should also assist management in developing an e-mail policy that describes appropriate use of corporate e-mail resources.

Business Recovery Policy
• For disaster recovery, the policy should include the basics of the disaster recovery plan.

Privacy Policy
• Information about individuals, either personal data or data about their actions, is generally considered private information.

The End