Session 6: Internal Control System (Course A0274/Management of the Information Systems Audit Function)

Course: A0274/Management of the Information Systems Audit Function
Year: 2005
Version: 1/1
Learning Outcomes
By the end of this session, students are expected to be able to:
• Describe the Internal Control System.
Outline of Material
• Effective Internal Control Models
– The COSO Model (AICPA, AAA, FEI, IIA and IMA)
– The CobiT Model (ISACA)
– The SAC and eSAC Reports (IIA)
– SysTrust (AICPA and CICA)
– Conclusions: Comparing and Contrasting the Models
• Regulations
– Securities and Exchange Commission (1933, 1934)
– Foreign Corrupt Practices Act (1977)
– Copyright Laws (1976 et al.)
– Environmental Laws (Various)
– Sarbanes-Oxley Act (2002)
• Policies
– Systems Development Life Cycle Policy
– Systems Usage Policy (End Users)
– Security Policy
– Password Policy
– E-Mail Policy
– Business Recovery Policy
– Privacy Policy
Effective Internal Control Models
• There are numerous proven internal control models that internal auditors can rely on in developing and maintaining an effective internal control system. These come from reliable professional organizations such as COSO, ISACA, IIA, AICPA and the Canadian Institute of Chartered Accountants (CICA).
The COSO Model (AICPA, AAA, FEI, IIA and IMA)
• The COSO Model was developed by the Committee of Sponsoring Organizations (COSO), originally known as the Treadway Commission. Organizations in COSO include the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).
• COSO recognizes that people are involved with internal control as members of the board of directors (especially the audit committee), management and other entity personnel such as internal auditors.
• The cost-benefit consideration is part of the COSO Model, as is the dynamic nature of risk assessment.
The CobiT Model (ISACA)
• The CobiT Model is the culmination of the evolution of ISACA’s Control Objectives.
• Control objectives include not only objectives related to control but also audit procedures.
• CobiT helps bridge the gaps between business risks, control needs and technical issues. It is a control model, or framework, intended to meet the needs of information technology governance and to ensure the integrity of information and information systems; it is applied internationally and was developed from international input.
• CobiT classifies information technology processes into four domains:
– Planning and organisation
– Acquisition and implementation
– Delivery and support
– Monitoring
The SAC and eSAC Reports (IIA)
• The SAC report also has a long history of development and evolution.
• The eSAC report defines the system of internal control, describes its components, provides several classifications of controls, describes control objectives and risks, and defines the internal auditor’s role.
• The system of internal controls consists of three components:
– The control environment
– Manual and automated systems
– Control procedures
• The control environment includes:
– Organization structure
– Control framework
– Policies and procedures
– External influences
• Automated systems consist of systems and application software. The eSAC report discusses the control risks associated with end-user and departmental systems but neither describes nor defines manual systems. Control procedures consist of general, application and compensating controls.
• The eSAC report provides five classification schemes for internal controls in information systems:
– Preventive, detective and corrective
– Discretionary and non-discretionary
– Voluntary and mandated
– Manual and automated
– Application and general controls
• Risks in eSAC are defined as:
– Fraud
– Errors
– Business interruptions
– Inefficient and ineffective use of resources
• The role of internal auditors is also defined in eSAC.
• Their responsibilities include ensuring the adequacy of the internal control system, the reliability of data and the efficient use of the organization’s resources.
• Internal auditors are also to be concerned with preventing and detecting fraud and coordinating activities with external auditors.
• The integration of audit and information systems skills and an understanding of the impact of information technology on the audit process are necessary for internal auditors.
• Internal audit professionals now perform financial, operational and information systems audits.
SysTrust (AICPA and CICA)
• SysTrust focuses on providing assurance of the reliability of the controls of a system. To evaluate the reliability of a system objectively, the CPA evaluates SysTrust’s four essential principles – availability, security, integrity and maintainability – individually against four categories of criteria – policies, communication, procedures and monitoring.
• The evaluation of a system’s reliability begins by understanding the basic components of the system. A system is defined as a set of procedures used to accomplish specific results, and an information system consists of five basic components organized to transform data inputs (raw facts) into information outputs.
• These five basic components of a system are:
– Infrastructure
– Software
– Personnel
– Procedures
– Data
• A reliable system is capable of operating without material error, fault or failure during a specified period in a specified environment.
• Availability is defined by the system being available for operations. Security is the protection of the system against unauthorized physical or logical access – including both the physical components and the data. Integrity refers to system processing being complete, accurate and timely.
Conclusion: Comparing and Contrasting the Models
• The CobiT Model views internal control as a process that includes policies, procedures, practices and organizational structures that support business processes and objectives.
Regulations
• Internal auditors know the importance of adhering to federal and state regulations.
Securities and Exchange Commission (1933, 1934)
• The Securities Act of 1933 and the Securities Exchange Act of 1934 require all corporations that report to the Securities and Exchange Commission (SEC) to maintain a system of internal control that is evaluated as part of the annual external audit.
• The SEC laws have a direct impact on companies that have publicly traded stock, especially regarding the need for a system of internal control and its evaluation.
Foreign Corrupt Practices Act (1977)
• The Foreign Corrupt Practices Act of 1977 also requires SEC companies to maintain an internal control system with reasonable assurance that the organization’s objectives are being met, and it even provides penalties for violations.
Copyright Laws (1976 et al.)
• The Copyright Laws of 1976 (and other years) protect intellectual property. One aspect of intellectual property crucial to internal controls is software.
• Unauthorized software poses a legal and financial risk to firms.
• According to ISACA, information systems auditors have a responsibility regarding the risks of software piracy to:
– Be aware of such risks
– Communicate these risks to management
– Review software implementation
– Develop adequate control procedures
– Incorporate appropriate techniques or tools in audit programs to detect unauthorized use of software
Environmental Laws (Various)
• In addition, there are federal laws regarding environmental issues that affect many organizations.
Sarbanes-Oxley Act (2002)
• Several public frauds carried out in the years prior to 2002 focused attention on all aspects of financial reporting. Enron collapsed after what amounted to financial fraud by some of its executive managers.
Policies
• Internal controls should have objectives related to assets, security and auditability – ideally, objectives shared with executive management.
• Policies may be developed before a risk assessment is formally conducted, but if so, they are definitely affected by an appropriate risk assessment.
Systems Development Life Cycle Policy
• A key policy consideration is information systems, especially systems development and implementation.
• One systems development life cycle (SDLC) concept that is often overlooked in actual practice is that of taking systems off-line for upgrades, updates, and so on, and bringing them back online only after testing the new system thoroughly. It is recommended that this concept be included as corporate policy.
Systems Usage Policy (End Users)
• A second related area is computer usage.
Security Policy
• Internal auditors need to assist management in establishing fundamental security objectives tied to business objectives and assets that need protection from identified risk.
• A security policy will remind employees of the importance and value of the information they handle and the risks or exposures that exist.
Password Policy
• A significant part of the security policy is a password policy. An effective password policy is a strategic advantage in maintaining strong internal controls and helps to minimize adverse events such as computer crime, fraud and other unauthorized activities. It has been shown that an effective password system in operation prevents the majority of potential unauthorized activities.
E-Mail Policy
• Internal auditors should also assist management in developing an e-mail policy that describes appropriate use of corporate e-mail resources.
Business Recovery Policy
• For disaster recovery, the policy should include some basics of the disaster recovery plan.
Privacy Policy
• Information about individuals, either personal data or data about actions, is generally considered private information.
The End