Meeting 7: Internal Control System
Course: A0274/Management of the Information Systems Audit Function (Pengelolaan Fungsi Audit Sistem Informasi)
Year: 2005
Version: 1/1
Learning Outcomes
At the end of this meeting, students are expected to be able to:
• Demonstrate an understanding of the Internal Control System.
Outline of Material
• Risk Assessment
– Risk Assessment: Internal Perspective
– Risk Assessment: External Perspective
• Control Strategies
– Fourfold Perspective of Controls Model
• Prediction
• Prevention
• Detection
• Correction
– Information Systems and Controls Model
• Physical Controls
• Computer Controls: General
• Computer Controls: Application
– An Internal Audit Function
– Corporate Governance
• Audit Committee
• Information Technology Governance
– Logs and Auditability
– Segregation of Duties
– Investigation Procedures
Risk Assessment
• Risk assessment is a critical step in
building an effective internal control
system that has the ability to manage
undesirable events, primarily because it
strategically focuses attention on the most
likely trouble spots with the highest costs
rather than general protection. The IIA
focuses on risk assessment in internal
auditor activities and standards.
• The five major areas of internal control
include:
– Control Environment
– Risk Assessment
– Information and Communication
– Monitoring
– Control Activities
Risk Assessment: Internal Perspective
• An effective risk assessment must
emphasize a good understanding of the
internal risks.
Risk Assessment: External Perspective
• An effective risk assessment must also
emphasize a good understanding of the external
risks, especially if the firm has a web server
connected to its internal systems or has remote
access to networks. If the company has remote
access to its computer systems, it should be
concerned about unauthorized access by users
external to the organization.
• If the company has employed electronic
commerce, there are a number of risks to
consider.
• While online, there is a risk that the data used in
an e-commerce transaction might be stolen.
• The highest risk associated with the Internet is
neither hackers nor crackers but viruses and worms.
It is relatively easy to spread malicious code as an
attachment to e-mail. And while it is virtually
impossible to activate a virus by simply opening
an e-mail message, Microsoft complicated that
by allowing the automatic opening of
attachments in Outlook. Almost all wide-spread
viruses depend on the features of Outlook (e.g.,
automatically opened attachments) and the
address book on each computer.
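The preventive control that follows from the passage above is to stop executable attachments at the mail gateway before a desktop client can auto-open them. The following example is added here and is not part of the original lecture material; the extension list, the sample message and the sender/recipient addresses are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that a Windows mail client would hand straight to the shell.
# The list is an assumption for this example; a real gateway uses a longer one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".cmd", ".com", ".hta"}


def attachment_findings(raw_message: str) -> list:
    """Walk every MIME part of a message and report attachments that a mail
    gateway should quarantine before the desktop client auto-opens them."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        # "photo.jpg.exe" -> [".jpg", ".exe"]; the last entry is what Windows runs
        exts = ["." + piece for piece in filename.lower().split(".")[1:]]
        reasons = []
        if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension " + exts[-1])
            if len(exts) > 1:
                reasons.append("double extension disguises the payload")
            if not part.get_content_type().startswith("application/"):
                reasons.append("Content-Type " + part.get_content_type() + " disagrees with the file name")
        if reasons:
            findings.append({"filename": filename, "content_type": part.get_content_type(), "reasons": reasons})
    return findings


def build_sample_message() -> str:
    """Constructed sample: one legitimate PDF and one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Your statement"
    msg.set_content("Please see the attached statement.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake", maintype="image", subtype="jpeg", filename="photo.jpg.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in attachment_findings(build_sample_message()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

The check keys on the last extension because that is what the operating system uses to decide how to open the file, whatever the sender wrote in Content-Type; a production gateway would add signature scanning and would usually strip or rename the attachment rather than only reporting it.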
• There are several other problem areas or
risks associated with e-mail.
Control Strategies
• Effective control activities can help to
mitigate the risks identified in the risk
assessment.
Fourfold Perspective of Controls Model
• Before developing management policies,
management needs to have a general
understanding of how to design effective
internal controls.
Prediction
• The first area, prediction, is the most
difficult.
Prevention
• Secondly, activities should be implemented
where the objective is to prevent malicious
activities.
• A better control is a firewall that has multiple
layers: a combination of routers, filters, proxy
servers, software, and so on, used to provide a
shield that can be compared to an onion with its
many layers of skin. Preventive controls are also
necessary in software applications to prevent
errors in data.
Detection
• It is much easier to develop controls for
detection, the third perspective.
Correction
• The last perspective, correction, is another
fruitful source of controls.
Information Systems and Controls Model
• A second model applies to controls in
general: physical and computer.
Physical Controls
• Physical controls involve controls of a manual
nature.
• Transaction authorization needs physical
controls (i.e., manual controls) to ensure all
material transactions are processed by the
accounting system with integrity and in
compliance with management policies and
objectives. Using management decision rules,
certain recurring transactions become a
programmed procedure, or operate under
general authority. Other decisions of a nonroutine nature need specific authority.
• Segregation of duties is another important
type of physical control.
• Three good rules of thumb for developing
segregation of duties controls are:
– Separate authorization of transactions from
processing them
– Separate custody of assets from record
keeping
– Create controls such that a successful fraud
can only be perpetrated through collusion
• The latter generally can be accomplished
by separating steps of the process
between different individuals. Also, make
sure segregation of duties extends beyond
the typical area of basic accounting
functions.
• Some of the controls that illustrate proper
segregation of duties in information systems are:
– Separate systems development from computer
operations.
– Separate new systems development from
maintenance, which also should increase the quality
of documentation.
– Separate the database administrator (DBA) from
other database and systems functions, computer
operations, development and maintenance.
– Separate data library function from computer
operations, development and maintenance.
– Use of a data control group.
• Management also will assess the integrity
of the computer system and data on an
ongoing basis as a part of independent
verification. Internal controls should also
be implemented for independent
verification of data. A classic control in this
category is the comparison of physical
assets with accounting records but it also
includes controls such as reviewing
management reports.
Computer Controls: General
• They would include controls such as
locked doors for sensitive areas (e.g., data
storage, mainframe room). They should
also include controls regarding the
development of new systems.
• These controls might include:
– Requiring a written request with justification from
user(s)
– Requiring a written evaluation and authorization of
this request by information systems staff
– Requiring the design of the application by a cross-functional team that includes a CISA or CIA (to ensure
the inclusion of adequate controls during
development)
– Requiring adequate documentation procedures
– Requiring a written report on the testing (probably reintroducing the CISA or CIA to the process at this point)
– Requiring full off-line testing for new
applications, hardware, or systems before
activation online
– Requiring training on new applications before
implementation
• Major changes to existing software
systems should generally follow the same
set of controls.
• There should also be controls regarding
computer operations.
• Access to programs and data is critical
and needs controls; these have already been
discussed.
Computer Controls: Application
• They include:
– Input controls
– Processing controls
– Output controls
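The three application control categories listed above, together with the preventive controls "in software applications to prevent errors in data" mentioned under Prevention, are easiest to see on a concrete batch. The example below is added here and is not code from the lecture or from any particular audit package; the record layout, the payment ceiling, the vendor-id format and the sample batch are all constructed for illustration. It applies input edits (field count, numeric type, range, format and a mod-10 check digit) to each record, refuses to post the batch unless its control totals match the header prepared by the originating department (a processing control), and produces a reconciliation proving accepted plus rejected equals input (an output control).

```python
import re
from dataclasses import dataclass

MAX_PAYMENT_CENTS = 50_000_000               # single-payment ceiling; assumed policy value
VENDOR_ID_PATTERN = re.compile(r"^V\d{3}$")  # assumed vendor-id format


@dataclass
class Transaction:
    account: str       # account number whose last digit is a Luhn (mod-10) check digit
    amount_cents: int
    vendor_id: str


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit: catches any single mistyped digit and most transpositions."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def input_edits(line: str):
    """Input controls on one record. Returns (Transaction, []) or (None, [errors])."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 3:
        return None, ["expected 3 fields, got %d" % len(fields)]
    account, amount, vendor = fields
    errors = []
    if not luhn_valid(account):
        errors.append("account check digit failed")
    try:
        amount_cents = int(amount)
    except ValueError:
        errors.append("amount is not numeric")
        amount_cents = 0
    else:
        if amount_cents <= 0 or amount_cents > MAX_PAYMENT_CENTS:
            errors.append("amount out of range")
    if not VENDOR_ID_PATTERN.match(vendor):
        errors.append("vendor id malformed")
    if errors:
        return None, errors
    return Transaction(account, amount_cents, vendor), []


def _int_or_zero(text: str) -> int:
    try:
        return int(text)
    except ValueError:
        return 0


def batch_totals(lines) -> dict:
    """Control totals the originating department computes before sending the batch;
    recomputed on receipt to prove nothing was lost or altered in transit."""
    fields = [[f.strip() for f in line.split(",")] + ["", ""] for line in lines]
    return {
        "count": len(lines),
        "amount": sum(_int_or_zero(f[1]) for f in fields),   # financial total
        "hash": sum(_int_or_zero(f[0]) for f in fields),     # hash total of account numbers
    }


def process_batch(lines, header: dict) -> dict:
    """Processing control: post only if totals match the header.
    Output control: exception list plus a reconciliation of accepted + rejected = input."""
    totals = batch_totals(lines)
    if totals != header:
        return {"batch_complete": False, "recomputed": totals,
                "accepted": [], "rejected": [], "reconciliation": None}
    accepted, rejected, rejected_amount = [], [], 0
    for line in lines:
        tx, errors = input_edits(line)
        if tx is None:
            rejected.append((line, errors))   # goes to a suspense file for correction
            rejected_amount += _int_or_zero((line.split(",") + ["", ""])[1].strip())
        else:
            accepted.append(tx)
    accepted_amount = sum(tx.amount_cents for tx in accepted)
    reconciliation = {
        "input_amount": header["amount"],
        "accepted_amount": accepted_amount,
        "rejected_amount": rejected_amount,
        "balanced": accepted_amount + rejected_amount == header["amount"],
    }
    return {"batch_complete": True, "accepted": accepted,
            "rejected": rejected, "reconciliation": reconciliation}


# Constructed sample batch: account,amount_cents,vendor_id
SAMPLE_BATCH = [
    "1234567897,125000,V001",   # valid
    "1234567890,5000,V002",     # wrong check digit (should end in 7)
    "0000000018,-300,V003",     # negative amount
    "0000000018,4200,V004",     # valid
]
SAMPLE_HEADER = {"count": 4, "amount": 133900, "hash": 2469135823}

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print("batch complete:", result["batch_complete"])
    for line, errors in result["rejected"]:
        print("rejected", line, "->", errors)
    print(result["reconciliation"])
```

Note that the hash total is computed over every record received, including ones the input edits later reject: its job is to prove the batch arrived intact, while the reconciliation at the end proves that every rejected amount is still accounted for in the suspense file rather than silently dropped.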
An Internal Audit Function
• The most important general control activity
is an internal audit function. Each
enterprise must have an independent
source for developing and verifying
controls, above and beyond what the
external auditors might do in a financial
audit.
Corporate Governance
• A key control strategy is an effective
corporate governance structure. This
strategy begins with the internal auditor
function and includes an effective audit
committee and information technology
governance.
Audit Committee
• Another key major control activity is an adequate
audit committee. But having an audit committee
is not the same as having an effective audit
committee.
• Companies need an audit committee for several
reasons.
• The organizational structure of the committee is
also important.
• Leadership refers to the chair of the audit
committee.
• Lastly, the audit committee needs to be
proactive.
Information Technology Governance
• Information technology governance is
similar to corporate governance in its
objectives and is a prime service of
ISACA.
• The objectives of information technology
governance are to:
– Understand the issues and the strategic
importance of information technology
– Ensure that the enterprise can sustain its
operations
– Ascertain it can implement the strategies
required to extend its activities into the future
• Information technology governance should address the
following:
– Appropriate and adequate business and information
technology performance measures
– Appropriate and adequate business and information
technology outcome drivers
– Information technology strategic and alignment issues
– Best practices in information technology governance
– Questions boards and management should ask
Logs and Auditability
• The last control activities area is that of logs.
The more an enterprise is dependent on
systems, automation and computers, the more
invisible audit trails tend to become.
• One effective control is the implementation of
computer logs.
• If the entity is connected to the Internet, logs
become even more important. Logs should be
used to track data such as sites visited, files
downloaded or uploaded, time spent on the
Internet, etc.
• Hacking tools might be an indication of an
employee preparing to hack into the
organization’s system.
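The two slides above describe what a proxy log should make auditable (sites visited, files downloaded or uploaded, time online) and one signal to look for in it (an employee fetching hacking tools). The example below is added here and is not part of the lecture; the log format, the six log lines, the host names and the tool watch list are all constructed for illustration. It summarizes each user's activity and flags downloads whose file name matches the watch list.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: "timestamp user client_ip method url status bytes".
SAMPLE_LOG = """\
2005-03-14T09:02:11 alice 10.0.0.5 GET http://intranet.example.com/policies.html 200 4120
2005-03-14T09:15:40 alice 10.0.0.5 GET http://news.example.org/index.html 200 23011
2005-03-14T10:01:03 bob 10.0.0.9 GET http://files.example.net/tools/nmap.tar.gz 200 1895221
2005-03-14T10:04:55 bob 10.0.0.9 GET http://files.example.net/tools/john.zip 200 512300
2005-03-14T10:30:00 bob 10.0.0.9 POST http://upload.example.net/drop 200 31337
2005-03-14T11:12:09 carol 10.0.0.7 GET http://www.example.com/ 403 0
"""

# Names of well-known scanning and password-cracking tools. The watch list is an
# assumption for this example; in practice the security team maintains it.
TOOL_NAMES = ("nmap", "john", "nessus", "cain", "l0phtcrack")
DOWNLOAD_SUFFIXES = (".zip", ".tar.gz", ".exe", ".rar", ".msi")


def parse_line(line: str) -> dict:
    ts, user, ip, method, url, status, size = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user, "ip": ip, "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def summarize(log_text: str) -> dict:
    """Per-user audit trail: hosts visited, files moved in and out, time span online,
    and any successful download whose file name starts with a watch-listed tool name."""
    users = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = users.setdefault(rec["user"], {
            "hosts": set(), "downloads": 0, "uploads": 0, "bytes": 0,
            "flagged": [], "first": rec["time"], "last": rec["time"]})
        parsed = urlparse(rec["url"])
        s["hosts"].add(parsed.hostname)
        s["bytes"] += rec["bytes"]
        s["first"] = min(s["first"], rec["time"])
        s["last"] = max(s["last"], rec["time"])
        path = parsed.path.lower()
        if rec["method"] == "POST":
            s["uploads"] += 1                      # data leaving the organisation
        elif rec["status"] == 200 and path.endswith(DOWNLOAD_SUFFIXES):
            s["downloads"] += 1
            filename = path.rsplit("/", 1)[-1]
            if filename.startswith(TOOL_NAMES):
                s["flagged"].append(rec["url"])
    for s in users.values():
        s["minutes_online"] = int((s["last"] - s["first"]).total_seconds() // 60)
    return users


if __name__ == "__main__":
    for user, s in summarize(SAMPLE_LOG).items():
        print(user, sorted(s["hosts"]), s["downloads"], "downloads,",
              s["uploads"], "uploads,", s["minutes_online"], "min, flagged:", s["flagged"])
```

Matching on file names is deliberately crude (it cannot tell a renamed binary from a harmless one, and "johnson.zip" would trip the "john" entry); it is the cheap first pass an auditor runs over the log to decide where to look, and the hits then go through the investigation procedures described later.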
Segregation of Duties
• Another primary objective of internal
controls is the effective use of segregation
of incompatible duties.
• Three rules to observe are to separate
transaction authorization from transaction
processing, record keeping from asset
custody, and any series of transaction
processing steps, so that collusion among
individuals would be necessary to commit
fraud.
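The three rules stated here, and the information-systems separations listed under Physical Controls (development versus operations, development versus maintenance, the DBA versus everything else, the data library versus operations), can be checked mechanically against a role assignment. The example below is added here and is not part of the lecture; the duty names, roles, users and the vendor-payment process are constructed for illustration. The first check finds users holding an incompatible pair of duties (rules one and two plus the IS separations); the second finds users who can perform every step of a process alone, which is exactly the situation rule three is meant to rule out.

```python
from itertools import combinations

# Duty pairs that must never sit with one person. Duty and role names are
# assumptions made for this example.
INCOMPATIBLE_DUTIES = {
    frozenset({"authorize_transaction", "process_transaction"}),
    frozenset({"asset_custody", "record_keeping"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "maintenance"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "maintenance"}),
    frozenset({"data_library", "computer_operations"}),
}

# Constructed role definitions and user-to-role assignments.
ROLE_DUTIES = {
    "ap_clerk": {"process_transaction", "record_keeping"},
    "ap_manager": {"authorize_transaction"},
    "treasury": {"asset_custody"},
    "developer": {"systems_development"},
    "operator": {"computer_operations"},
    "dba": {"database_administration"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager", "ap_clerk"},            # authorizes and processes
    "carol": {"developer", "operator"},            # writes code and runs production
    "dave": {"dba"},
    "erin": {"ap_manager", "ap_clerk", "treasury"},  # can pay a vendor end to end
}
PROCESSES = {
    "vendor_payment": ["authorize_transaction", "process_transaction", "asset_custody"],
}


def duties_of(user: str, user_roles: dict, role_duties: dict) -> set:
    """All duties a user holds through every role assigned to them."""
    return set().union(*(role_duties.get(r, set()) for r in user_roles.get(user, set())))


def sod_violations(user_roles: dict, role_duties: dict) -> dict:
    """Users whose combined roles grant an incompatible pair of duties."""
    report = {}
    for user in user_roles:
        duties = duties_of(user, user_roles, role_duties)
        clashes = [pair for pair in combinations(sorted(duties), 2)
                   if frozenset(pair) in INCOMPATIBLE_DUTIES]
        if clashes:
            report[user] = clashes
    return report


def single_actor_processes(processes: dict, user_roles: dict, role_duties: dict) -> dict:
    """For each process, users who can perform every step alone, i.e. without collusion."""
    result = {}
    for name, steps in processes.items():
        solo = [u for u in sorted(user_roles)
                if set(steps) <= duties_of(u, user_roles, role_duties)]
        if solo:
            result[name] = solo
    return result


if __name__ == "__main__":
    for user, clashes in sod_violations(USER_ROLES, ROLE_DUTIES).items():
        print(user, "holds incompatible duties:", clashes)
    for process, users in single_actor_processes(PROCESSES, USER_ROLES, ROLE_DUTIES).items():
        print(process, "can be completed alone by:", users)
```

The pairwise check is what most identity-governance products call an SoD rule set; the process check is the one auditors usually have to build themselves, and it is the more useful of the two because a user can pass every pairwise rule and still hold the complete chain of a process through three separate roles.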
Investigation Procedures
• Management must also consider what
specific procedures should be employed to
protect against internal threats. Key
positions, including executives, may
require a background search.
The End