Course: A0274/Pengelolaan Fungsi Audit Sistem Informasi
Year: 2005
Version: 1/1

Session 7
Internal Control System

Learning Outcomes
By the end of this session, students are expected to be able to:
• Demonstrate the Internal Control System.

Outline of Material
• Risk Assessment
  – Risk Assessment: Internal Perspective
  – Risk Assessment: External Perspective
• Control Strategies
  – Fourfold Perspective of Controls Model
    • Prediction
    • Prevention
    • Detection
    • Correction
  – Information Systems and Controls Model
    • Physical Controls
    • Computer Controls: General
    • Computer Controls: Application
  – An Internal Audit Function
  – Corporate Governance
    • Audit Committee
    • Information Technology Governance
  – Logs and Auditability
  – Segregation of Duties
  – Investigation Procedures

Risk Assessment
• Risk assessment is a critical step in building an effective internal control system that can manage undesirable events, primarily because it strategically focuses attention on the most likely trouble spots with the highest costs rather than on general protection. The IIA focuses on risk assessment in internal auditor activities and standards.
• The five major areas of internal control include:
  – Control Environment
  – Risk Assessment
  – Information and Communication
  – Monitoring
  – Control Activities

Risk Assessment: Internal Perspective
• An effective risk assessment must emphasize a good understanding of the internal risks.

Risk Assessment: External Perspective
• An effective risk assessment must also emphasize a good understanding of the external risks, especially if the firm has a web server connected to its internal systems or has remote access to networks. If the company has remote access to its computer systems, it should be concerned about unauthorized access by users external to the organization.
• If the company has employed electronic commerce, there are a number of risks to consider.
• While online, there is a risk that the data used in an e-commerce transaction might be stolen.
• The highest risk associated with the Internet is neither hackers nor crackers but viruses and worms. It is relatively easy to spread malicious code as attachments to e-mail. And while it is virtually impossible to activate a virus by simply opening an e-mail message, Microsoft complicated that by allowing the automatic opening of attachments in Outlook. Almost all widespread viruses depend on the features of Outlook (e.g., automatically opening attachments) and the address book on each computer.
• There are several other problem areas or risks associated with e-mail.

Control Strategies
• Effective control activities can help to mitigate the risks identified in the risk assessment.

Fourfold Perspective of Controls Model
• Before developing management policies, management needs to have a general understanding of how to design effective internal controls.

Prediction
• The first area, prediction, is the most difficult.

Prevention
• Secondly, activities should be implemented where the objective is to prevent malicious activities.
• A better control is a firewall that has multiple layers: a combination of routers, filters, proxy servers, software, and so on, used to provide a shield that could be compared to an onion, with all its layers of skin. Preventive controls are also necessary in software applications to prevent errors in data

Detection
• It is much easier to develop controls for detection, the third perspective.

Correction
• The last perspective, correction, is another fruitful source of controls.

Information Systems and Controls Model
• A second model applies to controls in general: physical and computer.

Physical Controls
• Physical controls involve controls of a manual nature.
• Transaction authorization needs physical controls (i.e., manual controls) to ensure all material transactions are processed by the accounting system with integrity and in compliance with management policies and objectives. Using management decision rules, certain recurring transactions become a programmed procedure, or operate under general authority. Other decisions of a nonroutine nature need specific authority.
• Segregation of duties is another important type of physical control.
• Three good rules of thumb for developing controls using segregation of duties are:
  – Separate authorization of transactions from processing them
  – Separate custody of assets from record keeping
  – Create controls such that a successful fraud can only be perpetrated using collusion
• The latter generally can be accomplished by separating steps of the process between different individuals. Also, make sure segregation of duties extends beyond the typical area of basic accounting functions.
• Some of the controls that illustrate proper segregation of duties in information systems are:
  – Separate systems development from computer operations.
  – Separate new systems development from maintenance, which also should increase the quality of documentation.
  – Separate the database administrator (DBA) from other database and systems functions, computer operations, development and maintenance.
  – Separate the data library function from computer operations, development and maintenance.
  – Use of a data control group.
• Management also will assess the integrity of the computer system and data on an ongoing basis as a part of independent verification. Internal controls should also be implemented for independent verification of data. A classic control in this category is the comparison of physical assets with accounting records, but it also includes controls such as reviewing management reports.
Computer Controls: General
• They would include controls such as locked doors for sensitive areas (e.g., data storage, mainframe room). They should also include controls regarding the development of new systems.
• These controls might include:
  – Requiring a written request with justification from user(s)
  – Requiring a written evaluation and authorization of this request by information systems staff
  – Requiring the design of the application by a cross-functional team that includes a CISA or CIA (to ensure the inclusion of adequate controls during development)
  – Requiring adequate documentation procedures
  – Requiring a written report on the testing (probably reintroducing the CISA or CIA to the process at this point)
  – Requiring full off-line testing for new applications, hardware, or systems before activation online
  – Requiring training on new applications before implementation
• Major changes to existing software systems should generally follow the same set of controls.
• There should also be controls regarding computer operations.
• Access to programs and data is critical and needs controls; these have already been discussed.

Computer Controls: Application
• They include:
  – Input controls
  – Processing controls
  – Output controls

An Internal Audit Function
• The most important general control activity is an internal audit function. Each enterprise must have an independent source for developing and verifying controls, above and beyond what the external auditors might do in a financial audit.

Corporate Governance
• A key control strategy is an effective corporate governance structure. This strategy begins with the internal auditor function and includes an effective audit committee and information technology governance.

Audit Committee
• Another key major control activity is an adequate audit committee. But having an audit committee is not the same as having an effective audit committee.
• Companies need an audit committee for several reasons.
• The organizational structure of the committee is also important.
• Leadership refers to the chair of the audit committee.
• Lastly, the audit committee needs to be proactive.

Information Technology Governance
• Information technology governance is similar to corporate governance in its objectives and is a prime service of ISACA.
• The objectives of information technology governance are to:
  – Understand the issues and the strategic importance of information technology
  – Ensure that the enterprise can sustain its operations
  – Ascertain that it can implement the strategies required to extend its activities into the future
• Information governance should address the following:
  – Appropriate and adequate business and information technology performance measures
  – Appropriate and adequate business and information technology outcome drivers
  – Information technology strategic and alignment issues
  – Best practices in information technology governance
  – Questions boards and management should ask

Logs and Auditability
• The last control activities area is that of logs. The more an enterprise is dependent on systems, automation and computers, the more invisible audit trails tend to become.
• One effective control is the implementation of computer logs.
• If the entity is connected to the Internet, logs become even more important. Logs should be used to track data such as sites visited, files downloaded or uploaded, time spent on the Internet, etc.
• Hacking tools might be an indication of an employee preparing to hack into the organization's system.

Segregation of Duties
• Another primary objective of internal controls is the effective use of segregation of incompatible duties.
• Three rules to observe are to separate transaction authorization from transaction processing, record keeping from asset custody, and any series of transaction processing steps such that collusion of individuals would be necessary to commit fraud.
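The segregation-of-duties rules above, together with the information-systems separations listed under Physical Controls, can be checked mechanically against a role assignment. The following is an added example, not part of the lecture material; the duty names, users and the three-step payment process are constructed sample data.

```python
# Segregation-of-duties (SoD) check over role assignments. Added example,
# not from the lecture; duty names, users and the payment process are
# constructed sample data. INCOMPATIBLE encodes the separations the slides
# list (authorization/processing, custody/record keeping, development vs.
# operations and maintenance, DBA and data library kept apart from all three).
from itertools import combinations

INCOMPATIBLE = {
    frozenset(p) for p in [
        ("authorize_transactions", "process_transactions"),
        ("asset_custody", "record_keeping"),
        ("systems_development", "computer_operations"),
        ("systems_development", "maintenance"),
        ("dba", "computer_operations"), ("dba", "systems_development"),
        ("dba", "maintenance"), ("data_library", "computer_operations"),
        ("data_library", "systems_development"), ("data_library", "maintenance"),
    ]
}

def sod_violations(assignments):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding an
    incompatible pair; assignments maps user -> iterable of duty names.
    An empty result means the assignment passes the pairwise rules."""
    found = {}
    for user, duties in assignments.items():
        pairs = [p for p in combinations(sorted(set(duties)), 2)
                 if frozenset(p) in INCOMPATIBLE]
        if pairs:
            found[user] = pairs
    return found

def collusion_required(process_steps):
    """Third rule of thumb: fraud must need collusion, so no single person
    may be allowed to perform every step. process_steps maps step name ->
    set of users allowed to do it. Returns (passes, users who could act alone)."""
    performers = [set(users) for users in process_steps.values()]
    alone = set.intersection(*performers) if performers else set()
    return not alone, sorted(alone)

# Constructed sample data: carol and dave each hold an incompatible pair,
# and erin could request, approve and disburse a payment single-handedly.
SAMPLE_ASSIGNMENTS = {
    "alice": ["authorize_transactions", "review_reports"],
    "bob": ["process_transactions", "record_keeping"],
    "carol": ["dba", "computer_operations"],
    "dave": ["asset_custody", "record_keeping"],
}
SAMPLE_PAYMENT_PROCESS = {"request": {"bob", "erin"},
                          "approve": {"alice", "erin"},
                          "disburse": {"dave", "erin"}}
```

Running `sod_violations(SAMPLE_ASSIGNMENTS)` flags carol (DBA plus operations) and dave (custody plus record keeping), and `collusion_required(SAMPLE_PAYMENT_PROCESS)` fails because erin alone can complete every step.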
Investigation Procedures
• Management must also consider what specific procedures should be employed to protect against internal threats. Key positions, including executives, may require a background search.

The End