Matakuliah : A0214/Audit Sistem Informasi
Tahun
: 2007
Pertemuan 3-4
AUDIT AND REVIEW
ITS ROLE IN INFORMATION TECHNOLOGY
Bina Nusantara
10’S REASON
TO START OF IT AUDITING
1.
2.
3.
4.
5.
Bina Nusantara
Auditing around the computer was becoming unsatisfactory for the purpose of
data reliance.
Reliance on controls was becoming highly questionable.
Financial institutions were losing money due to creative programming.
Payroll databases could not be relied on for accuracy due to sophisticated
programmers
The security of data could no longer be enforced effectively
10’S REASON
TO START OF IT AUDITING
6. Advancements occurred in technology.
7. Internal Networks were being accessed by employees’ desktop computers.
8. Personal computers became accessible for office and home use.
9. Large Amounts of data required advanced software programs to audit them, known
as CAATs (Computer Assisted Audit Technique).
10. The tremendous growth of corporate hackers, either internal or external,
warranted the need for IT auditors.
Bina Nusantara
THE NEED FOR THE IT AUDIT FUNCTION
• The increased reliance on computers to perform daily transactions
and with the higher risks associated with new technology,
management needs assurance that the controls governing its
computer operations are adequate.
• IT Governance is the process by which an enterprise’s IT is directed
and controlled.
Bina Nusantara
•
•
•
•
•
Bina Nusantara
AUDITING CONCERNS
An adequate audit trail so that transactions can be traced forward and backward through
the system.
The documentation and existence of controls over the accounting for all data (e.g.
transactions) entered into the system and controls to ensure the integrity of those
transactions throughout the computerized segment of the system.
Handling exceptions to and rejections from, the computer system
Unit and integrated testing, with controls in place to determine whether the systems
perform as stated.
Controls over changes to the computer system to determine whether the proper
authorization has been given and documented
AUDITING CONCERNS
• Authorization procedures for system overrides and documentation of those
processes
• Determining whether organization and government policies and procedures are
adhered to in system implementation
• Training user personnel in the operation of the system
• Developing detailed evaluation criteria so that it is possible to determine whether
the implemented system has met predertemined specifications
• Adequate controls between internconnected computer systems
Bina Nusantara
AUDITING CONCERNS
• Adequate security procedures to protect the user’s data
• Backup and recovery procedures for the operation of the system and assurance
of business continuity
• Ensuring technology provided by different vendors (i.e., operational platforms) is
compatible and controlled
• Adequately designed and controlled databases to ensure that common definitions
of data are used throughout the organization, that redundancy is eliminated or
controlled, and data existing in multiple databases is updated concurrently
Bina Nusantara
REVIEWERS OF IS
• IT Auditor has level of knowledge, skills, and abilities to do a quality
job and provide a quality assessment.
• How utilize the IT auditor to assist in providing objective, value
added contributions to their work?
Bina Nusantara
WHAT ARE THE POLICIES AND PROCEDURES OF MANAGEMENT
• Policies and procedures are only as good as the management
structure which formed them and enforces the action taken. The IT
auditor should examine the corporate structure of the policies and
procedures set by management. The auditor should then verify that
the policies and procedures follow audit standards.
Bina Nusantara
WHAT ARE THE POLICIES AND PROCEDURES OF MANAGEMENT
• Each function in organization, including internal audit and IT, needs
complete, well documented polices and procedures to describe the
scope of the function of its activities and the interrelationships with
other departments. As policies, and procedures are developed and
organized into a standards manual, they should be tied directly to
the goals and objectives of the organzation.
Bina Nusantara
AUDITOR STANDARDS
•
•
•
•
•
•
Bina Nusantara
American Institute of Certified Public Accountants (AICPA)
Institute of Internal Auditor (IIA)
Internal Federation of Accountants (IFAC)
Information Systems Audit and Control Association (ISACA)
Ikatan Akuntan Indonesia (IAI)
Ikatan Audit Sistem Informasi Indonesia (IASII)
Skills Related to IT Auditing
•
•
•
•
•
•
•
•
•
•
•
Bina Nusantara
Performance of general controls
Preparation of application assessments
Transfer control protocol/Internet protocol (TCP/IP)
Asynchronous transfer method (ATM)
Electronic funds transfer (EFT)
Database management systems (DBMS)
Business continuity planning
Disaster recovery planning
System under change
Audit integration services
Information security services
Auditor Independence
• The audit report and opinion must be free of any bias or influence if
the integrity of the audit process is to be valued and recognized for
its contribution to the organization’s goals and objectives.
Bina Nusantara
The Role of the IT Auditor
•
•
•
•
Bina Nusantara
Counselor
Partner of Senior Management
Internal Audit Function
External Audit
The Organization’ Responsibility in Developing IT Audit Skills
•
Preaudit Checklist :
–
–
–
–
–
Bina Nusantara
Who are members of the audit team, and what are their roles and assignments?
What are the credentials and experience of the assigned audit team?
What orientation or training can you provide them to be comfortable within the environment?
Communicate with your managers and staff in the areas to be audited
If an area was audited before, review the prior report to see the issues raised and recommended
made. Get an update of corrections or changes made as a result of prior audit work and give your
staff and the audit department credit
The Organization’ Responsibility in Developing IT Audit Skills
•
Audit Cheklist:
–
–
–
–
–
–
–
–
–
–
Bina Nusantara
Purpose of the audit?
Scope and objectives?
Who are the audit staff assigned ? (Ask to be notified if any staff are changed)
Timeframe for work to be performed?
Use of computer time/access to system/logs/training needed
Access to IT management and staff?
Communicate (1) and (2) to all IT staff affected
Set weekly or biweekly meetings with audit manager/audit team to discuss audit progress and
issues
Before the audit is finished, request close out conference from audit group
Request a copy of audit report
The Organization’ Responsibility in Developing IT Audit Skills
• Post audit checklist:
– When the audit report is issued, pull your team together and discuss the report; if you
follow the steps above there should be no surprise. If there are, there was a
communication breakdown somewhere.
– If you disagree with the report or portions of the report, do so in writing with
supporting evidence. Remember, the auditor has supporting evidence for their
reports, and this exits in their working papers. For those area your agree, indicate
what corrective actions your team plans to take.
– Have your team provide a status report to you on a 3- to 6-month cycle with a copy to
go to internal audit. This shows you value their work.
Bina Nusantara