8
BAB 2
LANDAS AN TEORI
2.1 Evaluasi
2.1.1 Pengertian Evaluasi
M enurut Umar (2005, p36), evaluasi adalah suatu proses untuk menyediakan
informasi tentang sejauh mana suatu kegiatan tertentu telah dicapai, bagaimana
perbedaan pencapaian itu dengan suatu standar tertentu untuk mengetahui apakah ada
selisih diantara keduanya, serta bagaimana manfaat yang telah dikerjakan itu bila
dibandingkan dengan harapan-harapan yang ingin diperoleh.
M enurut Kamus Besar Bahasa Indonesia (2002) evaluasi adalah proses penilaian
yang sistematis, mencakup pemberian nilai, atribut, apresiasi, pengenalan permasalahan
dan pemberian solusi atas permasalahan yang ditemukan.
Dari pengertian di atas maka dapat disimpulkan bahwa evauasi adalah proses
untuk memberikan informasi kepada pihak yang terkait tentang pencapaian suatu
kegiatan yang dinilai dengan sistematis berdasarkan suatu standar tertentu.
2.2 Sistem Pengendalian Internal
2.2.1 Pengertian Sistem Pengendalian Internal
M enurut Gondodiyoto (2003, p.78), sistem pengendalian intern meliputi metode
dan kebijakan yang terkoordinasi di dalam perusahaan untuk mengamankan kekayaan
perusahaan, menguji ketepatan, ketelitian dan kehandalan catatan atau data akuntansi
serta untuk mendorong ditaatinya kebijakan manajemen.
Pengertian pengendalian internal menurut The Committee of Sponsoring
Organization (COSO) yang dikutip oleh Amin (2000, p.3) dalam bukunya yang berjudul
COSO Based Auditing adalah sebagai berikut: “Internal control is process, effected by
9
an entity’s board of director, management, and other personnel designed to provide
reasonable assurance regarding achievement of objectives in the following categories:
a. Realibility of financial reporting.
b. Effectiveness and efficiency of operation.
c. Compliance with applicable laws and regulations”.
Dari pengertian diatas dapat disimpulkan bahwa sistem pengendalian internal
adalah proses yang dapat dipengaruhi manajemen dan karyawan dalam menyediakan
secara layak suatu kepastian mengenai prestasi yang diperoleh secara objektif dalam
penerapannya tentang bagian laporan keuangan yang dapat dipercaya, diterapkannya
efisiensi dan efektivitas dalam kegiatan operasional perusahaan dan diterapkannya
peraturan dan hukum yang berlaku agar ditaati oleh semua pihak.
2.2.2
Tujuan Pengendalian Internal
M enurut Hall (2001, p.150), “The internal control system is comprised on
policies, practices, and procedures employed by the organization to achieve four broad
objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and
information.
3. To promote effeciency in the firm’s operation.
4. To measure compliance with management’s prescribed policies and
procedures.”
M aksudnya secara umum adalah sistem pengendalian internal merangkum
kebijakan, praktik, dan prosedur yang digunakan oleh organisasi untuk mencapai empat
tujuan utama, yaitu:
10
1.
Untuk menjaga aktiva perusahaan.
2.
Untuk memastikan akurasi dan dapat diandalkan catatan dan informasi
akuntansi.
3.
Untuk mempromosikan efisiensi operasi perusahaan.
4.
Untuk mengukur kesesuaian dengan kebijakan dan prosedur yang telah
ditetapkan oleh manajemen.
M enurut Gondodiyoto (2007, p260), tujuan disusunnya sistem kontrol atau
pengendalian intern komputerisasi adalah untuk:
1.
M eningkatkan
pengamanan
(improve safeguard)
assets sistem informasi
(data/catatan akuntansi (accounting records) yang bersifat logical assets, maupun
physical assets seperti hardware, infrastructures, dan sebagainya).
2.
M eningkatkan integritas data (improve data integrity), sehingga dengan data yang
benar dan konsisten akan dapat dibuat laporan yang benar.
3.
M eningkatkan efektivitas sistem (improve system effectiveness).
4.
M eningkatkan efisiensi sistem (improve system efficiency).
2.2.3
Elemen-Elemen Pengendalian Internal
M enurut Gondodiyoto (2007, p.144-149), pengendalian internal terdiri dari lima
unsur atau komponen yang saling berintegrasi, antara lain :
1. Lingkungan Pengendalian (Control Environment)
Komponen yang berperan dalam membangun atmosfer (iklim) yang konduktif
bagi para karyawan mengenai kesadaran pentingnya kontrol sehingga dapat
menciptakan suasana yang dapat membuat karyawan dapat menjalankan dan
menyelesaikan tugas kontrol dan tanggung jawabnya masing-masing.
11
2. Penaksiran Resiko (Risk Assessment)
M erupakan proses identifikasi dan analisis resiko yang dapat menghambat atau
berhubungan dengan pencapaian tujuan perusahaan, serta menentukan cara
bagaimana resiko tersebut ditangani.
3. Aktivitas Pengendalian (Control Activities)
M erupakan kebijakan dan prosedur yang dirancang untuk memastikan
dilaksanakannya kebijakan manajemen dan bahwa resiko sudah diantisipasi dan
dapat membantu memastikan bahwa tindakan yang diperlukan untuk penanganan
resiko telah dilakukan sesuai dengan apa yang telah direncanakan.
4. Informasi dan Komunikasi (Information and Communication)
Komponen ini menjelaskan bahwa sistem informasi sangat penting bagi
keberhasilan atau peningkatan untuk operasional organisasi.
5. Pemantauan (Monitoring)
M erupakan proses yang menilai kualitas dari kinerja sistem dan internal control
dari waktu ke waktu, yang melakukan aktivitas monitoring dan melakukan evaluasi
secara terpisah.
2.3 Pengertian Resiko
Kata resiko berasal dari bahasa Italia risicare yang dalam Bahasa Inggris artinya
to dare, maknanya adalah the action we dare to take wich depends on how free we are to
make a choises (Pickett, 2005, p.34).
Peltier (2001, p.1) mendefinisikan risk : “the probability that a particular threat
will exploit a particular vulnerability.”
12
2.3.1 Jenis-Jenis Resiko
M enurut Gondodiyoto (2009, p110-111), dari berbagai sudut pandang, resiko
dapat dibedakan dalam beberapa jenis:
1. Resiko Bisnis (Business Risk)
Resiko bisinis adalah resiko yang dapat disebabkan oleh fakto-faktor intern
maupun ekstern yang berakibat kemungkinan tidak tercapainya tujuan organisasi
(business goals atau objective).
2. Resiko Bawaan (Inherent Risks)
Resiko bawaan ialah potensi kesalahan atau penyalahgunaan yang melekat pada
suatu kegiatan, jika tidak ada pengendalian intern.
3. Resiko Pengendalian (Control Risks)
Dalam suatu organisasi yang baik seharusnya sudah ada risks assessment, dan
dirancang pengendalian intern secara optimal terhadap setiap potensi resiko.
Resiko pengendalian adalah masih adanya resiko meskipun sudah ada
pengendalian.
4. Resiko Deteksi (Detection Risks)
Resiko deteksi adalah resiko yang terjadi karena prosedur audit yang dilakukan
mungkin tidak dapat mendekati adanya error yang cukup materialitas atau
adanya kemungkinan fraud. Resiko deteksi mungkin dapat terjadi karena auditor
ternyata dalam prosedur auditnya tidak dapat mendeteksi terjadinya existing
control failures (sistem pengendalian intern yang ternyata tidak berjalan dengan
baik).
13
2.4 Pengertian Sistem
Hall (2006) mendefinisikan, “Sistem adalah sekelompok dua atau lebih
komponen-komponen yang saling berkaitan (interrelated) atau subsistem –subsistem
yang saling bersatu untuk mencapai tujuan yang sama (common purpose)”.(h.5)
O’Brien (2005) menyatakan, “Sistem adalah sekelompok komponen yang saling
berhubungan, bekerja sama untuk mencapai tujuan bersama dengan menerima input
serta menghasilkan output dalam proses transformasi yang teratur.”(h.29).
Jadi dapat disimpulkan bahwa sistem adalah kumpulan dari komponenkomponen yang saling berhubungan satu dengan yang lainnya membentuk satu kesatuan
untuk mencapai tujuan tertentu.
2.5 Pengertian Informasi
M cleod yang diterjemahkan oleh Hendra (2007) mendefinis ikan, “Informasi
adalah data yang telah diproses atau data yang memiliki arti” (h.15).
M cLeod (2004) menyatakan, ”information is processed data that is meaningful it
usually tells the user something that she or he did not already know.” (p.10). (informasi
adalah data yang diproses yang biasanya memberitahukan kepada user sesuatu yang
tidak mereka ketahui).
Jadi dapat disimpulkan bahwa informasi adalah data yang sudah diproses atau
sudah mempunyai arti dan berguna untuk pengguna khusus.
M enurut Hall (2006) menuliskan bahwa informasi dapat berupa dokumen
operasional seperti pesanan penjualan, suatu laporan yang terstruktur, atau pesan di layar
komputer. Tanpa memperhatikan bentuk fisiknya, informasi yang berguna memiliki
karakteristik seperti berikut :
14
1. Akurat
Informasi harus bebas dari kesalahan yang sifatnya material. Namun
demikian, materialitas merupakan suatu konsep yang sulit dikuantifasikan.
M aterialitas tidak memiliki nilai yang absolute, ia merupakan konsep
masalah spesifik (problem-specifik concept). Kita kadang-kadang harus
mengorbankan keakuratan yang absolute untuk memperoleh informasi yang
tepat waktu. Sering kali, informasi yang sempurna tidak dapat disediakan
dalam kerangka waktu keputusan pemakai. Oleh karena itu, dalam
menyiapkan informasi, para desainer sistem mencari keseimbangan antara
informasi seakurat mungkin, tetapi tetap cukup waktu, agar berguna.
2. Lengkap
Tidak boleh ada bagian informasi yang essential bagi pengambilan keputusan
atau pelaksanaan tugas yang hilang.
3. Umpan Balik
Isi sebuah laporan atau dokumen harus melayani suatu tujuan. Dengan
demikian, laporan ini dapat mendukung keputusan manajer atau tugas
petugas administrasi. Kita telah menentukan bahwa hanya ada data yang
relevan dengan tindakan pemakai yang memiliki kandungan informasi. Oleh
karena itu, sistem informasi harus menyajikan hanya data yang relevan dalam
laporannya. Laporan yang berisi data tidak relevan hanya memboroskan
sumber daya dan tidak produktif bagi pemakai. Data yang tidak relevan
mengurangi perhatian dari pesan laporan yang sebenarnya dan dapat
menghasilkan keputusan atau tindakan yang tidak benar.
15
4. Tepat Waktu
Umur informasi merupakan faktor yang kritikal dalam menentukan
kegunaannya. Informasi harus tidak lebih tua dari periode waktu tindakan
yang didukungnya. M isalnya, jika seorang manajer melakukan keputusan
setiap hari untuk membeli persediaan dari pemasok berdasarkan status
laporan persediaan, maka informasi dalam laporan itu harus berumur tidak
lebih dari sehari.
5. Rangkuman
Informasi harus bebas dari kesalahan yang sifatnya material agar sesuai
dengan kebutuhan pemakai. M anajer tingkat lebih rendah cenderung
memerlukan informasi yang sangat rinci. Semakin arus informasi mengalir
ke atas melalui organisasi kemanajemen tingkat atas, semakin ia
dirangkumkan.
2.6 Pengertian Sistem Informasi
M enurut Gondodiyoto (2007, p.112), menyatakan bahwa sistem informasi masih
dapat didefinisikan sebagai kumpulan elemen-elemen atau sumber daya dan jaringan
prosedur yang saling berkaitan secara terpadu, terintegrasi dalam suatu hubungan
hierarki tertentu, dan bertujuan untuk mengolah data menjadi informasi.
M enurut O’Brien (2008, p.7), mendefinisikan, “Information system can be any
organized combination of people, hardware, software, communication networks, and
data resource that collect, transform, disseminates information in an organization”.
Dengan demikian “ Sistem informasi adalah suatu kesatuan yang terdiri dari manusia
(brainware), perangkat keras (hardware), perangkat lunak (software), jaringan
16
komputer, dan sumber daya data yang mengumpulkan, mentransformasikan dan
mendistribusikan informasi di dalam suatu organisasi ”.
M enurut whitten et al (2004, P12), “ information system is an arrangement of
people, data process, data, processes, and information technology that interact to
collect, proses, store and provide as output the information needed to support an
organization “. Dengan demikian, sistem informasi merupakan suatu pengturan dari
orang-orang, data, proses dan teknologi informasi yang saling berinteraksi untuk
mengumpulkan, memproses, menyimpan dan menyediakan kebutuhan informasi untuk
mendukung organisasi.
M enurut Laudon ( 2004, P8), “ information system can be defined technically as
a set of interrelated components that collect ( or retrieve ), process, store and distribute
information to support decision making, coordination, and control in an organization “.
Dengan demikian, sistem informasi adalah komponen-komponen yang saling
berhubungan dan bekerja sama untuk mengumpulkan, memproses, menyimpan dan
mendistribusikan informasi untuk mendukung pengambilan keputusan, koordinasi dan
pengendalian pada organisasi.
Dari pengertian sistem informasi diatas, maka ditarik kesimpulan bahwa sistem
informasi adalah suatu kesatuan berbagai komponen yang diproses untuk menghasilkan
informasi yang berguna bagi perusahaan dalam mencapai sasaran dan tujuannya.
2.6.1 Tujuan Sistem Informasi
Tujuan sistem informasi menurut Hall (2001, p.18) dibedakan atas tiga tujuan
umum bagi semua sistem, yaitu:
17
1.
Untuk
mendukung
fungsi
kepengurusan
(stewardship)
manajemen.
Kepengurusan yang merujuk ke tanggung jawab manajemen untuk mengatur
sumber daya perusahaan secara benar.
2.
Untuk mendukung pengambilan keputusan manajemen. Sistem informasi
menyediakan para manajer informasi yang mereka butuhkan untuk melakukan
tanggung jawab pengambilan keputusan.
3.
Untuk mendukung kegiatan operasi perusahaan. Sistem informasi menyediakan
informasi bagi personal operasi untuk membantu kegiatan operasi perusahaan
secara efesien dan efektif.
2.6.2 Komponen S istem Informasi
M enurut Hall yang dikutip oleh Gondodiyoto (2003, p.22-23), ada tiga jenis
syarat yang harus dipatuhi agar suatu informasi dapat dikatakan mempunyai kualitas
yang tinggi, yaitu:
1. Akurat
Artinya informasi harus bebas dari kesalahan-kesalahan dan harus jelas
mencerminkan maksudnya sehingga tidak menimbulkan banyak gangguan yang
dapat merubah dan merusak informasi.
2. Tepat Waktu
Artinya informasi yang datang pada penerima tidak boleh terlambat. Sebab
informasi yang terlambat menjadi tidak bernilai lagi karena informasi yang terlambat
menjadi tidak bernilai lagi karena informasi merupakan landasan di dalam
melakukan pengambilan keputusan.
3. Relevan
Artinya informasi tersebut harus mempunyai manfaat bagi para pemakai.
18
2.7 Audit Sistem Informasi
2.7.1 Pengertian Audit Sistem Informasi.
M enurut Gondodiyoto (2003, p151)), audit sistem informasi merupakan suatu
pengevaluasian untuk mengetahui bagaimana tingkat kesesuaian antara aplikasi sistem
informasi dengan prosedur yang telah telah ditetapkan dan mengetahui apakah suatu
sistem informasi telah didesain dan diimplementasikan secara efektif, efisien, dan
ekonomis, memiliki mekanisme pengamanan asset yang memadai, serta menjamin
integritas data yang memadai.
Sedangkan menurut Rommey dan Steinbart (2003, p321), audit sistem informasi
mengkaji ulang pengendalian sistem informasi akuntansi untuk menilai pemenuhannya
dengan kebijakan dan prosedur pengendalian internal dan keefektifan perlindungan
terhadap aset.
M enurut Alberts dan Dorofee (2003, p.6), “Information systems audit are
independent appraisals of a company’s internal control to assure management,
regulatory authorities, and company shareholders that information is accurate and
valid”. Audit sistem informasi adalah penilaian independen atas pengendalian internal
suatu perusahaan yang dilakukan untuk meyakinkan pihak manajemen, pemerintah dan
para pemegang saham bahwa informasi yang ada adalah akurat dan benar.
O’brien (2003) menyatakan, “information systemscan be any organized
combination of people, hardware, software, communications networks, and data
resource
that
collects,
organization.”(p.7).
transforms,
(Sistem
and
informasi
disseminates
dapat
information
diorganisasikan
in
an
dengan
mengkombinasikan manusia, hardware, software, jaringan komunikasi dan sumber daya
19
data dimana informasi dikumpulkan, ditransformasikan dan disebarkan dalam
organisasi).
M engacu pada pendapat Turban, Rainer, Potter (2003) Sistem Informasi adalah
mengumpulkan, memproses, menyimpan, meneliti, dan menghamburkan informasi
untuk suatu tujuan spesifik yang memproses masukan dan menghasilkan keluaran yang
dikirim kepada pemakai atau kepada sistem itu sendiri.
M enurut pengertian diatas maka dapat disimpulkan bahwa Audit Sistem
Informasi adalah suatu proses mengumpulkan dan mengevaluasi bukti-bukti untuk
mengetahui apakah sistem aplikasi sudah menerapkan pengendalian intern yang
memadai agar dapat dilindungi dengan baik dan terhindar dari penyalahgunaan.
2.7.2 Tujuan Audit Sistem Informasi
M enurut Romney dan Steinbart (2006, p.316), “ The purpose of an information
system audit is to review and evaluate the internal control that protect the system”.
Tujuan dari audit sistem informasi adalah untuk mengkaji ulang dan mengevaluasi
pengendalian-pengendalian intern yang diterapkan untuk melindungi sistem yang ada.
M enurut Webber (1999) yang dikutip oleh Gondodiyoto (2007, p474-475),
tujuan audit teknologi informasi (audit objectives) lebih ditekankan pada beberapa aspek
penting, yaitu pemeriksaan dilakukan untuk dapat menilai: (a) apakah sistem
komputerisasi suatu organisasi atau perusahaan dapat mendukung pengamanan aset
(assets safeguarding), (b) apakah sistem komputerisasi dapat mendukung pencapaian
tujuan organisasi/perusahaan (systems effectiveness), (c) apakah sistem komputerisasi
tersebut sudah memanfaatkan sumber daya secara efisien (efficiency), dan (d) apakah
terjamin konsistensi dan keakuratan datanya (data integrity).
20
1. Pengamanan Aset
Aset informasi suatu perusahaan seperti perangkat keras (hardware), perangkat
lunak (software), sumber daya manusia, file atau data dan fasilitas lain harus
dijaga dengan sistem pengendalian intern yang baik agar tidak terjadi
penyalahgunaan aset perusahaan.
2. Efektivitas Sistem
Efektivitas sistem informasi perusahaan memiliki peranan penting dalam proses
pengambilan keputusan. Suatu sistem informasi dapat dikatakan efektif bila
sistem informasi tersebut telah dirancang dengan benar, telah sesuai dengan
kebutuhan user. Informasi yang dibutuhkan oleh para manajer dapat dipenuhi
dengan baik.
3. Efisiensi Sistem
Efisiensi menjadi sangat penting ketika sumber daya kapasitasnya terbatas. Jika
cara kerja dari sistem aplikasi komputer menurun maka pihak manajemen harus
mengevaluasi apakah efisiensi sistem masih memadai atau harus menambah
sumber daya, karena suatu sistem dapat dikatakan efisien jika sistem informasi
dapat memenuhi kebutuhan user dengan sumber daya informasi yang minimal.
4. Ketersediaan (Availability)
Berhubungan dengan ketersediaan dukungan/layanan teknologi informasi (TI).
TI hendaknya dapat mendukung secara kontinyu terhadap proses bisnis (kegiatan
perusahaan). M akin sering terjadi gangguan (sistem down) maka berarti tingkat
ketersediaan sistem rendah.
21
5. Kerahasiaan (Confidentiality)
Fokusnya ialah pada proteksi terhadap informasi agar terlindungi dari akses
pihak-pihak yang tidak berwenang.
6. Kehandalan (Reliability)
Berhubungan dengan kesesuaian dan keakuratan bagi manajemen dalam
pengelolaan organisasi, pelaporan dan pertanggungjawaban.
7. M enjaga Integritas Data
Integritas data (data integrity) adalah salah satu konsep dasar sistem informasi.
Data memiliki atribut-atribut seperti: kelengkapan, kebenaran, dan keakuratan. Jika
integritas data tidak terpelihara, maka suatu perusahaan tidak akan lagi memiliki
informasi atau laporan yang benar, bahkan perusahaan dapat menderita kerugian karena
pengawasan tidak tepat atau keputusan-keputusan yang salah.
2.7.3 Metode Audit
M etode audit yang digunakan, dibagi menjadi :
1. M etode auditing around the computer
M enurut Purnomo (2004,p37), dalam audit around the computer auditor
hanya memeriksa masukan dan keluaran saja tanpa memeriksa lebih dalam
terhadap penggunaan program.
2. M etode auditing through the computer
M enurut Purnomo(2004,p38) audit through the computer adalah
pelaksanaan EDP audit, dimana auditor selain memeriksa data masukan dan
keluaran juga melakukan uji coba proses pada komputer, sehingga auditor
tersebut merasakan sendiri langkah demi langkah pelaksanaan komputerisasi,
serta mengetahui bagaimana proses yang dilakukan melalui program tersebut.
22
3. M etode auditing with the computer
M enurut Gondodiyoto (2003, p155) auditing with the computer adalah
merupakan suatu pendekatan audit dengan bantuan komputer, dimana prosedur
auditnya dapat dilaksanakan dengan beberapa cara yaitu :
a. M emproses atau melakukan pengujian dengan sistem komputer klien
itu sendiri sebagai bagian dari pengujian pengendalian.
b. M enggunakan komputer untuk melaksanakan tugas audit yang
terpisah dari catatan klien, yaitu copy data atau file untuk dites dengan
komputer lain.
c. M enggunakan komputer sebagai alat bantu dalam audit, menyangkut:
1. Dalam pengujian program atau file yang dipergunakan dan
dimiliki oleh perusahaan ( sebagai software bantu audit )
2. M enggunakan komputer untuk dukungan kegiatan audit, misalnya
untuk administrasi dan surat menyurat.
Kelemahan utama sistem audit berbasis komputer yang digeneralisasi adalah
upaya dan biaya pengembangannya tentu relative besar dan mungkin memerlukan
keahlian teknis yang memadai.
Dari ketiga metode audit diatas dapat disimpulkan bahwa metode around the
computer dan
through the computer yang paling banyak digunakan pada saat
dilakukannya audit sistem informasi karena biaya yang dibutuhkan relative lebih murah
dibandingkan dengan metode with the computer.
23
2.7.4 Tahapan Audit
Tabel 2.1 Tahapan Audit
(Sumber: Gondodiyoto (2007, p487) yang mengutip dari CIS A Review Manual
(2003, p35))
Tahapan Audit
Subjek Audit
Sasaran Audit
Jangkauan Audit
Rencana Pre-audit
Prosedur
audit
dan
langkah-langkah
pengumpulan bukti audit
Prosedur untuk evaluasi
Pelaporan hasil audit
2.7.5
Tentukan/identifikasi unit/lokasi yang diaudit
Tentukan sistem secara spesi fik, fungsi atau unit organisasi yang akan
diperiksa
Identi fikasi sistem secara spesi fik, fungsi at au unit organisasi untuk
dimasukkan lingkup pemeriksaan
1. Identi fikasi kebutuhan keahlian teknik dan sumber daya yang
diperlukan untuk audit.
2. Identi fikasi sumber bukti untuk tes atau review seperti fungsi flow
chart, kebijakan, standard prosedur dan kert as kerja audit
sebelumnya.
1. Identi fikasi dan pilih pendekatan audit untuk m emeriksa dan
menguji pengendalian intern.
2. Identi fikasi daftar individu untuk interview.
3. Identi fikasi dan menghasilkan kebijakan yang berhubungan dengan
bagian, standar dan pedoman untuk interview.
4. Mengembangkan instrument audit dan m etodologi penelitian dan
pemeriksaan kontrol internal
1. Organisasikan sesuai kondisi dan situasi.
2. Identi fikasi prosedur evaluasi atas tes efektivitas dan efisiensi
sistem, evaluasi kekuatan dari dokum en, kebijakan dan pros edur
yang diaudit
Siapkan laporan yang objekti f, konstruktif (bersi fat membangun) dan
menampung penjelasan auditee.
Pendekatan Audit Sistem Informasi
M enurut Gondodiyoto (2007, p451), Auditor harus memutuskan pendekatan
mana yang akan ditempuh, diantara tiga pendekatan audit yang berkaitan dengan
komputer:
1. Audit di sekitar (input/output) komputer (audit around the computer)
Dalam pendekatan audit di sekitar komputer, auditor (dalam hal ini harus
akuntan yang registered, dan bersertifikasi akuntan publik) dapat mengambil
kesimpulan
dan
merumuskan
opini dengan
hanya menelaah
struktur
24
pengendalian dan melaksanakan pengujian transaksi dan prosedur verifikasi
saldo perkiraan dengan cara sama seperti pada sistem akuntansi manual. Auditor
tidak perlu menguji pengendalian SI berbasis teknologi informasi klien (file
program atau pengendalian atas file atau data di komputer), melainkan cukup
terhadap input (dokumen) serta output (laporan) sistem aplikasi saja.
Keunggulan metode audit di sekitar komputer adalah:
a. Pelaksanaan audit lebih sederhana
b. Auditor yang memiliki pengetahuan minimal di bidang komputer dapat
dilatih dengan mudah untuk melaksanakan audit.
Kelemahannya adalah jika kondisi (user requirements) berubah, mungkin
sistem itupun perlu diredesain dan perlu penyesuaian (update) program-program,
bahkan mungkin struktur data, sehingga auditor perlu menilai ulang apakah
sistem masih berjalan baik.
2. Audit terhadap komputer (audit through the computer)
Dalam pendekatan audit ke sistem komputer (audit through the
computer) auditor melakukan pemeriksaan langsung terhadap program-program
dan file-file komputer pada audit SI berbasis TI. Auditor menggunakan komputer
(software bantu) atau dengan cek logika atau listing program untuk menguji
logika program dalam rangka pengujian pengendalian yang ada pada komputer.
Selain itu auditor juga dapat meminta penjelasan dari para teknisi komputer
mengenai spesifikasi sistem dan atau program yang diaudit.
25
Keunggulan pendekatan audit dengan pemeriksaan sistem komputerisasi
ialah:
a. Auditor memperoleh kemampuan yang besar dan efektif dalam melakukan
pengujian terhadap sistem komputer.
b. Auditor akan merasa lebih yakin terhadap kebenaran hasil kerjanya.
c. Auditor dapat menilai kemampuan sistem komputer tersebut untuk
menghadapi perubahan lingkungan.
Sebetulnya mungkin tidak dapat dikatakan sebagai suatu kelemahan
dalam pendekatan audit ini, namun jelas bahwa audit through the computer
memerlukan tenaga ahli auditor yang terampil dalam pengetahuan teknologi
informasi, dan mungkin perlu biaya yang besar pula.
3. Audit menggunakan dukungan komputer (audit with the computer)
Pada pendekatan ini audit dilakukan dengan menggunakan komputer dan
software untuk mengotomatisasi prosedur pelaksanaan audit. Pendekatan audit
dengan bantuan komputer merupakan cara audit yang sangat bermanfaat,
khususnya dalam pengujian substantif atas file dan record perusahaan. Software
audit yang digunakan merupakan program komputer yang dipakai auditor untuk
membantu pengujian dan evaluasi keandalan record atau data perusahaan.
Keunggulan menggunakan pendekatan ini adalah:
a. M erupakan program komputer yang diproses untuk membantu pengujian
pengendalian sistem komputer klien itu sendiri.
b. Dapat melaksanakan tugas audit yang terpisah dari catatan klien, yaitu
dengan mengambil copy data atau file untuk dites dengan komputer lain.
Kelemahannya adalah upaya dan biaya untuk pengembangan relatif besar.
26
2.7.6
Jenis Audit Sistem Informasi
M enurut Gondodiyoto (2007, p443-446), sesungguhnya audit SI berbasis
teknologi informasi dapat digolongkan dalam tipe atau jenis-jenis pemeriksaan :
1.
Audit laporan keuangan (general audit on financial statements)
Dalam hal ini audit terhadap aspek-aspek teknologi informasi pada suatu
sistem informasi akuntansi berbasis teknologi adalah dilaksanakan dalam rangka
audit keuangan (general financial audit) yang sistem akuntansinya berbasis
komputer (sering disebut audit teknologi informasi).
Audit objectives-nya adalah sama dengan audit tradisional, yaitu memeriksa
kesesuaian financial statements dengan standar akuntansi keuangan dan ada atau
tidak adanya salah saji material pada laporan keuangan.
2.
Audit sistem informasi (SI) sebagai kegiatan tersendiri, terpisah dari audit
keuangan. Sebetulnya audit SI pada hakekatnya merupakan salah satu dari bentuk
audit operasional, tetapi kini audit SI sudah dikenal sebagai satu satuan jenis audit
tersendiri yang tujuan utamanya lebih untuk meningkatkan IT governance.
Jadi dapat disimpulkan bahwa pengertian audit SI dapat dikelompokkan dalam dua
tipe, yaitu : audit SI akuntansi berbasis teknologi informasi yang merupakan bagian dari
kegiatan audit atau pemeriksaan laporan keuangan (general financial audit). Di pihak
lain audit SI juga dapat dikategorikan sebagai jenis audit operasional, khususnya kalau
pemeriksaan yang dilakukan adalah dalam rangka penilaian terhadap kinerja unit
fungsional atau fungsi sistem informasi (pusat/instalasi komputer), atau untuk
mengevaluasi sistem-sistem aplikasi yang telah diimplementasikan pada suatu organisasi
(general information systems review), untuk memeriksa keterandalan sistem-sistem
27
aplikasi komputer tertentu yang sedang dikembangkan (system development) maupun
yang sudah dioperasikan (post implementation audit).
2.8 CobIT
Standar merupakan pedoman bagi auditor dalam menjalankan tanggungjawab
profesionalnya. Standar-standar ini meliputi pertimbangan mengenai kualitas profesional
mereka, seperti keahlian dan independensi, persyaratan pelaporan dan bahan bukti.
Dalam audit sistem informasi, penulis menggunakan standar CobIT (Control Objectives
for Information and Related Technology) yang dikembangkan oleh IT Governance
Institute kemudian dipiblikasikan oleh ISACA (Information Audit and Control
Association). ISACA merupakan sebuah asosiasi profesional dalam audit sistem
informasi, pengendalian, keamanan dan governance. ISACA yang beranggotakan
auditor sistem informasi internasional mempunyai fungsi sebagai sumber informasi,
pihak yang memberikan panduan-panduan praktek bagi auditor sistem informasi serta
menyediakan standar, panduan (guidelines), dan prosedur dalam hal audit, pengendalian
dan keamanan sistem informasi oleh para profesional audit sistem informasi di seluruh
dunia.
Kredit mempunyai fungsi yang unik. M enurut muchdarsyah (2000:173), secara
singkat fungsi kredit adalah:
a.
meningkatkan daya guna dari uang,
b.
meningkatkan daya guna dari barang,
c.
meningkatkan peredaran dan lalu lintas uang,
d.
sebagai salah satu alat stabilisasi ekonomi
e.
menimbulkan kegairahan berusaha masyarakat,
28
f.
sebagai jembatan untuk mempercepat dan meningkatkan pendapatan
nasional, dan
g.
sebagai alat untuk meningkatkan hubungan ekonomi dan perdagangan
internasional.
2.8.1 Pengertian CobIT
M enurut Gondodiyoto (2009, p161&163), CobIT adalah merupakan a set
of best practices (framework) bagi pengelolaan teknologi informasi (IT management).
CobIT adalah sekumpulan dokumentasi best practices untuk IT governance yang dapat
membantu auditor, pengguna (user), dan manajemen, untuk menjembatani gap antara
risiko bisnis, kebutuhan kontrol dan masalah-masalah teknis TI.
2.8.2 Manfaat CobIT
CobIT bermanfaat bagi auditor, IT users, manager yaitu:
a. Bagi Auditor, karena merupakan teknik yang dapat membantu dalam identifikasi
IT controls issues.
b. Bagi IT users, karena memperoleh keyakinan atas kehandalan sistem aplikasi
yang dipergunakan.
c. Bagi Manager, memperoleh manfaat dalam keputusan investasi di bidang TI
serta infrastrukturnya, menyusun strategic IT Plan, menentukan information
architecture, dan keputusan atas procurement (pengadaan atau pembelian)
mesin.
29
2.8.3 Kriteria Kerja CobIT
Table 2.2 Kriteria Kerja CobIT
Efekti fitas
Untuk memperoleh inform asi yang relevan dan berhubungan dengan
proses bisnis seperti penyampaian inform asi dengan benar, konsisten,
dapat dipercaya dan tepat waktu.
Efisiensi
Memfokuskan pada ketentuan informasi melalui penggunaan sumber daya
yang optimal.
Kerahasiaan
Mempfokuskan prot eksi terhadap inform asi yang penting dari orang yang
tidak memiliki hak otorisasi.
Integritas
Berhubungan dengan keakuratan dan kelengkapan informasi sebagai
kebenaran yang sesuai dengan harapan dan nilai bisnis.
Keters ediaan
Berhubungan dengan informasi yang ters edia ketika diperlukan dalam
proses bisnis sekarang dan yang akan datang.
Kepatuhan
Sesuai menurut hukum, peraturan dan rancana perjanjian untuk pros es
bisnis.
Keakuratan Informasi
Berhubungan dengan ketentuan kecocokan informasi untuk manajem en
mengoperasikan entitas dan mengatur pelatihan keuangan dan
kelengkapan laporan pert anggung jawaban.
Sumber (CobIT Framework, 2003)
2.8.4 Produk CobIT
Di dalam IT Governance Institute (2007, p7), produk CobIT meliputi:
1.
Board Briefing on IT Governance, 2nd Edition—Helps executive understand why
IT Governance is important, what its issues are and what their responsibility is for
managing it.
2.
Management guidelines atau maturity models—Help assign responsibility,
measure performance, and benchmark and address gaps in capability.
3.
Frameworks—Organize IT governance objectives and good practices by IT
domains and processes, and link them to business requirements.
4.
Control objectives—Provide a complete set of high-level requirements to be
considered by management for effective control of each IT process.
5.
®
™
nd
IT Governance Implementation Guide: Using CobIT and Val IT , 2 Edition—
Provides a generic road map for implementing IT governance using the CobIT
and Val IT™ resources.
30
6.
®
CobIT Control Practices: Guidance to Achieve Control Objectives for Succesfull
nd
IT Governance, 2 Edition—Provides guidance on why controls are worth
implementing and how to implement them.
7.
IT Assurance Guide: Using CobIT®—Provides guidance on how CobIT can be
used to support a variety of assurance activity together with suggested testing
steps for all the IT processes and control objectives.
2.8.5 domain CobIT
CobIT Framework mencakup tujuan pengendalian yang terdiri dari 4 domain yaitu :
1. Perencanaan & Organisasi (Planning & Organization)
Yaitu mencakup pembahasan tentang identifikasi dan strategi investasi TI yang
dapat memberikan yang terbaik untuk mendukung pencapaian tujuan bisnis.
Selanjutnya identifikasi dan visi strategi perlu direncanakan, dikomunikasikan,
dan diatur pelaksanaanya (dari bebagai persepektif).
2. Perolehan dan Implementasi (Acquisition and Implementation)
Yaitu untuk merealisasikan strategi TI, perlu diatur kebutuhan TI, diidentifikasi,
dikembangkan, atau diimplementasikan secara terpadu dalam proses bisnis
perusahaan
3. Penyerahan dan Pendukung (delivery and support)
Domain ini lebih dipusatkan pada ukuran tentang aspek ukuran tentang aspek
dukungan TI terhadap kegiatan operasioanl bisnis (tingkat jasa layanan TI
aktual atau service level) dan aspek urutan (prioritas implementasi dan untuk
pelatihannya).
4. Monitoring
Yaitu semua proses TI yang perlu dinilai secara berkala agar kualitas dan tujuan
dukungan TI tercapai, dan kelengkapannya berdasarkan pada syarat kontrol
intenal yang baik.
31
Tabel 2.3 Domain & High Level Controls CobIT
CobIT Domain
High Level Objectives
1. Plan and Organize
1. Define a strategic IT Plan and direction
2. Define the information architecture
3. Define technological direction
4. Define IT processes, organization and relationship
5. Manage the IT investment
6. Communicate management aim and direction
7. Manage IT human resources
8. Manage Quality
9. Assess and manage IT risks
10. Manage projects
2. Acquire and Implement
1.
2.
3.
4.
5.
6.
7.
Identify automated solutions
Acquire and maintain application software
Acquire and maintain technology infrastructure
Enable operation and use
Procure IT resource
Manage Changes
Install and accredit solutions and changes
3. Deliver and Support
1.
2.
3.
4.
Define and manage service levels
Manage third-party services
Manage performance and capacity
Ensure continuous service
CobIT Domain
High Level Objectives
3. Deliver and Support
5. Ensure systems security
6. Identify and allocate costs
7. Educate and train users
8. Manage service desk and incidents
9. Manage the configuration
10. Manage problems
11. Manage data
12. Manage the physycal environment
13. Manage operation
4. Monitor and Evaluate
1.
2.
3.
4.
Monitor and evaluate IT process
Monitor and evaluate internal control
Ensure regulatory compliance
Provide IT Governance
Sumber: Gondodiyoto (2007, p.160)
32
Dalam bentuk gambar, hubungan antara Business Objectives, IT Governance,
Information, IT Resources, 4 Domains, dan 34 High-level Control Objectives adalah
sebagai berikut :
Gambar 2.1 CobIT Processes Defined Within The Four Domain
Sumber : ITGI-CobIT 4.1th edition (2007, p26)
BUSINEGambar ini adalah sama (tetapi dengan diagram atau cara penggambaran lain)
dengan gambar terakhir uraian CobIT. 4 domains dan 34 high-level control objectives
33
tersebut menyangkut seluruh sumber daya informasi (IT resources), yaitu orang (people,
user maupun brainware teknisi TI lainnya), aplikasi TI, teknologi, fasilitas dan
infrastruktur lainnya dan data untuk menuju ke ukuran atau kriteria IT governance
seperti gambar yang terdapat pada lampiran.
CobIT diharapkan dapat membantu menemukan berbagai macam kebutuhan
manajemen berkaitan dengan teknologi informasi, membantu mengoptimalkan investasi
teknologi informasi, dan menyediakan ukuran (kriteria) ketika terjadi penyelewengan
atau penyimpangan serta dapat diterapkan dan diterima sebagai standar teknologi
informasi dan praktek kendali untuk mendukung kebutuhan manajemen dalam
menentukan dan memantau tingkatan yang sesuai dengan keamanan dan kendali
perusahaan mereka.
2.8.6
Control COBIT
2.8.6.1 Appendix I
Tables Linking Goals and Processes
This appendix provides a global view of how generic business goals relate to IT
goals, the IT processes and information criteria. There are three tables:
a. The first table maps the business goals, organized according to a balanced
scorecard, to the IT goals and information criteria. This helps show, for a given
generic business goal, the IT goalsthat typically support this goal and the COBIT
information criteria that relate to the business goal. The set of 17 business goals
should not be regarded as a complete set of possible business goals; it is a
selection of relevant business goals that can have a clear impact on IT (ITrelated business goals).
b. The second table maps the IT goals to COBIT’s IT processes and the information
criteria on which the IT goal is based.
c. The third table provides a reserve mapping showing for each IT process the IT
goals that are supported.
The tables help demonstrate the scope of CobiT and the overall business relationship
between COBIT and business drivers, enabling typical IT-related business goals to be
mapped via IT goals to the IT processes needed to support them. The tables are based
on generic goals and, therefore, should be used as a guide and tailored for a specific
enterprise.
34
Gambar 2.2 CobIT Linking IT Goals to IT Processes
Sumber : ITGI-CobIT 4.1th edition (2007,p.170)
35
Gambar 2.3 CobIT Linking Business Goals To IT Goals
Sumber : ITGI-CobIT 4.1th edition (2007,p.169)
Gambar 2.4 CobIT Reserve Mapping S howing for Each IT Process the IT Goals
Sumber : ITGI-CobIT 4.1th edition (200
36
2.8.6.2 Appendix II
Mapping IT Processes IT Governace Focus Areas, COSO, COBIT IT Resources and
COBIT Information Criteria
This appendix provides a mapping between the COBIT IT processes and the five IT
governance focus areas, the components of COSO, IT resources and the information
criteria. The table also provides a relative importance indicator (high, medium, low)
based on benchmarking via COBIT online. This matrix demonstrates on one page and at
a high level how the COBIT framework addresses IT governance and COSO
requirements, and shows the relationship between IT processes and the IT resources and
information criteria. P is used when there is a primary relation and S when there is only
a secondary relation. No P or S does not mean that there is no relation, only that it is
less important, or marginal. The importance values are based on a survey and the
opinions of experts, and are provided only as a guide. Users should consider what
processes are important within their own organizations.
Gambar 2.5 Mapping IT Processes to IT Governance
Sumber : ITGI-CobIT 4.1th edition (2007, p173)
37
2.8.6.3 Appendix III
Maturity Model For Internal Control
This appendix provides a generic maturity model showing the states of the internal
control environment and the establishment of internal controls in an enterprise. It shows
how the management of internal control an awareness of need to establish better
internal control, typically develops from an adhoc to an optimised level. The model
provide a high level guide to help COBIT users appreciate that is required for effective
internal controls in IT and to help position there enterprise on the maturity scale.
Gambar 2.6 Maturity Model For Internal Control
Sumber : ITGI-CobIT 4.1th edition (2007)
38
2.8.6.4 Control Objective
PO1.1 IT Value Management
Work with the business to ensure that the enterprise portofolio of IT-enable
investment contains programmes that have solid business cases. Recognize that there
are mandatory, sustaining and discretionary investment that differ in complexity and
degree of freedom in allocating funds. IT processes should provide effective and efficient
delivery of the IT components of programs and early warning of any deviations from
plan, including cost, schedule or functionality, that might impact the expected outcomes
of te programs. IT services should be executed against equitable and enforceable service
level agreements (SLAs). Accountability for achieving the benefits and controlling the
costs should be clearly assigned and monitored. Astablish fair, transparent, repeatable
and comparable evaluation of business cases, including financial worth, risk of not
delivering a capability and the risk of not realising the expected benefits.
PO1.2 Business-IT Aligment
Establish processes of bi-directional education and reciprocal involvement in
strategic planning to achieve business and IT alignment and integration. Mediate
between business an IT imperatives so priorities can be mutually agreed.
PO1.3 Assesment of Current Capability and Performance
Assess the current capability and performance of solution an service delivery to
establish a baseline against which future requirements can be compared. Defone
performance in terms of IT’s contribution to business objective, functionality, stability,
complexcity, costs, strengths and weaknesses.
PO1.4 IT Strategic Plan
Create a strategic plan that defines, in co-operation with relevant stakeholders,
how IT goals will contribute to the enterprise’s strategic objectives and related costs
and risks. It should include how IT will support IT-enable investment programmes, IT
services and IT assets. IT should define how the objectives will be met, the
measurements to be used and procedures to obtain formal sign-off from the
stakeholders. The IT strategic plan should cover investment/operational budget, funding
sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements.
The strategic plan should be sufficiently detailed to allow for the definition of tactical IT
plans
PO1.5 Tactical Plans
Create a portofolio of tactical IT plans that are derived from the IT strategic
plan. The tactical plans should address IT-enabled programme investments, IT services
an IT assets. The tactical plans should describe required IT initiatives, resource
requirements, and how the use of recources and achievement of benefits will be
monitored an managed. The tactical plans should be sufficiently detailes to allow the
definition of project plans. Actively manage the set of tactical IT plans and initiatives
through analysis of project and service portofolios.
PO1.6 IT Portofolio Management
Actively manage with the business the portofolio of IT-enabled investment
programmes required to achieve spesific strategic business objectives by identifying,
defining, evaluating, prioritizing, selecting, initiating, managing and controlling
programmes. This should include clarifying desired business outcomes, ensuring that
programme objectives support achievement of the outcomes, understanding the full
scope of effort required to achieve the outcomes, assigning clear accountability with
39
supporting measures, defining projects within the programme, allocating resources and
funding, delegating authority, and commissioning required projects at programme
launch.
PO2 Define the Information Architecture
PO2.1 Enterprise Information Architecture Model
Establish and maintain an enterprise information model to enable applications
development and decision-supporting activities, consistent with IT plans an described in
PO1. The model should facilitate the optimal creation, useand sharing of information by
the business in a way tha maintains integrity and is flexible, functional, costs-effective,
timely, secure and resilient to failure.
PO2.2 Enterprise Data Dictionary ana Data Syntax Rules
Maintain an enterprise data dictionary that incur[porates the organisation’s
data syntax rules. This dictionary should enable the sharing of data elements amongst
applications and system, promote a common understanding of data amongst IT and
business users, and prevent incompatible data elements from being created.
PO2.3 Data Classification Scheme
Establish a classification scheme that applies throughout the enterprise, based
on the criticality and sensitivity ( e.g,.piblic,confidential, top sevret) of enterprise data.
This scheme should include details about data ownership;definition of appro[iate
security levels and protection controls; and a brief description of data retention and
destruction requirements, criticality and sensitivity. It should be used as the basis for
applying controls such as access controls, achieving or encryption.
PO2.4 Integrity Management
Define and implement procedures to ensure the integrity and consistency of all
data stored in electronic from, such as databases, data warehouses and data archieves.
PO3 Determine Technological Direction
PO3.1 Technological Direction Planning
Analyse existing and emerging technologies, and plan which technological
direction is appropriate to realise the IT strategy and the business systems architecture.
Also identify in the plan which technologies have the potential to create business
opportunities. The plan should address systems architecture, technological direction,
migration strategies and contingency aspects of infrastructure components.
PO3.2 Technology Infrastructure Plan
Create and maintain a technology infrastructure plan that is in accordance with
the IT strategic and tactical plans. The plan should be based on the technological
direction and include contingency arrangements and direction for acquisition of
technology resources. It should consider changes in the competitive environtment,
economies of scale for information system staffing and investments, and improved
interoperability of platforms and applications.
PO3.3 Monitor Future Trends and Regulations
Establish a process to monitor the business sector, industry, technology,
infrastructure, legal and regulatory environment trends. Incorporate the consequences
of these trends into the development of the IT technology infrastructure plan.
40
PO3.4 Technology Standards
To provide consistent, effective and secure technological solutions
enterprisewide, establish a technology forum to provide technology guidelines, advice
on infrastructure products and guidance on the selection of technology, and measure
compliance with these standards and guidelines. This forum should direct technology
standards and practices based in their business relevance, risks and compliance with
external requirements.
PO3.5 IT Architectu re Board
Establish an IT architecture board to provide architectureguidelines and advice
on their application, and to verify compliance. This entity should direct IT architecture
design, ensuring that it enables the business strategy and considers regulatory
compliance and continuity requirements. This is related/linked to PO2 Define the
Information Architecture.
PO4 Define the IT Processes, Organisation and Relationship
PO4.1 IT Process Framework
Define an IT process framework to execute the ITn strategic plan. This
framework should include an IT process structure and relationship (e.g., to manage
process gaps and overlaps), ownership, maturity, performance measurement,
improvement, compliance, quality targets and plans to achieve them. It should provide
integration amongst the processes that are specific to IT, enterprise portofolio
management, business processes and business change processes. The IT process
framework should be integrated into a quality management system (QMS) and the
internal control framework.
PO4.2 IT Strategy Comitee
Establish an IT strategy committee at the board level. This committee should
ensure that IT governance, as part of enterprise governance, is adequately addressed;
advise on strategicdirection; and review major investments on behalf of the full board.
PO4.3 IT steering Committee
Establish an IT steering (or equivalent) composed of executive, business and IT
management to:
1. Determine prioritisation of IT-enabled investment programmes in line with
the enterprise’s business strategy and priorities
2. Track status of projects and resolve resource conflict
3. Monitor service levels and service improvements
PO4.4 Organisational Placement of the IT Function
Place the IT function in the overall organisational structure with a
businessmodel contingent on the importance of IT within the enterprise, specifically its
criticality to business strategy and the level of operational dependence on IT. The
reporting line of the CIO should be commensurate with the importance of IT within the
enterprise.
PO4.5 IT Organisational structure
Establish an internal and external IT organizational structure with a business
model contingent on the importance of IT within the enterprise, specifically its criticality
41
to business strategy and the level of operational dependence on IT. The reporting line of
the CIO should be commensurate with the importance of IT within the enterprise.
PO4.6 Establishment of Roles and Responsibilities
Establish and communicate roles and responsibilities for IT personnel and end
users that delineate between IT personnel and end-user authority, responsibilities and
accountabilitiy for meeting the organisation’s needs.
PO4.7 Responsibility for IT Quality Assurance
Assign responsibility for the performance of the quality assurance (QA) function
and provide the QA group with appropriate QA systems, controls and communications
expertise. Ensure that the organisational placement and the responsibilities and size of
the QA group satisfy the requirements of the organization.
PO4.8 Responsibility for Risk, Security and Compliance
Embed ownersip and responsibility for IT-related risks within the business at an
appropriate senior level. Define and assign roles critical for managing IT risks,
including the specific responsibility for information security, physical security and
compliance. Establish risk and security management responsibilities may need to be
assigned at a system-specific level to deal with related security issues. Obtain direction
from senior management on the appetite for IT risk and approval of any residual IT
risks.
PO4.9 Data and System Ownership
Provide the business with procesures and tools, enabling it to address its
responsibilities for ownership of data and information systems. Owners should make
decisions about classifying information and systems and protecting them in line with this
classification.
PO4.10 Supervision
Implement adequate supervisory practices in the IT function to ensure that roles
and responsibilities are properly exercised, to assess whether all personnel have
sufficient authority and resources to execute their roles and responsibilities, and to
generally review KPIs.
PO4.11 Segregation of Duties
Implement a division of roles and responsibilities that reduces the possibility for
a single invidual to compromise a critical process. Make sure that personnel are
performing only authorized duties elevant to their respective jobs and positions.
PO4.12 IT Staffing
Evaluate staffing requirements on a regular basis or upon major changes to the
business, operational or IT environments to ensure that the IT function has sufficient
resources to adequately and appropriately support the business goals and aobjectives.
PO4.13 Key IT Personnel
Define and identify key IT personnel (e.g.,replacements/backup personnel), and
minimize reliance on single individual performing a critical job function.
PO4.14 Contracted Staff Policies and Procedures
Ensure that consultants and contract personnel who support the IT function
know and comply with the organization’s policies for the protection of the
organization’s information assets such that they meet agreed-upon contractual
requirements.
42
PO4.15 Relationship
Establish and maintain an optimal co-ordination, communication and liaison
structure between the IT function and various other interests inside and outside and
outside the IT function, various other interests inside and outside the IT function, such
as the board, executives, business units, individual users, suppliers, security officers,
risk managers, the corporate compliance group, outsourcers and offsite management.
PO5 Manage IT Investment
PO5.1 Financial Management Framework
Establish and maintain a financial framework to manage the investment and cost
of IT assets and services through portfolios of IT-enabled investments, business cases
and IT budgets.
PO5.2 Prioritisation Within IT Budget
Implement a decision-making process to priorities the allocation of IT resources
for operations, projects and maintenance to maximize IT’s contribution to optimizing the
return on the enterprise’s portfolio of IT-enabled investment programmes and other IT
services and assets.
PO5.3 IT Budgeting
Establish and implement practices to prepare a budget reflecting the priorities
established by the enterprise’s portfolio of IT-enabled investment programmes, and
including the outgoing costs of operating and maintaining the current infrastructure.
The practices should support development of an overall IT budget as well as
development of budgets for individual programmes, with specific emphasis on the IT
components of those programmes. The practices should allow for ongoing review,
refinement and approval of the overall budget and the budgets for individual
programmes.
PO5.4 Cost Management
Implement a cost management process comparing actual costs to budgets. Costs
should be monitored and reported. Where there are deviations, these should be
identified in a timely manner and the impact of those deviations on programmes should
be assessed. Together with the business sponsor of those programmes, appropriate
remedial action should be taken and, if necessary, the programme business case should
be updated.
PO5.5 Benefit Management
Implement a process to monitor the benefits from providing and maintaining
appropriate IT capabilities. IT’s contribution to the business, either as a component of
IT-enabled investment programmes or as part of regular operational support, should be
identified and documented in a business case, agreed to, monitored and reported.
Reports should be reviewed and, where there are opportunities to improve IT’s
contribution, appropriate actions should be defined and taken. Where changes in IT’s
contribution impact the programme, or where changes to other related projects impact
the programme, the programme business case should be updated.
43
PO6Communicate Management Aims and Direction
PO6.1 IT Policy and Control Environment
Define the elements of a control environment for IT, aligned with the enterprise’s
management philosophy and operating style. These elements should include
expectation/requirements regarding delivery of value from IT investments, appetite for
risk, integrity, ethical values, staff competence, accountability and responsibility. The
control environment should be based on a culture that supports value delivery whilst
managing significant risk, encourages cross-divisional co-operation and teamwork,
promotes compliance and continuous process improvement, and handles process
deviations (including failure) well.
PO6.2 Enterprise IT Risk and Control Framework
Develop and maintain a framework that defines the enterprise’s overall
approach to IT risk and control and that aligns with the IT policy and control
environment and the enterprise risk and control framework.
PO6.3 IT Policies Management
Develop and maintain a set of policies to support IT strategy. These policies
should include policy intent; roles and responsibilities; exception process; compliance
approach; and reference to procedures, standards and guidelines. Their relevance
should be confirmed and approved regularly.
PO6.4 Policy, Standard and Procedu res Rollout
Roll out and enforce IT policies to all relevant staff, so they are built into and are
an integral part of enterprise operations.
PO6.5 Communication of IT Objectives and Direction
Communicate awareness and understanding of business and IT objectives and
direction to appropriate stakeholders and users throughout the enterprise.
PO7 Manage IT Human Resources
PO7.1 Personnel Requirement and Retention
Maintain IT personnel requirement processes in line with the overall
organisation’s personnel policies and procedures (e.g., hiring, positive work
environment, orienting). Implement processes to ensure that the organization has an
appropriately deployed IT workforce with the skills necessary to achieve organizational
goals.
PO7.2 Personnel Competencies
Regularly verify that personnel have the competencies to fulfil their roles on the
basis of their education, training and/or experience. Define core IT competency
requirements and verify that they are being maintained, using qualification and
certification programmes where appropriate.
PO7.3 Staffing of Roles
Define, monitor and supervise roles, responsibilities and compensation
framework for personnel, including the requirement to adhere to management policies
and procedures, the code of ethics, and professional practices. The level of supervision
should be in line with the sensitivity of the position and extent of responsibilities
assigned.
44
PO7.4 Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing
training to maintain their knowledge, skills, abilities, internal controls and security
awareness at the level required to achieve organizational goals.
PO7.5 Dependence Upon Individuals
Minimize the exposure to critical dependency on key individuals through
knowledge capture (documentation), knowledge sharing, succession planning and staff
backup.
PO7.6 Personnel Clearance Procedu res
Include background check in the recruitment process. The extent and frequency
of periodic reviews of these checks should depend on the sensitivity and/or criticality of
the function and should be applied for employees, contractors and vendors.
PO7.7 Employee Job Performance Evaluation
Require a timely evaluation to be performed on a regular basis against
individual objectives derived from the organisation’s goals, establish standards and
specific job responsibilities. Employees should receive coaching on performance and
conduct whenever appropriate.
PO7.8 Job Change and Termination
Take expedient actions regarding job changes, especially job terminations.
Knowledge transfer should be arranged, responsibilities reassigned and access rights
removed such that risk are minimized and continuity of the function is guaranteed.
PO8 Manage Quality
PO8.1 Quality Management System
Establish and maintain a QMS that provides a standard, formal and continuous
approach regarding quality management that is aligned with business requirements. The
QMS should identify quality requirements and criteria; key IT processes and their
sequence and interaction; and the policies, criteria and methods for defining, detecting,
correcting and preventing non-conformity. The QMS should define the organizational
structure for quality management, covering the roles, task and responsibilities. All key
areas should develop their quality plans in line with criteria and policies and record
quality data. Monitor and measure the effectiveness and acceptance of the QMS, and
improve it when needed.
PO8.2 IT Standards and Quality Practies
Identify and maintain standards, procedures and practice for key IT processes to
guide the organization in meeting the intent of the QMS. Use industry good practices for
reference when improving and tailoring the organisation’s quality practices.
PO8.3 Development and Acquisition Standards
Adopt and maintain standards for all development and acquisition that follow the
life cycle of the ultimate deliverable, and include sign-off at key milestones based on
agreed-upon sign-off criteria. Consider software coding standards; naming conventions;
file formats; schema and data dictionary design standards; user interface standards;
interoperability; system performance efficient; scalability; standards for development
and testing; validation against requirements; test plans; and unit, regression and
integration testing.
45
PO8.4 Customer Focu s
Focus quality management on customers by determining their requirement and
aligning them to the IT standards and practices. Define roles and responsibilities
concerning conflict resolution between the user/customer and the IT organization.
PO8.5 Continuous Improvement
Maintain and regularly communicate an overall quality plan that promotes
continuous improvement.
PO8.6 Quality Measurement, Monitoring and Review
Define, plan and implement measurements to monitor continuing compliance to
the QMA, as well as the value the QMS provides. Measurement, monitoring and
recording of information should be used by the process owner to take appropriate
corrective and preventive actions.
PO10 Manage Project
PO10.1 Programme Management Framework
Maintain the programme of projects, related to the portfolio of IT-enabled
investment programmes, by identifying, defining, evaluating, prioritizing, selecting,
initiating, managing and controlling projects. Ensure that the projects support the
programme’s objectives. Co-ordinate the activities and interdependencies of multiple
projects, manage the contribution of all the projects within the programme to expected
outcomes, and resolve resource requirements and conflicts.
PO10.2 Project Management Framework
Establish and maintain a project management framework that defines the scope
and boundaries of managing project, as well as the method to be adopted and applied to
each project undertaken. The framework and supporting method should be integrated
with the programme management processes.
PO10.3Project Management Approach
Establish a project management approach commensurate with the size,
complexity and regulatory requirements of each project. The project governance
structure can include the roles, responsibilities and accountabilities of the programme
sponsor, project sponsors, steering committee, project office and project manager, and
the mechanisms through which they can meet those responsibilities (such as reporting
and stage reviews). Make sure all IT projects have sponsors with sufficient authority to
own the execution of the project within the overall strategic programme.
PO10.4 Stakeholder Commitment
Obtain commitment and participation from the affected stakeholders in the
definition and the execution of the project within the context of the overall IT-enabled
investment programme.
PO10.5 Project Scope Statement
Define and document the nature and scope of the project to confirm and develop
amongst stakeholders a common understanding of project scope and how it relates to
other projects within the overall IT-enabled investment programme. The definition
should be formally approved by the programme and project sponsor before project
initiation.
PO10.6 Project Phase Initiation
Approve the initiation of each major project phase and communicate it to all
stakeholders. Base the approval of the initial phase on programme governance
46
decisions. Approval of subsequent phases should be based on review and acceptance of
the deliverables of the previous phase, and approval of an updated business case at the
next major review of the programme. In the event of overlapping project phases, an
approval point should be established by programme and project sponsors to authorize
project programme.
PO10.7 Integrated Project Plan
Establish a formal, approved integrated project plan (covering business and
information systems resources) to guide project execution and control throughout the
life of the project. The activities and interdependencies of multiple projects within a
programme should be understood and documented. The project plan should be
maintained throughout the life of the project. The project plan, and change to it, should
be approved in line with the programme and project governance framework.
PO10.8 Project Resou rces
Define the responsibilities, relationships, authorities and performance criteria of
project team members, and specify the basis for acquiring and assigning competent staff
members and/or contractors to the project. The procurement of the products and
services required for each project should be planned and managed to achieve project
objective using the organisation’s procurement practices.
PO10.9 Project Risk Management
Eliminate or minimize specific risk associated with individual projects through a
systematic process of planning, identifying, analyzing, responding to, monitoring and
controlling the areas or events that have the potential to cause unwanted change. risk
faced by the project management process and the project deliverable should be
established and centrally recorded.
PO10.10 Project Quality Plan
Prepare a quality management plan that describes the project quality system and
how it will be implemented. The plan should be formally review and agreed to by all
parties concerned and then incorporated into the integrated project plan.
PO10.11 Project Change Control
Establish a change control system for each project, so all changes to the project
baseline (e.g., cost, schedule, scope, quality) are appropriately reviewed, approved and
incorporated into the integrated project plan in line with the programme and project
governance framework.
PO10.12 Project Planning of Assurance Methods
Identify assurance task required to support the accreditation of new or modified
system during project planning, and include them in the integrated project plan. The
task should provide assurance that internal controls and security features meet the
defined requirements.
PO10.13 Project Performance Measurement, Reporting and Monitoring
Measure project performance against key performance scope, schedule, quality,
cost and risk criteria. Identify any deviations from the plan, assess the impact of
deviations on the project and overall programme, and report results to key stakeholders.
Recommend, implement and monitor remedial action, when required, in line with the
programme and project governance framework.
PO10.14 Project Closu re
Require that, at the end of each project, the project stakeholders ascertain
whether the project delivered the planned results and benefits. Identify and communicate
47
any outstanding activities required to achieve the planned results of the project and the
benefits of the programme, and identify and document lessons learned for use on future
project and programmes.
AI1 Identify Automated Solutions
AI1.1 Definition and Maintenance of Business Functional and Technical
Requirements
Identify, priorities, specify and agree on business functional and technical
requirements covering the full scope of all initiatives required to achieve the expected
outcomes of the IT-enabled investment programme.
AI1.2 Risk Analysis Report
Indentify, document and analysis risk associated with the business requirements
and solution design as part of the organisation’s process for the development of
requirements.
AI1.3 Feasibility Study and Formulation of Alternative Courses of Action
Develop a feasibility study that examines the possibility of implementing the
requirements. Business management, supported by the IT function, should assess the
feasibility and alternative courses of action and make a recommendation to the business
sponsor.
AI1.4 Requirements and Feasibility Decision and Approval
Verify that the process requires the business sponsor to approve and sign off on
business functional and technical requirements and feasibility study reports at
predetermined key stages. The business sponsor should make the final decision with
respect to the choice of solution and acquisition approach.
AI2 Acquire and Maintain Application Software
AI2.1 High-level Design
Translate business requirements into a high-level design specification for
software acquisition, taking into account the organisation’s technological direction and
information architecture. Have the design specifications approved by management to
ensure that the high-level design responds to the requirements. Reassess when
significant technical or logical discrepancies
occur during development or
maintenance.
AI2.2 Detailed Design
Prepare detailed design and technical software application requirements.
Defines the criteria for acceptance of the requirements. Have the requirements approved
to ensure that they correspond to the high-level design. Reassessment when significant
technical or logical discrepancies occur during development or maintenance.
AI2.3 Application Control and Auditability
Implement business controls, where appropriate, into automated controls such
that processing is accurate, complete, timely, authorized an auditable.
AI2.4 Application Security and Availability
Address application security and availability requirements in response to
identified risk and in line with the organisation’s data classification, information
architecture, information security architecture and risk tolerance.
48
AI2.5 Configuration and Implementation of Acquired Application Software
Configure and implement acquired application software to meet business
objectives.
AI2.6 Major Upgrades to Existing Systems
In the event of major changes to existing systems that result in significant chance
in current design and/or functionality, follow a similar development process as that used
for the development of new systems.
AI2.7 Development of Application Software
Ensure that automated functionality is developed in accordance with design
specifications, development and documentation standards. QA requirements, and
approval standards. Ensure that all legal and contractual aspects are identified and
addresses for application software developed by third parties.
AI2.8 Software Quality Assurance
Develop, resources and execute a software QA plan to obtain the quality
specified in the requirements definition and the organisation’s quality policies and
procedures.
AI2.9 Application Requirements Management
Track the status of individual requirements (including all rejected requirements)
during the design, development and implementation, and approve change to
requirements through an established change management process.
AI2.10 Application Software Maintenance
Develop a strategy and plan for the maintenance of software applications.
AI3 Acquire and Maintain Technology Infrastructure
AI3.1 Technological Infrastructu re Acquisition Plan
Produce a plan for the acquisition, implementation and maintenance of the
technological infrastructure that meets established business functional and technical
requirements and is in accord with the organisation’s technology direction.
AI3.2 Infrastructure Resou rces Protection and availability
Implement internal control, security and auditability measures during
configuration, integration and maintenance of hardware and infrastructural software to
protect resources and ensure availability and integrity. Responsibilities for using
sensitive infrastructure components should be clearly defined and understood by those
who develop and integrate infrastructure components. Their use should be monitored
and evaluated.
AI3.3 Infrastructure Maintenance
Develop a strategy and plan for infrastructure maintenance, and ensure that
changes are controlled in line with the organisation’s change management procedure.
Include periodic review against business needs, patch management, upgrade strategies,
risk, vulnerabilities assessment and security requirements.
AI3.4 Feasibility Test Environment
Establish development and test environments to support effective and efficient
feasibility and integration testing of infrastructure components.
49
AI4 Enable Operation and Use
AI4.1 Planning for Operational Solutions
Develop a plan to identify and document all technical, operational and usage
aspects such that all those who will operate, use and maintain the automated solutions
can execise their responsibility.
AI4.2 Knowledge Transfer to Business Management
Transfer knowledge to business management to allow those individuals to take
ownership of the system and data, and exercise responsibility for service delivery and
quality, internal control, and application administration.
AI4.3 Knowledge Transfer to End Users
Transfer knowledge and skills to allow end users to effectively and efficiently use
the system in support of business processes.
AI4.4 Knowledge Transfer to Operations and Support Staff
Transfer knowledge and skills to enable operations and technical support staff to
effectively and efficiently deliver, support and maintain the system and associated
infrastructure.
AI5 Procure IT Resources
AI5.1 Procurement Control
Develop and follow a set of procedures and standards that is consistent with the
business organisation’s overall procurement process and acquisition strategy to acquire
IT-related infrastructure, facilities, hardware, software and services need by the
business.
AI5.2 Supplier Contract Management
Set up a procedure for establishing, modifying and terminating contracts for all
suppliers. The procedure should cover, at a minimum, legal, financial, organizational,
documentary, performance, security, intellectual property, and termination
responsibilities and liabilities (including penalty clauses). All contracts and contract
change should be reviewed by legal advisors.
AI5.3 Supplier Selection
Select suppliers according to a fair and formal practice to ensure a viable best fit
based on specified requirements. Requirements should be optimized with input from
potential suppliers.
AI5.4 IT Resources Acquisition
Protect and enforce the organisation’s interests in all acquisition contractual
agreement, including the right and obligations of all parties in the contractual terms for
the acquisition of software, development resources, infrastructure and services.
AI6 Manage Changes
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardized
manner all requests (including maintenance and patches) for changes to applications,
procedures, processes, system and service parameters, and the underlying platforms.
AI6.2 Impact Assessment, Prioritisation and Authorisation
Assess all requests for change in a structured way to determine the impact on the
operational system and its functionality. Ensure that change are categorized, prioritized
and authorized.
50
AI6.3 Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and
authorizing emergency changes that do not follow the establish change process.
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system to document rejected changes,
communicate the status of approved and in-process change, and complete changes.
Make certain that approved change are implemented as planned.
AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user
documentation and procedures accordingly.
AI7 Install and Accredit Solution and Changes
AI7.1 Training
Train the staff members of the affected user department and the operations group
of the IT function in accordance with the defined training and implementation plan and
associated materials, as part of every information systems development, implementation
or modification project.
AI7.2 Test Plan
Establish a test plan based on organization wide standards that defines roles,
responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant
parties.
AI7.3 Implementation Plan
Establish an implementation and fallback/backout plan. Obtain approval from relevant
parties.
AI7.4 Test Environment
Define and establish a secure test environment representative of the planned
operations environment relative to security, internal controls, operational practices,
data quality and privacy requirements, and work loads.
AI7.5 System and Data Conversion
Plan data conversion and infrastructure migration as part of the organisation’s
development methods, including audit trails, rollback and fallbacks.
AI7.6 Testing of Changes
Test changes independently in accordance with the defined test plan prior to
migration to the operational environment. Ensure that the plan considers security and
performance.
AI7.7 Final Acceptance Test
Ensure that business process owners and IT stakeholders evaluate the outcome
of the testing process as determined bye the test plan. Remediate significant errors
identified in the testing process, having completed the suite of test identified in the test
plan and any necessary regression test. Following evaluation, approve promotion to
production.
AI7.8 Promotion to Production
Following testing, control the hardover of the changed system to operations,
keeping it in line with the implementation plan. Obtain approval of the key stakeholders,
such us users, system owner and operational management. Where appropriate, run the
system in parallel with the old system for a while, and compaire behavior and results.
51
AI7.9 Post-implementation Review
Establish procedures in line with the organizational change management
standards to require a post-implementation review as set out in the implementation plan.
DS1 Define and Manage Services Levels
DS1.1 Service Level Management Framework
Define a framework that provides a formalized service level management
process between the customer and service provider. The framework should maintain
continuous alignment with business requirements and priorities and facilitate common
understanding between the customer and provider(s). The framework should include
processes for creating service requirements, service definitions, SLAs, OLAs and
funding sources. These attributes should be organized in a service catalogue. The
framework should define the organizational structure for service level management,
covering the roles, tasks and responsibilities of internal and external service providers
and customers.
DS1.2 Definition of Services
Base definitions of IT service characteristies and business requirements. Ensure
that they are organised and stored centrally via the implementation of a service
catalogue portofolio approach.
DS1.3 Service Level Agreements
Define and agree to SLAs for all critical IT services based on customer
requirements and IT capabilities. This should cover customer commitments; service
support requirements; quantitative and qualitative metrics for measuring the service
signed off on by the stakeholders; funding and commercial arrangements, if applicable;
and roles and responsibilities, including oversight of the SLA. Consider items such as
availability, reliability, performance, capacity for growth, levels of support, continuity
planning, security and demand constraints.
DS1.4 Operating Level Agreement
Define OLAs that explain how the services will be technically delivered to
support the SLA(s) in an optimal manner. The OLAs should be specify that technical
processes in terms meaningful to the provider and may support several SLAs.
DS1.5 Monitoring and Reporting of Service Level Achievements
Continuously monitor specified service level performance criteria. Reports on
achievement of service levels should be provided in a format that is meaningful to the
stakeholder. The monitoring statistics should be analysed and acted upon to indentify
negative and positive trends for individual services as well as for services overall.
DS1.6 Review of Service Level Agreement and Contracts
Regulary review SLAs and underpinning contract (UCs) with internal and
external service providers to ensure that they are effective and up to date and that
changes in requirements have been taken into account.
DS2 Manage Third-party Services
DS2.1 Identification of All Supplier Relationships
Identify all supplier services, and categories the according to supplier type,
significance and criticality. Maintain formal documentation of technical and
organizational relationships covering the roles and responsibilities, goals, expected
deliverables, and credentials of representatives of these suppliers.
52
DS2.2 Supplier Relationship Management
Formalise the relationship management process for each supplier. The
relationship owners should lialise on customer and supplier issues and ensure the
quality of the relationship based on trust and transparency (e.g., through SLAs).
DS2.3 Supplier Risk Management
Identify and mitigate risk relating to suppliers’ ability to continue effective
service delivery in a secure and efficient manner on a continual basis. Ensure that
contracts conform to universal business standards in accordance with legal and
regulatory requirements. Risk management should further consider non-disclosure
agreement (NDAs), escrow contracts, continued viability, conformance with security
requirements, alternative suppliers, penalties and rewards, etc.
DS2.4 Supplier Performance Monitoring
Establish a process to monitor service delivery to ensure that the supplier is
meeting current business requirements and continuing to adhere to the contract
agreements and SLAs, and that performance is competitive with alternative suppliers
and market conditions.
DS3 Manage Performance and Capacity
DS3.1 Performance and Capacity Planning
Establish a planning process for the review of performance and capacity of IT
resources to ensure that cost-justifiable capacity and performance are available to
process the agreed-upon workloads as determined by the SLAs. Capacity and
performance plans should leverage appropriate modeling techniques to produce a
model of the current and forecasted performance, capacity and throughput of the IT
resources.
DS3.2 Current Performance and Capacity
Assess current performance and capacity forecasting of IT resources to
determine if sufficient capacity and performance exist to deliver against agreed-upon
service levels.
DS3.3 Future Performance and Capacity
Conduct performance and capacity forecasting of IT resources at regular
interval to minimize the risk of service disruptions due to insufficient capacity or
performance degradation, and identify excess capacity for possible redeployment.
Identify work load trends and determine forecasts to be input to performance and
capacity plans.
DS3.4 IT Resources Availability
Provide the required capacity and performance, taking into account aspects such
as normal workloads, contingencies, storage requirements and IT resource life cycles.
Provisions such as prioritizing tasks, fault-tolerance mechanisms and resource
allocation performance if individual IT resources.
DS3.5 Monitoring and Reporting
Continuously monitor the performance and capacity of IT resources. Data gathered
should serve two purposes:
1. To maintain and tune current performance within IT and address such issues as
resilience, contingency, current and projected workloads, storage plans, and
resource acquisition.
53
2. To report delivered service availability to the business, as required by the SLAs
Accompany all exception reports with recommendations for corrective action.
DS4 Ensure Continuous Service
DS4.1 IT Continuity Framework
Develop a framework for IT continuity to support enterprisewide continuity
management using a consistent process. The objective of the framework should be to
assist in determining the required resilience of the infrastructure and to drive the
development of disaster recovery and IT contingency plans. The framework should
address the organizational structure for continuity management, covering the roles, task
and responsibilities of internal and external service providers, their management and
their customers, and the planning processes that create the rules and structures to
document, test and execute the disaster recovery and IT contingency plans. The plan
should also address item such as the identification of critical resources, noting key
dependencies, the monitoring and reporting of the availability of critical resources,
alternative processing, and principles of backup and recovery.
DS4.2 IT Continuity Plans
Develop IT continuity plans based on the framework and designed to reduce the
impact of a major disruption on key business functions and processes. The plans should
be based on risk understanding of potential business impact and address requirements
for resilience, alternative processing and recovery capability of all critical IT services.
They should also cover usage guidelines, roles and responsibilities, procedures,
communication processes, and the testing approach.
DS4.3 Critical IT Resources
Focus attention on items specified as most critical in the continuity plan to built
in resilience and establish priorities in recovery situations. Avoid the distraction of
recovering less-critical items and ensure response and recovery in line with prioritized
business needs, while ensuring that costs are kept at an acceptable level and complying
with regulatory and contractual requirements. Consider resilience, response and
recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more
than 24 hours and critical business operational periods.
DS4.4 Maintenance of the IT Continuity Plan
Encourage IT management to define and execute change control procedures to
ensure that the IT continuity plan is kept up to date and continually reflects actual
business requirements. Communicate changes in procedures and responsibilities clearly
and in a timely manner.
DS4.5 Testing of the IT Continuity Plan
Test the IT continuity plan on a regular basis to ensure that IT systems can be
effectively recovered , shortcomings are addressed and the plan remains relevant. This
require careful preparation, documentation, reporting of test result and according to the
results, implementation of an action plan. Consider the extent of testing recovery of
single application to integrated testing scenarios to en-to-end testing and integrated
vendor testing.
DS4.6 IT Continuity Plan Training
Provide all concerned parties with regular training sessions regarding the
procedures and their roles and responsibilities in case of an incident or disaster. Verify
and enhance training according to the result of the contingency test.
54
DS4.7 Distribution of the IT continuity Plan
Determine that a defined and managed distribution strategy exists to ensure that
plans are properly and securely distributed and available to appropriately authorized
interested parties when and where needed. Attention should be paid to making the plans
accessible under all disaster scenarios.
DS4.8 IT Services Recovery and Resumption
Plan the action to betaken for the period when IT is recovering and resuming
services. This may include activation of backup sites, initiation of alternative processing,
customer and stakeholder communication, and resumption procedures. Ensure that the
business understands IT recovery times and the necessary technology investment to
support business recovery and resumption needs.
DS4.9 Offsite Backup Storage
Store offsite all critical backup media, documentation and other IT resources
necessary for IT recovery and business continuity plans. Determine the content of
backup storage in collaboration between business process owners and IT personnel.
Management of the offsite storage facility should respond to the data classification
policy and the enterprise’s media storage practices. IT management should ensure that
offsite arrangements are periodically assessed, at least annually, for content,
environmental protection and security. Ensure compatibility of hardware and software
to restore archived data, and periodically test and refresh archived data.
DS4.10 Post-resumption Review
Determine whether IT management has established procedures for assessing the
adequacy of the plan in regard to the successful resumption the IT function after a
disaster, and update the plan accordingly.
DS5 Ensure System Secu rity
DS5.1 Management of IT security
Manage IT security the highest appropriate organizational level, so the
management of security actions is in line with business requirements.
DS5.2 IT Security Plan
Translate business, risk and compliance requirements into overall IT security
plan, taking into consideration the IT infrastructure and the security culture. Ensure that
the plan is implementation in security policies and procedures together with appropriate
investments in services, personnel, software and hardware. Communicate security
policies and procedures to stakeholders and users.
DS5.3 Identify Management
Ensure that all users (internal, external and temporary) and their activity on IT
systems (business application, IT environment, system operation, development and
maintenance) are uniquely identifiable. Enabled user identities via authentication
mechanisms. Confirm that user access rights to systems and data are in line with defined
and documented business needs and that job requirements are attached to user
identities. Ensure that user access right are requested by user management, approved by
system owners and implemented bye the security-responsible person. Maintain user
identities and access rights in a central repository. Deploy cost-effective technical and
procedural measures, and keep them current to establish user identification, implement
authentication and enforce access rights.
55
DS5.4 User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing
user account and related user privileges with a set of user account management
procedures. Include an approval procedure outlining the data or system owner granting
the access privileges. These procedures should apply for all users, including
administrators (privileged users) and internal and external users, for normal and
emergency cases. Rights and obligations relative to access to enterprise systems and
information should be contractually arranged for all types of users. Perform regular
management review of all accounts and related privileges.
DS5.5 Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security
should be reaccredited in a timely manner to ensure that the approved enterprise’s
information security baseline in maintained. S logging and monitoring function will
enable to early prevention and/or detection and subsequent timely reporting of unusual
and/or abnormal activities that may need to be addressed.
DS5.6 Security Incident Definition
Clearly define and communicate the characteristics of potential security incident
so they can be properly classified and treated by the incident and problem management
process.
DS5.7 Protection of Security Technology
Make security-related technology resistance to tampering, and do not disclose
security documentation unnecessarily.
DS5.8 Cryptographic Key Management
Determine that policies and procedures are in place to organize the generation,
change, revocation, destruction, distribution, certification, storage, entry, use and
archiving of cryptographic keys to ensure the protection of keys against modification
and un authorized disclosure.
DS5.9 Malicious Software Prevention, Detection and Correction
Put preventive, detective and corrective measures in place (especially up-to-date
security patches and virus control) across the organization to protect information
systems and technology from malware (e.g., viruses, worms, spyware, spam).
DS5.10 Network Security
Use security techniques and related management procedures (e.g., firewalls,
security appliances, network segmentation, intrusion detection) to authorize access and
control information flow from and to networks.
DS5.11 Exchange of Sensitive Data
Exchange sensitive transaction data only over a trusted path or medium with
control to provide authenticity of content, proof of submission, proof of receipt and nonrepundation of origin.
DS6 Identify and Allocate Costs
DS6.1 Definition of Services
Identify all IT cost, and map them to IT services to support a transparent cost
model. IT services should be linked to business processes such that the business can
identify associated service billing levels.
56
DS6.2 IT Accounting
Capture and allocate actual cost according to the enterprise cost model.
Variance between forecasts and actual costs should be analysed and reported on, in
compliance with the enterprise’s financial measurement systems.
DS6.3 Cost Modeling and Charging
Establish and use an IT costing model based on the service definitions that
support the calculation of chargeback rates per services. The IT cost model should
ensure that charging for services is identifiable, measurable and predictable bye users
to encourage proper use of resources.
DS6.4 Cost Model Maintenance
Regularly review and benchmark the appropriateness of the cost/recharge model
to maintain its relevance an appropriateness to the evolving business and IT activities.
DS7 Educate and Train Users
DS7.1 Identification of Education and Training Needs
Establish and regularly update a curriculum for each target group of employees
considering:
1. Current and future business needs and strategy
2. Value of information as an asset
3. Corporate values (ethical values, control and security culture, etc)
4. Implementation of new information infrastructure and software (i.e., packages,
applications)
5. Current and future skills, competence profiles and certification and/or
credentialing needs as well as required reaccreditation
6. Delivery methods (e.g., classroom, web-based), target group size, accessibility
and timing
DS7.2 Delivery of Training and Education
Based on the identified education and training needs, identify target groups and
their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint
trainers and organize timely training sessions. Record registration (including
prerequisites), attendance and training session performance evaluations.
DS7.3 Evaluation of Training Received
Evaluate education and training content delivery upon completion for relevance,
quality, effectiveness, the retention of knowledge, cost and value. The results of this
evaluation should serve as input for future curriculum definition and the delivery of
training sessions.
DS8 Manage Service Desk and Incidents
DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register,
communicate, dispatch and analyse all calls, reported incidents, service requests and
information demands. There should be monitoring and escalation procedures based on
57
agreed-upon service levels relative to the appropriate SLA that allow classification and
prioritisation of any reported issues as an incident, service request or information
request. Measure end users’ satisfaction with the quality of the service desk and IT
services.
DS8.2 Registration of Customer Queries
Establish a function and system to allow logging and tracking of calls, incidents,
service requests and information needs. It should work closely with such processes as
incident management, problem management, change management, capacity
management and availability management. Incidents should be classified according to a
business and service priority and routed to the appropriate problem management team,
where necessary. Customers should be kept informed of the status of their queries.
DS8.3 Incident Escalation
Establish service desk procedures, so incidents that cannot be resolved
immediately escalated according to limits defined in the SLA and, if appropriate,
workarounds are provided. Ensure that incident ownership and life cycle monitoring
remain with the service desk for user-based incidents, regardless which IT group is
working on resolution activities.
DS8.4 Incident Closure
Establish procedures for the timely monitoring of clearance of customer queries.
When the incident has been resolved, ensure that the service desk records the resolution
steps, and confirm that the action taken has been agreed to by costumer. Also record
and report unresolved incident (known errors and workarounds) to provide information
for proper problem management.
DS8.5 Reporting and Trend Analysis
Produce reports of service desk activity to enable management to measure
service performance and service response time and to identify trends or recurring
problems, so service can be continually improved.
DS10 Manage Problems
DS10.1 Identification and Classification of Problems
Implement processes to report and classify problems that have identified as part
of incident management. The steps involved in problem classification are similar to the
steps in classifying incidents; they are to determine category, impact, urgency and
priority. Categories problems as appropriate into related groups or domains (e.g.,
hardware, software, support software). These groups may match the organisational
responsibilities of the user and customer base, and should be the basis for allocating
problems to support staff.
DS10.2 Problem Tracking and Resolution
Ensure that the problem management system provides for adequate audit trail
facilities that allow tracking, analyzing and determining the root cause of all reported
problems considering:
1. All associated configuration items
2. Outstanding problems and incidents
3. Known and suspected errors
58
4. Tracking of problem trends
Identify and initiate sustainable solutions addressing the root cause, raising change
request via the establish change management process. Throughout the resolution
process, problem management should obtain regular reports from change management
on progress in resolving problems and errors. Problem management should monitor the
continuing impact of problems and known errors on user services. In the event that this
impact become severe, problem management should escalate the problem, perhaps
referring it to appropriate board to increase the priority of the RFC or to implement an
urgent change as appropriate. Monitor the progress of problem resolution against SLAs.
DS10.3 Problem Closure
Put in place a procedure to close problem records either after confirmation or
successful elimination of the known error or after agreement with the business on how to
alternatively handle the problem.
DS10.4 Integration of Configuration, Incident and Problem Management
Integrate the related processes of configuration, incident and problem
management to ensure effective management of problems and enable improvements.
DS11 Manage Data
DS11.1 Business Requirement for Data Management
Verify that all data expected for processing are received and processed
completely, accurately and in a timely manner, and all output is delivered in accordance
with business requirements. Support restart and reprocessing needs.
DS11.2 Storage and Retention Arrangements
Define and implement procedures for effective and efficient data storage,
retention and archiving to meet business objectives, the organisation’s security policy
and regulatory requirements.
DS11.3 Media Library Management System
Define and implement Procedures to maintain an inventory of stored and
archived media to ensure their usability and integrity.
DS11.4 Disposal
Define and implement procedures to ensure that business requirements for
protection of sensitive data and software are met when data and hardware are disposed
or transferred.
DS11.5 Backup and Restoration
Define and implement procedures for backup and restoration of systems,
applications, data and documentation in line with business requirements and the
continuity plan.
DS11.6 Security Requirements for Data Management
Define and implement policies and procedures to indentify and apply security
requirements applicable to the receipt, processing, storage and output of data to meet
business objectives, the organisation’s security policy and regulatory requirements.
DS12 Manage the Physical Environment
DS12.1 Site Selection and Layout
Define and select the physical sites for IT equipment to support the technology
strategy linked to the business strategy. The selection and design of the layout of a site
should take into account the risk associated with natural and man-made disasters, whilst
59
considering relevant laws and regulations, such as occupational health and safety
regulations.
DS12.2 Physical Security Measures
Define and implement physical security measures in line with business
requirements to secure the location and the physical assets. Physical security measures
must be capable of effectively preventing, detecting and mitigating risk relating to theft,
temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals
or explosive.
DS12.3 Physical Access
Define and implement procedures to grant, limit and revoke access to premises,
buildings and areas according to business needs, including emergencies. Access to
premises, buildings and area should be justified, authorized, logged and monitored. This
should apply to all persons entering the premises, including staff, temporary staff,
clients, vendors, visitors or any other third party.
DS12.4 Protection Against Environmental Factors
Design and implement measures for protection against environmental factors.
Install specialized equipment and devices to monitor and control the environment.
DS12.5 Physical Facilities Management
Manage facilities, including power and communications equipment, in line with
laws and regulations, technical and business requirements, vendor specifications, and
health and safety guidelines.
DS13 Manage Operations
DS13.1 Operations Procedures and Instructions
Define, implement and maintain procedures for IT operations, ensuring that the
operations staff members are familiar with all operations task relevant to them.
Operational procedures should be cover shift handover (formal handover of activity,
status update, operational problems, escalation procedures and reports on current
responsibilities) to support agreed-upon service levels and ensure continuous
operations.
DS13.2 Job Scheduling
Organize the scheduling of job, processes and tasks into the most efficient
sequence, maximizing throughput and utilization to meet business requirements.
DS13.3 IT Infrastructu re Monitoring
Define and implement procedures to monitor the IT infrastructure and related
events. Ensure that sufficient chronological information is being stored in operations
logs to enable the reconstruction, review and examination of the time sequences of
operations and the other activities surrounding or supporting operations.
DS13.4 Sensitive Document and Output Devices
Establish appropriate physical safeguards, accounting practices and inventory
management over sensitive IT assets, such as special forms, negotiable instruments,
special purpose printers a security tokens.
DS13.5 Preventive Maintenance for Hardware
Define and implement procedures to ensure timely maintenance of infrastructure
to reduce the frequency and impact of failures or performance.
60
ME1 Monitor and Evaluate IT Performance
ME1.1 Monitoring Approach
Establish a general monitoring framework and approach to define the scope,
methodology and process to be followed for measuring IT’s solution and service
delivery, and monitor IT’s contribution to the business. Integrate the framework with the
corporate performance management system.
ME1.2 Definition and Collection of Monitoring Data
Work with the business to define a balanced set of performance targets and have
them approved by the business and other relevant stakeholders. Define benchmarks with
which to compare the targets, and identify available data to be collected to measure the
targets. Establish processes to collect timely and accurate data to report on progress
against targets.
ME1.3 Monitoring Method
Deploy a performance monitoring method (e.g., balanced scorecard) that
records targets; captures measurements; provides a succinct, all-around view of IT
performance; and fits within the enterprise monitoring system.
ME1.4 Performance Assessment
Periodically review performance against targets, analyse the cause of any
deviations, and initiate remedial action to address the underlying causes. At appropriate
times, perform root cause analysis across deviations.
ME1.5 Board and Executive Reporting
Develop senior management reports on IT’s contribution to the business,
specifically in terms of the performance of the enterprise’s portfolio, IT-enabled
investment programmes, and the solution and service deliverable performance of
individual programmes. Include in status reports the extent to which planned objectives
have been achieved, budgeted resources used, set performance targets met and
identified risk mitigated. Anticipate senior management’s review by suggesting remedial
actions for major deviations. Provide the report to senior management, and solicit
feedback from management’s review.
ME1.6 Remedial Actions
Identify and initiate remedial actions based on performance monitoring, assessment
and reporting. This includes follow-up of all monitoring, reporting and assessments
through:
1. Review, negotiation and establishment of management responses
2. Assignment of responsibility for remediation
3. Tracking of results of actions committed
ME4 Provide IT Governance
ME4.1 Establishment of an IT Governance Framework
Define, establish and align the IT governance framework with the overall
enterprise governance and control environment. Base the framework on suitable IT
process and control model and provide for unambiguous accountability and practices to
avoid a breakdown in internal control and oversight. Confirm that the IT governance
framework ensures compliance with laws and regulations and is aligned with, and
61
confirms delivery of, the enterprise’s strategies and objectives. Report IT governance
status and issues.
ME4.2 Strategic Alignment
Enable board and executive understanding of strategic IT issues, such as the role
of IT, technology insight and capabilities. Ensure that there is a shared understanding
between the business and IT regarding the potential contribution of IT to the business
strategy. Work with the board and the established governance bodies, such as an IT
strategy committee, to provide strategic direction to management relative to IT, ensuring
that the strategy and objectives are cascaded into business units and IT functions, and
that confidence and trust are developed between the business and IT. Enable the
alignment of IT to the business in strategy and operations, encouraging co-responsibility
between the business and IT for making strategic decisions and obtaining benefits from
IT-enabled investment.
ME4.3 Value Delivery
Manage IT-enabled investment programmes and other IT assets and services to
ensure that they deliver the greatest possible value in supporting the enterprise’s
strategy and objectives. Ensure that the expected business outcomes of IT-enabled
investments and the full scope of effort required to achieve those outcomes are
understood; that comprehensive and consistent business cases are created and approved
by stakeholders; that assets and investments are managed throughout their economic life
cycle; and that there is active management of the realization of benefits, such as
contribution to new services, efficiency gains and improved responsiveness to customer
demands. Enforce a disciplined approach to portfolio, programme and project
management, insisting that the business takes ownership of all IT-enabled investments
and IT ensures optimization of the costs of delivering IT capabilities and services.
ME4.4 Resource Management
Oversee the investment, use and allocation of IT resources through regular
assessments of IT initiatives and operations to ensure appropriate resourcing and
alignment with current and future strategic objectives and business imperatives.
ME4.5 Risk Management
Work with the board to define the enterprise’s appetite for IT risk, and obtain
reasonable assurance that IT risk management practices are appropriate to ensure that
the actual IT risk does not exceed the board’s risk appetite. Embed risk management
responsibilities inti organization, ensuring that the business and IT regularly assess and
report IT-related risk and their impact and that the enterprise’s IT risk position is
transparent to all stakeholders.
ME4.6 Performance Measurement
Confirm that agreed-upon IT objectives have been met or exceeded, or that
progress toward IT goals meets expectations. Where agreed-upon objectives have been
missed or progress is not as expected, review management’s remedial action. Report to
the board relevant portfolios, programme and IT performance, supported by reports to
enable senior management to review the enterprise’s progress toward identified goals.
ME4.7 Independent Assurance
Obtain independent assurance (internal or external) about the conformance of IT
with relevant has and regulations; the organisation’s policies, standards and
procedures; generally accepted practices; and the effective and efficient performance of
IT.
62
2.9
Perkreditan
2.9.1 Penggolongan Kredit
M enurut M unir Fuady dalam Usman (2001:238) penggolongan kredit dibagi
menjadi:
a. Penggolongan berdasarkan jangka waktu, dibedakan antara kredit jangka
pendek (1 tahun), kredit jangka menengah (1-3tahun) dan kredit jangka
panjang (diatas5 tahun). Pembedaan ini berdasarkan pengamatan penulis
adalah bersifat nisbi karena mungkin saja kredit jangka pendek diperpanjang
setiap tahunnya tanpa diperjanjikan floating.
b. Penggolongan berdasarkan dokumentasi yang dapat dibagi ke dalam:
1. Kredit dengan perjanjian kredit tertulis (formal).
2. Kredit dengan instrument promissory notes, bonds atau obligasi, kartu
kredit, dan sebagainya.
3. Kredit cerukan atau overdraft.
M enurut penulis,semua kredit tentu ada dokumentasinya, paling tidak ada
cover letter yang menyertainya. Bila tidak, agak sukar kiranya untuk
mentrasirnya lebih-lebih bila itu dengan klausul with recourse.
c. Penggolongan bidang ekonomi, antara lain untuk bidang pertanian,
pertambangan, perindustrian, listrik gas dan air, konstruksi, perdagangan,
restoran, hotel, pengangkutan, sector jasa, dan lain-lain sector.
d. Pengolongan berdasarkan tujuan penggunaannya, yaitu kredit konsumtif,
kredit produktif, kredit investasi, kredit modal kerja, dan kredit likuiditas.
63
e. Penggolongan kredit berdasarkan objek yang ditransfer:
1. Kredit uang (money credit), di mana pemberian dan pengembalian kredit
dilakukan dalam bentuk uang.
2. Kredit bukan uang (non money credit, mercantile credit, merchant credit)
dimana diberikan dalam bentuk barang dan jasa, dan pengembaliannya
dilakukan dalam bentuk uang.
f. Penggolongan kredit berdasarkan waktu pencairannya:
1. Kredit tunai (cash credit) dimana pencairan kredit dilakukan dengan tunai
atau pemindahbukuan ke dalamrekening debitur.
2. Kredit tidak tunai (non cash credit), dimana kredit tidak dibayar pada saat
pinjaman dibuat, antar lain garansi bank atau stand by LC (yang bersifat
conditional/bersyarat, yakni pembayaran dilakukan hanya jika syarat
tertentu dipenuhi), letter of credit dalam hal ini impor barang ( dimana
pembayaran dilkukan bank bila syarat dokumen perkapalan, yakni bill of
lading atau airway bill memenuhi persyaratan letter of credit).
g. Penggolongan kredit menurut cara penarikannya:
1. Kredit sekali jadi (aflopend) seperti cara kredit tunai sekaligus.
2. Kredit rekening Koran, yaitu kredit dimana penyediaan dan penarikannya
dilakukan melalui rekening Koran yang tidak sekaligus terjadi, tetapi
berangsur-angsur dan berulang-ulang selama ceiling kredit mencukupi.
Debitur diharuskan menarik dengan cek, bilyet giro, dan warkat lainnya,
lalu menyetorkan hasil usahanya melalui rekening ini baik tunai langsung
ataupun melalui kliring. Cara ini yang paling umum dilakukan sehingga
bank dapat mengontrol aktivitas usaha nasabah debitur.
64
3. Kredit berulang-ulang (revolving loan). Hampir sama dengan kredit
diatas, hanya penggunaan rekening korannya secara terbatas.
4. Kredit bertahap, yakni kredit pencairan dana kreditnya dilakukan secara
bertahap, misalnya tranche I, II, III, dan IV.
5. Kredit tiap transaksi (self liquidating atau eenmalige transactie crediet)
merupakan kredit yang diberikan untuk satu transaksi tertentu, dimana
pengembalian kredit diambil dari hasil transaksi yang bersangkutan. Sisi
mana ( penjualan atau pembelian atau transaksi ) yang mengandung self
liquidating ini sering tidak jelas sehingga kredit ini mungkin lebih tepat
dimasukkan sebagai “golongan lain”.
h. Penggolongan kredit dilihat dari pihak debiturnya.
1. Kredit terorganisasi, yakni kredit yang diorganisasi oleh lembaga legal
dan dengan cara legal pula.
2. Kredit tak terorganisasi oleh berbagai lembaga atau perseorangan yang
profesinya bukan sebagai lembaga kredit, seperti rentenir, penjual barang,
dan lain-lain.
i. Penggolongan kredit berdasarkan Negara asal:
1. Kredit domestic (domestic atau onshore credit)
2. Kredit luar negeri(foreign atau offshore credit)
j. Pengolongan kredit berdasarkan jumlah kreditur:
1. Kredit dengan debitur tunggal
2. Kredit dengan debitur banyak (syndicated loan)
65
2.9.2 Pengertian Kredit dan Pembiayaan
M enurut asal mulanya kata kredit berasal dari kata credere yang artinya adalah
kepercayaan, maksudnya adalah apabila seseorang memperoleh kredit maka berarti
mereka memperoleh kepercayaan. Sedangkan bagi si pemberi kredit artinya memberikan
kepercayaan kepada seseorang bahwa uang yang dipinjamkan pasti kembali.
Pengertian kredit menurut Undang-Undang Perbankan nomor 10 tahun 1998
adalah penyediaan uang atau tagihan yang dapat dipersamakan dengan itu, berdasarkan
persetujuan atau kesepakatan pinjam meminjam antara bank dengan pihak lain yang
mewajibkan pihak peminjam melunasi utangnya setelah jangka waktu tertentu dengan
pemberian bunga.
Sedangkan pengertian pembiayan adalah penyediaan uang atau tagihan yang
dapat dipersamakan dengan itu, berdasarkan persetujuan atau kesepakatan antara bank
dengan pihak lain yang mewajibkan pihak yang dibiayai untuk mengembalikan uang
atau tagihan tersebut setelah jangka waktu tertentu dengan imbalan atau bagi hasil.
Yang menjadi perbedaan antara kredit yang diberikan oleh bank berdasarkan
konvensional dengan pembiayaan yang diberikan oleh bank berdasarkan prinsip syariah
adalah terletak pada keuntungan yang diharapkan. Bagi bank berdasarkan prinsip
konvensional keuntungan yang diperoleh melalui bunga, sedangkan bagi bank yang
berdasarkan prinsip syariah keuntungan yang diperoleh berupa imbalan atau bagi hasil.
2.9.3 Unsur-Unsur Kredit
Adapun unsur-unsur yang terkandung dalam pemberian suatu fasilitas kredit
adalah sebagai berikut:
66
1. Kepercayaan
Yaitu suatu keyakinan pemberi kredit (bank) bahwa kredit yang diberikan baik
berupa uang, barang atau jasa akan benar-benar diterima kembali dimasa tertentu dimasa
datang.
2. Kesepakatan
Disamping unsur kepercayaan di dalam kredit juga mengandung unsur
kesepakatan antara si pemberi kredit dengan si penerima kredit. Kesepakatan ini
dituangkan dalam suatu perjanjian dimana masing-masing pihak menandatangani hak
dan kewajibannya masing-masing.
3. Jangka waktu
Setiap kredit yang diberikan pasti memiliki jangka waktu tertentu, jangka waktu
ini mencakup masa pengembalian kredit yang telah disepakati. Hampir dapat dipastikan
bahwa tidak ada kredit yang tidak memiliki jangka waktu.
4. Resiko
Faktor resiko kerugian dapat diakibatkan dua hal yaitu resiko kerugian yang
diakibatkan nasabah sengaja tidak mau membayar kreditnya pada hal mampu dan resiko
kerugian yang diakibatkan karena nasabah tidak disengaja yaitu akibat terjadinya
musibah seperti bencana alam. Penyebab tidak tertagih sebenarnya dikarenakan adanya
suatu tenggang waktu pengembalian (jangka waktu). Semakin panjang waktu suatu
kredit semakin besar resikonya tidak tertagih, demikian pula sebaliknya. Resiko ini
menjadi tanggungan bank, baik resiko yang disengaja maupun resiko yang tidak
disengaja.
67
5. Balas jasa
Akibat dari pemberian fasilitas kredit bank tentu mengharapkan suatu
keuntungan dalam jumlah tertentu. Keuntungan atas pemberian suatu kredit atau jasa
tersebut yang kita kenal dengan nama bunga bagi bank prinsip konvensional. Balas jasa
dalam bentuk bunga, biaya provisi dan komisi serta biaya administrasi kredit ini
merupakan keuntungan utama bank. Sedangkan bagi bank yang berdasarkan prinsip
syariah balas jasanya ditentukan dengan bagi hasil.
2.9.4 Jenis-Jenis Kredit
Secara umum jenis-jenis kredit yang disalurkan oleh bank dan dilihat dari
berbagai segi adalah:
1. Dilihat dari Segi Kegunaan
M aksud jenis kredit dilihat dari segi kegunaannya adalah untuk melihat
penggunaan uang tersebut apakah untuk digunakan dalam kegiatan utama atau hanya
kegiatan tambahan. Jika ditinjau dari segi kegunaan terdapat dua jenis kredit yaitu:
a. Kredit investasi
Yaitu kredit yang biasanya digunakan untuk keperluan perluasan usaha atau
membangun proyek atau pabrik baru dimana masa pemakaiannya untuk suatu
periode yang relative lebih lama dan biasanya kegunaan kredit ini adalah untuk
kegiatan utama suatu perusahaan.
b. Kredit modal kerja
M erupakan kredit yang digunakan untuk keperluan meningkatkan produksi
dalam operasionalnya. Kredit modal kerja merupakan kredit yang dicarikan
untuk mendukung kredit investasi yang sudah ada.
68
2. Dilihat dari Segi Tujuan Kredit
Kredit jenis ini dilihat dari tujuan pemakaian suatu kredit, apakah bertujuan
untuk diusahakan kembali atau dipakai untuk keperluan pribadi. Jenis kredit dilihat dari
segi tujuan adalah:
a. Kredit produktif
Kredit yang digunakan untuk peningkatan usaha atau produksi atau investasi.
Kredit ini diberikan untuk menghasilkan barang atau jasa. Artinya kredit ini
digunakan untuk diusahakan sehingga menghasilkan suatu baik berupa barang
maupun jasa.
b. Kredit konsumtif
M erupakan kredit yang digunakan untuk dikonsumsi atau dipakai secara pribadi.
Dalam kredit ini tidak ada pertambahan barang dan jasa yang dihasilkan, karena
memang untuk digunakan atau dipakai oleh seseorang atau badan usaha.
c. Kredit perdagangan
Kredit perdagangan merupakan kredit yang digunakan untuk kegiatan
perdagangan
dan
biasanya
untuk
membeli
barang
dagangan
yang
pembayarannya diharapkan dari hasil penjualan barang dagangan tersebut. Kredit
ini sering diberikan kepada supplier atau agen-agen perdagangan yang akan
membeli barang dalam jumlah tertentu.
3. Dilihat dari Segi Jangka Waktu
Dilihat dari segi jangka waktu, artinya lamanya masa pemberian kredit mulai
dari pertama sekali diberikan sampai masa pelunasannya jenis kredit ini adalah:
69
a. Kredit jangka pendek
Kredit ini merupakan kredit yang memiliki jangka waktu kurang dari 1 tahun
atau p aling lama 1 tahun dan bisanya digunakan untuk keperluan modal kerja.
b. Kredit jangka menengah
Jangka waktu kreditnya berkisar antara 1 tahun sampai dengan 3 tahun, kredit
jenis ini dapat diberikan untuk modal kerja. Beberapa bank mengklasifikasikan
kredit menengah menjadi kredit jangka panjag.
c. Kredit jangka panjang
M erupakan kredit yang masa pengembaliannya paling panjang yaitu diatas 3
tahun atau 5 tahun.
4. Dilihat dari Segi Jaminan
Dilihat dari segi jaminan maksudnya adalah setiap pemberian suatu fasilitas
kredit harus dilindungi dengan suatu barang atau surat-surat berharga minimal senilai
kredit yang diberikan. Jenis kredit dilihat dari segi jaminan adalah:
a. Kredit dengan jaminan
M erupakan kredit yang diberikan dengan suatu jaminan tertentu. Jaminan
tersebut dapat berbentuk barang berwujud atau tidak berwujud. Artinya setiap
kredit yang dikeluarkan akan dilindungi senilai jaminan yang diberikan si calon
debitur.
b. Kredit tanpa jaminan
Yaitu kredit yang diberikan tanpa jaminan barang atau orang tertentu. Kredit
jenis ini diberikan dengan melihat prospek usaha, karakter serta loyalitas si calon
debitur selama berhubungan dengan bank yang bersangkutan.
70
5. Dilihat dari Segi Sektor Usaha
Setiap sektor usaha memiliki karakteristik yang berbeda-beda, oleh karena itu
pemberian fasilitas kredit pun berbeda pula. Jenis kredit jika dilihat dari sektor usaha
sebagai berikut:
a. Kredit pertanian, merupakan kredit yang dibiayai untuk sektor perkebunan atau
pertanian rakyat. Sektor usaha pertanian dapat berupa jangka pendek atau jangka
panjang.
b. Kredit peternakan, dalam hal ini kredit diberikan untuk jangka waktu yang
relative pendek misalnya peternakan ayam dan untuk kredit jangka panjang
seperti sapi atau kambing.
c. Kredit industri, yaitu kredit untuk membiayai industri pengolahan baik untuk
industri kecil, menengah atau besar.
d. Kredit pertambangan, yaitu jenis kredit untuk usaha tambang yang dibiayainya,
biasanya dalam jangka panjang, seperti tambang emas, minyak atau tambang
timah.
e. Kredit perikanan, merupakan kredit yang diberikan untuk membangun sarana
dan prasarana pendidikan atau dapat pula berupa kredit untuk para mahasiswa
yang sedang belajar.
f. Kredit profesi
g. Kredit perumahan, yaitu kredit untuk membiayai pembangunan atau pembelian
perumahan.
h. Dan sektor-sektor usaha
71
2.10 Bank
2.10.1 Pengertian Bank
Bank secara sederhana dapat diartikan sebagai:”lembaga keuangan yang kegiatan
utamanya adalah menghimpun dana dari masyarakat dan menyalurkannya kembali dana
tersebut kemasyarakat serta memberikan jasa bank lainnya.” Selanjutnya jika ditinjau
dari asal mula terjadinya Bank maka pengertian bank adalah meja atau tempat untuk
menukarkan uang. Kemudian pengertian Bank menurut Undang – undang RI nomor 10
tahun 1998 tanggal 10 november 1998 tentang perbankan adalah:”Badan usaha yang
menghimpun dana dari masyarakat dalam bentuk simpanan dan menyalurkannya kepada
masayarakat dalam bentuk kredit dan atau bentuk-bentuk lainnya dalam rangka
meningkatkan taraf hidup rakyat banyak.”
Dari uraian diatas dapat dijelaskan bahwa Bank merupakan perusahaan yang
bergerak dalam bidang keuangan, artinya usaha perbankan selalu berkaitan masalah
bidang keuangan. Jadi dapat disimpulkan bahwa usaha perbankan meliputi tiga kegiatan
utama yaitu:
1. M enghimpun dana, adalah mengumpulkan atau mencari dana (uang) dengan cara
membeli dari masyarakat luas dalam bentuk simpanan giro, tabungan dan
deposito. Jenis simpanan yang dapat dipilih oleh masayarakat adalah simpanan
giro, tabungan, serifikat deposit serta deposito berjangka dimana masing-masing
jenis simpanan yang ada memeliki kelebihan dan keuntungan tersendiri.
Kegiatan penghimpunan dana ini sering disebut dengan istilah funding.
2. M enyalurkan dana, adalah melemparkan kembali dana yang diperoleh lewat
simpanan giro, tabungan dan deposito kemasyarakat dalam bentuk pinjaman
(Kredit) bagi Bank yang berdasarkan prinsip konvensional atau pembiayaan bagi
72
Bank yang berdasarkan prinsip syariah. Kegiatan penyaluran dana ini juga
dikenal dalam perbankan dengan istilah lending.
3. M emberikan jasa Bank lainnya, adalah jasa pendukung atau pelengkap kegiatan
perbankan. Jasa-jasa ini diberikan terutama untuk mendukung kelancaran
kegiatan menghimpun dan menyalurkan dana, baik yang berhubungan langsung
dengan kegiatan penyimpanan dan kredit maupun tidak langsung.
2.10.2 Sejarah Bank
Sejarah perbankan yang dikenal oleh dunia berawal darai daratan benua Eropa
mulai dari zaman Babylonia yang kemudian dilanjutkan ke zaman Yunani Kuno dan
Romawi. Bank – bank yang sudah terkenal pada saat itu di benua Eropa adalah Bank
Venesia tahun 1171, kemudian menyusul Bank of Genoa dan Bank of Barcelona tahun
1320.
Perkembangan perbankan di dataran Inggris baru dimulai pada abad ke-16.
Namun karena Inggris yang begitu aktif mencari daerah penjajahan, maka
perkembangan perbankan pun ikut dibawa ke Negara jajahannya seperti Benua Amerika,
Afrika dan Asia yang memang sudah di kenal pada saat itu memegang peran penting
dalam bidang perdagangan.
Seiring dengan perkembangan
perdagangan dunia maka perkembangan
perkembangan perbankan pun semakin pesat karena perkembangan dunia perbankan
tidak terlepas dari perkembangan perdagangan. Perkembangan perdagangan yang
semula hanya berkembang dan maju didaratan Eropa akhirnya menyebar keseluruh
benua Asia, Amerika, dan Afrika.
73
Dalam perjalanannya perkembangan perbankan di Indonesia tidak terlepas dari
zaman
penjajahan
Hindia
Belanda.
Pemerintah
Hindia
Belandalah
yang
memperkenalkan dunia perbankan kepada masayrakat Indonesia.
Di zaman kemerdekaan perkembangan perbankan di Indonesia bertambah maju
dan berkembang lagi. Beberapa bank milik Belanda dinasionalisir oleh Pemerintahan
Indonesia menjadi Bank milik pemerintahan Indonesia, sehingga menambah deretan
Bank yang memang sudah ada sebelumnya.
2.10.3 Jenis-jenis Bank
Praktik perbankan diindonesia saat ini yang diatur dalam Undang-undang
Perbankan memiliki beberapa jenis Bank. Di dalam Undang-Undang Perbankan nomor
10 tahun 1998 dengan sebelumnya yaitu Undang-Undang nomor 14 tahun 1967, terdapat
beberapa perbedaan jenis perbankan.
Untuk jelasnya jenis perbankan dewasa ini dapat ditinjau dari berbagai segi
antara lain:
1. Dilihat dari Segi Fungsinya
Dalam Undang-Undang Pokok Perbankan nomor 14 tahun 1967 jenis perbankan
menurut fungsinya terdiri dari:
a. Bank Umum; b. Bank Pembangunan; c. Bank Tabungan; d. Bank Pasar; e.
Bank Desa; f. Lumbung Desa; g. Bank Pegawai; h. Dan Bank jenis lainnya.
Kemudian menurut Undang-Undang Pokok Perbankan nomor 7 tahun 1992 dan
ditegaskan lagi dengan keluarnya Undang-Undang RI nomor 10 tahun 1998 maka jenis
perbankan terdiri dari dua jenis bank yaitu:
a. Bank Umum
b. Bank Perkreditan Rakyat (BPR)
74
Pengertian Bank Umum sesuai dengan Undang-undang nomor 10 tahun 1998
adalah Bank yang melaksanakan kegiatan usaha secara konvensional dan atau
berdasarkan prinsip syariah yang dalam kegiatannya memberikan jasa dalam lalu lintas
pembayaran. Sedangkan pengertian Bank Perkreditan Rakyat menurut Undang-undang
nomor 10 tahun 1998 adalah Bank yang melaksanakan kegiatan usaha secara
konvensional atau berdasarkan prinsip syariah yang dalam kegiatannya tidak
memberikan jasa dalam lalu lintas pembayaran.
Disamping kedua jenis Bank di atas dalam praktiknya masih terdapat satu lagi
jenis Bank yang ada di Indonesia yaitu bank Sentral. Jenis bank ini tidak bersifat
komersial seperti halnya Bank Umum dan BPR. Bahkan disetiap Negara jenis ini selalu
ada dan di Indonesia fungsi Bank Sentral di pegang oleh Bank Indonesia (BI).
2. Dilihat dari Segi Kepemilikan
Jenis bank dilihat dari segi kepemilikan maksudnya adalah siapa saja yang
memiliki bank tersebut. Kepemilikian ini dapat dilihat dari akte pendirian dan
penguasaan usaha yang dimiliki bank yang bersangkutan.
Jenis Bank dilihat dari segi kepemilikan adalah sebagai berikut:
a. Bank milik Pemerintah
Akte pendiri maupun modalnya dimiliki oleh Pemerintah, sehingga seluruh
keuntungan bank ini dimiliki oleh pemerintah.
b. Bank milik Swasta Nasional
Bank yang seluruh atau sebagian besarnya dimiliki oleh swasta nasional serta
akte pendiriannya pun didirikan oleh swasta, begitu pula pembagian
keuntungannya diambil oleh swasta.
75
3. Dlihat dari Segi Status
Pembagian jenis
Bank dari segi status merupakan pembagian berdasarkan
kedudukan atau status Bank tersebut. Kedudukan atau status ini menunjukkan ukuran
kemampuan Bank dalam melayani masyarakat baik dari segi jumlah produk, modal
maupun kualitas pelayanannya. Jenis Bank bila dilihat dari segi status biasanya khusus
untuk Bank umum.
Dalam praktiknya jenis Bank dilihat dari status dibagi ke dalam dua macam yaitu:
a. Bank Devisa
Bank yang berstatus devisa atau Bank Devisa merupakan Bank yang dapat
melaksanakan transaksi keluar negeri atau yang berhubungan dengan mata uang
asing secara keseluruhan.
b. Bank non devisa
Bank yang belum mempunyai izin untuk melaksanakan transaksi sebagai bank
devisa, sehingga tidak dapat melaksanakan transaksi seperti halnya Bank Devisa.
4. Dilihat dari Segi Cara M enentukan Harga
Jenis Bank jika dilihat dari segi atau caranya dalam menentukan harga baik harga
jual maupun harga beli terbagi dalam 2 kelompok yaitu:
a. Bank yang berdasarkan Prinsip Konvensional
M ayoritas Bank yang berkembang di Indonesia dewasa ini adalah Bank yang
berorientasi pada prinsip Konvensional. Hal ini disebabkan tidak terlepas dari
sejarah bangsa Indonesia dimana asal mula Bank di Indonesia dibawa oleh kolonial
belanda (barat). Dalam mencari keuntungan dan menentukan harga kepada para
nasabahnya, Bank yang berdasarkan prinsip konvensional menggunakan 2 metode
yaitu:
76
1. M enetapkan harga jual, baik untuk produk simpanan seperti giro,
tabungan
maupun
deposito. Demikian
pula harga beli produk
pinjamannya (kredit) juga ditentukan berdasarkan tingkat suku bunga
tertentu. Penentuan harga seperti ini disebut dengan istilah spread based.
2. Untuk
jasa-jasa
Bank
lainnya
pihak
perbankan
konvensional
menggunakan atau menerapkan berbagai biaya-biaya dalam nominal atau
persentase tertentu seperti biaya administrasi, biaya provisi, sewa, iuran
dan biaya-biaya lainnya. System pengenaan biaya ini disebut dengan
istilah fee based.
b. Bank yang berdasarkan Prinsip Syariah
Penentuan harga Bank yang berdasarkan Prinsip Syariah terhadap produknya
sangat berbeda dengan Bank yang berdasarkan Prinsip Konvensional. Bank
berdasarkan Prinsip Syariah menetapkan aturan perjanjian berdasarkan hukum islam
antara Bank dengan pihak lain baik dalam hal untuk menyimpan dana atau
pembiayaan usaha atau kegiatan perbankan lainnya. Penentuan harga atau menari
keuntungan bagi bank yang berdasarkan Prinsip Syariah adalah dengan cara:
1. Pembiayaan berdasarkan prinsip bagi hasil (mudharabah).
2. Pembiayaan berdasarkan prinsip penyertaan modal (musbarakah).
3. Prinsip jual beli barang dengan memperoleh keuntungan (murabahah).
4. Pembiayaan barang modal berdasarkan sewa murni tanpa pilihan (ijarah).
5. Atau dengan adanya pilihan pemindahan kepemilikan atas barang yang
disewa dari pihak Bank oleh Pihak lain (ijarah wa iqtina).
77