IS Audit Standards and Guidelines CDG4I3 / Audit Sistem Informasi Angelina Prima K | Gede Ary W. KK SIDE - 2014 Outline 1. IIA Standards 2. COSO: Internal Control Standard 3. BS7799 and ISO 17799: IT Security 4. ITIL 5. ISACA COBIT 5 1. IIA Standards (#1) The Institute of Internal Auditors (www.theiia.org) Standards for the Professional Practice of Internal Auditing terdiri atas: – Standards 5 standar umum 25 standar spesifik – Guidelines Professional Practice Framework – Standards: wajib – Practice Advisories: disarankan – Development and Practice Aids: panduan praktis 1. IIA Standards (#2) Standards for the Professional Performance of Internal Auditing Attribute Standards (atribut organisasi dan individu yang terlibat dalam audit) Performance Standards Implementation Standards (karakteristik (standar penerapan kegiatan audit tipe audit di internal dan kriteria berbagai industri kualitas yang dan area spesialis digunakan dalam tertentu) pengukuran) 1. IIA Standards (#3) Kode etik Internal Auditors: Integrity Objectivity Confidentiality Competency • Integritas auditor mendasari kepercayaan terhadap penilaian yang dihasilkan • Auditor harus objektif dalam mengumpulkan, mengevaluasi, dan menyampaikan informasi tentang aktivitas/ proses yang dinilai • Auditor menghormati nilai dan kepemilikan informasi yang diterima dan tidak menggunakan informasi di luar wewenang kecuali atas dasar hukum/ profesi • Auditor menerapkan pengetahuan, kemampuan dan pengalaman yang diperlukan dalam melaksanakan audit internal 2. COSO (#1) The Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org) Dibentuk oleh kerjasama antara: 1. The American Institute of Certified Public Accountants 2. The Institute of Internal Auditors 3. The American Accounting Association 4. The Institute of Management Accountants 5. The Financial Executives Institute 2. COSO (#2) Mengidentifikasi sasaran dasar dari setiap organisasi bisnis/ pemerintahan, meliputi: 1. ekonomi dan efisiensi operasi, perlindungan aset, pencapaian dampak yang diinginkan, 2. keandalan laporan keuangan dan manajemen, serta 3. kesesuaian terhadap hukum dan aturan. Komponen pencapaian sasaran bagi manajemen: 1. 2. 3. 4. 5. Control environment Risk assessment process Operational control activities Information and communication systems Monitoring 2. COSO (#3) http://www.bumko.gov.tr/KONTROL_EN/Genel/Images/kontrol/coso.jpg 3. BS 7799/ ISO 17799 (#1) BS 7799 adalah standar yg diterbitkan oleh British Standards Institute (BSI). Terdiri atas 3 bagian: – BS 7799-1 (1995) diadopsi menjadi ISO/IEC 17799 “IT-Code of practice for information security management” (2000) diganti nama menjadi ISO/IEC 27002 (2007) – BS 7799-2 (1999) “Information Security Management Systems- Specification with guidance for use” diadopsi menjadi ISO/IEC 27001 (2005) – BS 7799-3 (2005) mencakup analisis dan manajemen resiko, sejalan dengan ISO/IEC 27001 3. BS 7799/ ISO 17799 (#2) http://www.isconsult.co.uk/i/is o17799-bs7799.gif http://www.ypsilon-it.com/images/BS7799.png NIST The National Institute of Standards and Technology (http://csrc.nist.gov/) Cakupan NIST Handbook serupa dengan BS 7799 dan ISO 17799, namun lebih detail pada: – Elemen-elemen keamanan sistem – Peran dan tanggung jawab – Ancaman-ancaman umum http://www.veracode.com/images/stories/nist_lg.jpg 4. ITIL v3 (#1) The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. ITIL describes processes, procedures, tasks and checklists that are not organization-specific, used by an organization for establishing integration with the organization's strategy, delivering value and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement. ITIL Components The ITIL Core: best practice guidance applicable to all types of organizations who provide services to a business. The ITIL Complementary Guidance: a complementary set of publications with guidance specific to industry sectors, organization types, operating models, and technology architectures. ITIL PROCESS MODEL ITIL CORE Service strategy Service design Service transition Service operation Continual service improvement ITIL v3 STRUCTURE ITIL v3 STRUCTURE 5. ISACA Standards (#1) IS Audit and Control Association (www.isaca.org) Level panduan: – Standards: kebutuhan audit dan pelaporan SI, meliputi auditor yang berpengalaman, manajemen dan pihakpihak yang terlibat, pemegang CISA – Guidelines: panduan penerapan standar audit SI – Procedures: contoh prosedur yang harus diikuti oleh auditor SI COBIT CobIT (Control Objectives for Information & Related Technology) adalah panduan kerja dalam pengelolaan teknologi informasi. Disusun oleh ISACA (Information Systems Audit and Control Association) dan ITGI (IT Governance Institute) COBIT 5 menyediakan kerangka komprehensif yang membantu enterprise meraih sasaran dalam tata kelola dan manajemen TI di enterprise COBIT 5 bersifat umum dan dapat diterapkan pada berbagai ukuran enterprise, baik bersifat komersial, non-profit maupun pada sektor publik COBIT 5 Principles COBIT 5 Goals Cascade Overview Step 1. Stakeholder Drivers Influence Stakeholder Needs – Isu: perubahan strategi, perubahan lingkungan bisnis dan regulasi, serta teknologi baru Step 2. Stakeholder Needs Cascade to Enterprise Goals – Enterprise goals disusun dengan pendekatan balanced scorecard (BSC) Step 3. Enterprise Goals Cascade to IT-related Goals – IT-related berarti information and related technology, diturunkan dari dimensi-dimensi BSC. COBIT 5 mendefinisikan 17 IT-related goals. Step 4. IT-related Goals Cascade to Enabler Goals COBIT 5 Enterprise Enablers Masing-masing enabler: – Memerlukan input dari enablers lain agar dapat efektif, mis. proses memerlukan informasi, struktur organisasi memerlukan keterampilan dan perilaku – Menghasilkan output yang dibutuhkan oleh enablers lain, mis. proses menghasilkan informasi, keterampilan dan perilaku yang dibutuhkan oleh proses lain agar efisien COBIT 5 Enabler Dimensions COBIT 5 Process Reference Model COBIT 5 Process Reference Model 5. ISACA Standards (#2) Kode etik ISACA: – Mendukung implementasi dan kesesuaian dengan standar, prosedur dan kontrol SI yang tepat – Melaksanakan tugas secara profesional, sesuai standar dan praktek baik – Melayani kebutuhan stakeholder secara jujur dan sesuai aturan – Memelihara privasi dan kerahasiaan informasi yang didapat – Memelihara kompetensi di bidang tertentu secara profesional – Memberikan informasi hasil kerja kepada pihak terkait – Mendukung pendidikan profesional stakeholders dalam meningkatkan pemahaman tentang keamanan dan kontrol SI LATIHAN INTERNAL CONTROL Audit Procedures Mencakup: – Daftar orang yang akan diwawancara – Pertanyaan wawancara – Dokumentasi (kebijakan, prosedur, dll) yang akan diminta saat wawancara – Perangkat audit yang digunakan – Tingkat sampling dan metodologi yang dipakai – Bagaimana dan dimana pengarsipan bukti – Bagaimana evaluasi bukti Types of Internal Controls Preventive controls (cth: pembatasan pengguna, penggunaan password, dan pemisahan otorisasi transaksi) Detective controls (cth: penggunaan audit trails dan exception reports) Corrective controls (cth: disaster recovery plan) Directive controls: untuk mencapai hasil yang positif dan mendorong perilaku yang dapat diterima Compensating controls: untuk mengatasi kelemahan dari sebuah kontrol lainnya Elements of Internal Control Segregation on duties. Kontrol yang memastikan bahwa pihak yang memegang aset berbeda dengan pihak yang mencatat perpindahan aset. Competence and integrity of people. Agar efektif, pihak yang menguji kontrol harus kompeten, jujur dan konsisten. Appropriate levels of authority. Pemberian otoritas harus berdasarkan kebutuhan. Accountability. Tegas menentukan siapa yang berperan dalam keputusan, transaksi dan aksi yang diambil. Adequate resources. Meliputi SDM, keuangan, perangkat, bahan, dan metodologi. Supervision and review. Perlu pengawasan dan penilaian kontrol. 1. EQUITY FUNDING CORPORATION In 1973, one of the largest single company frauds ever committed was discovered in California. The collapse of the Equity Funding Corporation of America involved an estimated $2 billion fraud. The case was extremely complex, and it took several years before the investigation was complete. However, some of the pertinent findings derived from the Trustee’s Bankruptcy report follow. Equity Funding was a financial institution primarily enganged in life insurance. In 1964, its top management commenced to perpetrate a fraud that would take almost ten years to discover. The intent of the fraud was to inflate earnings so that management could benefit through trading their securities at high prices. The fraud progressed through three major stages: the “inflated earnings phase”, the “foreign phase”, and the “insurance phase”. The inflated earnings phase involved inflating income with bogus comissions supposedly earned through loans made to customers. Equity Funding had a funded life insurance program whereby customers who bought mutual fund shares could obtain a loan prom the company to pay the premium on a life insurance policy. After some years the customer would sell off the mutual fund holdings to repay the loan. The mutual fund shares should have appreciated sufficiently so only a partial sale of shares would required. Thus, the customer had the cash value of the insurance policy and the remaining mutual fund shares as assets from the investment. The inflated earnings obtained via bogus commisions were supported by manual entries made on the company’s books. Even though supporting documentation did not exist for the entries, the company’s auditors failed to detect the fraud. However, the inflated assets did not bring about cash inflows, and the company started to suffer severe cash sortages because of real operating losses. To remedy the cash shortage situation, the fraud moved into the second stage, the foreign phase. The company acquired foreign subsidiaries and used these subsidiaries in complex transfers of assets. Funds were brought into the parent company to reduce the funded loans asset account and falsely represent customer repayments of their loans. However, even this scheme proved inadequate. The third stage, the insurance phase, involved the resale of insurance policies to other insurance companies. This practice is not unusual in the insurance business – when one company needs cash immediately and another company has a cash surplus. Equity Funding created bogus policies. In the short run it attempted to solve its cash problems by selling these policies to another insurance company. In the long run, however, the purchasing company expected cash receipts from premiums on the policies. Because the policies were bogus, Equity Funding had to find the cash to pay the premiums. Thus, it was only a matter of time before the fraud could no longer be concealed. Interestingly, the fraud was revealed by a disgruntled employee who was involved in the fraud but had been fired by Equity Funding management. The computer was not used in the fraud until the insurance phase. The task of creating the bogus policies was too big to be handled manually. Instead, a program was written to generate policies. These policies were coded as the now infamous “Class 99”. The trustee’s investigations led to two conclusions. First, the fraud was unsophisticated and doomed to failure. Second, some of the fundamental principles of good auditing were not applied. Required. Write a brief report outlining some traditional audit procedures that, if they had been used, should have detected the fraud. Be sure to explain why you believe the procedures you recommend would have been successful. (Weber, Ron. 1999. Information Systems Control and Audit. Prentice-Hall.Inc.) 2. JERRY SCHNEIDER One of the more famous cases of computer abuse involves a young man named Jerry Schneider. Schneider had a flair for electronics. By the time he left high school, he had already formed his own firm to market his inventions. His firm also sold refurbished Western Electric telephone equipment. In 1970, he devised a scheme whereby Pasific Telephone in Los Angeles would supply him with good equipment – free! Pasific Telephone used a computerized equipment ordering system. Equipment sites placed orders using a touch-tone card dialer. The orders were subsequently keypunched onto cards. The computer then updated the inventory master file and printed the orders. The orders were supplied to a transportation office that shipped the supplies. Scheider intended to gain access to the ordering system. He sought to have Pasific Telephone deliver supplies to him as if he were one of its legitimate sites. He used a variety of techniques to find out how the system worked and to breach security: He sifted through trash cans and found discarded documents that provided him with information on the ordering system. He posed as a magazine writer and gathered information directly from Pasific Telephone. To support his activities, he bought a Pasific Telephone delivery van at an auction., “acquired” the master key for supply delivery locations in the Los Angeles area, and bought a touch-tone telephone card dialer with a set of cards similar to those used by the equipment sites to submit orders. Scheider took advantage of the budgeting system used for ordering sites. Typically, these sites had a budget allocated larger than they needed. Providing this budget was not exceeded, no investigation of equipment ordering took place. Schneider managed to gain access to the online computer system containing information on budgets. He then determined the size of orders that would be tolerated. For seven months Pasific Telephone delivered him equipment that he resold to his customers and to Pasific Telephone. He kept track of the reorder levels for various Pasific Telephone inventories, depleted these inventories with his ordering, and then resold the equipment back to Pasific Telephone. Scheider’s downfall occurred when he revealed his activities to an employee. He as unable to keep up with the pace of his activities. As a result, he confided in an employee to obtain assistance. When the employee asked for a pay raise, Schneider fired him. The employee then went back to Pasific Telephone and told the the fraud. There are varying reports on how much Schneider took from Pasific Telephone. Parker (1976) estimates it as possible equipment worth a few million dollars was taken. For the fraud Schneider received a two-month jail sentence followed by three years probation. Interestingly, upon completing the jail term, he set up a consulting firm specializing in computer security. Required. Write a brief report outlining some basic internal control procedures that, if they had been applied, should have prevented or detected Schneider’s activities. Be sure to explain why the application of the internal control procedures you recommend would have been successful. (Weber, Ron. 1999. Information Systems Control and Audit. Prentice-Hall.Inc.) 3. UNION DIME SAVINGS BANK Banks seem especially prone to computer abuse. Roswell Steffen used a computer to embezzle $1.5 million of funds at the Union Dime Savings Bank in New York City. Inan interview with Miller (1974) after he was discovered, he claimed, “Anyone with a head on his shoulders could successfully embezzle funds from a bank. And many do.” Steffen was a compulsive gambler. He initially “borrowed” $5,000 from a cash box at the bank to support his gambling with the intention of returning the money from his earnings. Unfortunately, he lost the $5,000. He then spent the next three and one-half years trying to replace the money, again by “borrowing” from the bank to gamble at the racetrack. As the head teller at Union Dime, Steffen had a supervisory terminal in the bank’s online computer system that he used for various administrative purposes. He took money from the cash box and used the terminal to manipulate customer account balances so the discrepancies would not be evidenced in the bank’s daily proof sheets. He used several techniques to obtain money. He first concentrated on accounts over $100,000 that had a little activity and had interest credited quarterly. He used the supervisory terminal to reduce the balances in these accounts. Occasionaly an irate customer complained about the balances. Steffen then faked a telephone call to the data processing department, informed the customer it was a simple error, and corrected the situation by moving funds from another account. Other sources of funds included two-year certificate accounts and new accounts. With twoyear certificate accounts, he prepared the necessary documents but did not record the deposit in the bank’s files. Initially he had two years to correct the situation. Matters became more complicated, however, when the bank started to pay quarterly interest on these accounts. With a new accounts, he used two new passbooks from the bank supply of prenumbered books. Upon opening an account, he enterd the transaction using the account number of the first passbook but recorded the entry in the second passbook. He then destroyed the first passbook. Perpetrating the fraud became very complex, and Steffen made many mistakes. However, the bank’s internal control system and audit techniques were sufficiently weak that he could explain away discrepancies and continue. He was caught because police raided Steffen’s bookie and noticed a lowly paid bank teller making very large bets. Required. Write a brief report outlining some basic internal control procedures that, if they had been applied, should have prevented or detected Steffen’s activities. Be sure to explain why the application of the control procedures you recommend would have been successful. (Weber, Ron. 1999. Information Systems Control and Audit. Prentice-Hall.Inc.) THANK YOU