5 - Introduction: IS Audit
Information Systems (IS) Audit
By Sony Devano
Definition
The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.
IS Audit Profession (other names for the same discipline)
• Computer audit
• IT Audit
• EDP Audit
• Information Systems Audit
Objectives
1. To safeguard IS assets
• For instance: hardware, software, people (knowledge), data files, system documentation, and supplies.
2. To maintain data integrity
• Completeness, accuracy and soundness. This is to minimize the uncertainty in using the information produced by IS systems.
3. To increase the effectiveness and efficiency of the information systems
Standar Profesional Akuntan Publik (Indonesian Professional Standards for Public Accountants)
PSA No. 60 [SA Seksi 314]
"Risk Assessment and Internal Control - Considerations and Characteristics of Computer Information Systems (CIS = the use of computers in processing an entity's financial information that is significant to the audit, regardless of whether the computer is operated by the entity itself or by a third party)"
Types of Audits
• Financial Statement Audits – an audit to determine whether the overall financial statements are stated in accordance with specified criteria
• Operational Audits – a review of any part of an organization's operating procedures and methods for the purpose of evaluating efficiency and effectiveness
• Compliance Audits – an audit to determine whether the auditee is following specific procedures, rules and regulations set down by some higher authority
Types of Auditors
• CPA Firms
• General Accounting Office (GAO) Auditors
• Internal Revenue Agents (IRS)
• Internal Auditors
Differences between the IT Auditor and the Financial Auditor
Matters: Information Systems Auditor vs. Financial / Internal Auditor
– Qualification: CISA vs. CPA/CIA
– Professional organization: ISACA vs. AICPA/IIA
– Auditee: IT Division vs. mostly the Finance & Accounting Department / all functions of the organization
– Career objectives: Chief Information Officer; consultant (auditor/advisor for information systems/technology control) vs. Chief Financial Officer; Head of Internal Audit Division
– Standards: Generally Accepted IT Controls Principles (COBIT) vs. GAAP / SAS 78: Internal Controls
Relation with Financial Audit
IS audit supports the financial audit because computers are now used extensively to process data and to provide information for decision making, so a traditional/manual audit engagement is not adequate to cover sophisticated information technology.
Types of Audit Risk
• Inherent Risk – reflects the likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal controls is considered
• Control Risk – reflects the likelihood that internal controls in some segment will not prevent, detect or correct a material loss or account misstatement
• Detection Risk – reflects the likelihood that the audit procedures used in some segment of the audit will fail to detect a material loss or account misstatement
Classification of Controls
Preventive control
– Prevent an error, omission or malicious act from occurring
– Deter problems before they arise
– Attempt to predict potential problems before they occur and make adjustments (feed-forward controls)
Detective control
– Detect that an error, omission or malicious act has occurred and report the occurrence
Corrective control
– Identify the cause of the problem
– Correct errors arising from a problem
– Remedy problems discovered by detective controls
– Modify the processing system to minimize future occurrences of the problem
– Minimize the impact of a threat
Flowchart of major steps in an Audit (figure; the nodes and decisions recoverable from the slide are listed in flow order)
START
→ Preliminary audit work
→ Obtain understanding of control structure
→ Assess control risk
→ Rely on controls?
   No → Extended substantive testing → Form audit opinion and issue report → STOP
   Yes → Test of controls → Re-assess control risk → Still rely on controls?
      No → Extended substantive testing → Form audit opinion and issue report → STOP
      Yes → Increase reliance on controls?
         Yes → back to Test of controls
         No → Limited substantive testing → Form audit opinion and issue report → STOP
When does IT audit get involved?
Types of work in a financial audit
• GCR (General Computer Controls Review)
• ACR (Application Controls Review)
General Computer Controls Review
Definition – assessment of the risks related to the IT organization, security, acquisition, development and maintenance, and computer operations.
Objectives – to provide a comprehensive framework of internal controls for IT activities and to provide a certain level of assurance that the overall internal control objectives can be achieved.
General Control Elements (according to PSA No. 60 / SA Seksi 314)
• Organizational and Managerial
• System Development and Maintenance
• Operating System
• Software
• Data Entry and Program
• Backup and Recovery
Organizational and Managerial Control
To provide assurance that an organizational and management structure has been established that has adequate internal control, among other things by having:
– Policies and procedures relating to the control function.
– Proper segregation of incompatible functions (such as preparation of input transactions, programming and computer operations).
System Development and Maintenance Control
To provide assurance that system development and maintenance are carried out efficiently and through a proper authorization process, including:
– Testing, changes, implementation and documentation of new or revised systems.
– Changes to application systems.
– Access to system documentation.
– Acquisition of application systems and program listings from third parties.
Operating System Control
Controls over system operations exist to provide assurance that:
– The system is used only for authorized purposes
– Access to computer operations is restricted to authorized employees
– Only authorized programs are used
– Processing errors can be detected and corrected
Software Control
Controls exist to ensure that application software has been designed, acquired and developed efficiently and through a proper authorization process:
– Authorization, approval, testing, implementation and documentation of new system software and of modifications to system software
– Access to software and system documentation is restricted to authorized employees
Backup and Recovery Procedure
Assurance exists for the continuity of information system processing and the availability of information. This covers:
– Backup copies of data and computer programs kept at a location different from the main data processing site.
– Recovery procedures for use in the event of theft, loss or destruction of data, whether deliberate or accidental
– Provision of processing at a location outside the company in the event of a disaster.
Data Entry and Program Control
Controls exist over the data entry process and program controls to provide assurance that:
– An authorization structure has been applied to transactions entered into the system.
– Access to data and programs is restricted to authorized employees
How do we secure our assets?
Assets (figure; categories recoverable from the slide)
– Logical: data / information; software (system software, application software)
– Physical: personnel; hardware (mainframe, minis & micros; peripherals: online/offline; storage media); facilities; documentation; supplies
Examples of physical threats
Fire and smoke; water; power supply fluctuations and failures; structural damage; pollution; misuse; theft.
Picture example of Physical Security (figure; labelled items: server rack, fire extinguisher, water sprinkler, smoke and fire detector, air conditioner, power regulator & genset)
Example of Logical Access Security (figure; components recoverable from the slide)
Identification → Authentication → Authorization, driven by user profiles and access control files, protecting the database, software and library; an audit log feeds a report writer that produces security reports.
Authentication Process (figure: Windows 2000 logon screen)
Application controls
Application controls are controls that exist within the application to safeguard assets, maintain data integrity, and achieve the application's objectives efficiently and effectively. They cover input, processing and output.
Application controls classification
Process controls
– Run-to-run totals (network of checksums)
– Audit trail
Access control review – Input Control - Authorization

Module      A  B  C  D
Manager     P  P  P  P
Supervisor  A  A  A  A
Clerk1      E  E  x  x
Clerk2      x  x  E  E
E: Entry, A: Approve, P: Posting
Verified to User Authorization Forms
Process Control - Run to run totals (figure; stages and control totals recoverable from the slide)

Processing chain: POS → Sales Application (Calculate Discount and PPN; Record Sales; Creating Sub General Ledger Posting) → Accounting / GL Application (Summarizing; Sales Report; Consolidated Sales Report; Sub Ledger Journal; General Ledger Account; Financial Statement Account)

Control totals shown at each stage:
– POS 1: Sales Net 305, Discount (5), PPN 30; Total POS 1 330
– Sales Report: POS 1 330, POS 2 300, POS 3 350, POS 4 330, POS 5 250; Total Sales 1540; Total Transactions 4500
– Consolidated Sales Report: Sales Net 1700, Discount (300), PPN 140; Total Sales 1540; Total Transactions 4500; Total POS 5
– Sub Ledger Journal: Kas 1540, Discount 300 / PPN 140, Sales 1700 (Sales Product 1 1000, Sales Product 2 700); Total Transactions 4500; Total POS 5
– General Ledger Account: 100 Kas 1540; 201 Deferred PPN (140); 500 Sales (1700); 503 Discount 300
– Financial Statement Account: 100 Kas 1500; 201 Deferred PPN (140); 300 Inventory: Beginning 1000, Add 1000, Subtract 1700, Ending (300)
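The following Python script is an added example and not code from the slides or from the author; it shows what a run-to-run totals control actually checks. Every processing stage of the chain on the slide (POS tickets, Sales Report, Consolidated Sales Report, Sub Ledger Journal, General Ledger, Financial Statement) publishes control totals, and the check verifies that each stage's totals are arithmetically consistent (Sales Net - Discount + PPN = Total Sales) and are carried forward unchanged from the previous stage. The per-terminal ticket values, the 900-transactions-per-POS count and the planted break in the last stage (Kas 1500 instead of 1540) are constructed sample data.

```python
from dataclasses import dataclass

# Control totals carried from one processing run to the next
FIELDS = ("sales_net", "discount", "ppn", "total_sales", "transactions")


@dataclass(frozen=True)
class ControlTotals:
    stage: str
    sales_net: int
    discount: int
    ppn: int
    total_sales: int
    transactions: int

    def expected_total(self) -> int:
        # Sales Net - Discount + PPN is the total every stage should report
        return self.sales_net - self.discount + self.ppn


def roll_up(stage: str, tickets: list) -> ControlTotals:
    """Produce the next stage's control totals by summing the tickets feeding it."""
    return ControlTotals(stage, *(sum(getattr(t, f) for t in tickets) for f in FIELDS))


def run_to_run_check(chain: list) -> dict:
    """Check every stage for arithmetic consistency and against the previous stage.

    Returns {stage name: [(field, expected, actual), ...]} for stages with a break;
    an empty dict means the totals reconcile all the way through the chain.
    """
    findings = {}
    for stage in chain:
        if stage.expected_total() != stage.total_sales:
            findings.setdefault(stage.stage, []).append(
                ("arithmetic", stage.expected_total(), stage.total_sales))
    for prev, curr in zip(chain, chain[1:]):
        for f in FIELDS:
            before, after = getattr(prev, f), getattr(curr, f)
            if before != after:
                findings.setdefault(curr.stage, []).append((f, before, after))
    return findings


# Constructed POS tickets: net sales, discount, PPN, total and transaction count per terminal
POS_TICKETS = [
    ControlTotals("POS 1", 305, 5, 30, 330, 900),
    ControlTotals("POS 2", 350, 50, 30, 330, 900),
    ControlTotals("POS 3", 400, 100, 30, 330, 900),
    ControlTotals("POS 4", 345, 45, 30, 330, 900),
    ControlTotals("POS 5", 300, 100, 20, 220, 900),
]


def sample_chain() -> list:
    """Constructed processing chain modelled on the slide's stages."""
    sales_report = roll_up("Sales Report", POS_TICKETS)
    consolidated = ControlTotals("Consolidated Sales Report", 1700, 300, 140, 1540, 4500)
    sub_ledger = ControlTotals("Sub Ledger Journal", 1700, 300, 140, 1540, 4500)
    general_ledger = ControlTotals("General Ledger", 1700, 300, 140, 1540, 4500)
    # Constructed break: Kas (cash) carried as 1500 instead of 1540 into the statements
    financial_statement = ControlTotals("Financial Statement", 1700, 300, 140, 1500, 4500)
    return [sales_report, consolidated, sub_ledger, general_ledger, financial_statement]


if __name__ == "__main__":
    for stage, breaks in run_to_run_check(sample_chain()).items():
        for field, expected, actual in breaks:
            print(f"{stage}: {field} expected {expected}, found {actual}")
```

Run as a script, the check is silent for the four reconciling stages and reports the Financial Statement stage twice: once because its own arithmetic no longer balances, and once because its total differs from the General Ledger total it was supposed to inherit. Either finding alone is enough to send the auditor back to the posting between those two runs.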
Process Control - Audit trail

User Master File
No.  UserID  Name   Function
1.   1002    Darma  Cashier
2.   1005    Rudy   Cashier
3.   1050    Hamdi  Assistant Mgr

Audit Trail
No.  UserID  Input (time-date)  Amount     Account No.  Source Doc ID
1.   1002    12:03-09-11-01     1,000,000  103          31.232.212-5
2.   1005    13:15-09-10-01     454,000    500          31.232.211-7
3.   1050    09:40-09-11-01     (50,000)   506          12.342.423-4
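An audit trail is only a control if someone reviews it against the user master file. The Python script below is an added example, not code from the slides or from the author: it parses audit trail lines laid out like the slide's table (UserID, time-date, amount in accounting notation, account number, source document ID), joins them to the user master file, and flags the entries an auditor would follow up. The three review rules (user absent from the master file, negative amount, entry outside business hours), the 08:00-18:00 window and the fourth trail line for user 1077 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed user master file: UserID -> (Name, Function), in the slide's columns
USER_MASTER = {
    "1002": ("Darma", "Cashier"),
    "1005": ("Rudy", "Cashier"),
    "1050": ("Hamdi", "Assistant Mgr"),
}

# Constructed audit trail lines in the slide's layout:
# UserID  Input(time-date)  Amount  AccountNo  SourceDocID
# The fourth line (user 1077, 22:15) is a constructed entry with no master record.
AUDIT_TRAIL = """\
1002 12:03-09-11-01 1,000,000 103 31.232.212-5
1005 13:15-09-10-01 454,000 500 31.232.211-7
1050 09:40-09-11-01 (50,000) 506 12.342.423-4
1077 22:15-09-11-01 2,500,000 103 31.232.214-9
"""

LINE_RE = re.compile(
    r"^(?P<user>\d+)\s+(?P<time>\d{2}:\d{2})-(?P<date>\d{2}-\d{2}-\d{2})\s+"
    r"(?P<amount>\(?[\d,]+\)?)\s+(?P<account>\d+)\s+(?P<doc>\S+)$"
)

# Constructed assumption: entries are expected between 08:00 and 18:00
BUSINESS_HOURS = ("08:00", "18:00")


def parse_amount(text: str) -> int:
    """Accounting notation: (50,000) means -50000."""
    negative = text.startswith("(") and text.endswith(")")
    value = int(text.strip("()").replace(",", ""))
    return -value if negative else value


def parse_trail(text: str) -> list:
    """Turn the raw trail into a list of dicts; reject any line that does not fit the layout."""
    entries = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = LINE_RE.match(line.strip())
        if match is None:
            raise ValueError(f"unparseable audit trail line {number}: {line!r}")
        entries.append({
            "line": number,
            "user": match["user"],
            "time": match["time"],
            "date": match["date"],
            "amount": parse_amount(match["amount"]),
            "account": match["account"],
            "doc": match["doc"],
        })
    return entries


def review_trail(entries: list, master: dict = USER_MASTER) -> list:
    """Return (line, user, reason) for every entry that deserves auditor follow-up."""
    findings = []
    for e in entries:
        if e["user"] not in master:
            findings.append((e["line"], e["user"], "user not in master file"))
        if e["amount"] < 0:
            findings.append((e["line"], e["user"], "negative amount (reversal)"))
        # "HH:MM" strings compare correctly as text
        if not (BUSINESS_HOURS[0] <= e["time"] < BUSINESS_HOURS[1]):
            findings.append((e["line"], e["user"], "entry outside business hours"))
    return findings


def totals_by_user(entries: list) -> dict:
    """Net amount entered per UserID, for comparison with the user's function."""
    totals = defaultdict(int)
    for e in entries:
        totals[e["user"]] += e["amount"]
    return dict(totals)


if __name__ == "__main__":
    trail = parse_trail(AUDIT_TRAIL)
    for line, user, reason in review_trail(trail):
        name, function = USER_MASTER.get(user, ("<unknown>", "<unknown>"))
        print(f"line {line}: user {user} ({name}, {function}): {reason}")
    print(totals_by_user(trail))
```

The parser deliberately raises on a line it cannot read rather than skipping it: a trail record that does not match the expected layout is itself a finding, since it may be a tampered or truncated record.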
Output Control - Distribution

Module      A  B  C  D
Manager     A  A  A  A
Supervisor  P  P  P  P
Clerk1      V  V  V  -
Clerk2      -  V  V  V
A: All, V: View, P: Print
Verified to User Authorization Form
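Both matrices above (input authorization with E/A/P rights, and output distribution with A/V/P rights) are reviewed the same way: the rights extracted from the live application are compared cell by cell with the approved User Authorization Form, and the input matrix is additionally checked for segregation of duties (no user holding two of Entry, Approve and Posting on the same module). The Python script below is an added example, not code from the slides or from the author, and serves both slides. The "as extracted from the application" matrices are constructed: they plant an extra Approve right for Clerk1, an account "Temp1" that appears on no form, and a Print right for Clerk2 on module A.

```python
# Rights that must not be combined for one user on one module (segregation of duties)
SOD_RIGHTS = set("EAP")  # E: Entry, A: Approve, P: Posting

# Constructed: the input-authorization matrix exactly as on the approved form
AUTHORIZED_INPUT = """
Module     A B C D
Manager    P P P P
Supervisor A A A A
Clerk1     E E x x
Clerk2     x x E E
"""

# Constructed: the same matrix as extracted from the live application.
# Planted deviations: Clerk1 has gained Approve on module A, and a user
# "Temp1" exists that is on no authorization form.
ACTUAL_INPUT = """
Module     A  B C D
Manager    P  P P P
Supervisor A  A A A
Clerk1     EA E x x
Clerk2     x  x E E
Temp1      E  E E E
"""

# Output distribution matrices (A: All, V: View, P: Print, -: none), form and live
# system; planted deviation: Clerk2 can print module A reports the form does not grant.
AUTHORIZED_OUTPUT = """
Module     A B C D
Manager    A A A A
Supervisor P P P P
Clerk1     V V V -
Clerk2     - V V V
"""

ACTUAL_OUTPUT = """
Module     A B C D
Manager    A A A A
Supervisor P P P P
Clerk1     V V V -
Clerk2     P V V V
"""


def parse_matrix(text: str) -> dict:
    """Parse a slide-style matrix: header 'Module A B C D', then one user per row."""
    rows = [line.split() for line in text.strip().splitlines()]
    modules = rows[0][1:]
    return {row[0]: dict(zip(modules, row[1:])) for row in rows[1:]}


def compare_to_forms(actual: dict, authorized: dict, none: str = "x") -> list:
    """Return (user, module, actual right, authorized right) for every cell that differs.

    A user missing from either side is treated as having no rights there, so an
    unauthorized account shows up as one deviation per module.
    """
    deviations = []
    for user in sorted(set(actual) | set(authorized)):
        modules = set(actual.get(user, {})) | set(authorized.get(user, {}))
        for module in sorted(modules):
            have = actual.get(user, {}).get(module, none)
            allowed = authorized.get(user, {}).get(module, none)
            if have != allowed:
                deviations.append((user, module, have, allowed))
    return deviations


def sod_violations(matrix: dict) -> list:
    """Return (user, module, rights) where one user holds two or more of E/A/P on a module."""
    return [
        (user, module, rights)
        for user, row in matrix.items()
        for module, rights in row.items()
        if len(SOD_RIGHTS & set(rights)) > 1
    ]


def review_access(actual_text: str, authorized_text: str, none: str = "x") -> dict:
    """Full review of one matrix pair: deviations from the form plus SoD conflicts."""
    actual, authorized = parse_matrix(actual_text), parse_matrix(authorized_text)
    return {
        "deviations": compare_to_forms(actual, authorized, none),
        "sod": sod_violations(actual),
    }


if __name__ == "__main__":
    print("Input control:", review_access(ACTUAL_INPUT, AUTHORIZED_INPUT))
    print("Output control:", review_access(ACTUAL_OUTPUT, AUTHORIZED_OUTPUT, none="-"))
```

The `none` parameter is the symbol each slide uses for "no right" (x on the input matrix, - on the output matrix), so a user present in the application but absent from the form is reported against that symbol rather than silently skipped.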
Old vs. New: The Big Picture (figure)
Status quo: Application Controls / IT General Controls / IT Environment
Future state vision: IT General Controls / IT Environment / Application Controls
What is Application Software?
Software that is designed and created to perform a specific personal, business or scientific processing task, such as word processing, an interactive game, a business application, etc.
Categories of software
• In-house developed application
• Integrated application (e.g. ERP systems: SAP, JDE, PeopleSoft, Oracle, etc.)
• Package application (e.g. ACCPAC, Picador, etc.)
What is Data Analysis?
• Manipulating, cleansing and processing data, without altering the source data, so that it can be analyzed for a certain purpose, such as decision making, audit purposes, forecasting, etc.
Tools of Data Analysis
• ACL
• IDEA
• MS Excel
• Access
• etc.
Audit Methodology
PHASE 1: Planning the audit
PHASE 2: Identify risks and controls
PHASE 3: Evaluate controls and gather evidence
PHASE 4: Document findings and discuss with auditee
PHASE 5: Final reporting, presentation of results
Phase 2: Identify risks and controls
Activities:
• Document the relevant process
• Identify risks in the process
• Identify the controls that are currently in place
Result:
• Process and risk documentation (matrix or narrative)
Phase 3: Evaluate controls and gather evidence
Activities:
• Assess the effectiveness of controls
• Gather evidence of effective controls
• Identify risks that have not been mitigated
Result:
• Risk and control documentation
Phase 4: Document findings and discuss with auditee
Activities:
• Prepare draft report
• Discuss findings with the auditee (the one being audited)
• Revise draft to final version
Result:
• Final agreed-upon report
Phase 5: Final reporting and presentation of results
Activities:
• Send final report
• Present findings to management
• Prepare plan for improvement
Result:
• Happy client
PHASE 1: PLANNING THE AUDIT
An overview of the full audit planning:
STEP 1: Accepting the audit engagement
STEP 2: Teaming
STEP 3: Engagement letter
STEP 4: Understanding the client's background
STEP 5: Prepare audit plan
Step 1: Accepting the audit engagement
• Investigating a new or continuing client
  – Audit objective: identify the purpose of the audit
  – Audit subject: identify the area to be audited
  – Audit scope: identify the specific systems and entity of the organization to be included in the review
• Accept the audit engagement: prepare the engagement letter
Step 2: Teaming
Steps
• Identify the technical skills of the team
• Identify the resources needed to perform the audit
• Identify the sources of the information for test or review
• Identify the location and facilities to be audited
Constraints
• Limited staff availability
• Inadequate facilities to perform the audit
• Lack of technical skills
Step 3: Engagement Letter
• Clearly states management's objectives for, and delegation of authority to, IS Audit.
• Minimizes misunderstanding between client and auditor
• Outlines the overall authority, scope and responsibilities of the audit function.
• The highest level of management should approve this document.
• Carries legal responsibility
Step 4: Understanding the client's background
• Gather the organization's standards, policies and guidelines
• The IS auditor should be familiar with the regulatory environment in which the business operates. Examples: banking, insurance
• Prepare a list of persons to be interviewed
• Identify and select the audit approach to verify and test the controls
• Develop audit tools and methodology
Step 5: Prepare audit plan
Combine the previous activities into the plan and communicate it to the team and the client.
IS Audit Methods
• Auditing Around The Computer
• Auditing Through The Computer
• Auditing With The Computer
Auditing Around The Computer (figure; labels translated from Indonesian)
Computer system operation: transactions → processing (database) → output
Auditor's testing of input/output: selection of transactions → selection of the output related to the selected transactions → auditor's analysis → auditor's conclusion
Auditing Through The Computer
– Testing the computer application program. Examples:
  • Test data
  • Integrated Test Facility
  • Parallel Simulation
– Data verification. Examples:
  • Embedded Audit Data Collection / System Control Audit Review File
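Parallel simulation, one of the program-testing techniques listed above, means the auditor writes an independent program that recomputes the application's key results from the same input and compares the two outputs. The Python script below is an added example, not code from the slides or from the author, for the "Calculate Discount and PPN" step of the sales application on the run-to-run totals slide. The pricing rule it simulates (discount = net x discount rate; PPN charged on the discounted amount at 10%, a rate consistent with the slide's 300 → 30 and 1400 → 140 figures), the three input transactions and the application output with a planted error on T2 are all constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
PPN_RATE = Decimal("0.10")  # assumption: 10% PPN, consistent with the slide's figures


def money(value: Decimal) -> Decimal:
    """Round to two decimals, half up, as a cash register would."""
    return value.quantize(CENT, rounding=ROUND_HALF_UP)


def simulate(tx: dict) -> dict:
    """Auditor's independent recomputation of discount, PPN and total for one sale.

    Rule being simulated (constructed): discount = net * discount_rate;
    PPN is charged on the net amount after discount.
    """
    net = Decimal(tx["net"])
    discount = money(net * Decimal(tx["discount_rate"]))
    ppn = money((net - discount) * PPN_RATE)
    return {"id": tx["id"], "discount": discount, "ppn": ppn,
            "total": money(net - discount + ppn)}


def parallel_simulation(inputs: list, app_output: list) -> list:
    """Compare the simulated results with what the application produced.

    Returns (transaction id, field, simulated value, application value) per difference;
    a transaction the application never output is reported with field "missing".
    """
    produced = {row["id"]: row for row in app_output}
    differences = []
    for tx in inputs:
        expected = simulate(tx)
        actual = produced.get(tx["id"])
        if actual is None:
            differences.append((tx["id"], "missing", None, None))
            continue
        for field in ("discount", "ppn", "total"):
            if expected[field] != Decimal(actual[field]):
                differences.append((tx["id"], field, expected[field], Decimal(actual[field])))
    return differences


# Constructed input transactions, the same records the application processed
INPUTS = [
    {"id": "T1", "net": "300", "discount_rate": "0.05"},
    {"id": "T2", "net": "1000", "discount_rate": "0.10"},
    {"id": "T3", "net": "455", "discount_rate": "0"},
]

# Constructed application output; T2 is planted to have PPN computed on the
# gross amount instead of the discounted amount
APP_OUTPUT = [
    {"id": "T1", "discount": "15.00", "ppn": "28.50", "total": "313.50"},
    {"id": "T2", "discount": "100.00", "ppn": "100.00", "total": "1000.00"},
    {"id": "T3", "discount": "0.00", "ppn": "45.50", "total": "500.50"},
]

if __name__ == "__main__":
    for tx_id, field, simulated, produced in parallel_simulation(INPUTS, APP_OUTPUT):
        print(f"{tx_id}: {field} simulated {simulated}, application {produced}")
```

Decimal arithmetic with explicit half-up rounding is used so that a difference of one cent is a real finding about the application's logic and not an artefact of the auditor's own floating-point rounding.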
Auditing With The Computer (figure; labels translated from Indonesian)
Data entry → file → processing → output; the output becomes the object of analysis → auditor's analysis → auditor's conclusion
Question and Answer
Thank You