Understanding and Performing Information Technology Audit
Empower Your Auditor
Understanding IT Audit

IT controls and IT audit: Are they needed? Why are they needed? What is the relationship between controls and audit?
[Figure: drivers of IT controls and audit. Labels: cost of data loss, errors in decision making, computer abuse, cost of H/W, cost of S/W & B/W, computer errors, privacy, and the evolving use of computers; together these motivate controls and audit.]
IT and Internal Control
What is the impact of IT on internal control, and how does it arise?
o Segregation of duties
o Authorization system
o Documentation and record keeping
o Delegation of authority and responsibility
o Physical control over assets and documents
o Accountability for records
o Competent personnel
o Supervision by management
IT and Auditing
What is the impact of IT on auditing, and how does it arise?
o Evidence collection
o Evidence evaluation
Audit and IT Audit
Three levels of auditor involvement in IT audit:
o Level 1, The Generalist: the 'ordinary' auditor, who is familiar with the issues and methods of IT audit, can undertake simple IT audit tasks, and can use IT audit specialists to serve general audit objectives.
o Level 2, The IT Auditor: the auditor who has chosen to specialise in IT audit, skilled at undertaking most IT audits, except those in highly specialised areas of IT.
o Level 3, The IT Control & Security Specialist: the auditor who, through length of experience, has become very familiar with IT and IT audit issues, and can undertake or supervise audit tasks including highly specialised ones.
Definition of IT Audit (or IS Audit):
The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.

ISACA, CISA Review Manual 2005:
The process of collecting and evaluating evidence to determine whether information systems and IT environments adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that operational and control objectives will be met.
Some key terms:
o Collection and evaluation of evidence
o Reasonable assurance
o Operational objectives and control objectives
o Audit objectives:
  - Asset safeguarding: ensures confidentiality and availability
  - Data integrity: ensures completeness, accuracy and consistency
  - Effectiveness: relevant, accurate, timely, complete
  - Efficiency: optimal use of resources
[Figure: disciplines that feed into IT audit. Labels: Management, Information Technology, Traditional Auditing, Computer Science, Behavioral Science, Information.]
Performing IT Audit

What are the stages of an audit?
o Preliminary work
o Audit planning
o Control testing
o Substantive testing
What are the stages of an IT audit? (flowchart, reconstructed as text)
Preliminary review:
o Preliminary audit work
o Obtaining understanding
o Assess control risk
o Rely on control? No: go to extended substantive test. Yes: continue to control testing.
Control testing:
o Test of control
o Reassess control risk
o Still rely on control? No: go to extended substantive test. Yes: go to limited substantive test.
Substantive testing:
o Limited substantive test, or
o Extended substantive test
o Form audit opinion and issue audit report
System Factoring and Function Factoring (diagram, reconstructed as text)
System factoring:
o Level 0: System
o Level 1: Subsystems
o Level 2: Subsystems of each subsystem
Function factoring:
o IT functions: Management system, broken down into management subsystems
o Accounting cycles: Application system, broken down into application subsystems
IT Audit Approaches
o Audit around the computer
o Audit through the computer
o Audit with the computer
Audit around the Computer
[Figure: INPUT and OUTPUT are examined; PROCESS is treated as a black box.]
Considerations:
o Inherent risk is low
o Application logic is "straightforward"
o Input transactions are batched
o Controls are exercised through traditional methods
o Processing merely sorts input data and updates the master file "sequentially"
o An audit trail exists and is clear
o The environment is relatively constant
o The system is rarely modified
Audit through the Computer
[Figure: INPUT, PROCESS and OUTPUT are all examined.]
Considerations:
o Inherent risk is high
o The application processes large volumes of input and output
o Significant internal controls are embedded in the system
o Processing logic is complex
o There are significant gaps in the audit trail
IT Audit Standards
Information Systems Audit & Control Association (ISACA)
o Standards
o Guidelines
o Procedures
o 010 Audit Charter
010.010 Responsibility, Authority and Accountability
The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.
o 020 Independence
020.010 Professional Independence
In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance.
020.020 Organizational Relationship
The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.
o 030 Professional Ethics and Standards
030.010 Code of Professional Ethics
The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association.
030.020 Due Professional Care
Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor's work.
o 040 Competence
040.010 Skills and Knowledge
The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work.
040.020 Continuing Professional Education
The information systems auditor is to maintain technical competence through appropriate continuing professional education.
o 050 Planning
050.010 Audit Planning
The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.
o 060 Performance of Audit Work
060.010 Supervision
Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.
060.020 Evidence
During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
o 070 Reporting
070.010 Report Content and Form
The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions and recommendations and any reservations or qualifications that the auditor has with respect to the audit.
o 080 Follow-Up Activities
080.010 Follow-Up
The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner.
Code of Professional Ethics:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.