Zaldy Adrianto
Definition
Risk assessment of the risks related to the IT organization, security, acquisition, development and maintenance, computer operations.
Objectives
To provide a comprehensive framework of internal controls for IT activities and to provide a certain level of assurance that the overall internal control objectives can be achieved.
According to Indonesian Auditing Standards (PSA No. 60 / SA Seksi 314)
System development and maintenance have been carried out efficiently and through a proper authorization process, including:
- Testing, changes, implementation and documentation of new or revised systems.
- Changes to application systems.
- Access to system documentation.
- Acquisition of application systems and program listings from third parties.
Software Control
Controls are in place to ensure that application software has been designed, acquired and developed efficiently and through a proper authorization process:
- Authorization, approval, testing, implementation and documentation of new system software and modifications to system software
- Access to software and system documentation restricted to employees who have been authorized
Production
Output Process Input
IT Plan Review
Auditors evaluate whether top management has formulated a high-quality information systems plan appropriate to the needs of their organization.
Organization
Organizational controls ensure the alignment of IT facilities with the business needs and the proper management of these facilities.
Key risks
- IT does not support business needs
- Loss of efficiency, untimely problem solving, unsatisfied staff, no improvements
- Unwanted combination of functions
- Untimely management reporting
- High dependence on one/few persons

- Planning and budgeting
- Quality and quantity of staff
- Segregation of duties or close supervision
Key controls
Organizational issues
- Position of IT department in organization
- Planning and reporting
- Centralization or decentralization of tasks
- Functions and task descriptions of IT staff
- Quality and quantity of staff
- Cost center, Profit center, Investment center and Hybrid center
Change Management
Change management procedures
ensure that changes not negatively controls.
Key risks
Loss of effectiveness of IT controls Loss of valuable hardware during
changes needs
Key controls
Use of a development and
programming standards
Development
Production
Software library
Read access for librarian
Preliminary study
Technical feasibility:
- Is the available technology sufficient to support the proposed project?
- Can the technology be acquired or developed?
Operational feasibility:
- Can the input data be collected for the system?
- Is the output usable?
Economic feasibility:
- Do the benefits of the system exceed the cost?
Behavioral feasibility:
- What impact will the system have on the users' quality of working life?
Type of Testing
- Program Testing
- System Testing
- User Testing
- Quality Assurance Testing
Physical Security
How do we secure our assets?
Personnel Hardware Physical Facilities Documentation Assets Supplies Mainframe, minis & micros Peripherals: online/offline Storage Media
Application System
Definition
Physical security of computer hardware covers all controls to prevent damage to or loss of valuable assets and data on systems.
Key risks
- Loss of valuable hardware
- Tampering or damage to hardware
- Damage by external influences (fire, water)
Key controls
- Locked and dedicated computer room
- Availability of back-up power supply
- Fire and water detector
- No potentially dangerous situations (sprinklers, computer room on ground floor, etc.)

Fire and smoke; Water; Power supply fluctuations and failures; Structural Damage; Pollution; Misuse; Theft.
Key risks
- Potential for fraud and misuse of systems and data
Key controls
- Up-to-date user access list
- Use of unique user-id and password
- Periodic review of list by management
- Regular change of passwords
- Clean desk
Authentication Process
User Profiles Identification Authentication Authorization
Audit log Report writer Security reports
Database
Software Library
Key risks
- Data cannot be recovered (in time) after system failure
Key controls
- Regular back ups, preferably daily
- Safe storage of tapes, preferably in fireproof vault and externally tapes
What Is a Disaster?
A "Disaster" Is Any Event Which Disables or Interrupts Your Client's Ability to Maintain a Business-As-Usual Environment for a Period of Time That Adversely Affects Ongoing Operations.
- Safeguards vital corporate assets
- Ensures continued availability of Critical
- Minimizes the effect of a disaster
- Considers the entire business including IT
HUMAN - DELIBERATE
- terrorist attack
- industrial action
- blackmail
MISCELLANEOUS
- loss of key staff
- loss of key supplier
- negligence
NATURAL
- inclement weather
- legal/regulatory requirements
- earthquakes/volcanoes
- Hot- or cold standby
- Personnel resources available
- Single point of failure will fail!
- Regular testing required
BACKUP TAPE
BACKUP STORAGE
POWER REGULATOR