
Information Technology Audit
Session 3
DTETI
2016

Audit Universe

The Universe
Inventory all potential audit areas in the organization.
Building the audit universe documents the key business processes and risks.
Best practice: incorporate enterprise-wide risk assessments into audit plans (Institute of Internal Auditors (IIA) Standard 2010).
Analyze risk exposures.
Priorities for internal audit activity: organization objectives, supporting processes, risks of unachieved objectives, controls to mitigate risks.
Annual audit schedules: process, duration, personnel.
Planning: organizational changes, risk changes, introduction of new regulations.
Re-prioritizing.

Risk Assessment

The fast pace of the IT environment in business means a company must be aware of and deal with the risks it faces.
Set objectives so that the organization operates in concert.
Risk assessment is important because it provides a framework for allocating audit resources to achieve maximum benefits.
It is a technique to examine potential projects in the audit universe and choose the projects that have the greatest risk exposure.
There are unlimited potential audit projects, which require prioritization.
Risk assessment provides explicit criteria for the systematic evaluation and selection of audit projects.

Risk Assessment Process

Step 1
Goal: Set objectives
Key question: What are we trying to achieve?
Example: Produce reliable financial statements.

Step 2
Goal: Identify risks to achieving those objectives
Key question: What could happen that would affect our objectives?
Example: A natural disaster could destroy computer systems and data.

Step 3
Goal: Assess risk
Key questions: What are the consequences of the risk? What is the likelihood the event will occur?
Example: Consequences are severe; likelihood is slight.

Step 4
Goal: Manage risk
Key question: In light of the assessment, what is the most cost-effective way to manage the risk?
Example: Insure against loss. Develop a business recovery plan. Self-insure.

Control Activities

Step 5
Goal: Define control objective
Key question: For risks to be managed through internal control, what are the control objectives?
Example: Implement a recovery plan that reduces the impact of a natural disaster.

Step 6
Goal: Design control
Key question: How should the control be designed to prevent or detect the identified risk?
Example: Design the recovery plan. Implement the plan. Test it on a regular basis.

Audit Plan

Define scope according to organizational goals and policies.
Budgets of time and costs.
State objectives.
Priorities.
Structure an orderly approach.
Provide for measurement of achievement.
Assure reasonable comprehensiveness.
Provide flexibility in approach.

Audit Scheduling

Create an annual schedule:
agreement from the board on the audit areas
communicate the audit areas to the functional departments
linked to current business objectives and risks
Costs: potential loss of goodwill, loss of revenue, noncompliance with laws and regulations.
Time availability.
High-risk prioritization.
Schedule changes must be informed/communicated.

Audit Budgeting

Budget coordination
Human resources
Training (for error-correction actions/recommendations)
Understand the capabilities and availabilities
High-level auditing areas, sensitive areas
Preparation
Scope and objectives clearly stated, including: process areas, controls, functional area, time period, other specifics.
Prioritization
High priority must be performed.
Lowest priority may be scrapped.
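As an added illustration (not from the slides), a risk-scoring sketch of the process above: each audit-universe entry gets a likelihood and consequence rating (Step 3), the universe is ranked by exposure, and the annual schedule is filled in priority order until the time budget runs out, so high-priority areas are always performed and the lowest may be scrapped. The 5-point scales, the 500-hour budget and the sample areas are assumptions.

```python
from dataclasses import dataclass

@dataclass
class AuditArea:
    """One audit-universe entry: a risk to an objective (Steps 1-2)."""
    name: str
    likelihood: int          # 1 = slight ... 5 = almost certain  (Step 3)
    consequence: int         # 1 = minor  ... 5 = severe          (Step 3)
    hours: int               # estimated audit effort for the annual budget
    mandatory: bool = False  # e.g. required by regulation: must be performed

    @property
    def exposure(self) -> int:
        # Likelihood x consequence on a 5x5 matrix, so scores run 1..25.
        return self.likelihood * self.consequence

def rank_universe(areas):
    """Explicit selection criterion: mandatory areas first, then highest
    risk exposure first. Ties keep their original order (stable sort)."""
    return sorted(areas, key=lambda a: (a.mandatory, a.exposure), reverse=True)

def plan_schedule(areas, budget_hours):
    """Schedule ranked projects while the time budget lasts. Mandatory areas
    are always scheduled (even over budget); the lowest-priority areas that
    no longer fit are deferred, i.e. may be scrapped from this year's plan."""
    scheduled, deferred, used = [], [], 0
    for area in rank_universe(areas):
        if area.mandatory or used + area.hours <= budget_hours:
            scheduled.append(area.name)
            used += area.hours
        else:
            deferred.append(area.name)
    return scheduled, deferred, used

# Constructed sample universe (hypothetical values, not from the slides); the
# first entry mirrors the slide's example: consequences severe, likelihood slight.
UNIVERSE = [
    AuditArea("Natural disaster destroys computer systems and data", 1, 5, 60),
    AuditArea("Web application (OWASP top ten)", 4, 4, 160),
    AuditArea("PCI cardholder data environment", 3, 5, 200, mandatory=True),
    AuditArea("Payroll application controls", 3, 4, 120),
    AuditArea("Data centre physical access", 2, 5, 80),
    AuditArea("Desktop software licensing", 2, 2, 40),
]

if __name__ == "__main__":
    done, dropped, hours = plan_schedule(UNIVERSE, budget_hours=500)
    print("Scheduled:", done, "\nDeferred:", dropped, "\nHours used:", hours)
```

Re-prioritizing (a changed likelihood, a new regulation flagging an area as mandatory) is just a re-run of plan_schedule on the updated list.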

Audit Workflow

Internal Controls

The control environment sets the tone of the company.
Senior management must set an appropriate "tone at the top" that positively influences the control consciousness of the personnel.
This is the foundation for all other components of internal control and provides discipline and structure.
Factors that contribute to an effective control environment:
Integrity and Ethical Values
Commitment to Competence
Management's Philosophy and Operating Style
Organizational Structure
Assignment of Authority and Responsibility
Human Resources Policies and Practices
IT Considerations
Control policies and procedures must be established and executed to help ensure that the actions identified by management to address risks are carried out.

Monitoring

The entire control process must be monitored.
Monitoring is a process that assesses the quality of internal control performance over time.
Examples of monitoring activities:
The regular management and supervisory activities carried out in the normal course of business.
Communications from external parties, which can corroborate internally generated information or indicate problems: customers corroborate billing data; customer complaints.
External auditors regularly provide recommendations on the way internal controls can be strengthened.
Employees may be required to sign off to evidence performance of control functions.

(corroborate = establish or strengthen, as with new evidence or facts)

IT Audit Standards
COSO
COBIT
ITIL
ISO

Background
When the savings and loan industry collapsed in the mid-1980s, the US government wanted more control.
In an effort to deter governmental intervention, an independent private-sector initiative, later called COSO, was initiated in 1985 to assess how best to improve the quality of financial reporting.

Committee of Sponsoring Organizations
COSO formalized the concepts of internal control and framework in 1992 when it issued the landmark publication Internal Control-Integrated Framework.
Boeing uses COSO as its internal audit foundation.
Since that time, other professional associations have continued to develop additional frameworks.
Sponsors:
American Institute of Certified Public Accountants (AICPA)
American Accounting Association (AAA)
Financial Executives Institute (FEI)
Institute of Internal Auditors (IIA)
Institute of Management Accountants (IMA)

Scoping the COSO Framework

Control Environment
Sets the tone of the organization, influencing the control consciousness of its people.
Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and the IT control environment.
Foundation for all other components of control.

Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.

Control Activities
Policies/procedures that ensure management directives are carried out.
Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information & Communication
Pertinent information identified, captured and communicated in a timely manner.
Access to internally and externally generated information.
Flow of information that allows for successful control actions, from instructions on responsibilities to summaries of findings for management action.

Monitoring
Assessment of a control system's performance over time.
Combination of ongoing and separate evaluations.
Management and supervisory activities.
Internal audit activities.

The New Box: What Does the Future Hold?

[Figure: the COSO ERM cube. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Organizational levels: Entity-Level, Division, Business Unit, Subsidiary. Objective category shown: Strategic.]

COSO & IT Control

COSO introduces the concept of controls over information systems.
It classifies information systems control activities as:
General computer controls: IT management, IT infrastructure, and software acquisition, development, and maintenance.
Application controls.

International Standard Organization (ISO)

ISO 27001/ISO 17799/BS 7799
Mainly for the management of information security.
ISO 17799 addresses 11 major areas within the information security discipline:
Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and maintenance
Information security incident management
Business continuity management
Compliance

Control Objectives for Information and Related Technologies (CoBIT)

First published in April 1996.
The foremost internationally recognized framework for IT governance and control. The most recent version, CoBIT 4.0, was released in 2005.
Developed by the IT Governance Institute (ITGI) of ISACA using a worldwide panel of experts from industry, academia, government, and the IT security and control profession.
In-depth research was conducted across a wide variety of global sources in order to pull together the best ideas from all germane technical and professional standards.
CoBIT represents a generally applicable and internationally accepted standard of good practice for IT controls.
It is independent of technical platform.
It is management and business process owner-oriented.
It is the international de facto standard for IT governance.

COBIT Framework

IT Infrastructure Library (ITIL)

The IT Infrastructure Library (ITIL) was developed by the U.K. government in the mid-1980s.
It has become a de facto standard for best practices in the provision of IT infrastructure management and service delivery.

Auditing Web Applications

The best compilation of common web application issues is maintained by the Open Web Application Security Project (OWASP).
According to its website, it is "dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted."
The OWASP "top ten" have made their way into standards, such as the Payment Card Industry (PCI) standard, and these "top ten" are regarded as a set of minimum standards you should examine during an audit.

Web Audit Example?

Coverage/Scope
Platform
Server
Application
Audit Aspects
Functional
Services
Performance
Security

Quick Exercise

Do brief assessments and submit them to Papirus as individual work.

Web page checkers (search for "online web checker"):
Accessibility
http://www.etre.com/tools/accessibilitycheck/
http://achecker.ca/checker/index.php
Validation
http://validator.w3.org/
CSS validation
http://jigsaw.w3.org/css-validator/
Monitoring services
http://host-tracker.com/
Broken links
http://www.brokenlinkcheck.com/
Performance
http://www.webpagetest.org/
Basic security
http://sitecheck.sucuri.net/scanner/
