INFORMATION SYSTEM
BY :
Kevin Dwijaya P. Sebo (160810301035)
Chesilia Pramesti A (160810301084)
Davidea Rahma (160810301087)
Why Is Control Needed?
Internal Controls
1. Preventive controls: deter problems from occurring
2. Detective controls: discover problems that are not prevented
3. Corrective controls: identify and correct problems; correct and recover from the problems
Control Frameworks
Committee of Sponsoring Organizations (COSO)

COSO components:
1. Control (internal) environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

COSO-ERM components:
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring
COSO & COBIT Similarities and Differences

COSO
1. The primary user focus is management.
2. The point of view of internal control is the unity of some processes in general.
3. The goals to be achieved from an internal control are the operation of an effective and efficient system, reporting of reliable financial statements and compliance with applicable regulations.
4. The components / domains are the control environment, risk management, supervision, and control of information and communication activities.
5. The control focus of eSAC is the entity.
6. Evaluation of internal control is directed to how effectively the control is applied at certain points in time.
7. Accountability for the eSAC control system is addressed to management.

COBIT
1. The primary user focus is the management, operators and auditors of the information system.
2. The internal view of the internal control is the unity of several processes consisting of policies, procedures, applications and organizational structure.
3. The objectives to be achieved from an internal control are the operation of an effective and efficient system, and the confidentiality, integrity and availability of information, equipped with a reliable financial reporting system in accordance with applicable regulations.
4. The intended components / domains are planning and organizing, acquisition and implementation, delivery and support, and monitoring.
5. The control focus of COBIT is the information technology side.
6. Evaluation of internal control is directed to how effectively the control is applied within the specified time period.
7. Accountability for the COBIT control system is directed to management.
OBJECTIVE SETTING
1. Strategic objectives
2. Operations objectives
3. Reporting objectives
4. Compliance objectives
EVENT IDENTIFICATION
EVENT TECHNIQUES
RISK ASSESSMENT AND RISK RESPONSE
- Inherent risk
- Residual risk
- Management's response to risk
- Estimate likelihood and impact
- Identify controls: preventive control, detective control, corrective control
- Estimate cost and benefit
CONTROL ACTIVITIES
Controls are selected and developed to help reduce risks to an acceptable level.

1. Proper authorization
2. Segregation of duties

Segregation of accounting duties:
1. Authorization
2. Recording
3. Custody

Segregation of systems duties:
- Network management
- Security management
- Change management
- Users
- Systems analysis
- Programming
- Computer operations
- Information system library
- Data control

Project development and acquisition controls:
- Steering committee
- Strategic master plan
- Data processing schedule
- System performance measurements
INFORMATION AND COMMUNICATION
MONITORING
THANK YOU!
No Questions?