
IT Audit Concepts

General IT Risks

Risk factors surrounding ORGANIZATIONS (diagram):
• Organizational costs of data loss
• Costs of incorrect decision making
• Costs of computer abuse
• Value of H/W, S/W & B/W
• Maintenance of privacy
• High costs of computer error
• Controlled evolution of computer use

These risks are addressed through Control and Audit.

© 2010 – CHANDRA YULISTIA, CISA 2

Impact of IT on the Auditor

• Change to evidence collection
• Change to auditing
• Change to evidence evaluation

Auditor Competency:
• Generalist
• IT Auditor
• IT Control & Security Specialist

© 2010 – CHANDRA YULISTIA, CISA 3

IT Audit Concepts – Definitions of IT Audit

Ron Weber, Information System Control & Audit (1999):
"Information systems auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently."

ISACA, CISA Review Manual 2006:
"The process of collecting and evaluating evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner."

Sometimes information systems auditing has another objective, which is ensuring that an organization complies with some regulation.

IT Audit Concepts – Objectives of IT Audit

Information Systems Audit & Control applied to ORGANIZATIONS yields:
• Improved safeguarding of assets: Hardware, Software, Facilities, People, Data, System Documentation, Supplies
• Improved data integrity: Completeness, Soundness, Purity, Veracity
• Improved system effectiveness
• Improved system efficiency: Machine Time, Peripherals, System Software, Labor

IT Audit Concepts – Some key terms:
• Collection and evaluation of evidence
• Reasonable assurance
• Safeguarding of assets: ensuring confidentiality & availability
• Data integrity: ensuring completeness, accuracy & consistency
• Effectiveness: objectives are achieved
• Efficiency: resources are used optimally

IT Controls
• Top Management
• IS Management
• System Development Management
• Programming Management
• Data Management
• Security Management
• Quality Assurance Management
• Operation Management
• Application System Control

IT Audit Concepts – Combination of skills in IT audit

IT AUDIT draws on four disciplines:
• Traditional auditing
• Information technology management
• Computer science
• Behavioral science

IT Audit Methodology

IT Audit Methodology (flowchart)

Annual Audit Planning → Audit Planning → Control Evaluation → Control exists?
• Yes → Control Testing → Control is effective?
  – Yes → Limited Substantive Testing
  – No → Extended Substantive Testing
• No → Extended Substantive Testing
Substantive Testing → Audit Reporting → Audit Follow-up

IT Audit Methodology – Audit Planning
• Business information
  – Financial (Revenue, Cost, Profit, Assets)
  – Organizational indicators (Structure, Number of units, Location, Affiliation)
• Documentation of IT understanding
• Audit objectives and audit scope
• Audit risk (Audit Risk): AR = IR × CR × DR
• Audit team and audit schedule

Control Evaluation
• Policies, Standards, Procedures, Guidelines
• Organizational structure

IT Audit Methodology – Documentation of IT understanding
• IT environment
  – Operating systems and application systems
  – Infrastructure
  – Communications
• IT controls
  – Planning and organization
  – Development and implementation
  – IT operations and services
• IT information documentation
  – Application system diagrams (Data/Application Flow Diagram)
  – Infrastructure & network diagram (Network Diagram)
• IT risk assessment
  – General IT risk (IT Inherent Risk)
  – IT control risk (IT Control Risk)

IT Audit Methodology (diagram slide)

IT Audit Methodology – DFD Level 1: "PT ABC" Information System (diagram)
Elements shown: Entity A, Entity B, the "ABC" entity information system containing Application A, Application B and Application C, data stores Data 1 to Data 4 and Database A, with data flows numbered 1 to 3.

IT Audit Methodology (diagram slide)

IT Audit Methodology – Application List (attach the application diagram; see example)

No | Application name | System function | Operating system | Programming language | Database system | Modification date | Owner | Main users
1 | | | | | | | |
2 | | | | | | | |

Application & Database Package License List

No | Application & database package name | Vendor | Number of licenses | License type | Notes / Ref
1 | | | | |
2 | | | | |

IT Audit Methodology – Network Device List (attach the network diagram)

No | Description | Quantity | Specification | Brand | Type
1 | Router, Switch, etc. | | | |
2 | | | | |

Server List

No | Description / Function | Brand & Type | Quantity | Operating system | Location
1 | | | | |
2 | | | | |

Terminal Device List

No | Description | Quantity | Specification | Brand | Location
1 | PC, NC, Notebook, etc. | | | |
2 | | | | |

IT Audit Methodology – Data Communication Media List (External & Internal)

No | Media | Connection to (Internal / External) | Connection used for (activity) | Provider | Connection speed
1 | | | | |
2 | | | | |

Special Technology List

No | Special technology | Main function | Main users
1 | Examples: automated attendance, bar code reader, document imaging, etc. | |
2 | | |

IT Audit Methodology – IT Policy & Procedure List

No | Information system policies and procedures | Brief description | Notes
1 | | |
2 | | |

Brief Description of Problems Encountered

No | Problem
1 |
2 |
3 |

IT Audit Methodology
• Control Evaluation
  – Policies, Standards, Procedures, Guidelines
  – Organizational structure
• Control Testing
  – Risk analysis
  – Internal control review
• Substantive Testing
  – Test of details of transactions
• Audit Reporting
  – Audit findings and conclusions
• Audit Follow-up
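The methodology flowchart and the audit risk model AR = IR × CR × DR from the planning slide fit together: control evaluation and control testing decide how much reliance the auditor places on controls (CR), and the detection risk the auditor can still accept then determines whether limited or extended substantive testing is planned. The following script is an added example, not from the original slides; the control-risk values, the 5% target audit risk and the threshold that separates limited from extended testing are illustrative assumptions.

```python
"""Audit risk model (AR = IR x CR x DR) applied to the methodology flowchart.

Added example; the numeric values for control risk and the testing
threshold are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Extent(Enum):
    LIMITED = "limited substantive testing"
    EXTENDED = "extended substantive testing"


@dataclass(frozen=True)
class ControlEvaluation:
    control_exists: bool             # answer to "Control exists?" in the flowchart
    control_effective: bool = False  # answer to "Control is effective?" after control testing


@dataclass
class AuditPlan:
    inherent_risk: float
    control_risk: float
    detection_risk: float
    extent: Extent
    path: list = field(default_factory=list)  # flowchart steps taken, for the working papers


def assess_control_risk(evaluation: ControlEvaluation,
                        reliance_cr: float = 0.2,
                        no_reliance_cr: float = 1.0) -> float:
    """Control risk derived from the flowchart decisions (assumed values).

    Only a control that exists *and* passed control testing lets the auditor
    rely on it; otherwise CR is set to its maximum, meaning no reliance.
    """
    if evaluation.control_exists and evaluation.control_effective:
        return reliance_cr
    return no_reliance_cr


def planned_detection_risk(target_ar: float, ir: float, cr: float) -> float:
    """Rearrange AR = IR x CR x DR to the detection risk the auditor may accept."""
    for name, value in (("target_ar", target_ar), ("ir", ir), ("cr", cr)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    # DR is capped at 1: if IR x CR is already below the target, audit risk
    # stays within the target whatever the extent of substantive testing.
    return min(1.0, target_ar / (ir * cr))


def plan_engagement(target_ar: float, ir: float,
                    evaluation: ControlEvaluation,
                    limited_threshold: float = 0.3) -> AuditPlan:
    """Walk the methodology flowchart and size the substantive testing.

    A high acceptable DR means inherent conditions and controls already hold
    audit risk down, so limited substantive testing suffices; a low DR must
    be earned through extended substantive testing.
    """
    path = ["annual audit planning", "audit planning", "control evaluation"]
    if evaluation.control_exists:
        path.append("control testing")
    else:
        path.append("no control: skip control testing")
    cr = assess_control_risk(evaluation)
    dr = planned_detection_risk(target_ar, ir, cr)
    extent = Extent.LIMITED if dr >= limited_threshold else Extent.EXTENDED
    path += [extent.value, "audit reporting", "audit follow-up"]
    return AuditPlan(ir, cr, dr, extent, path)


if __name__ == "__main__":
    # Constructed scenario: acceptable audit risk 5%, inherent risk assessed at 50%.
    for ev in (ControlEvaluation(True, True),
               ControlEvaluation(True, False),
               ControlEvaluation(False)):
        plan = plan_engagement(0.05, 0.5, ev)
        print(f"{ev}: CR={plan.control_risk:.2f} DR={plan.detection_risk:.2f} "
              f"-> {plan.extent.value}")
```

With the assumed values, an existing and effective control allows a detection risk of 0.5 and therefore limited substantive testing, while a missing or ineffective control drives the acceptable detection risk down to 0.1 and forces extended substantive testing; the recorded path shows which branch of the flowchart was taken.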

IT Audit Approaches – Audit around the Computer (INPUT → PROCESS → OUTPUT)

Considerations:
• Inherent risk is low
• Application logic is straightforward
• Input transactions are batched
• Control is exercised through traditional methods
• Processing only sorts the input data and updates the master file sequentially
• An audit trail exists and is clear
• The environment is relatively constant
• The system is rarely modified

IT Audit Approaches – Audit through the Computer (INPUT → PROCESS → OUTPUT)

Considerations:
• Inherent risk is high
• The application processes large volumes of input & output
• Significant internal controls are embedded in the system
• The processing logic is complex
• There are significant gaps in the audit trail

IT Audit Standards

IT Audit Standards
• ISACA
  – Standards: IS Auditing Standards
  – Guidelines
  – Procedures
• Ikatan Audit Sistem Informasi Indonesia (IASII)
  – Standar Audit Sistem Informasi (SASI)

IT Audit Standards – S1 Audit Charter
• The purpose, responsibility, authority and accountability of the information systems audit function or information systems audit assignments should be appropriately documented in an audit charter or engagement letter.
• The audit charter or engagement letter should be agreed and approved at an appropriate level within the organisation(s).

S2 Independence
Professional Independence
• In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance.
Organisational Independence
• The IS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment.

IT Audit Standards – S3 Professional Ethics and Standards
• The IS auditor should adhere to the ISACA Code of Professional Ethics in conducting audit assignments.
• The IS auditor should exercise due professional care, including observance of applicable professional auditing standards, in conducting the audit assignments.

S4 Professional Competence
• The IS auditor should be professionally competent, having the skills and knowledge to conduct the audit assignment.
• The IS auditor should maintain professional competence through appropriate continuing professional education and training.

IT Audit Standards – S5 Planning
• The IS auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.
• The IS auditor should develop and document a risk-based audit approach.
• The IS auditor should develop and document an audit plan detailing the nature and objectives, timing and extent, and resources required.
• The IS auditor should develop an audit program and/or plan detailing the nature, timing and extent of the audit procedures required to complete the audit.

S6 Performance of Audit Work
Supervision
• IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.
Evidence
• During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
Documentation
• The audit process should be documented, describing the audit work performed and the audit evidence that supports the IS auditor's findings and conclusions.

IT Audit Standards – S7 Reporting
• The IS auditor should provide a report, in an appropriate form, upon completion of the audit. The report should identify the organisation, the intended recipients and any restrictions on circulation.
• The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
• The report should state the findings, conclusions and recommendations and any reservations, qualifications or limitations in scope that the IS auditor has with respect to the audit.
• The IS auditor should have sufficient and appropriate audit evidence to support the results reported.
• When issued, the IS auditor's report should be signed, dated and distributed according to the terms of the audit charter or engagement letter.

S8 Follow-Up Activities
• After the reporting of findings and recommendations, the IS auditor should request and evaluate relevant information to conclude whether appropriate action has been taken by management in a timely manner.

IT Audit Standards – S9 Irregularities and Illegal Acts
• In planning and performing the audit to reduce audit risk to a low level, the IS auditor should consider the risk of irregularities and illegal acts.
• The IS auditor should maintain an attitude of professional skepticism during the audit, recognising the possibility that material misstatements due to irregularities and illegal acts could exist, irrespective of his/her evaluation of the risk of irregularities and illegal acts.
• The IS auditor should obtain an understanding of the organisation and its environment, including internal controls.
• The IS auditor should obtain sufficient and appropriate audit evidence to determine whether management or others within the organisation have knowledge of any actual, suspected or alleged irregularities and illegal acts.
• When performing audit procedures to obtain an understanding of the organisation and its environment, the IS auditor should consider unusual or unexpected relationships that may indicate a risk of material misstatements due to irregularities and illegal acts.
• The IS auditor should design and perform procedures to test the appropriateness of internal control and the risk of management override of controls.
• When the IS auditor identifies a misstatement, the IS auditor should assess whether such a misstatement may be indicative of an irregularity or illegal act. If there is such an indication, the IS auditor should consider the implications in relation to other aspects of the audit and in particular the representations of management.

IT Audit Standards – S9 Irregularities and Illegal Acts (continued)
• The IS auditor should obtain written representations from management at least annually or more often depending on the audit engagement. It should:
  – Acknowledge its responsibility for the design and implementation of internal controls to prevent and detect irregularities or illegal acts
  – Disclose to the IS auditor the results of the risk assessment that a material misstatement may exist as a result of an irregularity or illegal act
  – Disclose to the IS auditor its knowledge of irregularities or illegal acts affecting the organisation in relation to: Management; Employees who have significant roles in internal control
  – Disclose to the IS auditor its knowledge of any allegations of irregularities or illegal acts, or suspected irregularities or illegal acts affecting the organisation as communicated by employees, former employees, regulators and others
• If the IS auditor has identified a material irregularity or illegal act, or obtains information that a material irregularity or illegal act may exist, the IS auditor should communicate these matters to the appropriate level of management in a timely manner.
• If the IS auditor has identified a material irregularity or illegal act involving management or employees who have significant roles in internal control, the IS auditor should communicate these matters in a timely manner to those charged with governance.

IT Audit Standards – S9 Irregularities and Illegal Acts (continued)
• The IS auditor should advise the appropriate level of management and those charged with governance of material weaknesses in the design and implementation of internal control to prevent and detect irregularities and illegal acts that may have come to the IS auditor's attention during the audit.
• If the IS auditor encounters exceptional circumstances that affect the IS auditor's ability to continue performing the audit because of a material misstatement or illegal act, the IS auditor should consider the legal and professional responsibilities applicable in the circumstances, including whether there is a requirement for the IS auditor to report to those who entered into the engagement or in some cases those charged with governance or regulatory authorities, or consider withdrawing from the engagement.
• The IS auditor should document all communications, planning, results, evaluations and conclusions relating to material irregularities and illegal acts that have been reported to management, those charged with governance, regulators and others.

IT Audit Standards – S10 IT Governance
• The IS auditor should review and assess whether the IS function aligns with the organisation's mission, vision, values, objectives and strategies.
• The IS auditor should review whether the IS function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement.
• The IS auditor should review and assess the effectiveness of IS resource and performance management processes.
• The IS auditor should review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements.
• A risk-based approach should be used by the IS auditor to evaluate the IS function.
• The IS auditor should review and assess the control environment of the organisation.
• The IS auditor should review and assess the risks that may adversely affect the IS environment.

IT Audit Standards – S11 Use of Risk Assessment in Audit Planning
• The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and in determining priorities for the effective allocation of IS audit resources.
• When planning individual reviews, the IS auditor should identify and assess risks relevant to the area under review.

IT Auditor Code of Ethics
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.