1. Overview AIS Goal conflict occurs when a subsystem’s as all payroll data relating to a single employee.
mployee. File A set data items. physical view The way data are physically
goals are inconsistent with the goals of another subsystem
or with the system as a whole. Goal congruence occurs
when a subsystem achieves its goals while contributing to
the organization’s overall goal. Characteristics of Useful
Information Relevant, Reliable, Complete, Timely,
Understandable, Verifiable, Accessible. information
overload Exceeding the amount of information a human
mind can absorb and process, resulting in a decline in
decision-making quality and an increase in the cost of
providing information. business process A set of related,
coordinated, and structured activities and tasks,
performed by a person, a computer, or a machine, that
help accomplish a specific organizational goal.  give-get
exchange Transactions that happen a great many times,
such as giving up cash to get inventory from a supplier and
giving employees a paycheck in exchange for their labor.
business processes or transaction cycles The major give-
get exchanges that occur frequently in most companies.
revenue cycle Activities associated with selling goods and
services in exchange for cash or a future promise to
receive cash. expenditure cycle Activities associated with
purchasing inventory for resale or raw materials in
exchange for cash or a future promise to pay cash.
production or conversion cycle Activities associated with
using labor, raw materials, and equipment to produce
finished goods. human resources/payroll cycle Activities
associated with hiring, training, compensating, evaluating,
promoting, and terminating employees. financing cycle
Activities associated with raising money by selling shares
in the company to investors and borrowing money as well
as paying dividends and interest. general ledger and
reporting system Information-processing operations
involved in updating the general ledger and preparing
reports for both management and external parties.
accounting information system A system that collects,
records, stores, and processes data to produce
information for decision makers. predictive analysis The
use of data warehouses and complex algorithms to
forecast future events, based on historical trends and
calculated probabilities. value chain linking together of all
the primary and support activities in a business. value is
added as a product passes through the chain. primary
activities value chain activities that produce, market, and
deliver products and services to customers and provide
post-delivery service and support. A well-designed AIS can
add value to an organization by 1.Improving the quality
and reducing the costs of products or services.
2.Improving efficiency. 3.Sharing knowledge. 4.Improving
the efficiency and effectiveness of its supply chain.
5.Improving the internal control structure. 6.Improving
decision making. supply chain An extended system that
includes an organization’s value chain as well as its
suppliers, distributors, and customers. The Value Chain 1.
Inbound logistics consists of receiving, storing, and
distributing the materials. 2.Operations. 3.Outbound
logistics activities. 4.Marketing and sales activities.
5.Service activities. The supply chain 1.Raw material
supplier. 2.Manufacturer. 3.Distributor. 4.retailer.
5.Consumer. Support activities  1.Firm infrastructure.
2.Human resources. 3.Technology activities 4.Purchasing
activities.
2. Transaction Processing and ERP System Data processing
cycle The four operations (data input, data storage, data
processing, and information output) performed on data to
generate meaningful and relevant information. Source
Documents Documents used to capture transaction data
at its source when the transaction takes place. Turnover
Documents Records of company data sent to an external
party and then returned to the system as input. Source
data automation The collection of transaction data in
machine-readable form at the time and place of origin.
General ledger A ledger that contains summary-level data
for every asset, liability, equity, revenue, and expense
account of the organization. Subsidiary ledger A ledger
used to record detailed data for a general ledger account
with many individual subaccounts, such as accounts
receivable, inventory, and accounts payable. Coding The
systematic assignment of numbers or letters to items to
classify and organize them. Sequence codes Items are
numbered consecutively so that gaps in the sequence
code indicate missing items that should be investigated.
Block codes Blocks of numbers that are reserved for
specific categories of data, thereby helping to organize the
data. Group codes Two or more sub-groups of digits that
are used to code an item. Mnemonic codes Letters and
numbers that are interspersed to identify an item. The
mnemonic code is derived from the description of the
item and is usually easy to memorize. Entity The item
about which information is stored in a record. Attributes
The properties, identifying numbers, and characteristics of
interest of an entity that is stored in a database. Field The
portion of a data record where the data value for a
particular attribute is stored. Record A set of fields whose
data values describe specific attributes of an entity, such
behavior. Pelaku merasa sah sah saja untuk melakukan
of logically related records, such as the payroll records of
all employees. Database A set of interrelated, centrally
controlled data files that are stored with as little data
redundancy as possible. Batch processing Accumulating
transaction records into groups or batches for processing
at a regular interval such as daily or weekly. Online,
realtime processing The computer system processes data
immediately after capture and provides updated
information to users on a timely basis. Query A request for
the database to provide the information needed to deal
with a problem or answer a question. Four types of data
processing activities Creating, Reading, Updating, Deleting
Enterprise Resource Planning(ERP) A system that
integrates all aspects of an organization’s activities, such
as accounting, finance, marketing, human resources,
manufacturing, inventory management, into one system.
ERP Advantages provides integrated data, data input
captured once, management gains visibility ERP
Disadvantages High cost,high amount time
required,complexity
3. Systems Documentation Techniques Documentation:
explains how a system works, including the who, what,
when, where, why, and how of data entry, data
processing, data storage, information output, and system
controls. Documentation are often supplemented
narrative description: a written step-by-step explanation
of system components and interactions. RULE: proceed
from left to right, top to bottom Data Flow Diagrams
(DFD): a graphical description of data sources, data flows,
transformation processes, data storage, and data
destinations. Using symbol. Control process and actions
should be ignored in here. Explode: the term used to
refine a high level or summary view DFD into successively
lower levels to provide greater amounts of detail.  Data
source and data destination (data sink, arrow pointing in):
are entities that send or receive data that the system uses
or produces. An entity can be both a source and a
destination. They are represented by squares. Data Flow:
is the flow or movement of data among processes, stores,
sources, and destinations. Arrow represents the direction
of data flow. Process represent the transformation of data,
circle represents transformation process (known as
bubble, the altering of data from inputs to outputs). A data
store is a repository of data, horizontal lines and parallel to
each other represent this. Flowcharts: is a pictorial,
analytical technique used to describe some aspect of an
information system in a clear, concise, and logical manner.
Flowcharts record how business processes are performed
and how documents flow through the organization. They
are also used to analyze how to improve business
processes and document flows. Flowcharting symbol:
Input/Output, Processing (square denotes an auxiliary
operation), Storage (show where data is stored), dan Flow
and Miscellaneous (indicate the flow of data, where
flowcharts begin or end, where decisions are made, and
how to add explanatory notes to flowcharts).Types of
Flowcharts: 1)Document Flowchart: A graphical
representation of the flow of documents and information
between departments or areas of responsibility within an
organization. It is particularly useful in analyzing the
adequacy of internal control procedures 2)System
Flowchart: A graphical representation of the relationship
among the input, processing, and output in an information
system 3)Program Flowchart: a graphical description of
the sequence of logical operations that a computer
performs. Business Process Diagram: a visual way to
describe the different steps or activities in a business
process
4. Relational Database Database A set of interrelated,
centrally coordinated data files that are stored with as
little data redundancy as possible. database management
system (DBMS) The program that manages and controls
the data and the interfaces between the data and the
application programs that use the data stored in the
database. database system The database, the DBMS, and
the application programs that access the database through
the DBMS. database administrator (DBA) The person
responsible for coordinating, controlling, and managing
the database. data warehouse Very large databases
containing detailed and summarized data for a number of
years that are used for analysis rather than transaction
processing. business intelligence  Analyzing large amounts
of data for strategic decision making. online analytical
processing (OLAP) Using queries to inves- tigate
hypothesized relationships among data. data mining Using
sophisticated statistical analysis to “discover”
unhypothesized relationships in the data. Advantages of
Database System data integration, data sharing, minimal
data redudancy & data inconsistencies, data
independence, cross-function analysis. record layout
Document that shows the items stored in a file, including
the order and length of the data fields and the type of
data stored. logical view How people conceptually
organize, view, and understand the relationships among
piracy: Pembajakan melalui salinan atau distribusi tanpa
arranged and stored in the computer system. Schema A
description of the data elements in a database, the
relationships among them, and the logical model used to
organize and describe the data. conceptual-level schema
The organization-wide view of the entire database that
lists all data elements and the relationships between
them. external-level schema  An individual user’s view of
portions of a database; also called a subschema.
Subschema A subset of the schema; the way the user
defines the data and the data relationships. internal-level
schema A low-level view of the entire database describing
how the data are actually stored and accessed. data
dictionary Information about the structure of the data-
base, including a description of each data element. data
definition language (DDL) DBMS language that builds the
data dictionary, creates the database, describes logical
views, and specifies record or field security constraints.
data manipulation language (DML) DBMS language that
changes database content, including data element
creations, updates, insertions, and deletions. data query
language (DQL) High-level, English-like, DBMS language
that contains powerful, easy-to-use commands that
enable users to retrieve, sort, order, and display data.
report writer DBMS language that simplifies report
creation. data model An abstract representation of
database contents. relational data model: A two-
dimensional table repre- sentation of data; each row
represents a unique entity (record) and each column is a
field where record attributes are stored. Tuple A row in a
table that contains data about a specific item in a database
table. primary key Database attribute, or combination of
attributes, that uniquely identifies each row in a table.
foreign key An attribute in a table that is also a primary
key in another table; used to link the two tables. update
anomaly  Improper database organization where a non-
primary key item is stored multiple times; updat- ing the
item in one location and not the others causes data
inconsistencies. insert anomaly Improper data- base
organization that results in the inability to add records to a
database. delete anomaly:  Improper organization of a
database that results in the loss of all informa- tion about
an entity when a row is deleted. relational database:  A
data- base built using the relational data model. entity
integrity rule A non- null primary key ensures that every
row in a table represents something and that it can be
identified. referential integrity rule Foreign keys which link
rows in one table to rows in another table must have
values that correspond to the value of a primary key in
another table. Two approaches to database design
normalization & semantic data modeling.  Normalization
Following relational database creation rules to design a
relational database that is free from delete, insert, and
update anomalies. semantic data modeling Using
knowledge of business processes and information needs
to create a diagram that shows what to include in a fully
normalized database (in 3NF). Designing a relational
database 1.Store all data in one uniform table 2.Vary the
number of column 3.The solution: a set of table. Basic
requirement of a relational database 1.Every column in a
row must be single valued 2.Primary key cannot be null.
3.Foreign keys, if not null, must have values that
correspond to the value of a primary key in another table
4.All nonkey attribute in a table must describe a
characteristic of the object identified by the primary key.
5. Fraud Threats to AIS (jenis ancaman terhadap sistem
informasi akuntansi), Natural and political disasters Any
threat that purely caused by natural and external
phenomenon such as floods or attacks by terrorists (The
systems are not at fault). Software errors and equipment
malfunctions: operating system crashes, hardware
failures, power outages and fluctuations. -> kesalahan
sistem yang tidak sengaja. Unintentional acts Accidents
caused by human carelessness: accidents or innocent
errors and omissions. -> kesalahan manusia yang tidak
sengaja Intentional acts (computer crimes): Sabotage,
Corruption, fraud, social engineering,malware. -> ada
tujuan jahat. Fraud is gaining an unfair advantage over
another person. Bisa disebut fraud kalo 1.A false
statement, representation, or disclosure 2.A material fact,
3.An intent to deceive 4.A justifiable reliance 5.An injury or
loss suffered by the victim. Two types of frauds:
Misappropriation of Asset (pencurian inventory, pelaku
biasanya karyawan) dan fraudulent financial reporting
(penyalahan informasi LK, pelaku biasanya manajemen).
WHO: Pelaku fraud sering disebut sebagai white-collar
criminals. WHY: Fraud Triangle, Terdapat tiga keadaan
dimana seseorang berpotensi menjadi pelaku fraud.
Pressure, is a person’s incentive or motivation for
committing fraud. Bisa karena alasan finansial, emosional
(merasa pekerjaan gak dihargain), dan lifestyle.
Opportunity,  is the condition or situation, including one’s
personal abilities to commit a fraud. Biasanya fraudster
punya kesempatan kalo internal control perusahaan ga
bagus. Rationalization, perpetrators to justify their illegal
fraud. Computer fraud is any fraud that requires computer
technology to perpetrate it (ex: destruction of software,
Theft of assets covered up by altering computer records).
Computer Fraud Classification: Input Fraud (The simplest
and most common way to commit a computer fraud is to
alter or falsify computer input) ->  perpetrators need only
understand how the system operates so they can cover
their tracks. Processor Fraud: unauthorized system use,
including the theft of computer time and services.
Computer Instructions Fraud: Computer instructions fraud
includes tampering with company software, copying
software illegally, using software in an unauthorized
manner, and developing software to carry out an
unauthorized activity. Data Fraud: Illegally using, copying,
browsing, searching, or harming company data constitutes
data fraud. Output Fraud: illegal copying of private
documents. Ways to Prevent and Detect Fraud:
organizations must create a climate that makes fraud less
likely, increases the difficulty of committing it, improves
detection methods, and reduces the amount lost if a fraud
occurs.
6. Fraud Komputer dan Teknik Abuse Spoofing: Pemalsuan
identitas dengan tujuan tertentu. Macam-macam bentuk
spoofing: 1.E-mail spoofing 2.Caller ID spoofing 3.IP
address spoofing 4.Address Resolution Protocol (ARP)
spoofing 5.SMS spoofing 6.Web-page spoofing 7.DNS
spoofing. Adware: Spyware yang merekam data pengguna
dan memunculkan iklan yang sesuai tanpa sepengetahuan
pengguna Bluebugging: Pengendalian remote pada
telepon genggam untuk mengakses tanpa izin dari pemilik.
Bluesnarfing: Pencurian data dengan media bluetooth.
Carding: Pencurian identitas kartu kredit dan transaksinya.
Chipping: Penanaman chip mikro pada kartu untuk
merekam aktivitas dan mencuri credentials. Data leakage:
Penyalinan dokumen organisasi tanpa izin. Eavesdropping:
Menguping percakapan yang bersifat pribadi. Economic
espionage: Pencurian informasi ekonomi dan hak properti.
Hacking: Pengaksesan yang bersifat ilegal atau
unauthorized pada suatu entitas atau objek. Hijacking:
pengambilalihan kendali atas komputer orang lain untuk
melakukan aktivitas terlarang, seperti mengirim spam
tanpa sepengetahuan pengguna komputer. Botnet:  A
network of powerful and dangerous hijacked computers
that are used to attack systems or spread malware.
Zombie:  A hijacked computer, typically part of a botnet,
that is used to launch a variety of Internet attacks. Denial-
of-service (DoS) attack: serangan komputer di mana
penyerang mengirimkan begitu banyak bom
email/permintaan halaman web, seringkali dari alamat
palsu yang dihasilkan secara acak, sehingga server email
atau penyedia layanan web server layanan Internet
kelebihan beban. Man-in-the-middle (mITm) attack:
Seorang hacker yang menempatkan dirinya di antara klien
dan host untuk mencegat komunikasi di antara mereka
Identity theft pencurian identitas untuk mendapatkan
tujuan tertentu (misal nomor social security) Internet
terrorism mengganggu lalu lintas internet pada
komunikasi dan e-commerce Internet pump-and-dump
Fraud penipuan yg menaikkan harga saham dan
penjualannya dengan media internet Keylogger: spyware
yang mencatat dan mengingat ketikan credentials tanpa
sepengetahuan pengguna. Malware: Perangkat lunak yang
bersifat menyalahgunakan. Password cracking Usaha
pembobolan kode sandi untuk mendapatkan akses pada
program, file, dan data. Phising: Suatu login page yang
dirancang persis laman asli untuk mendapatkan
credentials pengguna awam. Podslurping: Penggunaan
perangkat kecil dengan penyimpanan (iPod, Flash drive)
untuk menyalin file tanpa izin. Posing: Pembuatan bisnis
yang seolah legal dan mengumpulkan data pribadi dalam
proses transaksi tanpa adanya pengiriman barang yang
dijual. QR barcode replacements: menimpa QR asli dengan
QR yang dibuat untuk menjebak pengguna Ransomware:
Perangkat lunak yang ”menyandera” data pada suatu
perangkat dan memaksa pemilik perangkat tersebut
membayar sejumlah uang untuk menebusnya. Rootkit:
Seperangkat software yang bekerja menyeluruh, biasanya
untuk membobol akses ke inti dari sistem. Round-down
fraud fraud melalui pembulatan dua angka di belakang
desimal ke atas untuk meraup keuntungan pribadi Salami
technique: Mencuri bagian uang kecil dari transaksi besar
secara berkelanjutan. Scareware: Perangkat lunak
malicious yang tidak memiliki fungsi melainkan hanya
menakut-nakuti pengguna. Scavenging/dumpster diving:
Mencari informasi penting yang bersifat rahasia pada
folder recycle bin atau trash. Sexting: Bertukar pesan yang
bersifat seksual dan vulgar secara eksplisit pada telepon
genggam. Shoulder surfing: Mengintip/menguping saat
seseorang yang memiliki kewenangan membuka suatu
data yang bersifat rahasia. Skimming: Penggesekan kartu
secara ganda tanpa diketahui pemilik untuk mencatat
nomor kartu tersebut untuk penyalahgunaan. Social
engineering: Teknik yang meyakinkan orang lain untuk
membocorkan informasi rahasia atau pribadi. Software
izin. Spamming: Mengirim pesan yang tidak dikehendaki
oleh penerima secara berulang dalam jarak waktu yang
singkat. Dictionary attack: Using special software to guess
company e-mail addresses and send them blank e-mail
messages. Splog: Blog yang mencantumkan link lain untuk
menaikkan peringkat Google Rank link yang
direferensikan. Spyware: Perangkat lunak yang dirancang
untuk memata-matai pengguna. Steganography:
Menyembunyikan file gambar atau suara berukuran besar
pada suatu file host.  Superzapping: Penggunaan
perangkat lunak khusus untuk mem-bypass pengawasan
pada sistem dan melakukan tindakan ilegal. Tabnapping
upaya penggantian webpage pada tab tanpa diketahui
pengguna perangkat melalui Javascript Time bomb/logic
bomb: Perangkat lunak yang terlihat tidak melakukan apa-
apa hingga pada waktu yang telah ditentukan tanpa
sepengetahuan pengguna, akan menghancurkan data-data
yang ada pada sistem.  Torpedo software: Malware yang
selain merusak sistem, juga membasmi malware (saingan)
lain. Virus: Kode destruktif yang biasanya disisipkan pada
suatu file berekstensi .exe atau .bat. Zero-day attack
Penyerangan pada bug sistem sebelum celah bug tersebut
diperbaiki.
7. Control and AIS Internal controls processes
implemented to provide reasonable assurance that the
following control objectives are achieved: asset safeguard,
records maintenance, accurate and reliable information,
financial reports based on criteria, operational efficiency,
managerial policies, and comply with applicable laws and
regulations. threat/event Any potential adverse
occurrence or unwanted event that could injure the AIS or
the organization. exposure/impact The potential dollar
loss should a particular threat become a reality.
likelihood/risk The probability that a threat will come to
pass. Fungsi Internal Control preventive controls Controls
that deter problems before they arise. detective controls
Controls designed to discover control problems that were
not prevented. corrective controls Controls that identify
and correct problems as well as correct and recover from
the resulting errors. Kategori internal control general
controls Controls designed to make sure an organization’s
information system and control environment is stable and
well managed. application controls Controls that prevent,
detect, and correct transaction errors and fraud in
application programs. four levers of control (Robert
simons) - belief system System that describes how a
company creates value, helps employees understand
management’s vision, communicates company core
values, and inspires employees to live by those values.
boundary system System that helps employees act
ethically by setting boundaries on employee behavior.
diagnostic control system System that measures,
monitors, and compares actual company progress to
budgets and performance goals. interactive control system
System that helps managers to focus subordinates’
attention on key strategic issues and to be more involved
in their decisions. foreign Corrupt Practices Act (fCPA)
legislation passed to prevent companies from bribing
foreign officials to obtain business; also requires all
publicly owned corporations maintain a system of internal
accounting controls. Sarbanes–Oxley Act (SOX) legislation
intended to prevent financial statement fraud, make
financial reports more transparent, provide protection to
investors, strengthen internal controls at public
companies, and punish executives who perpetrate fraud.
Public Company Accounting Oversight Board (PCAOB) A
board created by SOX that regulates the auditing
profession; created as part of SOX. Aspek SOX - New rules
for auditors. Auditors must report specific information to
the company’s audit committee, such as critical accounting
policies and practices. New roles for audit committees
Audit committee members must be on the company’s
board of directors and be independent of the company
New rules for management, New Internal Control
Requirements report must contain management’s
assessment of the company’s internal controls, attest to
their accuracy, and report significant weaknesses or
material noncompliance. 3 Framework Internal Control
1.Control Objectives for Information and Related
Technology (COBIT) - A security and control framework
that allows (1) management to benchmark the security
and control practices of IT environments, (2) users of IT
services to be assured that adequate security and control
exist, and (3) auditors to substantiate their internal control
opinions and advise on IT security and control matters.
2.Committee of Sponsoring Organizations (COSO)- A
privatesector group consisting of the American Accounting
Association, the AICPA, the Institute of Internal Auditors,
the Institute of Management Accountants, and the
financial Executives Institute. Internal Control—Integrated
framework (IC) A COSO framework that defines internal
controls and provides guidance for evaluating and
enhancing internal control systems. Enterprise Risk
Management—Integrated framework (ERM) A COSO
framework that improves the risk management process by
expanding (adds three additional elements) COSO’s
Internal Control—Integrated. internal environment The
company culture that is the foundation for all other ERM
components, as it influences how organizations establish
strategies and objectives; structure business activities; and
identify, assess, and respond to risk. risk appetite The
amount of risk a company is willing to accept to achieve its
goals and objectives. To avoid undue risk, risk appetite
must be in alignment with company strategy. audit
committee The outside, independent board of director
members responsible for financial reporting, regulatory
compliance, internal control, and hiring and overseeing
internal and external auditors. policy and procedures
manual A document that explains proper business
practices, describes needed knowledge and experience,
explains document procedures, explains how to handle
transactions, and lists the resources provided to carry out
specific duties. background check Aninvestigation of a
prospective or current employee that involves verifying
their educational and work experience, talking to
references, checking for a criminal record or credit
problems, and examining other publicly available
information. Dua model ERM 1. Objectives setting
a.strategic objectives - High-level goals that are aligned
with and support the company’s mission and create
shareholder value. b.operations objectives -  Objectives
that deal with the effectiveness and efficiency of company
operations and determine how to allocate resources.
c.reporting objectives - Objectives to help ensure the
accuracy, completeness, and reliability of company
reports; improve decision making; and monitor company
activities and performance. d.compliance objectives -
Objectives to help the company comply with all applicable
laws and regulations. 2. event identification- event A
positive or negative incident or occurrence from internal
or external sources that affects the implementation of
strategy or the achievement of objectives. inherent risk
The susceptibility of a set of accounts or transactions to
significant control problems in the absence of internal
control. residual risk The risk that  remains after
management implements internal controls or some other
response to risk. Ways to respond risk reduce, share,
accept, avoid. Expected loss: Impact x Likelihood. Control
activities policies, procedures, and rules that provide
reasonable assurance that control objectives are met and
risk responses are carried out. Authorization management
lacks the time and resources to supervise each company
activity and decision, it establishes policies for employees
to follow and then empowers them. digital signature a
means of electronically signing a document with data that
cannot be forged. General authorization management can
authorize employees to handle routine transactions
without special approval. segregation of accounting duties
= Authorization—approving transactions and decisions.
Recording—preparing source documents; entering data
into computer systems; and maintaining journals, ledgers,
files, or databases.Custody—handling cash, tools,
inventory, or fixed assets; receiving incoming customer
checks; writing checks. systems administrator Person
responsible for making sure a system operates smoothly
and efficiently. network manager Person who ensures that
the organization’s networks operate properly. security
management People that make sure systems are secure
and protected from internal and external threats. change
management Process of making sure changes are made
smoothly and efficiently and do not negatively affect the
system. users People who record transactions, authorize
data processing, and use system output. systems analysts
People who help users determine their information needs
and design systems to meet those needs. programmers
People who use the analysts’ design to create and test
computer programs. computer operators People who
operate the company’s computers. information system
library Corporate databases, files, and programs stored
and managed by the system librarian. data control group
People who ensure that source data is approved, monitor
the flow of work, reconcile input and output, handle input
errors, and distribute systems output. steering committee
An executive-level committee to plan and oversee the
information systems function. strategic master plan A
multiple-year plan of the projects the company must
complete toachieve its long-range goals. project
development plan A document that shows how a project
will be completed. project milestones Points where
progress is reviewed and actual and estimated completion
times are compared. system performance measurements
Ways to evaluate and assess a system. data processing
schedule A schedule that shows when each data
processing task should be performed. throughput The
amount of work performed by a system during a given
period of time. response time How long it takes for a
system to respond. utilization The percentage of time a
system is used. postimplementation review Review,
performed after a newsystem has been operating for a
brief period, to ensure that it meets its planned objectives.
systems integrator An outside party hired to manage a
company’s systems development effort. analytical review
The examination of the relationships between different
sets of data. audit trail A path that allows a transaction to
be traced through a data processing system from point of
origin to output or backward from output to point of
origin. computer security officer (CSO) An employee
independent of the information system function who
monitors the system,disseminates information about
improper system uses and their consequences, and
reports to top management. chief compliance officer
(CCO) An employee responsible for all the compliance
tasks associated with SOX and other laws and regulatory
rulings. forensic investigators Individuals who specialize in
fraud, most of whom have specialized training with law
enforcement agencies such as the FBI or IRS or have
professional certifications such as Certified Fraud
Examiner (CFE). computer forensics specialists Computer
experts who discover, extract, safeguard, anddocument
computer evidence such that its authenticity, accuracy,
and integrity will not succumb to legal challenges. neural
networks Computing systems that imitate the brain’s
learning process by using a network of interconnected
processors that perform multiple operations
simultaneously and interact dynamically. fraud hotline A
phone number employees can call to anonymously report
fraud and abuse.
8. Controls for Information Security The Trust Services
Framework organizes IT-related controls into five
principles that jointly contribute to systems reliability:
(1)Security—access (both physical and logical) to the
system and its data is controlled and restricted to
legitimate users(2)Confidentiality—sensitive
organizational information (e.g., marketing plans, trade
secrets) is protected from unauthorized disclosure.
(3)Privacy—personal information about customers,
employees, suppliers, or business partners is collected,
used, disclosed, and maintained only in compliance with
internal policies and external regulatory requirements and
is protected from unauthorized disclosure (4)Processing
Integrity—data are processed accurately, completely, in a
timely manner, and only with proper authorization
(5)Availability—the system and its information are
available to meet operational and contractual obligations.
Two Fundamental Information Security Concepts
(1)Security Is a Management Issue, Not Just a Technology
Issue, steps:(a)Assess threats & select risk response
(b)Develop and communicate policy (c)Acquire &
implement solutions (d) Monitor performance (2)
Defense-in-Depth and the Time-Based Model of
Information Security, is The idea of defense-in-depth is to
employ multiple layers of controls in order to avoid having
a single point of failure. time-based model of security P =
the time it takes an attacker to break through the
organization’s preventive controls, D = the time it takes to
detect that an attack is in progress, C = the time it takes to
respond to the attack and take corrective action. Those
three variables are then evaluated as follows: If P > D + C,
then the organization’s security procedures are effective.
Otherwise, security is ineffective. Understanding Targeted
Attacks, steps: (1)Conduct reconnaissance, (2)Attempt
social engineering, (3)Scan and map the target,
(4)Research, (5)Research, (6)Cover tracks. authentication
Verifying the identity of the person or device attempting
to access the system. biometric identifier A physical or
behavioral characteristic that is used as an authentication
credential. multifactor authentication The use of two or
more types of authentication credentials in conjunction to
achieve a greater level of security. multimodal
authentication The use of multiple authentication
credentials of the same type to achieve a greater level of
security. authorization The process of restricting access of
authenticated users to specific portions of the system and
limiting what actions they are permitted to perform.
compatibility test Matching the user’s authentication
credentials against the access control matrix to determine
whether that employee should be allowed to access that
resource and perform the requested action. border router
A device that connects an organization’s information
system to the Internet. firewall A special-purpose
hardware device or software running a general-purpose
computer that controls both inbound and outbound
communication between the system behind the firewall
and other networks. demilitarized zone (DMZ) A separate
network located outside the organization’s internal
information system that permits controlled access from
the Internet. Encryption: konten -> ciphertext. Decryption:
ciphertext -> konten. Tujuan enkripsi: melindungi data
saat perjalanan melalui internet (kontrol preventif). Tiga
faktor yg menentukan kekuatan enkripsi: (1) key length
(2)encryption algorithm (3)kebijakan mengelola
crypthographic keys. Dua jenis sistem enkripsi
(1)symmetric, kuncinya sama (2)asymmetric, pake dua
kunci yaitu public (disebar) & private (dirahasiakan). Jenis
enkripsi: (1) Hasing, mengubah plaintext -> hash (2) Tanda
tangan digital, hash yang dienkripsi dgn private key (3)
digital certificate, dokumen mengandung kunci public
beserta pemiliknya (4) public key infrastructure, sistem yg
menerbitkan private & public key beserta digital certificate
(5) VPN, menggunakan encryption & authentification
untuk transfer informasi melalui internet dgn aman
(menciptakan virtual private network)
9. Confidentiality & Privacy Controls 4 basic action to
preserve sensitive information 1)identify & classify.
(COBIT) 5 management practice APO01.06 points out that
classification is the responsibility of information owners.
the appropriate set of controls can be deployed to protect
it. 2)encrypt(the only way to protect information)
3)control assess, Information Right Management (IRM)
software for additional layer to protect that stored in
digital format. Data loss prevention (DLP) like antivirus
program in reverse blocking that contain keyword that org
want to protect outgoing massage. Digital watermark code
embedded in doc that enables an org to identify
information that has been disclosed. COBIT 5 DSS05.06 -
control physical access to sensitive information stored in
physical documents. The importance of proper disposal of
sensitive information. Access controls-protect
confidentiality must be continuously reviewed and
modified to respond to new threats created by
technological advances.  Control in virtual environments,
sensitive data  should not be hosted on the same physical
server with virtual machines that are accessible via the
Internet 4)train employee. Privacy control, first step to
protect is identify what information the org processes,
stored, who access it. Information need to be encrypted
while it transit and storage. Data masking- protecting
privacy by replacing sensitive personal information with
fake data (tokenization). Spam ( unsolicited email that
contains either edv or offensive content).  U.S. Congress
passed the Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-SPAM) Act in 2003.
CAN-SPAM provides both criminal and civil penalties for
violations of the law. Identity theft is the unauthorized use
of someone’s personal information for the perpetrator’s
benefit. Privacy regulation. federal regulations, including
the Health Insurance Portability and Accountability Act
(HIPAA), the Health Information Technology for Economic
and Clinical Health Act (HITECH), and the Financial Services
Modernization Act (commonly referred to as the Gramm–
Leach–Bliley Act, representing the names of its three
Congressional sponsors)- to protect customers personal
information. GAPP identifies and defines the following 10
internationally recognized best practices for protecting the
privacy of customers’ personal information:
1)management protect privacy of customers. 2)notice-
before collect personal information, as soon as practicable
thereafter. 3)Choice and consent , 4)Collection, cookie is a
text file created by a website and stored visitor hard disk
5)Use, retention, and disposal when info no longer useful
it should be disposed, 6)access provide individuals with
the ability to access, review, correct, and delete,
7)Disclosure to third parties 8)security 9)quality
10)monitoring & enforcement org should assign
employees to be responsible ensuring compliance, and
periodically verify that their employees are complying.
encryption is the process of transforming normal content,
called plaintext, into unreadable gibberish, called
ciphertext. Decryption reverses this process, transforming
ciphertext back into plaintext. Important factor strength of
any encryption system: (1) key length, (2) encryption
algorithm, and (3) policies for managing the cryptographic
keys.Symmetric encryption that use the same key both to
encrypt and to decrypt. asymmetric encryption systems -
that use two keys (one public, the other private); either
key can encrypt, but only the other matching key can
decrypt.Public key keys used in asymmetric encryption
systemsPrivate key used in asymmetric encryption
systems.key escrow - process of storing a copy of an
encryption key in a secure location. Hashing transforming
plaintext of any length into a short code called a
hash(Plaintext transformed into short code).
nonrepudiation  legally binding agreements that cannot be
unilaterally repudiated by either party. public key
infrastructure (PKI)  issuing pairs of public and private keys
and corresponding digital certificates. virtual private
network (vPn) Using encryption and authentication to
securely transfer information over the Internet, thereby
creating a “virtual” private network.
10. Processing Integrity & Availability Controls -Data
Input/A turnaround document is a record of company data
sent to an external party and then returned by the
external party for subsequent input to the system. Threat
input (Data that is: Invalid.
Unauthorized,IncompleteInaccurate). Data Entry control
(A sequence check tests whether a transaction file is in the
proper numerical or alphabetical Sequence, Batch totals
calculate numeric values for a batch of input records(Batch
totals calculate numeric values for a batch of input records
(financial total,hash total, record count), Prompting,
Closed-loop verification) Data proses/Data matching, File
labels, Recalculation of batch totals, Cross-footing and
zero-balance, Write-protection mechanismsConcurrent
update controls output/ User review of output,
Reconciliation procedure, External data reconciliation,
Data transmission controls(Checksum, Parity bits).
Minimizing risk of system downtime (Preventive
maintenance, Fault tolerance,Data center location and
design,Training,Patch management and antivirus
software). recovery and resumption of normal operation
(Backup procedures,Disaster recovery plan (DRP), Business
continuity plan (BCP). fault tolerance( The capability of a
system to continue performing when there is a hardware
Failure) redundant arrays of independent drives (RAID) - A
fault tolerance technique that records data on multiple
disk drives instead of just one to reducethe risk of data
loss. uninterruptible power supply (UPS) An alternative
power supply device that protects against the loss of
power and fluctuations in the power level by using battery
power to enable the system to operate long enough to
back up critical data and safely shut down. recovery point
objective (RPO) - The amount of data the organization is
willing to reenter or potentially lose. recovery time
objective (RTO) The maximum tolerable time to restore an
organization’s information system following a disaster,
representing the length of time that the organization is
willing to attempt to function without its information
system. incremental backup A type of partial backup that
involves copying only the data items that have changed
since the last partial backup. This produces a set of
incremental backup files, each containing the results of
one day’s transactions. differential backup - A type
ofpartialbackup that involves copying all changes made
since the last full backup. Thus, each new differential
backup file contains the cumulative effects of all activity
since the last full backup disaster recovery plan (DRP) A
plan to restore an organization’s IT capability in the event
that its data center is destroyed. cold site A disaster
recovery option that relies on access to an alternative
facility that is prewired for necessary telephone and
Internet access, but does not contain any computing
equipment. hot site A disaster recovery option that relies
on access to a completely operational alternative data
center that is not only prewired but also contains all
necessary hardware and software. real-time mirroring
Maintaining complete copies of a database at two
separate data centers and updating both copies in real-
time as each transaction occurs.
11. Sistem Informasi Audit Audit adalah proses sistematis
untuk mendapatkan dan mengevaluasi bukti dan
pernyataan-pernyataan mengenai kegiatan ekonomi dan
internal control dengan standar kriteria audit. Tipe-tipe
audit: 1)Financial Audit: memeriksa reliability dan
integritas transaksi keuangan, pencatatan akuntansi, dan
laporan keuangan. 2)Sistem Informasi/Internal Control
Audit: pemeriksaan secara general dan secara kontrol
aplikasi dari sebuah sistem informasi utk melihat apakah SI
tersebut “compliance” dengan kebijakan dan prosedur
kontrol internal serta efektivitas dalam pengamanan aset.
3)Operational Audit: berpusat pada penggunaan sumber
daya yang ekonomis dan efisien untuk mencapai tujuan
dan objectives yang telah ditetapkan. 4)Compliance Audit:
menentukan apakah entitas patuh (compliance) pada
hukum, regulasi, kebijakan dan prosedur. Proses audit ini
kerap menghasilkan rekomendasi untuk meningkatkan
proses dan kontrol untuk memastikan kepatuhannya dgn
regulasi. 5)Investigative Audit: memeriksa kemungkinan
fraud, misappropriation of assets, waste dan kekerasan,
atau aktivitas pemerintahan yang tidak baik. Proses Audit:
1)  Audit Planning: proses audit hrs direncanakan sehingga
bs berfokus pada area yang memiliki faktor resiko
terbesar. 3 tipe resiko audit : a) Inherent Risk: resiko jika
tidak ada proses kontrol. b) Control Risk: resiko adanya
kesalaha material di dalam pelaporan laporan keuangan
dan internal control. c) Detection Risk: resiko auditor dan
prosedur yg dilakukannya gagal mendeteksi salah saji
material. Proses yg kedua yaitu 2) Audit Evidence: a)
Observation (watching how data control personnel handle
data processing work as it is received) b) Review of
documentation to understand how a particular process or
internal control system is supposed to function c)
Discussions with employees d) Physical examination of
tangible assets e) Confirmation f) Reperformance of
calculations to verify quantitative information g) Vouching:
dr transaksi diliat ke dokumen h) Analytical Review:
memeriksa hubungan dari data-data untuk melihat
hubungan atau tren yg tidak biasa. Proses ke tiga yaitu 3)
Evaluasi Audit Evidence -> 1) Materialitas: Amount of an
error, fraud, or omission that would affect the decision of
a prudent user of financial information. 2)reasonable
assurance - Obtaining complete assurance that
information is correct is prohibitively expensive, so
auditors accept a reasonable degree of risk that the audit
conclusion is incorrect. THE RISK-BASED AUDIT APPROACH
1. Determine the threats (fraud and errors) facing the
company 2. Identify the control procedures 3. Evaluate
control procedures. Controls are evaluated in two ways: a.
a systems review determines whether control procedures
are actually in place b. Tests of controls are conducted to
determine whether existing controls work as intended. 4.
Evaluate control weaknesses. Sistem info audit goals: to
review and evaluate the internal controls that protect the
system; Auditor harus memastikan bahwa 6 tujuan audit
ini terpenuhi 1 ) Overall security 2) Program Development
and Acquisition:  During systems review, auditors should
discuss development procedures with management,
system users, and information system personnel.(list types
of errors & fraud, control procedures, audit procedures
(system review, test of control), compensating control 3)
Program Modification: The auditor should verify that
separate development and production programs are
maintained and that changes are implemented by
someone independent of the user and programming
functions. The development program’s access control
table is reviewed to verify that only authorized users had
access to the system 4)  Processing Test Data: Process a
hypothetical set of valid and invalid transactions. The
program should process all valid transactions correctly and
reject all invalid ones -> using test data generator. Test
Data Generator: software berdasarkan spesifikasi program
untuk menghasilkan data set utk mengetes program logic.
5)Concurrent Data Technique Continually monitor the
system and collect audit evidence while live data are
processed during regular operating hours. Using: An
integrated test facility (ITF) - inserts fictitious records that
represent a fictitious division, department, customer, or
supplier in company master files. Processing test
transactions to update them will not affect actual records;
Snapshot technique marking transactions with a special
code, recording them and their master file records before
and after processing, and storing the data to later verify
that all processing steps were properly executed; System
control audit review file (SCARF) - using embedded audit
modules to continuously monitor transactions, collect data
on transactions with special audit significance, and store
the data to later identify and investigate questionable
transactions; Audit hooks- audit routines that notify
auditors of questionable transactions, often as they occur.
Continous and Intermitten Simulation (CIS): menanamkan
modul audit dalam database sistem manajemen (DBMS)
yang memeriksa semua transaksi yang memperbarui
database menggunakan kriteria yang mirip dengan SCARF.
Jika suatu transaksi memiliki signifikansi audit khusus,
maka Modul CIS secara mandiri memproses data (dengan
cara yang mirip dengan simulasi paralel), mencatat
hasilnya, dan membandingkannya dengan yang diperoleh
oleh DBMS. Ketika perbedaan ada, mereka disimpan
dalam log audit untuk penyelidikan selanjutnya. Jika trdpt
perbedaan serius, CIS dapat mencegah DBMS dari
melakukan pembaruan. Jika auditor menemukan program
yang terdapat unauthorized code atau serious errors,
maka Analisis Program Logic yang mendetail sangat
diperlukan, dimana analisis ini membutuhkan keahlian
pada bahasa programming dan auditor menganalisis
perkembangan,operasional dan dokumentasi program
serta menggunakan software berikut ini: a)Automated
Flowcharting Programs: perangkat lunak yang
menerjemahkan kode sumber program dan menghasilkan
alur diagram (flowchart) dari logika program. b)Automated
Decision Table Programs: software yg menginterpretasikan
kode sumber program dan menghasilkan decision table
dari logika program. c)Scanning Routines: software yang
mencari program untuk keterjadiannya (occurence) dari
suatu item yg spesifik. d)Mapping programs: software yg
mengidentifikasi kode program yg belum dieksekusi.
e)Program Tracing: Secara berurutan mencetak semua
program yang dieksekusi langkah-langkah, bercampur
dengan output, jadi urutan eksekusi program dapat
diamati. f)Input Controls Matrix: sebuah matrix yg dapat
menunjukkan prosedur kontrol yg diterapkan untuk setiap
input record field; digunakan untuk mendokumentasikan
review input controls matrix dari sumber data controls.
Audit Software - Computer-assisted audit techniques
(CAATs) refer to audit software, often called generalized
audit software (GAS), that uses auditor-supplied
specifications to generate a program that performs audit
functions, thereby automating or simplifying the audit
process