Slide 1 - IT Audit Fundamentals (Dasar-Dasar Audit TI)
General IT Risks
Factors that create the need for control and audit of information systems (slide diagram, flattened):
• Organizational costs of data loss
• Costs of incorrect decision making
• Costs of computer abuse
• Value of H/W, S/W & B/W (hardware, software and brainware, i.e. the people who run them)
• High costs of computer error
• Maintenance of privacy
• Controlled evolution of computer use
These factors drive Control and Audit, which in turn changes the way audit evidence is collected and the way it is evaluated (change to evidence collection, change to evidence evaluation).
Auditor Competency:
• Generalist
• IT Auditor
• IT Control & Security Specialist
Definition of IT Audit:
Ron Weber, Information Systems Control and Audit (1999)
Information systems auditing is the process of collecting and evaluating evidence to
determine whether a computer system safeguards assets, maintains data integrity, allows
organizational goals to be achieved effectively, and uses resources efficiently. Sometimes
information systems auditing has another objective –which is ensuring that an organization
complies with some regulation.
ORGANIZATIONS: what an IT audit safeguards and assesses (slide diagram, flattened)
Assets to be safeguarded:
•Hardware
•Software
•Facilities
•People
•Data
•System Documentation
•Supplies
Attributes of data integrity:
•Completeness
•Soundness
•Purity
•Veracity
Resources whose efficient use is assessed:
•Machine Time
•Peripherals
•System Software
•Labor
Top Management
IS Management
Programming Management
Data Management
Security Management
IT AUDIT (Audit Teknologi Informasi) draws on four disciplines (slide diagram, flattened): traditional auditing, information technology management, computer science, and behavioural science.
Audit process (slide flowchart, flattened; "T" on the slide is Tidak, i.e. No):
Annual Audit Planning -> Audit Planning -> Control Evaluation -> Control exists?
  No  -> Extended Substantive Testing
  Yes -> Control Testing -> Control is effective?
    No  -> Extended Substantive Testing
    Yes -> Limited Substantive Testing
Substantive Testing -> Audit Reporting -> Audit Follow-up
Audit Planning
Business information
Documentation of the understanding of IT
Financial data (revenue, costs, profit, assets)
Organizational indicators (structure, size, locations, affiliations)
Audit objectives and audit scope
Audit risk
AR = IR x CR x DR (audit risk = inherent risk x control risk x detection risk)
Audit team and audit schedule
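The audit risk model AR = IR x CR x DR is usually applied in the other direction at planning time: the target audit risk is fixed, inherent and control risk are assessed, and the auditor solves for the detection risk that substantive testing must achieve, DR = AR / (IR x CR). The example below is added here and is not from the slides; it combines that calculation with the slide's decision flow (control exists? -> control effective? -> limited or extended substantive testing). The 0.5 cut-off between limited and extended testing, the scenario values and all names are assumptions chosen for illustration.

```python
"""Planned detection risk and the extent of substantive testing.

Added example, not from the slides. Applies AR = IR x CR x DR by solving
for DR = AR / (IR x CR): the risk that substantive procedures are allowed
to leave undetected. The lower that figure, the more substantive work is
needed. The 0.5 cut-off between "limited" and "extended" testing is an
assumption for the example; real engagements use their firm's thresholds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskAssessment:
    target_audit_risk: float      # AR: acceptable risk of an undetected material error
    inherent_risk: float          # IR: risk before considering controls
    control_exists: bool          # outcome of control evaluation
    control_effective: bool       # outcome of control testing (meaningful only if a control exists)
    assessed_control_risk: float  # CR from control testing, used only if the control can be relied on


def _check_probability(name, value):
    """Each factor is a probability; 0 is excluded because the model divides by IR x CR."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value!r}")


def control_risk(a):
    """CR as the auditor may use it in the model.

    If no control exists, or control testing showed it is not effective,
    the auditor cannot rely on it and must take CR at its maximum, 1.0.
    """
    if not a.control_exists or not a.control_effective:
        return 1.0
    _check_probability("assessed_control_risk", a.assessed_control_risk)
    return a.assessed_control_risk


def planned_detection_risk(a):
    """DR = AR / (IR x CR), capped at 1.0.

    A result above 1.0 means even minimal substantive testing already keeps
    audit risk below target, so the cap loses nothing.
    """
    _check_probability("target_audit_risk", a.target_audit_risk)
    _check_probability("inherent_risk", a.inherent_risk)
    dr = a.target_audit_risk / (a.inherent_risk * control_risk(a))
    return min(dr, 1.0)


def substantive_testing_extent(a, limited_min_dr=0.5):
    """Follow the slide's flow, then refine it with the risk model.

    Missing or ineffective controls go straight to extended testing. Where
    controls can be relied on, limited testing is acceptable only if the
    planned detection risk is at least `limited_min_dr` (assumed 0.5).
    """
    if not a.control_exists or not a.control_effective:
        return "extended"
    return "limited" if planned_detection_risk(a) >= limited_min_dr else "extended"


def plan(a):
    """Summary record an audit program would carry for one control area."""
    return {
        "control_risk": control_risk(a),
        "planned_detection_risk": round(planned_detection_risk(a), 4),
        "substantive_testing": substantive_testing_extent(a),
    }


# Constructed scenarios (assumed values), all with a 5% target audit risk.
SCENARIOS = {
    # Batch application with reliable controls: DR = 0.05 / (0.5 x 0.2) = 0.5 -> limited.
    "batch_app_effective_controls": RiskAssessment(0.05, 0.5, True, True, 0.2),
    # No control over the area: CR = 1.0, DR = 0.05 / 0.8 = 0.0625 -> extended.
    "no_control": RiskAssessment(0.05, 0.8, False, False, 0.2),
    # Complex online application: controls are effective, but IR is so high that
    # DR = 0.05 / (0.9 x 0.3) = 0.185 -> still extended.
    "complex_app_effective_controls": RiskAssessment(0.05, 0.9, True, True, 0.3),
    # Control exists but failed testing: the assessed CR is ignored, CR = 1.0 -> extended.
    "control_failed_testing": RiskAssessment(0.05, 0.5, True, False, 0.2),
}


if __name__ == "__main__":
    for name, assessment in SCENARIOS.items():
        print(name, plan(assessment))
```

The third scenario is the one worth noticing: controls that pass testing do not by themselves justify limited substantive testing when the application's inherent risk is high, which is exactly why the later slides treat complex, high-volume applications with embedded controls and audit-trail gaps as high inherent risk.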
Control Evaluation
Policies, standards, guidelines, procedures, organizational structure
IT environment
Operating systems and application systems
Infrastructure
Communications
IT controls
Planning and organization
Development and implementation
IT operations and services
Documentation of IT information
Application system diagram (data/application flow diagram)
Infrastructure & network diagram (network diagram)
IT risk assessment
General IT risk (IT inherent risk)
IT control risk
Example: information system of entity "ABC" (application flow diagram from the slide, flattened). Top flow: Entity A -> Data 1 -> Application A -> Data 2 -> Application C -> Entity B. Below it: Application B with Data 3 and Data 4, and Database A. The flows are numbered 1, 2 and 3 on the slide, which also carries a server list (Daftar Server).
Control Evaluation
Policies, standards, guidelines, procedures, organizational structure
Control Testing
Risk analysis
Review of internal controls
Substantive Testing
Tests of details of transactions
Audit Reporting
Audit findings and conclusions
Audit Follow-up
INPUT -> PROCESS -> OUTPUT
Considerations:
Low inherent risk; the application logic is straightforward; input transactions are batched; controls are applied through traditional methods; processing only sorts the input data and updates the master file sequentially; the audit trail exists and is clear; the environment is relatively constant; the system is rarely modified.
INPUT -> PROCESS -> OUTPUT
Considerations:
High inherent risk; the application processes large volumes of input and output; significant internal controls are embedded in the system; the processing logic is complex; there are significant gaps in the audit trail.
ISACA IS Auditing Standards: three levels of guidance
Standards
Guidelines
Procedures
S1 Audit Charter
The purpose, responsibility, authority and accountability of the
information systems audit function or information systems audit
assignments should be appropriately documented in an audit charter or
engagement letter.
The audit charter or engagement letter should be agreed and approved
at an appropriate level within the organisation(s).
S2 Independence
Professional Independence
In all matters related to the audit, the IS auditor should be independent
of the auditee in both attitude and appearance.
Organisational Independence
The IS audit function should be independent of the area or activity being
reviewed to permit objective completion of the audit assignment.
S4 Professional Competence
The IS auditor should be professionally competent, having the skills and
knowledge to conduct the audit assignment.
The IS auditor should maintain professional competence through appropriate
continuing professional education and training.
S5 Planning
The IS auditor should plan the information systems audit coverage to address the audit
objectives and comply with applicable laws and professional auditing standards.
The IS auditor should develop and document a risk-based audit approach.
The IS auditor should develop and document an audit plan detailing the nature, objectives, timing, extent and resources required.
The IS auditor should develop and document an audit program and/or plan detailing the nature, timing and extent of the audit procedures required to complete the audit.
S6 Performance of Audit Work
Evidence
During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
Documentation
The audit process should be documented, describing the audit work performed and the audit evidence that supports the IS auditor's findings and conclusions.
S7 Reporting
The IS auditor should provide a report, in an appropriate form, upon completion of the
audit. The report should identify the organisation, the intended recipients and any
restrictions on circulation.
The audit report should state the scope, objectives, period of coverage and the nature,
timing and extent of the audit work performed.
The report should state the findings, conclusions and recommendations and any
reservations, qualifications or limitations in scope that the IS auditor has with respect to
the audit.
The IS auditor should have sufficient and appropriate audit evidence to support the results
reported.
When issued, the IS auditor’s report should be signed, dated and distributed according to
the terms of the audit charter or engagement letter.
S8 Follow-Up Activities
After the reporting of findings and recommendations, the IS auditor should request and
evaluate relevant information to conclude whether appropriate action has been taken by
management in a timely manner.
S10 IT Governance
The IS auditor should review and assess whether the IS function aligns with the
organisation’s mission, vision, values, objectives and strategies.
The IS auditor should review whether the IS function has a clear statement about the
performance expected by the business (effectiveness and efficiency) and assess its
achievement.
The IS auditor should review and assess the effectiveness of IS resource and performance
management processes.
The IS auditor should review and assess compliance with legal, environmental and
information quality, and fiduciary and security requirements.
A risk-based approach should be used by the IS auditor to evaluate the IS function.
The IS auditor should review and assess the control environment of the organisation.
The IS auditor should review and assess the risks that may adversely affect the IS environment.