Audit Lifecycle

LOVINTA H. ATRINAWATI, CISA

INFORMATION SYSTEMS
Learning Outcomes
• Students are able to plan audit engagements
• Students are able to perform audit engagements

Managing Audit Function

Audit
• Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

BNI Organization Structure

Astra International

POSITIONING THE INTERNAL AUDIT FUNCTION IN THE ORGANIZATION

• The internal audit is effectively managed when:
◦ The results of the internal audit’s work achieve the purpose and responsibility included in the internal audit charter;
◦ The internal audit conforms with the Standards;
◦ The individuals who are part of the internal audit demonstrate conformance with the Code of Ethics and the Standards; and
◦ The internal audit activity considers trends and emerging issues that could impact the effectiveness of the internal audit.

Position in the organization
• The positioning of the internal audit function affects the degree to which it can remain objective
• Being positioned on a level with senior management with direct access to the audit committee gives the internal audit function greater independence and, consequently, greater objectivity
• Individual objectivity
◦ An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.
• Organizational independence
◦ The chief audit executive’s line of reporting within the organization that allows the internal audit function to fulfill its responsibilities free from interference.

Reporting to the Board and Senior Management
• The CAE has the responsibility to
◦ report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan, and on its conformance with the Standards.
◦ Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board
• coordinate with management routinely regarding the efforts to report on various risk and control activities performed by either, in accordance with roles and responsibilities set by the board and the audit committee

Audit Charter
• A formal written document that defines the internal audit function’s
purpose, authority, and responsibility. The internal audit charter is
subordinate to the audit committee’s charter.

Audit Charter
• Link – BNI Audit Charter
• Link – Astra International Audit Charter

Relationships with other units
• Often, the internal audit function will coordinate efforts with other
departments in the organization that have similar risk mitigation
objectives and responsibilities, such as compliance and risk
management. As long as the internal audit function is not asked to
perform operating activities or design processes and procedures
they will later need to evaluate as part of their duties as an internal
audit function, there is no impairment to independence or
objectivity.

Coordinating Assurance Efforts

INTERNAL AUDIT ROLE IN ENTERPRISE RISK MANAGEMENT

Planning Audit Activities as a Function in the Organization
• Internal audit plan
◦ Assurance services
◦ Consulting/Advisory services

• Audit Universe
• Example
◦ Risk factor
◦ Audit Universe
◦ Internal Audit Plan

Communication and Approval
• After the internal audit plan has been established, it is incumbent
upon the CAE to present it to senior management and the board
(typically the audit committee) to be approved.
• The audit plan may include:
◦ A list of proposed audit engagements (and a specification of whether each engagement is assurance or consulting in nature).
◦ The rationale for selecting each proposed engagement (for example, risk rating, time since last audit, change in management, etc.).
◦ The objectives and scope of each proposed engagement.
◦ A list of initiatives or projects that result from the internal audit strategy but may not be directly related to an audit engagement.

Resource Management
• Organizational Structure and Staffing Strategy
◦ Staff auditor or IT staff auditor.
◦ Senior auditor or IT senior auditor (sometimes referred to as an in-charge
auditor).
◦ Audit manager or IT audit manager.
◦ Audit director or IT audit director.
◦ Chief audit executive.

Audit Lifecycle

Audit Process

• Plan
◦ Determine the audit objectives and scope
◦ Understand the auditee, its objectives and its business processes
◦ Identify and assess risks
◦ Identify controls
◦ Prepare the audit procedures (test plan)
• Perform
◦ Execute the audit procedures and collect evidence
◦ Evaluate the evidence collected and draw conclusions
◦ Formulate recommendations based on the conclusions reached
• Communicate
◦ Conduct preliminary communication/confirmation to ensure the audit results are valid
◦ Conduct the final communication
◦ Monitor and follow up on the implementation of the recommendations

Internal Auditing: Assurance & Consulting Services. 2017

Lovinta Happy Atrinawati, S.T., M.T., CISA | Program Studi Sistem Informasi
Reasons for Conducting an Engagement
• Risk level
◦ Inherent risk identified during the risk assessment
◦ Risks detected the last time the area was audited
• Compliance
◦ The organization’s system of internal controls for external reporting purposes (PSAK, tax regulation)
• Recent event
◦ Evaluate the process under unusual circumstances (example: natural disaster, fraud, customer bankruptcy)
• Changes
◦ Example: new technology implementation, staff promotion or transfer, etc.
SF1313 - AUDIT SISTEM INFORMASI
Audit Objectives and Scope
• Audit objectives
◦ evaluate the adequacy of controls for the ….. process
◦ evaluate the compliance of …… with the …. regulations
◦ evaluate the effectiveness and efficiency of the …. system
◦ evaluate the accuracy of …..
◦ evaluate the performance of …..
• The scope covers locations, time period, components, processes, and subprocesses
Audit Procedures
• Audit procedures are the specific activities performed by the auditor to collect evidence that the audit objectives have been met

• Test of Control
◦ Obtain a thorough understanding of the auditee, including the auditee’s objectives, risks, and controls
◦ Test the design adequacy and operating effectiveness of the targeted area’s system of internal controls
• Substantive Test
◦ Analyze plausible relationships among different elements of data
◦ Directly test recorded financial and nonfinancial information for errors and fraud
Audit Procedures
• Inquiry: asking the auditee or a third party in order to obtain written or unwritten answers
◦ is the information conveyed correct? honest or a lie?
• Observation: watching a person work or a process being carried out
◦ limited in time
• Inspection: studying documents and other physical evidence
◦ present or not? complete or not? is the content as expected or not?
• Vouching: tracing information from the most recent document back to the preceding documents. Used to check the validity of information that is typically overstated.
◦ example: a sale is recorded when the product/service has been received by the customer. For each sales record, the proof of delivery of the product/service to the customer must be checked.
Audit Procedures
• Tracing: tracing information from the earliest document forward to the subsequent documents. Used to check the validity of information that is typically understated.
◦ example: once a product/service has been received, the cost must be charged/recorded. For each product/service received, make sure its cost has been recorded in the financial statements/IS.
• Reperformance: performing the control or other procedure again. Done to obtain evidence on the effectiveness of the control/procedure.
• Analytical procedures: analyzing the information obtained during the audit by processing it and comparing it against other data to find anomalies such as fluctuations or data differences.
• Confirmation: obtaining written/unwritten verification of the accuracy of information from a third party.
Examples of Analytical Procedures
• Analysis of common-size information
◦ Percentage of sales, percentage of A/R
◦ Number of device logins using one account
• Ratio analysis
◦ Percentage of defects, revenue to A/R
◦ Number or size of transactions per user compared to HW capacity
• Trend analysis
◦ Cost, revenue
◦ Number of transactions/data per year
• Analysis of future-oriented information
◦ Sales vs. target
◦ Cost vs. budget of an IS project
• External benchmarking
◦ Using data from a third party
• Internal benchmarking
◦ Revenue of all branches
◦ Comparison of bandwidth across information systems
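Two of the analytical procedures listed above, implemented in Python over constructed sample data: the number of distinct devices used per account (an anomaly in a common-size view of login data) and the year-over-year trend of transaction counts. This is an added example, not code from the slides; the login records, the yearly counts, and the thresholds max_devices and max_pct are assumptions.

```python
"""Analytical procedures over constructed sample data (added example, not from
the slides). Implements two procedures from the list above: distinct devices
per account, and year-over-year trend analysis of transaction counts."""
from collections import defaultdict

# Constructed sample login log as (account, device_id) pairs. In an engagement
# this would be the export of the application's authentication log.
LOGIN_RECORDS = [
    ("dosen01", "dev-a1"), ("dosen01", "dev-a1"), ("dosen01", "dev-a2"),
    ("dosen02", "dev-b1"),
    ("admin01", "dev-c1"), ("admin01", "dev-c2"), ("admin01", "dev-c3"),
    ("admin01", "dev-c4"), ("admin01", "dev-c5"),
    ("mhs0001", "dev-d1"), ("mhs0001", "dev-d2"),
]

# Constructed yearly transaction counts for the trend analysis.
TRANSACTIONS_PER_YEAR = {2018: 10_000, 2019: 11_000, 2020: 11_500,
                         2021: 19_000, 2022: 19_500}


def devices_per_account(records):
    """Common-size measure: how many distinct devices each account logged in from."""
    devices = defaultdict(set)
    for account, device in records:
        devices[account].add(device)
    return {account: len(devs) for account, devs in devices.items()}


def flag_shared_accounts(records, max_devices=3):
    """Accounts whose distinct-device count exceeds max_devices (assumed
    threshold). A high count is the anomaly that triggers inquiry: the
    credentials may be shared among several people."""
    counts = devices_per_account(records)
    return sorted(acc for acc, n in counts.items() if n > max_devices)


def yoy_changes(per_year):
    """Trend analysis: percentage change versus the previous year, keyed by year."""
    years = sorted(per_year)
    changes = {}
    for prev, cur in zip(years, years[1:]):
        changes[cur] = (per_year[cur] - per_year[prev]) * 100 / per_year[prev]
    return changes


def flag_fluctuations(per_year, max_pct=25.0):
    """Years whose change versus the previous year exceeds max_pct in either
    direction (assumed threshold); these are the fluctuations the auditor
    follows up with inquiry or substantive testing."""
    return sorted(year for year, pct in yoy_changes(per_year).items()
                  if abs(pct) > max_pct)


if __name__ == "__main__":
    print("devices per account:", devices_per_account(LOGIN_RECORDS))
    print("possible shared accounts:", flag_shared_accounts(LOGIN_RECORDS))
    print("year-over-year change (%):",
          {y: round(p, 1) for y, p in yoy_changes(TRANSACTIONS_PER_YEAR).items()})
    print("years with unusual fluctuation:", flag_fluctuations(TRANSACTIONS_PER_YEAR))
```

The flagged accounts and years are not findings by themselves; they are the items the auditor takes into inquiry or substantive testing, and the thresholds should be set from the auditee's own baseline rather than the constants used here.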
Audit Evidence

Audit evidence is:
- the documentation of the audit procedures performed
- the basis on which the auditor concludes the audit results and formulates recommendations

• Relevant
◦ Does the evidence fit the audit objective?
◦ Does it support the auditor’s conclusions and recommendations?
• Reliable
◦ Was the evidence obtained from a trusted source?
◦ Was the evidence obtained directly by the auditor?
• Sufficient
◦ Is the audit evidence adequate for the scope?
◦ Do the pieces of audit evidence support one another?
Documenting Audit Evidence

Audit Evidence Persuasiveness
• Evidence obtained from an independent third party is more reliable than evidence obtained from auditee personnel
• Evidence produced by a process or system with effective controls is more reliable than evidence produced by a process or system with ineffective controls
• Evidence obtained directly by the internal auditor is more reliable than evidence obtained indirectly
• Documented evidence is more reliable than undocumented evidence
• Timely evidence is more reliable than untimely evidence
• Corroborated evidence is more sufficient than uncorroborated evidence
• Larger sample sizes produce more sufficient evidence than smaller samples
Example: Procurement Audit
• Key objective: transact only with vendors of good reputation
◦ Test of control: a vendor outside the approved vendor list cannot be selected (reperform). Evidence: screen recording
◦ Substantive test: compare the transaction data of the last 1 year and check whether any transactions exist with unapproved vendors. Evidence: Excel file with the analysis results
• Key objective: compare quotations from 3 vendors to obtain the best price and quality
◦ Test of control: a purchase order cannot be created unless three price comparisons are entered. Evidence: screen recording
◦ Substantive test: check whether any purchase order exists without a price comparison from 3 vendors. Evidence: Excel file with the analysis results
• Key objective: three-way matching: payment = invoice = goods receipt = purchase order
◦ Test of control: a goods receipt / invoice / payment value that differs from the PO cannot be entered. Evidence: screen recording
◦ Substantive test: check whether any transaction data exists where goods receipt <> invoice <> payment <> PO. Evidence: Excel file with the analysis results
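The three substantive tests from the procurement example, written out in Python over constructed sample data. This is an added example and not code from the slides: the record layout, field names, the approved-vendor list, the matching tolerance, and the use of CSV text as a stand-in for the Excel result file are all assumptions. The three-way matching test also treats a missing earlier document (for instance a payment recorded with no goods receipt) as an exception, which the slide's "<>" comparison leaves implicit.

```python
"""Substantive tests for the three procurement objectives above, run over
constructed sample data. Added example; not from the slides."""
import csv
import io

# Constructed approved-vendor master list.
APPROVED_VENDORS = {"V001", "V002", "V003"}

# Constructed purchase orders: PO number, vendor, PO amount, quotations on file.
PURCHASE_ORDERS = [
    {"po": "PO-1", "vendor": "V001", "amount": 1000.0, "quotes": 3},
    {"po": "PO-2", "vendor": "V009", "amount": 2500.0, "quotes": 3},  # vendor not on the approved list
    {"po": "PO-3", "vendor": "V002", "amount": 800.0, "quotes": 1},   # fewer than three quotations
    {"po": "PO-4", "vendor": "V003", "amount": 1200.0, "quotes": 3},  # invoice and payment exceed the PO
    {"po": "PO-5", "vendor": "V001", "amount": 500.0, "quotes": 3},   # invoiced and paid without a goods receipt
]

# Constructed downstream documents keyed by PO number (amount recorded on each).
GOODS_RECEIPTS = {"PO-1": 1000.0, "PO-2": 2500.0, "PO-3": 800.0, "PO-4": 1200.0}
INVOICES = {"PO-1": 1000.0, "PO-2": 2500.0, "PO-3": 800.0, "PO-4": 1350.0, "PO-5": 500.0}
PAYMENTS = {"PO-1": 1000.0, "PO-2": 2500.0, "PO-3": 800.0, "PO-4": 1350.0, "PO-5": 500.0}


def unapproved_vendor_transactions(orders, approved):
    """Objective 1: POs issued to a vendor that is not on the approved list."""
    return sorted(o["po"] for o in orders if o["vendor"] not in approved)


def orders_without_three_quotes(orders, required=3):
    """Objective 2: POs created with fewer than the required number of quotations."""
    return sorted(o["po"] for o in orders if o["quotes"] < required)


def three_way_matching_exceptions(orders, receipts, invoices, payments, tolerance=0.01):
    """Objective 3: goods receipt, invoice and payment must all equal the PO
    amount. Returns {po: {document: recorded amount}} listing only the documents
    that differ from the PO by more than the tolerance, or that are missing
    (None) even though a later document in the chain already exists."""
    exceptions = {}
    for o in orders:
        po, expected = o["po"], o["amount"]
        names = ["goods_receipt", "invoice", "payment"]
        amounts = [receipts.get(po), invoices.get(po), payments.get(po)]
        mismatched = {}
        for i, (name, amount) in enumerate(zip(names, amounts)):
            later_exists = any(a is not None for a in amounts[i + 1:])
            if amount is None and later_exists:
                mismatched[name] = None          # chain skipped a step
            elif amount is not None and abs(amount - expected) > tolerance:
                mismatched[name] = amount        # amount differs from the PO
        if mismatched:
            exceptions[po] = mismatched
    return exceptions


def exception_report(orders=PURCHASE_ORDERS, approved=APPROVED_VENDORS):
    """Combine the three tests into flat (PO, test, detail) rows, the shape the
    auditor keeps as the analysis result file."""
    by_po = {o["po"]: o for o in orders}
    rows = []
    for po in unapproved_vendor_transactions(orders, approved):
        rows.append((po, "unapproved vendor", by_po[po]["vendor"]))
    for po in orders_without_three_quotes(orders):
        rows.append((po, "fewer than 3 quotations", str(by_po[po]["quotes"])))
    for po, docs in three_way_matching_exceptions(orders, GOODS_RECEIPTS, INVOICES, PAYMENTS).items():
        rows.append((po, "three-way matching", ", ".join(f"{d}={a}" for d, a in docs.items())))
    return rows


def report_as_csv(rows):
    """Render the rows as CSV text (stand-in for the Excel result file)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["po", "test", "detail"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(report_as_csv(exception_report()))
```

Each row in the report is one exception to take back to the auditee with the supporting PO, receipt, invoice and payment records; a tolerance is used because rounding between documents is common, and it should be agreed with the auditee before the test is run.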

Example Audit Procedures
Objective: Evaluate the security of grade data in SIAKAD
Risk: grade data can be updated by unauthorized persons: grades can be changed by someone other than the course lecturer (students, resigned lecturers, administrative staff, etc.)

• Control activity: SOP for user management, covering requests for a username and password (directive)
◦ Audit procedure: check whether a user management SOP exists (inspection). Evidence: the user management SOP
◦ Audit procedure: interview whether the administrative staff at UPT TIK understand the SOP (inquiry). Evidence: interview minutes
• Control activity: login to the system using a username and password (preventive)
◦ Audit procedure: check whether SIAKAD has a login feature (reperform/observation). Evidence: screenshot or screen recording
• Control activity: mapping of roles to access rights (user authorization) (preventive)
◦ Audit procedure: check whether a SIAKAD user authorization mapping exists (inspection). Evidence: user and role map document
◦ Audit procedure: check whether any non-lecturer user can edit course grades (analytical procedure). Evidence: document with the results of the user-role map analysis; screen recording of an attempt to edit grades using a non-lecturer account
• Control activity: periodic review of user access rights (detective)
◦ Audit procedure: interview whether user access rights are reviewed periodically (inquiry). Evidence: interview minutes
◦ Audit procedure: check whether evidence (official minutes) of the access-right review exists (inspection). Evidence: official minutes of the access-right review
• Control activity: when a lecturer has resigned, their access rights are revoked (corrective)
◦ Audit procedure: check whether any lecturers have resigned, then try to log in using that lecturer’s user account (reperform). Evidence: screen recording of the login attempt with the resigned lecturer’s account
EXAMPLE ENGAGEMENT: SIAKAD SECURITY AUDIT
• Objective: Evaluate the security of grade data in SIAKAD
• Auditors:
◦ Lead auditor: …………………………
◦ Audit team: 1………………………….
2……………………………….

• Scope
◦ Processes: login, grade entry, grade finalization, grade reports
◦ Period: academic year 2020/2021

• Auditee
◦ Academic Sub-Division
◦ Study Program
◦ UPT TIK

Example Audit Procedures
• Objective: Evaluate the security of grade data in SIAKAD
• Risk: grade data can be updated by unauthorized persons: grades can be changed by someone other than the course lecturer (students, resigned lecturers, administrative staff, etc.)
• Control activities, each followed by its audit procedures:
◦ SOP for user management, covering requests for a username and password (directive): check whether a user management SOP exists (inspection); interview whether the administrative staff at UPT TIK understand the SOP (inquiry)
◦ Login to the system using a username and password (preventive): check whether SIAKAD has a login feature (reperform/observation)
◦ Mapping of roles to access rights (user authorization) (preventive): check whether a SIAKAD user authorization mapping exists (inspection); check whether any non-lecturer user can edit course grades (analytical procedure)
◦ Periodic review of user access rights (detective): interview whether user access rights are reviewed periodically (inquiry); check whether evidence (official minutes) of the access-right review exists (inspection)
◦ When a lecturer has resigned, their access rights are revoked (corrective): check whether any lecturers have resigned, then try to log in using that lecturer’s user account (reperform)
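The analytical procedure from the SIAKAD example (checking the user authorization mapping for non-lecturer users who can edit grades) together with the test of the corrective control (resigned lecturers whose accounts are still active), written as Python over a constructed user/role export. This is an added example, not code from the slides and not SIAKAD's real data model; the role and permission names, the HR roster, the course assignments and the grade-edit log are assumptions. It goes one step beyond the slide by also reconciling the grade-edit log against the course assignment, which catches a lecturer editing grades for a course they do not teach.

```python
"""Access-right analysis over a constructed SIAKAD-style user/role export.
Added example; not from the slides and not SIAKAD's real data model."""

# Constructed role -> permission map (the "user authorization mapping" on the slide).
ROLE_PERMISSIONS = {
    "dosen": {"view_grades", "edit_grades"},
    "mahasiswa": {"view_grades"},
    "tendik": {"view_grades", "manage_users"},
    "superadmin": {"view_grades", "edit_grades", "manage_users"},
}

# Constructed user export: username, assigned roles, account status, HR category.
USERS = [
    {"user": "dosen01", "roles": {"dosen"}, "active": True, "type": "lecturer"},
    {"user": "dosen02", "roles": {"dosen"}, "active": True, "type": "lecturer"},   # resigned, still active
    {"user": "tendik01", "roles": {"tendik"}, "active": True, "type": "staff"},
    {"user": "tendik02", "roles": {"tendik", "superadmin"}, "active": True, "type": "staff"},  # can edit grades
    {"user": "mhs0001", "roles": {"mahasiswa"}, "active": True, "type": "student"},
]

# Constructed HR roster of lecturers who have resigned.
RESIGNED_LECTURERS = {"dosen02"}

# Constructed course-to-lecturer assignment and grade-edit log as (user, course).
COURSE_LECTURER = {"SF1313": "dosen01", "SF2201": "dosen02"}
GRADE_EDIT_LOG = [("dosen01", "SF1313"), ("tendik02", "SF1313"), ("dosen02", "SF2201")]


def effective_permissions(user, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of every role assigned to the user; a second
    role can grant what the primary role deliberately withholds."""
    perms = set()
    for role in user["roles"]:
        perms |= role_permissions.get(role, set())
    return perms


def non_lecturers_with_grade_edit(users=USERS):
    """Analytical procedure: users outside the lecturer category whose
    effective permissions include editing grades."""
    return sorted(u["user"] for u in users
                  if u["type"] != "lecturer" and "edit_grades" in effective_permissions(u))


def active_resigned_accounts(users=USERS, resigned=RESIGNED_LECTURERS):
    """Corrective control test: resigned lecturers whose accounts are still
    active, i.e. access was not revoked on resignation."""
    return sorted(u["user"] for u in users if u["user"] in resigned and u["active"])


def edits_by_non_course_lecturer(log=GRADE_EDIT_LOG, course_lecturer=COURSE_LECTURER):
    """Grade edits made by someone other than the lecturer assigned to the
    course, reconstructed from the application's edit log."""
    return sorted((user, course) for user, course in log
                  if course_lecturer.get(course) != user)


if __name__ == "__main__":
    print("non-lecturers able to edit grades:", non_lecturers_with_grade_edit())
    print("resigned lecturers still active:", active_resigned_accounts())
    print("grade edits by someone other than the course lecturer:", edits_by_non_course_lecturer())
```

The three checks are complementary: the permission analysis shows who could edit grades, the roster comparison shows whose access should already have been removed, and the log reconciliation shows who actually did edit grades; an account flagged by the last check but not by the first points at a gap in the authorization mapping itself.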

Assignment (group)
Audit objective:

Evaluate the accuracy of the student transcript information produced by SIAKAD

1. What risks could cause the objective not to be achieved?
2. What controls are needed?
3. What would the audit procedures be?
Assignment
• Read Chapter 10 of the book Internal Auditing: Assurance and Advisory Services, 4th Edition
• Browse the GTAGs and learn how to use them. Pick one to read thoroughly.

End of Slides
