
Audit Sistem Informasi - 2006

IT Audit Approach for Financial Audit Support
Universitas Padjadjaran

Session 2
QUIZ 1
 Time: 15 minutes

 Why is an information systems audit needed?

 Explain how controls operate in a computer-based system.

2
Agenda

 Overview
 Risk & Audit Risk
 How IT Impacts the Audit Strategy
 IT Audit Approach

4
Session 2 Objectives

 Understand the IT audit approach when supporting the financial audit work
 Understand the concept of the IT environment

5
What is an IT Audit?

 Since most information systems employ IT, the IT audit is a critical component of all external and internal audits.
 IT audits:
  focus on the computer-based aspects of an organization’s information system
  assess the proper implementation, operation, and control of computer resources

6
Elements of an IT Audit

 Systematic procedures are used
 Evidence is obtained
 tests of internal controls
 substantive tests
 Determination of materiality for weaknesses found
 Prepare audit report & audit opinion

7
Types of Audit Tests

 Tests of controls – tests to determine if appropriate internal controls (IC) are in place and functioning effectively
 Substantive testing – detailed examination of account balances and transactions

8
Overview Relation with Financial Audit

 To support the financial audit because:
At present computers are used extensively to process data and to provide information for decision making, so a traditional/manual audit engagement is not adequate to cover sophisticated information technology.

9
Risks and Audit Risk
RISK Definition (International Organization for Standardization, ISO):
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets

AUDIT RISK Definition:
The risk of an auditor failing to detect actual or potential material losses or account misstatements at the conclusion of the audit

10
Types of Audit Risk
 Inherent Risk
Reflects the likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal control is considered

 Control Risk
Reflects the likelihood that internal controls in some segment will not prevent, detect or correct a material loss or account misstatement

 Detection Risk
Reflects the likelihood that the audit procedures used in some segment of the audit will fail to detect a material loss or account misstatement

11
Classification of Controls (by function)
 Preventive control
  Prevent an error, omission or malicious act from occurring
  Deter problems before they arise
  Attempt to predict potential problems before they occur and make adjustments (feed-forward controls)

 Detective control
  Detect that an error, omission or malicious act has occurred and report the occurrence

 Corrective control
  Identify the cause of the problem
  Correct errors arising from a problem
  Remedy problems discovered by detective controls
  Modify the processing system to minimize future occurrences of the problem
  Minimize the impact of a threat

12
Classification of Controls (by type)

(Diagram in the original)
 Manual Controls
  (Purely) Manual Controls
  IT-Dependent Manual Controls
 Automated Controls
  Application Controls
 IT General Controls assure the functioning of the IT-dependent manual controls and the application controls

13
Audit Strategy

 Our audit strategy is the level of auditing we will perform to maintain an acceptable level of audit risk.

AUDIT RISK = INHERENT RISK X CONTROL RISK X DETECTION RISK

 Audit risk: risk that our conclusions are inaccurate and engagement objectives are not met
 Inherent risk: nature of the account/business
 Control risk: effectiveness of clients’ controls
 Detection risk: level of auditing we perform

14
How IT Impacts the Audit Strategy

AUDIT RISK = INHERENT RISK X CONTROL RISK X DETECTION RISK
 Inherent risk: nature of the account/business
 Control risk: effectiveness of clients’ controls
 Detection risk: level of auditing we perform

(Diagram in the original: client controls span all four layers below)
 Financial Statement Accounts
 Specific Business Processes
 Specific Computing Applications
 General IT Processes

15
Who Determines What?

 Financial Statement Accounts: Audit Team
 Specific Business Processes: Audit Team
 Specific Computing Applications: Audit Team / IT Auditor
 General IT Processes: IT Auditor

16
Flowchart of major steps in an Audit – Generic Approach

(Flowchart in the original, reconstructed as steps)
START
 1. Preliminary audit work
 2. Obtain understanding of control structure
 3. Assess control risk
 4. Rely on control?
    No  -> Extended substantive testing -> Form audit opinion and issue report -> STOP
    Yes -> Test of controls
 5. Re-assess control risk
 6. Still rely on control?
    No  -> Extended substantive testing -> Form audit opinion and issue report -> STOP
    Yes -> Increase reliance on control?
           Yes -> return to Test of controls
           No  -> Limited substantive testing -> Form audit opinion and issue report -> STOP

When does the IT audit get involved?

17
Types of IT audit work in a financial audit
 GCR (General Computer Controls Review)
  Risk assessment for IT organisation, security, acquisition, development and maintenance, computer operations
 ACR (Application Controls Review)
  Evaluation of controls of computerised business applications, e.g. review of controls on the SAP SD (Sales & Distribution) module
 Special review of IT functions
  This will include both general and application controls. Leading practice implements COBIT, the generally accepted IT control principles, which were designed to focus on processes rather than divisions/units

18
Old vs. New: The Big Picture of IT Audit

(Diagram in the original)
Status quo:
 IT Environment
  IT General Controls
   Application Controls

Future state vision:
 IT Environment
  Application Controls
   IT General Controls

19
Two Parts of IT-Related Work: The Big Picture

1. The IT Environment
 Combined Risk Assessment
  • Identify business and inherent risks
 Value Observation
  • Impact on internal control at entity level
  • Regulatory requirements
2. Application and IT General Controls
 • Focus on controls (including IT-dependent manual controls) that deal with control risk for each relevant assertion relating to the significant accounts

20
First Part: IT Environment

(Diagram in the original: the IT Environment encloses the Application Controls and the IT General Controls)

21
IT Environment:
Organization of IT for the business
Responsibility of IT Management

Where can you find the IT organization in a company?
 Finance manager (no specific IT manager)
 IT Manager, reporting to Finance Manager
 IT Manager or CIO, reporting to CEO
 CIO and IT Manager

23
Responsibilities in IT Management

 System development
Development and implementation of new information
systems
 Application management
 Network Management
 Helpdesk/user support
 Project management

24
Organizational requirements for IT
departments
 Position in the organization
 Segregation of duties
 Screening and hiring
 Staff skills and development (training)

25
Types of IT organizations
Small IT organization (1-5 people)

(Organization chart in the original)
 CEO/PresDir
  Marketing
  Finance
  Production
  Head of IT
   Application management and support
   Network (hardware) management

26
Types of IT organizations
Medium size IT organization (5 - 50 staff)

(Organization chart in the original)
 CEO/PresDir
  Marketing
  Finance
  Production
  IT Department
   System Development: Programmers; Information analysts
   Infrastructure management: Network management; Hardware management; Telecommunication management
   Application management: Database Manager; Office application management; Business application management
   Helpdesk

27
Segregation of Duties

 CO 1: Transaction authorization is separate from transaction processing.
 CO 2: Asset custody is separate from record-keeping responsibilities.
 CO 3: The tasks needed to process the transactions are subdivided so that fraud requires collusion.

28
Segregation of Duties

(Diagram in the original: how a transaction is split between separate parties under each control objective)
 Control Objective 1: Authorization | Processing
 Control Objective 2: Authorization | Custody | Recording
 Control Objective 3: Authorization | Task 1 | Task 2 | Task 3 | Task 4

29
Segregation of Duties Matrix in IT Organization

(Matrix in the original: the same roles on both axes, with X marking pairs of roles one person should not hold. The column positions of the marks were lost in extraction; the list of roles and the number of incompatible roles marked per row are kept.)

Roles: Control Group, System Analyst, Application Programmer, Help Desk & Support Mgr., End User, Data Entry, Computer Operator, DB Administrator, Network Administrator, System Administrator, Security Administrator, Tape Librarian, System Programmer, Quality Assurance

Incompatible roles marked per row:
 Control Group: 0
 System Analyst: 1
 Application Programmer: 1
 Help Desk & Support Mgr: 3
 End User: 2
 Data Entry: 3
 Computer Operator: 5
 DB Administrator: 6
 Network Administrator: 8
 System Administrator: 7
 Security Administrator: 4
 Tape Librarian: 7
 System Programmer: 12
 Quality Assurance: 6
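As an added example, not part of the course slides: a small Python check that applies an incompatibility matrix of this kind to user-role assignments and reports every user who holds a pair of roles the matrix marks as incompatible. The incompatible pairs listed in the code and the sample assignments are assumed for illustration (the slide's own X marks cannot be recovered); a real review would load the organization's matrix and a user-role export from the identity system.

```python
"""Segregation-of-duties (SoD) conflict check over user-role assignments.

Added example, not from the course slides. The incompatible pairs below are
an assumed illustrative subset in the spirit of the slide's matrix; replace
them with the organization's own matrix before use.
"""
from itertools import combinations

# Assumed incompatible role pairs (order inside a pair does not matter).
# The intent follows CO 1-3 on the earlier slide: no single person should be
# able to develop, run and check the same processing without collusion.
INCOMPATIBLE_PAIRS = {
    frozenset({"Application Programmer", "Computer Operator"}),
    frozenset({"Application Programmer", "System Programmer"}),
    frozenset({"Application Programmer", "DB Administrator"}),
    frozenset({"System Analyst", "Computer Operator"}),
    frozenset({"Computer Operator", "Tape Librarian"}),
    frozenset({"Data Entry", "Control Group"}),
    frozenset({"Data Entry", "Computer Operator"}),
    frozenset({"Security Administrator", "System Administrator"}),
    frozenset({"Security Administrator", "DB Administrator"}),
    frozenset({"Quality Assurance", "Application Programmer"}),
    frozenset({"Quality Assurance", "System Programmer"}),
    frozenset({"End User", "Application Programmer"}),
}


def incompatible(role_a, role_b, matrix=INCOMPATIBLE_PAIRS):
    """True if the two roles may not be held by the same person."""
    return frozenset({role_a, role_b}) in matrix


def find_sod_conflicts(assignments, matrix=INCOMPATIBLE_PAIRS):
    """Return {user: [(role_a, role_b), ...]} for users holding incompatible pairs.

    assignments: {user: iterable of role names}. Each reported pair is
    alphabetically ordered so results are stable regardless of input order.
    """
    conflicts = {}
    for user, roles in assignments.items():
        pairs = [
            pair
            for pair in combinations(sorted(set(roles)), 2)
            if incompatible(*pair, matrix=matrix)
        ]
        if pairs:
            conflicts[user] = pairs
    return conflicts


# Constructed sample extract of user-role assignments (not real data).
SAMPLE_ASSIGNMENTS = {
    "adi":   ["Application Programmer", "Computer Operator"],
    "budi":  ["Security Administrator", "System Administrator", "DB Administrator"],
    "citra": ["End User"],
    "dewi":  ["Tape Librarian"],
    "eko":   ["Quality Assurance", "End User"],
}

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for role_a, role_b in pairs:
            print(f"SoD conflict: {user} holds {role_a!r} and {role_b!r}")
```

Because the matrix is stored as unordered pairs, it is symmetric by construction; the classic mistake of marking A/B but forgetting B/A cannot occur.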

30
Centralized Computer Services Function

(Organization chart in the original)
 President
  VP Marketing
  VP Computer Services
   Systems Development: New Systems Development; Systems Maintenance
   Database Administration
   Data Processing: Data Control; Data Preparation; Computer Operations; Data Library
  VP Operations
  VP Finance

31
Centralized IT Structure

 Critical to segregate:
 systems development from computer operations
 database administrator (DBA) from other computer service
functions
– DBA’s authorizing and systems development’s processing
– DBA authorizes access
 maintenance from new systems development
 data library from operations

32
Distributed Organizational Structure

(Organization chart in the original; IPU = information processing unit)
 President
  VP Marketing: IPU
  VP Finance: Treasurer (IPU); Controller (IPU)
  VP Administration: IPU
  VP Operations: Manager Plant X (IPU); Manager Plant Y (IPU)

33
Distributed IT Structure

 Despite its many advantages, important internal control (IC) implications are present:
  incompatible software among the various work centers
  data redundancy may result
  consolidation of incompatible tasks
  difficulty hiring qualified professionals
  lack of standards

34
Organizational Structure Internal
Control
 A corporate IT function alleviates potential problems
associated with distributed IT organizations by
providing:
 central testing of commercial hardware and software
 a user services staff
 a standard-setting body
 reviewing technical credentials of prospective systems
professionals

35
Audit Procedures
 Review the corporate policy on computer security
 Verify that the security policy is communicated to employees
 Review documentation to determine if individuals or groups are performing
incompatible functions
 Review systems documentation and maintenance records
 Verify that maintenance programmers are not also design programmers
 Observe if segregation policies are followed in practice.
 e.g., check operations room access logs to determine if programmers
enter for reasons other than system failures
 Review user rights and privileges
 Verify that programmers have access privileges consistent with their job
descriptions
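As an added example, not part of the course slides: Python that carries out the two log-based procedures above (operations-room entries by programmers outside system-failure windows, and denied badge reads for follow-up) over a constructed badge-reader export. The log format, the staff roster and the system-failure register are all assumed; a real review would use the badge system's export and the incident/change register.

```python
"""Review computer-room access logs against the segregation policy.

Added example, not from the course slides. Roster, incident register and
log lines are constructed; the CSV layout is assumed, not any vendor's.
"""
from datetime import datetime

# Constructed staff roster: badge id -> (name, role)
ROSTER = {
    "B1001": ("Adi", "Application Programmer"),
    "B1002": ("Budi", "Computer Operator"),
    "B1003": ("Citra", "System Programmer"),
    "B1004": ("Dewi", "Tape Librarian"),
}

# Constructed system-failure register: windows in which programmers may
# legitimately be called into the operations room.
INCIDENTS = [
    (datetime(2006, 3, 14, 2, 0), datetime(2006, 3, 14, 5, 30)),  # batch abend
]

# Constructed badge-reader export, one read per line: timestamp,badge,door,result
SAMPLE_LOG = """\
2006-03-13 09:12:44,B1002,OPS-ROOM,GRANTED
2006-03-13 09:40:10,B1001,OPS-ROOM,GRANTED
2006-03-13 22:05:51,B1003,OPS-ROOM,DENIED
2006-03-14 02:15:03,B1001,OPS-ROOM,GRANTED
2006-03-14 16:02:37,B1003,OPS-ROOM,GRANTED
2006-03-15 08:00:00,B1004,TAPE-LIB,GRANTED
not,a,valid,line,at,all
"""

PROGRAMMER_ROLES = {"Application Programmer", "System Programmer"}


def parse_log(text):
    """Yield (timestamp, badge, door, result); malformed lines are skipped."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def during_incident(ts, incidents=INCIDENTS):
    """True if the timestamp falls inside a registered failure window."""
    return any(start <= ts <= end for start, end in incidents)


def programmer_entries(text, door="OPS-ROOM", roster=ROSTER, incidents=INCIDENTS):
    """Granted entries to `door` by programmers outside any incident window.

    Returns a list of (timestamp, name, role) for the auditor to follow up.
    """
    findings = []
    for ts, badge, entry_door, result in parse_log(text):
        if entry_door != door or result != "GRANTED":
            continue
        name, role = roster.get(badge, (f"unknown badge {badge}", "unknown"))
        if role in PROGRAMMER_ROLES and not during_incident(ts, incidents):
            findings.append((ts, name, role))
    return findings


def denied_attempts(text, roster=ROSTER):
    """Denied badge reads as (timestamp, name, door), for follow-up."""
    return [
        (ts, roster.get(badge, ("unknown", "unknown"))[0], door)
        for ts, badge, door, result in parse_log(text)
        if result == "DENIED"
    ]


if __name__ == "__main__":
    for ts, name, role in programmer_entries(SAMPLE_LOG):
        print(f"{ts} {name} ({role}) entered OPS-ROOM outside an incident window")
    for ts, name, door in denied_attempts(SAMPLE_LOG):
        print(f"{ts} {name} denied at {door}")
```

Entries that fall inside a failure window are not flagged, which is the point of cross-referencing the incident register rather than reporting every programmer entry.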

36
CISA Exam Question

An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.
37
CISA Exam Question

The PRIMARY objective of an audit of IT security policies is to ensure that:
A. they are distributed and available to all staff.
B. security and control policies support business and IT objectives.
C. there is a published organizational chart with functional descriptions.
D. duties are appropriately segregated.

38
CISA Exam Question

From a control perspective, the key element in job descriptions is that they:
A. provide instructions on how to do the job and define authority.
B. are current, documented and readily available to the employee.
C. communicate management’s specific job performance expectations.
D. establish responsibility and accountability for the employee’s actions.

39
IT Environment:
Hardware (Computer)
Course Learning Objective

After completion of this course you will be able to:
 Understand the types of hardware.
 Understand the risks, controls and security related to hardware

41
Hardware (Content)

 Hardware architecture
 Hardware components
 Risks and Controls
 Hardware Review/audit techniques

42
Kinds of Computer
 Supercomputing is primarily scientific computing, usually modelling real
systems in nature. Render farms are collections of computers that work
together to render animations and special effects. Work that previously
required supercomputers can be done with the equivalent of a render farm.
 Mainframes used to be the primary form of computer. Mainframes are large
centralized computers. At one time they provided the bulk of business
computing through time sharing. Mainframes and mainframe replacements
(powerful computers or clusters of computers) are still useful for some large
scale tasks, such as centralized billing systems, inventory systems, database
operations, etc. When mainframes were in widespread use, there was also a
class of computers known as minicomputers which were smaller, less
expensive versions of mainframes for businesses that couldn’t afford true
mainframes.

43
Kinds of Computer (cont’d)
 Servers are computers or groups of computers used for internet serving, intranet serving, print serving, file serving, and/or application serving. Servers are also sometimes used as mainframe replacements.
 Desktops are personal computers.
 Workstations are more powerful versions of personal computers. Often only one person uses a particular workstation (like desktops), and workstations often run a more powerful version of a desktop operating system, but on more powerful hardware, and often have software associated with larger computer systems.
 Handheld computers are much smaller and less capable than desktops; their software is scaled down to fit into the limited memory of handheld devices.

44
Hardware …
Hardware architecture
Classes
 Large (mainframe)
 IBM S-360/370, S390, z900
 Unisys NX4801-21
 Bull, Fujitsu
 Medium (mini computer)
 IBM S/36, S/38, AS/400 (i-series), RISC 6000
 DEC VAX
 HP3000 series, Bull
 Small (microcomputer)
 IBM PC Compatible

45
Meet the GIANT..

46
Hardware …
Hardware components
 Devices
 Processors
 Storage
 FDD, Hard disk, CD-ROM, Magnetic Tape, Micro film
 Input/output devices
 Keyboard, POS terminals, Barcode readers, Mouse, Stylus,
scanner
 Printer, Monitor, Plotter
 Communication and networking devices
 Modems, routers, switches & hubs, NIC
47
Hardware …
Risks and controls

Risks               | Controls
Failures            | Environmental controls (humidifiers, AC, UPS, surge protector); Monitoring and maintenance
Theft, vandalism    | Physical access controls
Disasters           | Backup; avoid flammable materials (incl. printers)
Under/over capacity | Capacity planning

48
Hardware …
Hardware review/audit techniques
 Physical controls
 Environmental controls
 Hardware capacity management
 CPU, I/O, terminal, telecommunication, bandwidth and storage utilization
 Number of users
 New technologies, applications
 Service level agreements
 Hardware monitoring
 Hardware error reports
 Availability reports
 Utilization reports
 Hardware acquisition plan & maintenance
 Information processing requirements, Hardware requirements, System software
requirements, Support and maintenance requirements.

49
CISA Exam Question

What is a risk associated with attempting to control physical access to sensitive areas, such as computer rooms, using card keys or locks?
A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.
B. The contingency plan for the organization cannot effectively test controlled access practices.
C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control.
D. Removing access for those who are no longer authorized is complex.
50
IT Environment:
Operating Systems
Course Learning Objective

After completion of this course you will be able to:
 Understand operating systems.
 Understand the risks, security and controls related to the operating system

52
What is an Operating System?
 The most important program that runs on a computer.
 Every general-purpose computer must have an operating system to run other programs.

 Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers.

53
Various Operating Systems

 Microsoft = Windows CE, Windows 3.x, Windows 95, Windows 98, Windows 98 SE, Windows ME, Windows NT, Windows 2000, Windows XP, Windows 2003
 Apple = MacOS
 Open Source = Unix, Linux
 IBM = IBM OS/2 Warp

54
FYI: Windows NT, ME, 98, 95, 3.1

These products are no longer supported by Microsoft. We should seriously question why the organization still has these servers in operation and what security measures are in place.

55
Requirements for Effective Operating
Systems Performance
 Protect itself from tampering from users
 Prevent users from tampering with the programs of other
users
 Safeguard users’ applications from accidental corruption
 Safeguard its own programs from accidental corruption
 Protect itself from power failures and other disasters

56
Operating Systems Security

 Log-On Procedure
 first line of defense – user IDs and passwords
 Access Token
 contains key information about the user
 Access Control List
 defines access privileges of users
 Discretionary Access Control
 allows user to grant access to another user

57
Operating System Audit Objectives
Operating system controls exist to ensure that:
 The system is used for authorized purposes only
 Only authorized persons may access the computer operating system
 Only authorized programs may run on the computer system
 Security patches issued by the vendor are applied
 The audit log is activated
 The anti-virus definitions are updated

58
Operating Systems Controls

Access Privileges
 Audit objectives: verify that access privileges are consistent
with separation of incompatible functions and organization
policies
 Audit procedures: review or verify…
 policies for separating incompatible functions
 a sample of user privileges, especially access to data and
programs
 security clearance checks of privileged employees
  formal acknowledgements to maintain confidentiality of data
 users’ log-on times

59
Operating Systems Controls

Password Control
 Audit objectives: ensure the adequacy and effectiveness of password policies for controlling access to the operating system
 Audit procedures: review or verify…
 passwords required for all users
 password instructions for new users
 passwords changed regularly
 password file for weak passwords
 encryption of password file
 password standards
 account lockout policies
60
Operating Systems Controls

Malicious & Destructive Programs

 Audit objectives: verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses
 Audit procedures: review or verify…
  training of operations personnel concerning destructive programs
  testing of new software prior to being implemented
  currency of antiviral software and frequency of upgrades

61
Operating System Controls

Audit Trail Controls

 Audit objectives: whether audit trails are used to (1) detect unauthorized access, (2) facilitate event reconstruction, and (3) promote accountability
 Audit procedures: review or verify…
  how long audit trails have been in place
  archived log files for key indicators
  monitoring and reporting of security violations

62
Stand Alone Server – Windows Basics

(Diagram in the original)
Group Policy Objects
 Account Policies
  – Password Policy
  – Account Lockout Policy
 Local Policies
  – Audit Policy
  – Security Options
Users & Groups

Windows Server (Stand Alone), hosting:
 Database
 Applications
 Services

63
Active Directory – The Basics

Windows Domain (Active Directory)
 A group of Windows 2000 computers in the same security partition
 Unit of replication
 Unit of authentication
 Forms a security boundary
 Defines the scope of administration
 Basic unit of Group Policy, machines, and organizational units

(Diagram in the original: the domain root MyCompany.com with a tree of OUs, served by several Domain Controllers)

64
Company Policy (1)
 Ensure that one user account is used by one person only and is not shared with other parties
 Rename the default accounts, especially the Administrator and Guest accounts
 Minimum password policy:
  Enforce password history: 10 passwords remembered
  Max. password age: 90 days
  Min. password age: 2 days
  Min. password length: 8 characters
  Password must meet complexity requirements: enable
  Store password using reversible encryption: disable

65
Company Policy (2)

Minimum account lockout policy:
 Account Lockout Policy:
  Account lockout duration: 0
  Account lockout threshold: 3 invalid logon attempts
  Reset account lockout counter after: 1440 min.

Minimum audit policy:
 Audit account logon events: success, failure
 Audit account management: success, failure
 Audit directory service access: success, failure
 Audit logon events: success, failure
 Audit object access: success, failure
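As an added example, not part of the course slides: Python that compares a Windows security-policy export against the minimum password, lockout and audit settings on the two Company Policy slides. It parses the INI-style text written by `secedit /export /cfg <file>` (key names are the ones secedit uses); the export embedded below is constructed, with a few deliberate deviations, and the treatment of lockout duration -1 as "0 / until an administrator unlocks" is an assumption noted in the code.

```python
"""Check a secedit policy export against the company's minimum policy.

Added example, not from the course slides. SAMPLE_EXPORT is constructed;
a real export is read with open(path, encoding="utf-16") because secedit
writes Unicode.
"""
import configparser

# Constructed export with deliberate deviations (max age, min length,
# lockout threshold, object-access auditing).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 120
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 10
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 1440
LockoutDuration = -1
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 3
AuditObjectAccess = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Minimum policy from the slides as (section, key, predicate, description).
# A predicate passes when the setting is at least as strict as the minimum.
# Event Audit values: 0 none, 1 success, 2 failure, 3 success and failure.
BASELINE = [
    ("System Access", "PasswordHistorySize",   lambda v: v >= 10,       "Enforce password history: 10"),
    ("System Access", "MaximumPasswordAge",    lambda v: 1 <= v <= 90,  "Max. password age: 90 days"),
    ("System Access", "MinimumPasswordAge",    lambda v: v >= 2,        "Min. password age: 2 days"),
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8,        "Min. password length: 8"),
    ("System Access", "PasswordComplexity",    lambda v: v == 1,        "Complexity requirements: enabled"),
    ("System Access", "ClearTextPassword",     lambda v: v == 0,        "Reversible encryption: disabled"),
    # Assumption: the export encodes "0 / locked until an administrator unlocks" as -1.
    ("System Access", "LockoutDuration",       lambda v: v in (0, -1),  "Lockout duration: 0 (until admin unlocks)"),
    ("System Access", "LockoutBadCount",       lambda v: 1 <= v <= 3,   "Lockout threshold: 3 attempts"),
    ("System Access", "ResetLockoutCount",     lambda v: v >= 1440,     "Reset lockout counter: 1440 min"),
    ("Event Audit",   "AuditAccountLogon",     lambda v: v == 3,        "Audit account logon events: success, failure"),
    ("Event Audit",   "AuditAccountManage",    lambda v: v == 3,        "Audit account management: success, failure"),
    ("Event Audit",   "AuditDSAccess",         lambda v: v == 3,        "Audit directory service access: success, failure"),
    ("Event Audit",   "AuditLogonEvents",      lambda v: v == 3,        "Audit logon events: success, failure"),
    ("Event Audit",   "AuditObjectAccess",     lambda v: v == 3,        "Audit object access: success, failure"),
]


def parse_export(text):
    """Return {section: {key: value}}, converting numeric values to int."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as secedit writes it
    cp.read_string(text)
    result = {}
    for section in cp.sections():
        values = {}
        for key, raw in cp.items(section):
            try:
                values[key] = int(raw)
            except ValueError:
                values[key] = raw  # e.g. signature="$CHICAGO$"
        result[section] = values
    return result


def check_policy(text, baseline=BASELINE):
    """Return [(description, actual)] for every setting weaker than the minimum.

    A key missing from the export is reported with actual=None, since an
    unset value cannot be shown to meet the policy.
    """
    cfg = parse_export(text)
    failures = []
    for section, key, ok, description in baseline:
        actual = cfg.get(section, {}).get(key)
        if actual is None or not isinstance(actual, int) or not ok(actual):
            failures.append((description, actual))
    return failures


if __name__ == "__main__":
    for description, actual in check_policy(SAMPLE_EXPORT):
        print(f"FAIL {description}: actual = {actual}")
```

The predicates encode "at least as strict as" rather than equality, so a server with a 12-character minimum or a 30-day maximum age is not flagged; only settings that fall below the company minimum are reported.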
66
Company Policy (3)

User Rights & Privilege Assignment:

 Access this computer from the network: Administrators, Backup Operators, Power Users, Users, Authenticated Users
 Log on locally (server): Administrator, Backup Operator, Power Users
 Shut down the system: Administrators

67
Company Policy (Anti Virus)
 Anti-virus software must be deployed on all clients and its signatures must be updated regularly.
 Print screen of the anti-virus application from the server

68
Audit Tool (Microsoft Baseline Security Analyzer)
 Windows MBSA is a free tool that can be used to check the system for many of the steps in our audit program.
 http://www.microsoft.com/technet/security/tools/mbsahome.mspx

69
Audit Tool (DumpSec)
 DumpSEC is always an option
 http://www.somarsoft.com

70
Audit Tool (DumpACL)

 DumpACL also is always an option
 http://www.somarsoft.com

71
Any Questions?

72
