Understanding IT Audit
IT control and audit
Is it needed?
Why is it needed?
Understanding IT Audit
Why controls are needed (factors shown in the slide diagram):
o Cost of data loss
o Cost of H/W, S/W & B/W
o Computer errors
o Cost of errors in decision making
o Computer abuse
o Privacy
o Evolution of computer use
These factors lead to the need for controls.
Understanding IT Audit
IT and Internal Control
What is the impact of IT on internal control, and how does it arise?
o Segregation of duties
o Authorization system
o Documentation and record keeping
o Delegation of authority and responsibility
o Physical control over assets and documents
o Accountability of records
Understanding IT Audit
IT and Auditing
What is the impact of IT on auditing, and how does it arise?
Understanding IT Audit
Audit and IT Audit
Level 1: The 'ordinary' auditor, who is familiar with the issues and methods of IT audit, can undertake simple IT audit tasks, and can use IT audit specialists to serve general audit objectives.
Level 2: The IT Auditor. The auditor who has chosen to specialise in IT audit, skilled at undertaking most IT audits, except those in highly specialised areas of IT.
Level 3: The IT Control & Security Specialist. The auditor who, through length of experience, has become very familiar with IT and IT audit issues, and can undertake or supervise audit tasks including highly specialised ones.
Understanding IT Audit
Definitions of IT Audit (or IS Audit):
1. Ron Weber, Information System Control & Audit (1999): The process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.
2. ISACA, CISA Review Manual 2005
Understanding IT Audit
Some key terms:
o Collection and evaluation of evidence
o Reasonable assurance
o Operational objectives & control objectives
o Audit objectives
  - Safeguarding of assets: ensuring confidentiality & availability
  - Data integrity: ensuring completeness, accuracy & consistency
  - Effectiveness: relevant, accurate, timely, complete
Understanding IT Audit
Technology audit as the meeting point of disciplines (slide diagram): information technology management, traditional auditing, computer science and behavioural science.
Conducting an IT Audit
What are the stages of an audit?
o Preliminary work
o Audit planning
o Control testing
o Substantive testing
Conducting an IT Audit
Audit flow (slide flowchart): preliminary review, then control testing, then substantive testing, which is either limited or extended depending on the answer to the question "Still rely on control?" (Yes / No), and finally forming the audit opinion.
Conducting an IT Audit
System Factoring (slide diagram): Level 0 is the system as a whole; Level 1 breaks it into subsystems, each of which is factored further into subsystems.
Function Factoring (slide diagram): IT functions; accounting cycle management system; application system management subsystem; application subsystem.
IT Audit Approaches
o Audit around the Computer
o Audit through the Computer
o Audit with the Computer
Audit around the Computer
Slide diagram: INPUT, PROCESS, OUTPUT.
Considerations: low inherent risk; the application logic is "straightforward"; input transactions are batched; control is exercised through traditional methods; processing merely sorts the input data and updates the master file "sequentially"; the audit trail
Audit through the Computer
Slide diagram: INPUT, PROCESS, OUTPUT.
Considerations: high inherent risk; the application processes input & output in large volumes;
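As an added illustration that is not part of the original slides, the two approaches above applied to a toy batch application that sorts a transaction batch and updates a master file sequentially (the case the "around the computer" slide describes); the application, the account identifiers and the amounts are all constructed for the example:

```python
# Added illustration (not from the slides): the two audit approaches applied
# to a toy batch application that sorts transactions and updates a master
# file sequentially. All data below is constructed for the example.

def update_master(master, transactions):
    """Toy application under audit: sort the batch by account, then apply each
    amount to the matching master record. Unmatched accounts are rejected."""
    new_master = dict(master)
    rejected = []
    for acct, amount in sorted(transactions):
        if acct in new_master:
            new_master[acct] += amount
        else:
            rejected.append((acct, amount))
    return new_master, rejected

def audit_around(master_before, batch, master_after, rejected):
    """Audit around the computer: treat processing as a black box and
    reconcile batch control totals of the input against the output.
    Suitable when inherent risk is low and the logic is straightforward."""
    input_total = sum(amt for _, amt in batch)
    accepted_total = input_total - sum(amt for _, amt in rejected)
    output_delta = sum(master_after.values()) - sum(master_before.values())
    return {
        "record_count_ok": len(master_after) == len(master_before),
        "control_total_ok": accepted_total == output_delta,
    }

def audit_through(app):
    """Audit through the computer: push a test deck with known expected
    results through the application logic itself, including an edge case
    (an account that is missing from the master file)."""
    master = {"A-100": 500, "A-200": 0}
    test_deck = [("A-200", 75), ("A-100", -120), ("A-999", 10)]
    after, rejected = app(master, test_deck)
    return {
        "posting_ok": after == {"A-100": 380, "A-200": 75},
        "rejection_ok": rejected == [("A-999", 10)],
        "master_unchanged_ok": master == {"A-100": 500, "A-200": 0},
    }

if __name__ == "__main__":
    before = {"A-100": 1000, "A-200": 250}
    batch = [("A-200", 40), ("A-100", -15), ("A-300", 99)]  # A-300 not on master
    after, rejected = update_master(before, batch)
    print(audit_around(before, batch, after, rejected))
    print(audit_through(update_master))
```

Note that the control-total reconciliation in audit_around would still pass if the application posted amounts to the wrong accounts, which is exactly the kind of processing defect only the through-the-computer test deck detects.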
Conducting an IT Audit
IT Audit Standards
Information Systems Audit & Control Association (ISACA)
o 010 Audit Charter
010.010 Responsibility, Authority and Accountability
The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.
o 020 Independence
020.010 Professional Independence
In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance.
020.020 Organizational Relationship
o 030 Professional Ethics and Standards
030.010 Code of Professional Ethics
The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association.
030.020 Due Professional Care
Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor's work.
o 040 Competence
040.010 Skills and Knowledge
The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work.
040.020 Continuing Professional Education
The information systems auditor is to maintain technical competence through appropriate continuing professional education.
o 050 Planning
050.010 Audit Planning
The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.
o 060 Performance of Audit Work
060.010 Supervision
Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.
060.020 Evidence
During the course of the audit, the information systems auditor is to obtain
o 070 Reporting
070.010 Report Content and Form
The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage and the nature and extent of the audit work performed. The report is to identify the organization, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions and recommendations and any reservations or qualifications that the auditor has with respect to the audit.
o 080 Follow-Up Activities
080.010 Follow-Up
The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been
Conducting an IT Audit
Code of Professional Ethics:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.