
Fasilkom UI

INTRODUCTION TO INFORMATION
SYSTEMS AUDIT

Audit and Review: Its Role in Information Technology
Contents

1 Review of Session 1

2 Basic concepts of IT governance

3 IT auditor: skills, standards and resources

4 IT auditor types and roles

5 Management's roles and responsibilities in IT auditing

Fundamentals of IS Audit (Dasar-Dasar Audit SI)
IT Environment

There is no fundamental difference between "IT auditing" and auditing. Certain areas are unchanged:
 the definition of auditing
 the purposes of auditing
 the generally accepted auditing standards
 the control objectives
 the requirement to gather sufficient and appropriate evidence
 the audit report
IT Environment

Elements of an IT System
 Hardware: the physical equipment
 Software
• system programs: perform generalized functions for more than one program
• application programs: sets of computer instructions that perform data processing tasks
 Documentation: a description of the system and its control structures
 Personnel: persons who manage, design, program, operate or control the system
IT Environment

Elements of a Computer-based System (continued)
 Data: transactions and related information entered, stored and processed by the system
 Control Procedures: activities designed to ensure proper recording of transactions and to prevent or detect errors or irregularities

Management responsibilities to assist the auditor:
• ensuring documentation of the system is complete
• maintaining a system of transaction processing that includes audit trails
• making computer resources and knowledgeable personnel available to the auditors to help them understand and audit the system
Effect of IT Processing
 The method used to process accounting transactions will affect a company's organization structure and will influence the procedures and techniques used to accomplish the objectives of internal control.
 The following characteristics distinguish computer processing from manual processing:
 Transaction trails may not exist, or may exist only for a short time or only in machine-readable form
 Uniform processing of transactions eliminates random (clerical) errors but may cause systematic errors: a single programming mistake is repeated for every transaction
 Segregation of functions: incompatible functions may not be segregated, and many internal controls are combined in the computer
Effect of IT Processing

 Potential for errors and irregularities through inappropriate access to computer data or systems; errors are also harder to observe
 Potential for increased management supervision with a wide variety of analytical tools
 Initiation or subsequent execution of transactions by the computer itself
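The three concerns above (transaction trails, segregation of incompatible functions, and computer-initiated transactions) are exactly what an IT auditor tests for in a transaction log. The following Python example is added here to illustrate those tests; it is not code from the slides or from any real system. It assumes a hypothetical ledger in which every transaction records an initiator and an approver, builds a hash-chained audit trail over it, and then runs three audit checks: trail integrity, segregation of duties (initiator must differ from approver), and unapproved system-initiated transactions. The sample transactions are constructed for the example.

```python
import hashlib
import json
from copy import deepcopy

# Hash of "nothing" that anchors the first record of the trail.
GENESIS = "0" * 64

# Constructed sample transactions (not from the slides). T1002 is initiated
# and approved by the same person; T1003 was generated by the computer itself
# with no human approver.
SAMPLE_TRANSACTIONS = [
    {"id": "T1001", "initiator": "alice",  "approver": "bob",   "amount": 1200.00, "ts": "2024-03-01T09:12:00Z"},
    {"id": "T1002", "initiator": "carol",  "approver": "carol", "amount": 9800.00, "ts": "2024-03-01T09:40:00Z"},
    {"id": "T1003", "initiator": "SYSTEM", "approver": None,    "amount": 55.10,   "ts": "2024-03-01T10:05:00Z"},
    {"id": "T1004", "initiator": "dave",   "approver": "erin",  "amount": 310.25,  "ts": "2024-03-01T11:30:00Z"},
]


def _entry_hash(prev_hash, payload):
    """SHA-256 over the previous record's hash plus a canonical JSON encoding
    of this record, so any change to any field changes the hash."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


def build_trail(transactions):
    """Turn a list of transactions into a hash-chained audit trail: each
    record stores the hash of its predecessor, so the trail runs from the
    first transaction to the last without gaps."""
    trail, prev = [], GENESIS
    for txn in transactions:
        payload = dict(txn)
        rec = {"payload": payload, "prev_hash": prev, "hash": _entry_hash(prev, payload)}
        trail.append(rec)
        prev = rec["hash"]
    return trail


def verify_trail(trail):
    """Return the indices of records whose stored hash no longer matches
    their content, or whose link to the previous record is broken.
    An empty list means the trail is intact."""
    broken = []
    for i, rec in enumerate(trail):
        expected_prev = GENESIS if i == 0 else trail[i - 1]["hash"]
        if rec["prev_hash"] != expected_prev or rec["hash"] != _entry_hash(rec["prev_hash"], rec["payload"]):
            broken.append(i)
    return broken


def sod_violations(trail):
    """Segregation-of-duties test: the same person may not both initiate
    and approve a transaction."""
    return [r["payload"]["id"] for r in trail
            if r["payload"]["initiator"] == r["payload"]["approver"]]


def unapproved_system_transactions(trail):
    """Transactions the computer initiated on its own with no human approval
    recorded; these need review because no one authorized them explicitly."""
    return [r["payload"]["id"] for r in trail
            if r["payload"]["initiator"] == "SYSTEM" and not r["payload"]["approver"]]


def tamper_demo(trail):
    """Show what the chain catches. First a naive edit of record 1's amount
    (its own hash no longer matches), then an edit where the attacker also
    recomputes record 1's hash: record 1 now looks fine, but record 2 still
    points at the old hash, so the break shows up one record later."""
    naive = deepcopy(trail)
    naive[1]["payload"]["amount"] = 980.00

    rehashed = deepcopy(naive)
    rehashed[1]["hash"] = _entry_hash(rehashed[1]["prev_hash"], rehashed[1]["payload"])

    return verify_trail(naive), verify_trail(rehashed)


if __name__ == "__main__":
    trail = build_trail(SAMPLE_TRANSACTIONS)
    print("trail intact:", verify_trail(trail) == [])
    print("SoD violations:", sod_violations(trail))
    print("unapproved system txns:", unapproved_system_transactions(trail))
    print("tampering detected at records:", tamper_demo(trail))
```

The chain only proves that nothing was altered after the trail was written; it does not stop an operator with write access from recomputing every later hash as well. In practice the head hash is periodically copied somewhere the operator cannot write (a log server, a printed control total, a signed timestamp), which is the "adequate security to protect data" and "backup" provision the audit concerns later in this deck ask for.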
IT Auditing

IT auditing:
 the evaluation of IT, practices, and operations to assure the integrity of an entity's information; it can include assessment of the efficiency, effectiveness, and economy of computer-based practices.

The IT audit function is part of the business environment. Its unique blend of skills helps to assess the company's exposures and to develop controls associated with its use of technology.
Auditing Concerns

Focus on the systems' controls

Look at the total systems environment
 Objectives: what we are trying to accomplish
 Context: industry sector, organizational structure, business relationships
 Ensure provisions are made for:
 Transaction trails from beginning to end
 Handling exceptions
 Testing of controls
 Authorization over changes to systems
 Training of user personnel
 Adequate security to protect data
 Backup and recovery procedures
Reasons for IT Auditing

Reasons for implementing IT governance:
 Increasing dependence on information and the systems that deliver it
 Increasing vulnerabilities and a wide spectrum of threats
 Scale and cost of current and future investments in information and information systems
 Potential for technologies to dramatically change organizations and business practices, creating new opportunities and reducing costs
IT Governance Intro

 IT governance:
 The responsibility of the board of directors and executive management.
 It is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives.

IT Governance Intro

IT governance needs to ensure:
 Strategic alignment between IT and enterprise objectives
 IT delivers the promised benefits while optimising cost
 Maximization of the value of IT investments
• Resource management
• How to measure IT's performance
 Effective management of IT-related risks (risk management)
Risk & Security Control Perspectives

Castellans: using a "fortress" to physically secure systems
 E.g. isolated spaces
Guardians: using law enforcement and administrative regulations to prevent computer crimes
 E.g. ISMS policy and IT-related regulation
Gatekeepers: limiting access
 E.g. passwords, encryption, biometrics
All three need top management and IS management support.
IT Auditor: Job Outlook

Growth rate for accountants and auditors (www.bls.gov): 18% between 2006 and 2016

IT auditor:
 One of the fastest growing careers
• 11.2% increase in 2006
• Average technology positions grew 3% in 2006
• Salary range $67,000-$94,250, an 11% increase over 2005
IT Auditor: Knowledge, Skills,
and Abilities
Understand the overall control philosophy
Technical skills
 Understand information systems management
 Ability to communicate technical information
Experience with a particular industry and/or the specific business
 Communication skills that enable the auditor to bridge the gap between IT professionals and business management
IT Auditor Independence

Need to value and recognize the integrity of the audit process
Audit reports and opinions must be free of bias or influence
Sarbanes-Oxley
 Auditor rotation
 Scope-of-service restrictions
IT Audit: Continuous Reassessment

Stay on track with audits
The auditor steps back and reassesses the audit project:
 Reaffirm audit goals
• E.g., to ensure that current documentation is available, adequate, and safeguarded.
 Verify audit scope
• E.g., vendor-supplied systems and internal modifications
 If the auditor has deviated from either, then the audit scope should be evaluated and revised
IT Auditor Ethical Standards

To be an auditor, one must have high ethical standards
Auditors are trusted individuals
Some things may be unethical but still legal
Examples from a typical code of ethics:
• I will inform each organization, employer or client of any business connections, interests or affiliations which might influence my judgment or impair the equitable character of my services.
• I will respect my peers' opinions and conduct so as to ensure that honesty and openness are demonstrated within an audit team.
Class Exercise

Bob has just been assigned to work as an external IT auditor for the XYZ company. His wife found a job as junior IT manager at XYZ one month ago.

Q: What should Bob do?
IT Auditor Knowledge
Resources
Experience
Colleagues (IT professionals and other auditors)
Publications and periodicals in IT and/or audit
Seminars
University training
The Role of the IT Auditor

 IT Auditor as Counselor
 Active role in the development of policies on auditability, control, testing, and standards
 Educate users and IT personnel on the importance of compliance with control requirements

 IT Auditor as a Partner of Senior Management
 Provide independent assessment of the effect of IT decisions on the business
 Verify that all alternatives are considered, risks are assessed, solutions are technically correct, business needs are satisfied, and costs are reasonable
Internal vs. External Auditors

The internal IT auditor:
 Provides assurance to management that its policies and procedures are implemented and working as intended
• Monitoring and testing system reliability
The external IT auditor:
 Evaluates the reliability and validity of computer system controls, which
• Minimizes the transaction testing required to render an opinion on financial statements
 Deals with both manual and automated systems
Key Certifications and
Professional Associations
 Certified Internal Auditor (CIA), by the Institute of Internal Auditors (IIA)
 Information Systems Audit and Control Association (ISACA)
 Certified Information Systems Auditor (CISA)
 Certified Information Security Manager (CISM)
 International Information Systems Security Certification Consortium, commonly known as (ISC)²
 Certified Information Systems Security Professional (CISSP)
Collaboration between IT Auditor
and IT Managers
Are these attitudes correct?
 Manager: "Arguing with an auditor is like mud wrestling with a pig! After a time you realize that the pig is enjoying himself."

 Manager: "Are we the evils ourselves, or dealing with evils?"
How IT Managers Support the IT
Audit Function
 Support and participate in the audit planning process
 Develop and promote risk and control awareness
 Provide resources to accomplish the audit tasks
 Hold the auditors to their standards of practice
What IT Managers Need to
Know About an Audit
What is the purpose of the audit?
What are the audit’s scope and objectives?
Who is assigned to perform the audit?
What is the timeframe for the audit?
What IT resources are needed?
 systems, staff
What Should IT Managers Expect
From an Audit?

Regular communication
 audit status
 issues found to date
A closing meeting to review the audit process
and results (issues, actions, plans, etc.)
A final audit report
Audit follow-up on action plans identified during
the audit
Class Exercise

In the following scenario,
 What assistance could an IT auditor provide?
 How can IT managers get involved?

Scenario: A new system is being developed that will enable customers to view their account status and submit orders via the Internet. The technology used is new to the company.