1 Pertemuan 8 Internal Control System Matakuliah:A0274/Pengelolaan Fungsi Audit Sistem Informasi Tahun: 2005 Versi: 1/1

2 Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : Mahasiswa dapat menunjukkan Internal Control System.

3 Outline Materi Malicious Activities –Crime and Misappropriation of Assets Types of Crimes Types of Criminals –Unauthorized Access and Authentication Specific controls/CAATTs –Monitoring Systems –Firewalls –Generalized Audit Software –Other Potential controls/CAATTs

4 Malicious Activities A brief description of aspects of malicious activities will assist in the development of effective specific controls.

5 Crime and misappropriation of Assets Computer crime is becoming popular among those with a criminal mind.

6 Types of Crimes Crimes associated with the theft of assets typically are carried out by employees. Another crime is financial fraud. By its very nature, it is virtually limited to executive management.

7 Types of Criminals Criminals can be broken dwon into different groups with specific profiles. The description of crimes includes a profile of the employee or manager who might commit a crime.

8 Unauthorized Access and Authentication Access control systems are used to authenticate and verify usually by using one of three basic approaches to security: –Something you have –Something you know –Something you are

9 There is a difference between verification and identification. Verification is the process of confirming that the person carrying the token (badge, card, password, etc., which is the claim of identity) is the rightful owner of the token. Identification, on the other hand, is the recognition of a specific individual from among all the individuals enrolled on the system. Ideally, access control systems would do both.

10 Specific Controls/CAATTs One resource for internal auditors in developing an effective internal control system is proven controls and CAATTs, which includes people, techniques and models. People would include the use of experts and professionals in the internal auditor function, whether the corporation has a separate internal audit department, outsources the function or relies on external auditors for the function.

11 Monitoring Systems One of the best detective tools is a good monitoring system.

12 Firewalls Any server connected to the Internet should also have a firewall as a preventive scheme.

13 Generalized Audit Software Audit software is also valuable in auditing operations.

14 To use CAATTs or GAS, the internal auditor should follow these steps: –Set the audit objectives. –Meet with the owner of the data and a programmer. –Formally request the data. –Create or build the input file definition of the GAS. –Verify data integrity for the data imported. –Gain an understanding of the data. –Analyze the data.

15 An internal auditor might run these types of tests: –Reasonableness –Completeness –Gap –Duplication –Period-to-period (trends) –Regression analysis –Statistical analysis –Transaction matching

16 Other Potential Controls/CAATTs Other CAATTs include the following, which is not an exhaustive list and somen of which have been discussed previously: –Embedded audit modules –Artificial neural networks –System development life cycle –Librarian –Passwords –Biometrics –Intrusion detection system –Firewalls –Anti-virus software

17 –Digital certificates –Digital signatures –Encryption –Proposed XBRL system –Disaster recovery plan/business recovery plan –Incident response plan

18 The End