
Module 03: EDP AUDIT, Auditing IT Governance Controls. Rujito, S.E., M.M.


1 Module 03: EDP AUDIT, Auditing IT Governance Controls. Rujito, S.E., M.M.

2 Learning Objective (EDP AUDIT: Auditing IT Governance Controls)

3 Learning Objectives
After completing this session, students are expected to:
- Understand the risks of incompatible functions and how to structure the IT function.
- Be familiar with the controls and precautions required to ensure the security of an organization's computer facilities.
- Understand the key elements of a disaster recovery plan.
- Be familiar with the benefits, risks, and audit issues related to IT outsourcing.

4 Introduction (EDP AUDIT: Auditing IT Governance Controls)

5 IT Governance: Definition
- "IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategy and objectives" (ITGI, 2003). [1]
- "IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT" (Van Grembergen, 2002). [1]
- Information technology (IT) governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources. [2]
- Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. [3]
[1] Wim Van Grembergen & Steven De Haes, Enterprise Governance of Information Technology: Achieving Strategic Alignment and Value, Springer, 2009
[2] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011
[3] http://en.wikipedia.org/wiki/Corporate_governance_of_information_technology

6 IT Governance: Key Objective
- To reduce risk and ensure that investments in IT resources add value to the corporation. [1]
- To focus value creation efforts on an organisation's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. [2]
- Modern IT governance, however, follows the philosophy that all corporate stakeholders, including boards of directors, top management, and departmental users (i.e., accounting and finance), should be active participants in key IT decisions.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011
[2] http://en.wikipedia.org/wiki/Corporate_governance_of_information_technology

7 IT Governance: What is IT Governance?
- It is... the responsibility of the board and executive.
- It consists of... the leadership, organisational structures and processes...
- ...to ensure that the enterprise's IT... sustains and extends organisational strategies and objectives.

8 IT Governance Control: Focus Areas [1]
IT governance should focus on four key areas: strategic alignment with business; value delivery; risk management; and resource management.
[Figure: COBIT focus areas (www.itgi.org): strategic alignment, value delivery, risk management, resource management, performance measurement]
[1] http://www.itgi.org

9 IT Governance: Best Practice Implementation [1]
[Chart: ITGI/Lighthouse survey 2005, implementation status (0% to 100%) of six practices: alignment between IT strategy and overall strategy; IT resource management; IT value delivery; IT risk management; actual IT performance measurement; active management of IT ROI. Each practice is broken down into "Have implemented", "Implementing now", "Considering implementation" and "Not considering implementation".]
[1] http://www.itgi.org

10 IT Governance: International Organization [1]
[1] http://www.itgi.org

11 Enterprise Governance of IT [1]
From IT Governance to Enterprise Governance of IT:
- The IT governance discussion mainly stayed a discussion within the IT area, while one of the main responsibilities is of course situated on the business side.
- Business value from IT investments cannot be realized by IT alone, but will always be created on the business side.
- Enterprise Governance of IT clearly goes beyond the IT-related responsibilities and expands toward the (IT-related) business processes needed for business value creation.
[1] Wim Van Grembergen & Steven De Haes, Enterprise Governance of Information Technology: Achieving Strategic Alignment and Value, Springer, 2009

12 Enterprise Governance of IT: Definition
- Enterprise Governance of IT is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments. [1]
Organization
- International Organization for Standardization (ISO): in 2008 a new worldwide ISO standard was defined as "Corporate Governance of IT" (ISO/IEC 38500:2008).
[1] Wim Van Grembergen & Steven De Haes, Enterprise Governance of Information Technology: Achieving Strategic Alignment and Value, Springer, 2009

13 Enterprise Governance of IT: International Organization [1]
[1] http://www.iso.org/iso

14 Enterprise Governance of IT: ISO/IEC 38500:2008 (Model for Corporate Governance of IT) [1]
[1] ISO/IEC 38500, Corporate governance of information technology, First edition 2008-06-01.

15 Integration between Enterprise Governance of IT and IT Governance [1]
[1] Wim Van Grembergen & Steven De Haes, Enterprise Governance of Information Technology: Achieving Strategic Alignment and Value, Springer, 2009 & https://www.google.com

16 Integration between Enterprise Governance of IT and IT Governance (in the context of COBIT and Val IT)
Val IT:
- The strategic question: Are we doing the right things?
- The value question: Are we getting the benefits?
COBIT:
- The architecture question: Are we doing them the right way?
- The delivery question: Are we getting them done well?

17 IT Governance Control (EDP AUDIT: Auditing IT Governance Controls)

18 IT Governance Control [1]
- Although all IT governance issues are important to the organization, not all of them are matters of internal control under SOX that may potentially impact the financial reporting process.
- Consider three IT governance issues that are addressed by SOX and the COSO internal control framework:
  - Organizational structure of the IT function
  - Computer center operations
  - Disaster recovery planning
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011

19 IT Governance Control: Organizational Structure of the IT Function (EDP AUDIT: Auditing IT Governance Controls)

20 IT Governance Control: Organizational Structure of the IT Function [1]
- The organization of the IT function has implications for the nature and effectiveness of internal controls, which, in turn, has implications for the audit.
- Two extreme organizational models: the centralized approach and the distributed approach.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011

21 IT Governance Control: Organizational Structure of the IT Function: Centralized Approach (Centralized Data Processing) [1]
- All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
- IT services activities are consolidated and managed as a shared organization resource.
- The IT services function is usually treated as a cost center whose operating costs are charged back to the end users.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011

22 IT Governance Control: Organizational Structure of the IT Function: Centralized Approach, Organizational Chart of a Centralized Information Technology Function [1]
- Database Administration: centrally organized companies maintain their data resources in a central location that is shared by all end users. In this shared data arrangement, an independent group headed by the database administrator (DBA) is responsible for the security and integrity of the database.
- Data Processing: the data processing group manages the computer resources used to perform the day-to-day processing of transactions.
- Data Conversion: the data conversion function transcribes transaction data from hard-copy source documents into computer input. For example, data conversion could involve keying sales orders into a sales order application in modern systems, or transcribing data onto magnetic media (tape or disk) suitable for computer processing in legacy systems.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011

23 IT Governance Control: Organizational Structure of the IT Function: Centralized Approach, Organizational Chart of a Centralized Information Technology Function [1]
- Computer Operations: the electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group. Accounting applications are usually executed according to a strict schedule that is controlled by the central computer's operating system.
- Data Library: the data library is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files. For instance, the data library could be used to store backup data on DVDs, CD-ROMs, tapes, or other storage devices.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011

24 IT Governance Control: Organizational Structure of the IT Function: Centralized Approach, Organizational Chart of a Centralized Information Technology Function [1]
- Systems Development and Maintenance: covers both system development and systems maintenance. The participants in system development activities include systems professionals, end users, and stakeholders.
  - Systems professionals include systems analysts, database designers, and programmers who design and build the system. Systems professionals gather facts about the user's problem, analyze the facts, and formulate a solution. The product of their efforts is a new information system.
  - End users are those for whom the system is built.
  - Stakeholders are individuals inside or outside the firm who have an interest in the system but are not end users. They include accountants, internal auditors, external auditors, and others who oversee systems development.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011

25 IT Governance Control: Organizational Structure of the IT Function: Centralized Approach, Segregation of Incompatible IT Functions [1]
- As with manual activities, segregating incompatible duties is important. Specifically, operational tasks should be segregated to:
  - Separate transaction authorization from transaction processing.
  - Separate record keeping from asset custody.
  - Divide transaction-processing tasks among individuals such that, short of collusion between two or more individuals, fraud would not be possible.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 39

26 IT Governance Control: Organizational Structure of the IT Function: Distributed Approach (Distributed Data Processing, DDP) [1]
Risks associated with DDP:
- Inefficient use of resources
- Destruction of audit trails: auditors use the audit trail to trace selected financial transactions from the source documents that captured the events, through the journals, subsidiary ledgers, and general ledger accounts that recorded the events, and ultimately to the financial statements themselves.
- Hiring qualified professionals
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011

27 IT Governance Control: Organizational Structure of the IT Function: Distributed Approach (Distributed Data Processing, DDP) [1]
Advantages of DDP:
- Cost reductions
- Improved user satisfaction
- Backup flexibility
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011

28 IT Governance Control: Organizational Structure of the IT Function: Audit Objective [1]
- To verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk, and in a manner that promotes a working environment in which formal, rather than casual, relationships exist between incompatible tasks.
Audit procedures: centralized IT function
- Review relevant documentation, including the current organizational chart, mission statement, and job descriptions for key functions, to determine if individuals or groups are performing incompatible functions.
- Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
- Verify that computer operators do not have access to the operational details of a system's internal logic. Systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, should not be part of the operations documentation set.
- Through observation, determine that the segregation policy is being followed in practice.
- Review operations room access logs to determine whether programmers enter the facility for reasons other than system failures.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 46
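Three of the audit procedures above (designer versus maintainer, operator access to logic documentation, and programmer entries to the operations room without a system failure) can be run as automated checks over the records an auditor would collect. The following is an added example, not code from Hall's text or from the presentation; all names, applications, document types and ticket ids are constructed.

```python
"""Segregation-of-duties checks for a centralized IT function (added example,
not from Hall or the presentation). All records below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Application:
    name: str
    design_programmers: FrozenSet[str]       # original developers
    maintenance_programmers: FrozenSet[str]  # currently assigned maintainers

@dataclass(frozen=True)
class AccessEvent:
    person: str
    role: str                          # "programmer" or "operator"
    area: str                          # e.g. "operations_room"
    reason: str                        # free text from the sign-in log
    incident_id: Optional[str] = None  # failure ticket cited at sign-in, if any

# Documentation that reveals a system's internal logic; operators should not hold it.
LOGIC_DOCS = {"system_flowchart", "logic_flowchart", "program_listing"}

def find_design_maintenance_overlap(apps: List[Application]) -> Dict[str, List[str]]:
    """Applications whose maintainers include one of the original designers."""
    return {a.name: sorted(a.design_programmers & a.maintenance_programmers)
            for a in apps if a.design_programmers & a.maintenance_programmers}

def find_operator_logic_exposure(grants: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """(person, doc_type) pairs where an operator can read logic documentation."""
    return sorted({(person, doc) for person, role, doc in grants
                   if role == "operator" and doc in LOGIC_DOCS})

def find_unjustified_programmer_entries(events: List[AccessEvent],
                                        failure_incidents: Set[str]) -> List[AccessEvent]:
    """Programmer entries to the operations room not tied to a known system failure."""
    return [e for e in events
            if e.role == "programmer" and e.area == "operations_room"
            and e.incident_id not in failure_incidents]

# Constructed sample data (hypothetical people, applications and ticket ids).
SAMPLE_APPS = [
    Application("AR_billing", frozenset({"alice", "bob"}), frozenset({"carol"})),
    Application("GL_posting", frozenset({"dave"}), frozenset({"dave", "erin"})),
]
SAMPLE_DOC_GRANTS = [
    ("ops1", "operator", "run_schedule"),
    ("ops2", "operator", "program_listing"),
    ("alice", "programmer", "program_listing"),
]
SAMPLE_EVENTS = [
    AccessEvent("alice", "programmer", "operations_room", "fix nightly batch abend", "INC-1042"),
    AccessEvent("bob", "programmer", "operations_room", "drop off tapes"),
    AccessEvent("ops1", "operator", "operations_room", "shift start"),
]
SAMPLE_FAILURE_INCIDENTS = {"INC-1042"}

def run_audit() -> Dict[str, object]:
    """Collect all findings in one report; an empty list/dict means no exceptions."""
    return {
        "designer_maintains_own_code": find_design_maintenance_overlap(SAMPLE_APPS),
        "operator_sees_logic_docs": find_operator_logic_exposure(SAMPLE_DOC_GRANTS),
        "programmer_entry_without_failure": [
            (e.person, e.reason) for e in
            find_unjustified_programmer_entries(SAMPLE_EVENTS, SAMPLE_FAILURE_INCIDENTS)],
    }

if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings or 'no exceptions'}")
```

Each non-empty finding is an exception for the auditor to follow up with the documentation and observation steps; an empty report does not replace those steps.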

29 IT Governance Control: Organizational Structure of the IT Function [1]
Audit procedures: distributed IT function
- Review the current organizational chart, mission statement, and job descriptions for key functions to determine if individuals or groups are performing incompatible duties.
- Verify that corporate policies and standards for systems design, documentation, and hardware and software acquisition are published and provided to distributed IT units.
- Verify that compensating controls, such as supervision and management monitoring, are employed when segregation of incompatible duties is economically infeasible.
- Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 46

30 IT Governance Control: Computer Center Operation (EDP AUDIT: Auditing IT Governance Controls)

31 IT Governance Control: Computer Center [1]
- Accountants routinely examine the physical environment of the computer center as part of their annual audit.
- The objective is to present computer center risks and the controls that help to mitigate risk and create a secure environment.
- The following are areas of potential exposure that can impact the quality of information, accounting records, transaction processing, and the effectiveness of other, more conventional internal controls.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 47

32 IT Governance Control: Computer Center [1]
Physical Location
- The physical location of the computer center directly affects the risk of destruction from a natural or man-made disaster.
- The computer center should be away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.
- The center should be away from normal traffic, for example on the top floor of a building or in a separate, self-contained building.
Construction
- A computer center should be located in a single-story building of solid construction with controlled access.
- The building's windows should not open, and an air filtration system should be in place that is capable of extracting pollens, dust, and dust mites.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 47

33 IT Governance Control: Computer Center [1]
Access
- Access to the computer center should be limited to the operators and other employees who work there.
- Physical controls, such as locked doors, should be employed to limit access to the center. Access should be controlled by a keypad or swipe card, though fire exits with alarms are still necessary.
- To achieve a higher level of security, access should be monitored by closed-circuit cameras and video recording systems.
- Computer centers should also use sign-in logs for programmers and analysts who need access to correct program errors.
- The computer center should maintain accurate records of all such traffic.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 47

34 IT Governance Control: Computer Center [1]
Air Conditioning
- Computers function best in an air-conditioned environment, in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent (75 degrees Fahrenheit = 24 degrees Celsius).
Fire Suppression
- Fire is the most serious threat to a firm's computer equipment.
- An effective fire suppression system has the following major features:
  - Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to permanently staffed fire-fighting stations.
  - There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant for the location.
  - Manual fire extinguishers should be placed at strategic locations.
  - The building should be of sound construction to withstand water damage caused by fire suppression equipment.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 48

35 IT Governance Control: Computer Center [1]
Audit Objective
The auditor's objective is to evaluate the controls governing computer center security:
- Physical security controls are adequate to reasonably protect the organization from physical exposures.
- Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 49

36 IT Governance Control: Computer Center [1]
Audit Procedures
The following are tests of physical security controls:
- Tests of physical construction: the auditor should obtain architectural plans to determine that the computer center is solidly built of fireproof material.
- Tests of the fire detection system: the auditor should establish that fire detection and suppression equipment, both manual and automatic, is in place and tested regularly.
- Tests of access control: the auditor must establish that routine access to the computer center is restricted to authorized employees. Details about visitor access (by programmers and others), such as arrival and departure times, purpose, and frequency of access, can be obtained by reviewing the access log.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 49

37 IT Governance Control: Computer Center [1]
Audit Procedures
The following are tests of physical security controls:
- Tests of RAID (redundant arrays of independent disks) [2]: most systems that employ RAID provide a graphical mapping of their redundant disk storage. From this mapping, the auditor should determine if the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure.
- Tests of the uninterruptible power supply: the computer center should perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air conditioning.
- Tests for insurance coverage
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 49
[2] RAID involves using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.

38 IT Governance Control: Disaster Recovery Planning (EDP AUDIT: Auditing IT Governance Controls)

39 IT Governance Control: Disaster Recovery Planning: Types of Disaster [1]
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 50

40 IT Governance Control: Disaster Recovery Planning [1]
- A disaster recovery plan (DRP) is a comprehensive statement of all actions to be taken before, during, and after any type of disaster.
- The essential elements of an effective DRP: although the details of each plan are unique to the needs of the organization, all workable plans possess four common features:
  - Identify critical applications
  - Create a disaster recovery team
  - Provide site backup
  - Specify backup and off-site storage procedures
Homework by group!!!
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 51

41 Outsourcing the IT Function (EDP AUDIT: Auditing IT Governance Controls)

42 Outsourcing the IT Function [1]
- The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant.
- Some companies outsource their IT functions to third-party vendors who take over responsibility for:
  - management of IT assets
  - management of staff
  - delivery of IT services: data entry, data center operations, applications development, applications maintenance, network management
- Focus on non-core areas
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 57

43 Outsourcing the IT Function
Benefits: [1]
- Improved core business performance
- Improved IT performance (because of the vendor's expertise)
- Reduced IT costs
Risks inherent to IT outsourcing: [1]
- Failure to perform: once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance.
- Vendor exploitation: large-scale IT outsourcing involves transferring to a vendor "specific assets," such as the design, development, and maintenance of unique business applications that are critical to an organization's survival.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 57

44 Outsourcing the IT Function
Risks inherent to IT outsourcing (cont'd): [1]
- Outsourcing costs exceed benefits
- Reduced security: information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data.
- Loss of strategic advantage: IT outsourcing may create incongruence between a firm's IT strategic planning and its business planning functions.
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 57

45 Outsourcing the IT Function
Audit implications of IT outsourcing: [1]
- Management may outsource its organization's IT functions, but it cannot outsource its management responsibilities under SOX for ensuring adequate IT internal controls.
- The PCAOB specifically states in its Auditing Standard No. 2: "The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting. Rather, user management should evaluate controls at the service organization, as well as related controls at the user company, when making its assessment about internal control over financial reporting."
[1] James A. Hall, Information Technology Auditing and Assurance, 3rd Edition, 2011, p. 59
The detailed explanation will be delivered in the next session/module.

46 Thank You. Rujito, S.E., M.M.
