Electronic Data Processing Audit Sistem Informasi (Information Systems) Dimas M. Widiantoro, S.E., S.Kom., M.Sc.


1 Electronic Data Processing Audit Sistem Informasi (Information Systems) Dimas M. Widiantoro, S.E., S.Kom., M.Sc.

2 Agenda Introduction Refresh our Memories Case Discussion

3 Introduction

4 Four major functions in data management:
◦ Record & Repository Creation
◦ Repository Maintenance through additions and updates
◦ Data Retrieval
◦ Data storage and Removal

5 Case First Case The police have now adopted computer technology for issuing the SKCK (Surat Keterangan Catatan Kepolisian, the police record certificate). Budi, as the applicant, always writes down his name and personal details at every stage of the application process, from RT, RW, Polsek, Polres, and Polda up to Mabes Polri. What problems exist in this system?

6 Introduction 1400000

7 Objective of this term
◦ Understand the operational problems inherent in the flat-file approach to data management that gave rise to the database approach.
◦ Understand the relationships among the fundamental components of the database concept.
◦ Recognize the defining characteristics of three database models: hierarchical, network, and relational.
◦ Understand the operational features and associated risks of deploying centralized, partitioned, and replicated database models in the DDP environment.
◦ Be familiar with the audit objectives and procedures used to test data management controls.

8 Data Management Approach
◦ Flat File Approach
◦ Database Approach

9 Introduction

10 Flat File Approach

11 The disadvantages of Flat File Approach
◦ Data Storage
◦ Data Updating
◦ Currency of Information
◦ Task Data Dependency

12 The Database Approach

13 Introduction

14 Key Element of Database

15 DBMS
◦ Program Development
◦ Back Up Recovery
◦ Database Usage Reporting
◦ Database Access

16 User Application Interface Informal Access

17 Database Administrator Planning and sync with Database Environment Design Database Implements Security Standard Programming Maintenance Development and the update of task dependency

18 Physical Database
◦ Character
◦ Field
◦ Record
◦ File
◦ Database
Graphically…

19 Data Organization Structure
Human Resource Database: Payroll File, Benefit File
Employee Record 1: Name Field = Jones T.A.; SS No. Field = 275-32-3874; Salary Field = 20,000
Employee Record 2: Name Field = Klugman J.L.; SS No. Field = 349-88-7913; Salary Field = 28,000
Employee Record 3: Name Field = Alverez, J.S.; SS No. Field = 542-40-3718; Salary Field = 100,000
Employee Record 4: Name Field = Porter, M.L.; SS No. Field = 617-87-7915; Salary Field = 50,000

20
◦ Master files: permanent data (records) pertaining to entities (people, places, and things).
◦ Transaction files: records pertaining to events currently being processed, such as sales, receipts of goods.
◦ Reference files: these contain tables or lists of data needed for making calculations, e.g., product price tables.
◦ History files: these are also called archive files.
◦ Open files: these record incomplete transactions, e.g., open sales order file.

21 Database in Distributed Environment

22 Centralized Database The first approach involves retaining the data in a central location. Remote IT units send requests for data to the central site, which processes the requests and transmits the data back to the requesting IT unit. The actual processing of the data is performed at the remote IT unit. The central site performs the functions of a file manager that services the data needs of the remote sites.

23 Centralized Database

24 Distributed Database This model is separated into two kinds:
– Partitioned method
– Replicated method

25 Distributed Database

26 Distributed Database Model [Figure labels: Client PC; Network Server; Distributed Databases on Intranets and Other Networks; End User Databases; Data Warehouse; Data Marts; Operational Databases of the Organization; External Databases on the Internet and Online Services]

27 Concurrency Control Database concurrency is the presence of complete and accurate data at all user sites.

28 Concurrency Control

29 Controlling and Auditing DMS

30 How is it flowing? http://www.astuteconsulting.com/Services/Internal-Audit-and-Risk-Management/Information-System-Review.aspx

31 Audit Control: Control Over Data Management
◦ Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting, or destroying the entity’s data.
◦ Backup controls ensure that in the event of data loss due to unauthorized access, equipment failure, or physical disaster the organization can recover its database.

32 User Control

34 The audit process can be broken down into the following audit phases:
◦ Establish the Terms of the Engagement
◦ Preliminary Review
◦ Establish Materiality and Assess Risks
◦ Plan the Audit
◦ Consider Internal Control

35 Method
◦ Appropriate Access Authority.
◦ Biometric Controls.
◦ Inference Controls.
◦ Encryption Controls.

36 Audit Procedures for Testing Database Access Controls Responsibility for Authority Tables and Subschemas. The auditor should verify that database administration (DBA) personnel retain exclusive responsibility for creating authority tables and designing user views. Evidence may come from three sources: (1) by reviewing company policy and job descriptions, which specify these technical responsibilities; (2) by examining programmer authority tables for access privileges to data definition language (DDL) commands; and (3) through personal interviews with programmers and DBA personnel.
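
One way to carry out evidence source (2) above, as an added example that is not part of the original presentation: a Python check over an exported authority table that flags non-DBA principals holding DDL privileges and entries that were not granted by DBA staff. The CSV layout, role names, and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export of a database authority table (not from the page).
# Column names, role names and principals are assumptions for this example.
AUTHORITY_TABLE_CSV = """\
principal,role,object,privileges,granted_by
dba_01,DBA,ALL,CREATE|ALTER|DROP|GRANT,dba_01
prog_01,PROGRAMMER,payroll,SELECT|INSERT|UPDATE,dba_01
prog_02,PROGRAMMER,payroll,SELECT|ALTER,dba_01
clerk_01,USER,benefits_view,SELECT,prog_02
prog_03,PROGRAMMER,hr_view,SELECT|CREATE VIEW,dba_01
"""

# Data definition language (DDL) verbs the auditor looks for.
DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
DBA_ROLE = "DBA"


def audit_authority_table(csv_text):
    """Return (finding_type, principal, detail) tuples for DBA-exclusivity exceptions."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    role_of = {r["principal"]: r["role"] for r in rows}
    findings = []
    for r in rows:
        privs = [p.strip().upper() for p in r["privileges"].split("|") if p.strip()]
        # "CREATE VIEW" counts as DDL: match on the first word of each privilege.
        ddl = sorted(p for p in privs if p.split()[0] in DDL_VERBS)
        if ddl and r["role"] != DBA_ROLE:
            findings.append(("DDL_HELD_BY_NON_DBA", r["principal"], ", ".join(ddl)))
        # An entry granted by someone outside DBA (or by an unknown principal)
        # means the authority table was not maintained exclusively by DBA staff.
        if role_of.get(r["granted_by"]) != DBA_ROLE:
            findings.append(("ENTRY_NOT_CREATED_BY_DBA", r["principal"],
                             "granted_by=" + r["granted_by"]))
    return findings


if __name__ == "__main__":
    for finding in audit_authority_table(AUTHORITY_TABLE_CSV):
        print(*finding, sep="\t")
```

Each finding is an exception to follow up with the other two evidence sources (policy and job descriptions, and interviews), not a conclusion on its own.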

37 Brief Auditing IS Standard 050 (Planning) states, “The IT auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.”

38 Planning To meet the audit objectives, and to ensure that audit resources will be used efficiently, the auditor will need to establish levels of materiality. The auditor should consider both qualitative and quantitative aspects in determining materiality.

39 Materiality In assessing materiality, the IT auditor should consider:
◦ The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies.
◦ The potential for the cumulative effect of small errors or weaknesses to become material.

40 Where financial transactions are not processed, the following identifies some measures the auditor should consider when assessing materiality:
◦ Criticality of the business processes supported by the system or operation.
◦ Cost of the system or operation (hardware, software, third-party services).
◦ Potential cost of errors.
◦ Number of accesses/transactions/inquiries processed per period.
◦ Penalties for failure to comply with legal and contractual requirements.

