Module 09

EDP AUDIT
Information Systems Operations
Rujito, S.E., M.M.
Learning Objectives
• How to audit information systems (IS) operations from a broad
perspective, including examples of a variety of real-world internal
control weaknesses and inefficiencies pertaining to IS operations.
Preface
• “Information system (IS)” is the study of complementary networks of
hardware and software (see information technology) that people and
organizations use to collect, filter, process, create and distribute data.1
• IS operations include internal controls at data processing facilities,
which are designed to help an organization’s operational processes
function as efficiently and effectively as possible.
• Because all operations throughout an organization are interdependent,
auditors should not view IS operations as completely separate functions
from the other operations within an organization.
• The organization as a whole is a comprehensive input, processing, and
output engine working toward achieving its long-range strategic objectives.
• Auditors should consider the overall impacts of inefficiencies and
ineffective procedures on the organization’s ability to achieve its
long-term objectives.

1 http://en.wikipedia.org/wiki/Information_systems
• IS operations of various scales have materialized at multiple locations.
• Each functional area is responsible for conducting its processes in a
responsibly controlled manner.
• All auditors should be familiar with the approaches that are necessary to
assess their adequacy.
• At a high level, IS operations within an organization can be divided into
two interrelated components:
- Computer operations
- Business operations
Computer operations
• Computer operations consist of those IS processes that ensure that input data is
processed in an efficient and effective manner to support the strategic objectives
and business operations of an organization.
• A typical computer operations audit should include assessments of internal
controls that ensure that:
- Production jobs are completed in a timely manner and production capacity is
sufficient to meet short- and long-range processing needs.
- Output media are distributed in a timely, accurate, and secure manner.
- Backup and recovery procedures adequately protect data and programs
against accidental or intentional loss or destruction.
- Maintenance procedures adequately protect computer hardware against
failure.
- Computer hardware, software, and data are insured at replacement cost.
- Problem management procedures ensure that system problems are
documented and resolved in a timely and effective manner.
Production job scheduling and monitoring
• Automated job-scheduling and initiation software can significantly
enhance operational efficiency…
• Each job should be assigned a priority number (e.g., one through
nine, with one having the highest priority).
• Automated scheduling reduces the need for computer operators to
manually initiate each program.
• To monitor effectiveness, management of the computer operations area
should receive a system-generated daily production report indicating the
start and end times of each job, preferably with a comparison to the
planned production schedule, and any job that abnormally terminated.
• Monitoring controls that should exist include periodically examining
the amount of available disk storage and the dynamic system
capacity utilization.
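The daily production report described above can be produced directly from the scheduler's job log. The following script is an added example written for this module, not code from the slides or from any scheduling product: it merges a constructed planned schedule (job, priority 1 to 9, planned start) with a constructed job log (START/END events with a return code), lists jobs in priority order, and flags the exceptions an auditor would expect management to follow up: late starts beyond a threshold, jobs with no END event, abnormal terminations (non-zero return code), and disk volumes above a utilization threshold. The log format, the 15-minute lateness threshold and the 85% storage threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the slides): the planned production
# schedule, keyed by job name, with a priority 1..9 (1 = highest) and the
# planned start time for the production day.
PLANNED_SCHEDULE: Dict[str, Tuple[int, str]] = {
    "GL_POST":  (1, "2024-03-01 01:00"),
    "PAYROLL":  (2, "2024-03-01 03:00"),
    "AR_AGING": (3, "2024-03-01 02:00"),
}

# Constructed sample job log, one event per line (assumed layout):
#   <job> START <date> <time>
#   <job> END   <date> <time> RC=<return code>   (RC != 0 = abnormal end)
JOB_LOG = """\
GL_POST START 2024-03-01 01:02
GL_POST END 2024-03-01 01:40 RC=0
AR_AGING START 2024-03-01 02:35
AR_AGING END 2024-03-01 02:50 RC=12
PAYROLL START 2024-03-01 03:01
"""

TS_FORMAT = "%Y-%m-%d %H:%M"


@dataclass
class JobRecord:
    name: str
    priority: int
    planned_start: datetime
    actual_start: Optional[datetime] = None
    actual_end: Optional[datetime] = None
    return_code: Optional[int] = None


def build_daily_report(schedule: Dict[str, Tuple[int, str]],
                       log_text: str) -> List[JobRecord]:
    """Merge the planned schedule with the job log into one record per job,
    ordered by priority, as the daily production report would list them."""
    records = {
        name: JobRecord(name, prio, datetime.strptime(start, TS_FORMAT))
        for name, (prio, start) in schedule.items()
    }
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        name, event = parts[0], parts[1]
        stamp = datetime.strptime(f"{parts[2]} {parts[3]}", TS_FORMAT)
        rec = records.get(name)
        if rec is None:
            # A job that ran but was never scheduled is itself a finding;
            # record it with the lowest priority so it still appears.
            rec = records[name] = JobRecord(name, 9, stamp)
        if event == "START":
            rec.actual_start = stamp
        elif event == "END":
            rec.actual_end = stamp
            rec.return_code = int(parts[4].split("=", 1)[1])
    return sorted(records.values(), key=lambda r: r.priority)


def report_exceptions(report: List[JobRecord],
                      late_threshold: timedelta = timedelta(minutes=15)
                      ) -> List[Tuple[str, str]]:
    """Return (job, issue) pairs that management should follow up on."""
    issues: List[Tuple[str, str]] = []
    for rec in report:
        if rec.actual_start is None:
            issues.append((rec.name, "did not run"))
            continue
        delay = rec.actual_start - rec.planned_start
        if delay > late_threshold:
            minutes = int(delay.total_seconds() // 60)
            issues.append((rec.name, f"started {minutes} min late"))
        if rec.actual_end is None:
            issues.append((rec.name, "no END event recorded"))
        elif rec.return_code != 0:
            issues.append((rec.name, f"abnormal termination RC={rec.return_code}"))
    return issues


def capacity_alerts(utilization: Dict[str, float],
                    threshold: float = 0.85) -> List[str]:
    """Flag storage volumes whose utilization (0..1) is at or above the threshold."""
    return sorted(vol for vol, used in utilization.items() if used >= threshold)


if __name__ == "__main__":
    report = build_daily_report(PLANNED_SCHEDULE, JOB_LOG)
    for rec in report:
        print(rec)
    print(report_exceptions(report))
    # Constructed utilization figures for two disk volumes.
    print(capacity_alerts({"DASD01": 0.91, "DASD02": 0.60}))
```

Run stand-alone, the sample data shows the three cases the slide names: PAYROLL started but never ended, AR_AGING started 35 minutes late and ended abnormally, and GL_POST ran as planned. Comparing against the planned schedule is what turns a raw log into a monitoring control; the unscheduled-job branch covers the case an operator initiates a job outside the schedule.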
Output media distribution
• Many production jobs result in the creation of electronic output files.
These output files are stored in a temporary queue sometimes
referred to as a SPOOL (simultaneous peripheral operations online),
which can be printed, copied to another directory, or both, depending
on the requirements of the data owners.
• Output files should also be purged from the SPOOL on a regular basis,
typically within one or two days, in order to free up disk storage space.
• Physical output media (paper printouts, microfiche, and microfilm)
should be strictly controlled to ensure that unauthorized personnel
are not able to view or acquire sensitive information.
• Logical access to the SPOOL files should be granted only to
necessary computer operations staff and system security
administrators.
Backup and recovery procedures
• As part of the plan, procedures should exist to adequately protect
data and programs against accidental or intentional loss or
destruction.
• The primary controls to provide this protection are to perform periodic
(daily, weekly, monthly) backups of system software, application
programs, etc.
• Daily backups are usually necessary only for data…
• Full backups of the entire system, including system software,
application programs, and data, should be performed weekly or
monthly.
Problem management
• System problems should be carefully logged to help ensure that they are
documented and resolved in a timely and effective manner. SCARAB
• Some organizations maintain a central Help Desk Department.
• Others may require the process owners of each system to field and resolve
their own system problems.
• Action may include resolving the problem over the phone, referring
the problem to a technician, or escalating the problem to a manager.
• On a periodic basis (e.g., weekly), a management report of system
problems should be prepared.
• Unresolved problems should be highlighted, especially those that
have not been corrected for an extended period of time.
Business operations
• Business operations are all other functions within an organization besides
those in the computer operations area.
• Business operations areas typically provide input data to the
computer operations area and utilize the resulting output in their daily
processes.
• Business operations audits should include assessments of the
adequacy of internal controls pertaining to all significant aspects of
the particular process under consideration.
• Information systems controls existing in business operating
environments can pertain to each of the three basic electronic data
processing categories: input, processing, and output.
Segregation of duties
• When examining a business operation or traditional centralized IS
processes such as computer operations, systems development, and
program change control, one of the most critical internal control
objectives is segregation of duties.
• Duties must be properly segregated to adequately protect an
organization from unauthorized access to information, loss of
physical or financial assets, and a myriad of other potential risks.
• Segregation of duties can therefore exist in data entry areas, data
processing areas, and in business operating areas in which
processing output is utilized.
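Segregation of duties is usually tested in two ways: a static check of who holds which rights, and a check of what actually happened in the transaction log. The script below is an added example written for this module, not code from the slides. The list of conflicting duty pairs is an illustrative assumption (it reflects the areas the slide names: data entry, program change control, systems development and computer operations) and the user rights and transaction records are constructed sample data. The log check matters because it catches a self-approval even when the rights matrix looks clean.

```python
from typing import Dict, List, Set, Tuple

# Constructed, illustrative pairs of duties that should not sit with one
# person. A real engagement takes these from the organization's control
# design; they are assumptions here, not a list from the slides.
CONFLICTING_DUTIES: List[Tuple[str, str]] = [
    ("DATA_ENTRY", "DATA_ENTRY_APPROVAL"),
    ("PROGRAM_CHANGE", "PROGRAM_CHANGE_APPROVAL"),
    ("SYSTEMS_DEVELOPMENT", "COMPUTER_OPERATIONS"),
]

# Constructed sample access-rights extract: user -> duties granted.
USER_DUTIES: Dict[str, Set[str]] = {
    "alice": {"DATA_ENTRY"},
    "bob":   {"DATA_ENTRY_APPROVAL"},
    "carol": {"DATA_ENTRY", "DATA_ENTRY_APPROVAL"},
    "dave":  {"SYSTEMS_DEVELOPMENT", "COMPUTER_OPERATIONS"},
}

# Constructed sample transaction log: (transaction id, entered by, approved by).
TRANSACTION_LOG: List[Tuple[str, str, str]] = [
    ("T1001", "alice", "bob"),
    ("T1002", "carol", "carol"),
    ("T1003", "alice", "alice"),   # alice has no approval right, yet approved
]


def role_conflicts(user_duties: Dict[str, Set[str]],
                   conflicts: List[Tuple[str, str]] = CONFLICTING_DUTIES
                   ) -> List[Tuple[str, str, str]]:
    """Static check: users whose granted duties include both halves of a
    conflicting pair. Returns (user, duty_a, duty_b) in user order."""
    found: List[Tuple[str, str, str]] = []
    for user, duties in sorted(user_duties.items()):
        for a, b in conflicts:
            if a in duties and b in duties:
                found.append((user, a, b))
    return found


def self_approvals(log: List[Tuple[str, str, str]]) -> List[str]:
    """Dynamic check: transactions where the same person both entered and
    approved, regardless of what the rights matrix says they may do."""
    return [tid for tid, entered, approved in log if entered == approved]


if __name__ == "__main__":
    print("Rights conflicts:", role_conflicts(USER_DUTIES))
    print("Self-approved transactions:", self_approvals(TRANSACTION_LOG))
```

On the sample data the rights check reports carol and dave, while the log check reports T1002 (carol, consistent with her rights) and T1003, where alice approved her own entry although the rights extract gives her no approval duty. That second finding is the reason the auditor tests the log and not only the access matrix: it points at a control that exists on paper but is not enforced by the system.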
Efficiency and Effectiveness of IS in Business Operation
• Auditors should always be on the lookout for opportunities to
recommend automation of previously manual procedures to increase
operational efficiency.
• Management is often so concerned with day-to-day operations that
they overlook automation opportunities.
• Internal auditors can reinforce a business operation’s justification for
a programming request to automate a procedure.
• Consider whether the benefits of automation will outweigh the costs of
designing and programming the system.
• Sometimes a process may already be automated or a system may
be providing automated information, but the quality of the service or
end product could be enhanced through a change in the automation
process.
Case study of “opportunities to enhance the efficiency and/or effectiveness of business operations by implementing automated solutions were identified during internal audits”
Wire Transfer Automation (Finding)
• During an audit of a wire transfer operation at a financial institution, it
was noted that incoming wires were being manually posted to
customer accounts.
• The incoming wire information was electronically transmitted from the
Federal Reserve to the financial institution’s personal computer–based
wire transfer application. <MT940>
• The Wire Transfer Department was manually posting an average of about
200 wires per day, 1000 wires per week, 5000 wires per year.
• As the financial institution continued to grow, the volume of incoming wire
transfers was also expected to grow.
Wire Transfer Automation (Recommendation)
• The Wire Transfer Department should work with the data processing systems
development group to create an application that could take the
electronically downloaded incoming wire transfer data from the
Federal Reserve and automatically post the transactions to customer
accounts. <MT940>
• Only incoming wires that had invalid account numbers would need to
be processed manually.
• This case study illustrates how an operation in a fast-growing
company can grow so much that automation becomes cost effective,
but the operation is preoccupied with simply keeping up with the day-
to-day volume. In this case, management had not recognized that a
significant amount of manual effort could be saved by automating the
posting of incoming wire transfers.
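The recommended application has a simple core: post every wire whose account number is valid and exists in the account master, and route everything else to a manual queue. The script below is an added example written for this module, not the institution's application and not an MT940 parser (it uses a constructed record layout in place of the downloaded file). The account master, the wire batch and the nine-digit account number rule are assumptions. It also carries the batch control total an auditor would ask for: the amount received must equal the amount posted plus the amount sitting in the manual queue, so nothing is silently dropped between download and posting.

```python
from decimal import Decimal
from typing import Dict, List, NamedTuple, Tuple


class IncomingWire(NamedTuple):
    reference: str
    account_number: str
    amount: Decimal


# Constructed customer account master: account number -> current balance.
ACCOUNT_MASTER: Dict[str, Decimal] = {
    "100200300": Decimal("1500.00"),
    "100200301": Decimal("0.00"),
}

# Constructed batch of incoming wires, standing in for the file downloaded
# from the wire transfer application (simplified layout, not MT940).
INCOMING_WIRES: List[IncomingWire] = [
    IncomingWire("W-001", "100200300", Decimal("250.00")),
    IncomingWire("W-002", "100200399", Decimal("75.50")),    # no such account
    IncomingWire("W-003", "100200301", Decimal("1000.00")),
    IncomingWire("W-004", "10020030A", Decimal("10.00")),    # malformed number
]


def account_number_is_valid(number: str) -> bool:
    """Assumed format rule for this example: exactly nine digits."""
    return number.isdigit() and len(number) == 9


def post_incoming_wires(wires: List[IncomingWire], master: Dict[str, Decimal]
                        ) -> Tuple[Dict[str, Decimal], List[str], List[IncomingWire]]:
    """Auto-post wires to known accounts; route the rest to the manual queue.
    Returns (updated balances, posted references, manual queue). The master
    is copied so the caller's data is untouched until the batch is accepted."""
    balances = dict(master)
    posted: List[str] = []
    manual: List[IncomingWire] = []
    for wire in wires:
        if account_number_is_valid(wire.account_number) and wire.account_number in balances:
            balances[wire.account_number] += wire.amount
            posted.append(wire.reference)
        else:
            manual.append(wire)
    return balances, posted, manual


def control_totals(wires: List[IncomingWire], posted: List[str],
                   manual: List[IncomingWire]) -> Tuple[Decimal, Decimal, Decimal]:
    """Batch control totals: (received, auto-posted, queued for manual posting)."""
    total_in = sum((w.amount for w in wires), Decimal("0"))
    total_posted = sum((w.amount for w in wires if w.reference in posted), Decimal("0"))
    total_manual = sum((w.amount for w in manual), Decimal("0"))
    return total_in, total_posted, total_manual


def batch_reconciles(wires: List[IncomingWire], posted: List[str],
                     manual: List[IncomingWire]) -> bool:
    """True when every amount received is accounted for as posted or queued."""
    total_in, total_posted, total_manual = control_totals(wires, posted, manual)
    return total_in == total_posted + total_manual


if __name__ == "__main__":
    balances, posted, manual = post_incoming_wires(INCOMING_WIRES, ACCOUNT_MASTER)
    print("Posted:", posted)
    print("Manual queue:", [w.reference for w in manual])
    print("Control totals (in, posted, manual):", control_totals(INCOMING_WIRES, posted, manual))
    print("Batch reconciles:", batch_reconciles(INCOMING_WIRES, posted, manual))
```

Two of the four sample wires post automatically and two land in the manual queue (an unknown account and a malformed account number), which is exactly the split the recommendation describes. Amounts are kept as Decimal rather than float so the control total is exact, and the reconciliation check is what lets an auditor confirm that automation did not introduce a new way to lose a transaction.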
The framework for the IS Auditing Standards provides multiple levels of guidance - ISACA1
• Standards
- Define mandatory requirements for IS auditing and reporting.
- They inform:
  - IS auditors of the minimum level of acceptable performance required to meet the
professional responsibilities set out in the ISACA Code of Professional Ethics.
  - Management and other interested parties of the profession’s expectations
concerning the work of practitioners.
  - Holders of the Certified Information Systems Auditor (CISA) designation of
requirements.
• Guidelines
- Provide guidance in applying IS Auditing Standards.
- The IS auditor should consider them in determining how to achieve implementation of
the standards.
- The objective of the IS Auditing Guidelines is to provide further information on how to
comply with the IS Auditing Standards.
• Procedures
- Provide examples of procedures an IS auditor might follow in an audit engagement.
- The objective of the IS Auditing Procedures is to provide further information on how to
comply with the IS Auditing Standards.
1 http://www.isaca.org/Knowledge-Center
IS Audit and Assurance Standards - ISACA1
• Are a cornerstone of its professional contribution to the audit and assurance
community.
• Comprise the first level of ITAF2 guidance.
• Provide information required to meet compliance needs.
• Supply essential guidance to improve effectiveness and efficiency.
• Offer a risk-based approach that is aligned with ISACA methodology.
• Apply to individuals providing assurance over some components of IS
systems, applications and infrastructure.
• May also provide benefits to a wider audience, including users of IS audit
and assurance reports.
• Are issued by the Professional Standards and Career Management
Committee of ISACA.

1 http://www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/Standards-for-IT-Audit-and-Assurance.aspx
2 ITAF = A Professional Practices Framework for IS Audit/Assurance
IS Audit and Assurance Guidelines - ISACA1
• Note that the current guidelines are being revised to support the IS audit and
assurance standards effective 1 November 2013.
• IS Audit and Assurance Guidelines
Subject Effective Date
Audit Charter (G5) 1 February 2008
Organisational Independence (G12) 1 August 2008
Professional’s Independence (G17) 1 May 2010
Reasonable Expectation In development
Due Professional Care (G7) 1 March 2008
Proficiency (G30) 1 June 2005
Assertions In development
Criteria In development
Engagement Planning (G15) 1 May 2010
1 http://www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/IT-Audit-and-Assurance-Guidelines.aspx
IS Audit and Assurance Guidelines - ISACA1
• IS Audit and Assurance Guidelines
Subject Effective Date
Risk Assessment in Audit Planning (G13) 1 August 2008
Performance and Supervision (G8) 1 March 2008
Materiality (G6) 1 May 2008
Evidence (G2) 1 May 2008
Using the Work of Other Experts (G1) 1 March 2008
Irregularity and Illegal Acts (G9) 1 September 2008
Audit Sampling (G10) 1 August 2008
Reporting (G20) 16 September 2010
Follow-up Activities (G35) 1 March 2006
1 http://www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/IT-Audit-and-Assurance-Guidelines.aspx
IS Audit and Assurance Guidelines - ISACA1
• IS Audit and Assurance Guidelines (example)
Subject Effective Date
Audit Charter (G5) 1 February 2008
Audit Sampling (G10) 1 August 2008
1 http://www.isaca.org/Knowledge-Center
IS Audit and Assurance Tools and Techniques - ISACA1
• COBIT 5 family of products
• IS Audit/Assurance Programs
• IT Audit Basics
• Technical and Risk Management Reference Series
• White papers
1 http://www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/IT-Audit-and-Assurance-Tools-and-Techniques.aspx
Thank you
Rujito, S.E., M.M.