
Fasilkom UI

INTRODUCTION TO INFORMATION SYSTEMS AUDIT

IT Audit Processes
Objectives

Understand the overall IT audit process
• The overall definition of the audit process
• Audit standards
• Audit planning
• Audit tasks
Overview

The IT audit process provides reasonable assurance that information and information technology are being processed as expected. It takes place either in an integrated audit, where the IT audit complements the financial audit process, or in a separate IT audit.
Financial Audits

• Financial auditors
  • Evaluate the fairness of financial statements
  • Cover all equipment and procedures used in processing significant data
• Certification: CPA
• Standards: Generally Accepted Accounting Principles (GAAP)
  • Fairly presented in conformity with generally accepted accounting principles (GAAP)
  • The measure for "fairly presented": there is less than 5% chance (5% audit risk) that the financial statements are "materially misstated"
IT Audits

• IT auditors
  • Evaluate IT systems, practices, and operations
  • Assure the validity, reliability, and security of information
  • Assure the efficiency and effectiveness of the IT environment in economic terms
• Certification: CISA, CISM, CISSP, etc.
• Standards: Generally Accepted Auditing Standards (GAAS)
GAAS

• General standards
  • An auditor should have adequate technical training and proficiency
  • An auditor should maintain an independent attitude
  • Due professional care
• Field work standards
  • The auditor must adequately plan the work and must properly supervise any assistants
  • "The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures."
  • The auditor must obtain sufficient appropriate audit evidence
GAAS (continued)

• Reporting standards
  • In accordance with generally accepted accounting principles
  • Identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period
  • Reasonably adequate
  • Contain an expression of opinion regarding the financial statements
ITAF (IT Assurance Framework)

ISACA's framework for IT auditing. It consists of:
• Standards
  • Must be followed by IS auditors
• Guidelines
  • Provide assistance on how to implement the standards
• Procedures
  • Provide examples for implementing the standards

Dasar-Dasar Audit SI
ITAF (IT Assurance Framework)
• General standards
  • The guiding principles under which the IT assurance profession operates
• Performance standards
  • Deal with the conduct of the assignment
• Reporting standards
  • Address the types of reports, means of communication and the information communicated
• Guidelines
  • Provide the IT audit and assurance professional with information and direction about an audit or assurance area
• Tools and techniques
  • Provide specific information on various methodologies, tools and templates
The Overall Audit Process

• Step 1: Audit plan
• Step 2: Audit schedule
• Step 3: Audit tasks
• Step 4: Evaluating the audit's performance and the audit results

A uniform, process-oriented approach: a series of logical, orderly steps.
Step 1: Audit plan

Purpose:
• Identify what must be accomplished
Deliverable:
• An audit plan
Steps:
• Preliminary assessment
• Risk assessment
• Identify application areas
• Preparing an audit plan
Preliminary Assessment

To gather information for an audit plan:
• General data gathering
• Identifying financial application areas

General data:
• Nature of business
• Financial history
• Organization structure
• Systems involved
• Current procedures (e.g., the extent of automation)
General Data Gathering

• System-related information
  • An overall picture of major application systems
    • Interrelationships, key inputs, and outputs
  • Data control procedures
  • Assurance of an uninterruptible power supply
  • Procedures for backup, recovery, and restart of operations
• Methods
  • Interviews: inputs from managers and key stakeholders
  • Documentation
    • Policies, organization chart, prior audit reports
  • Physical inspections
Risk Assessment

Standardized approach to evaluate:
• Business risks
• Application/systems risks
• Current control environment

Prioritized by risk:
• Which subsystems need more detailed examination
Preparing an Audit Plan

The concluding activity in the preliminary review phase of an audit engagement.
Typical sections for an audit plan might include:
• Description of client organization
• Define objectives
• Define audit scope
• Structure work schedules
• Assure reasonable comprehensiveness
• Provide flexibility in approach
Step 2: Audit schedule

• Timing
  • By request
  • Synergizing and coordinating audits
• Resources
  • Availability of internal and external expertise
• Cost
Step 3: Audit tasks

There are seven basic steps that can assist an auditor in the review of a computer-based system:
• Define scope and objectives
• Obtain a basic understanding of the area being audited
• Develop a detailed understanding of the area being audited
• Evaluate control strengths and weaknesses
• Test the critical controls, processes and exposures
• Evaluate the results
• Final evaluation and report
• Documentation
Some major audit decisions

• The evaluation judgment
• Timing of audit procedures
• Audit use of the computer
• Selecting application systems for audit
Obtain an Understanding

Interviews and documentation:
• Understand the relationship of each application to the client's business

Flowchart:
• An effective tool to understand related processes
  • Frequency of processing
  • Document source and destination
  • Actions that process/change the data
  • Controls over the transfer of documents between units
Dealing with Complexity

Conducting an information systems audit is an exercise in dealing with complexity:
1. Given the purposes of the information systems audit, factor the system to be evaluated into subsystems.
2. Determine the reliability of each subsystem and the implications of each subsystem's level of reliability for the overall level of reliability in the system.
Subsystem factoring

• A subsystem is a "unit" which performs a basic function needed by the overall system for it to be able to attain its fundamental objectives.
• Subsystems are logical rather than physical components.
• Different functions delineate different subsystems.
• Subsystem independence: each subsystem can be evaluated separately from the effects of control strengths and weaknesses in other subsystems.
• Internal cohesiveness of subsystems: all the activities performed by the subsystem should be directed towards accomplishing a single function.
Management subsystems

• Top management controls
• Information systems management
• Systems development management
• Programming management
• Data administration
• Security administration
• Operations management
• Quality assurance management
Application subsystems

• Boundary controls
• Input controls
• Communication controls
• Processing controls
• Database controls
• Output controls
Obtain an Understanding

Steps followed in the development of flowcharts and their use as audit evaluation tools include:
• Understanding how data is processed by computers
• Identifying documents and their flow through the system
• Defining critical data
• Developing audit data flow diagrams
• Evaluating the quality of system documentation
• Assessing controls over documents
• Determining the effectiveness of processing under computer programs
• Evaluating the usefulness of reports
Evaluating Control Strengths and Weaknesses

Existence of:
• Documented policies and procedures
  • Accuracy and completeness
• Evidence of compliance
• Process effectiveness
  • Avoid redundancy and bottlenecks
• Management support

Examples of controls over documents:
• Record counts
• Control totals: input = processed
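A worked illustration of record counts and control totals as a control over the transfer of documents between units, added here as an example; it is not code from the original slides. The two batches are constructed sample data, and the hypothetical reconcile function combines a record count with an amount total and a hash total over account numbers to show why a record count alone would miss a dropped document that was compensated by a duplicate.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    """One source document as it moves between units (constructed sample shape)."""
    doc_id: str
    account: int
    amount: Decimal


# Constructed sample: the batch the originating unit sent (the "input" side).
INPUT_BATCH = [
    Record("INV-001", 1001, Decimal("150.00")),
    Record("INV-002", 1002, Decimal("75.50")),
    Record("INV-003", 1003, Decimal("1200.00")),
    Record("INV-004", 1004, Decimal("20.25")),
]

# Constructed sample: what the processing unit actually posted. INV-003 was
# lost in transfer and INV-002 was posted twice, so the record count still
# matches even though the batch is wrong.
PROCESSED_BATCH = [
    Record("INV-001", 1001, Decimal("150.00")),
    Record("INV-002", 1002, Decimal("75.50")),
    Record("INV-002", 1002, Decimal("75.50")),
    Record("INV-004", 1004, Decimal("20.25")),
]


def batch_totals(records):
    """Three batch controls: record count, control total (sum of amounts)
    and hash total (sum of account numbers, meaningless except as a check)."""
    return {
        "record_count": len(records),
        "control_total": sum((r.amount for r in records), Decimal("0")),
        "hash_total": sum(r.account for r in records),
    }


def reconcile(input_records, processed_records):
    """Compare input totals with processed totals ("input = processed") and,
    when they differ, name the documents that are missing or unexpected."""
    inp = batch_totals(input_records)
    out = batch_totals(processed_records)
    differences = {k: (inp[k], out[k]) for k in inp if inp[k] != out[k]}

    # Multiset difference of document ids explains the discrepancy.
    in_ids = Counter(r.doc_id for r in input_records)
    out_ids = Counter(r.doc_id for r in processed_records)
    missing = sorted((in_ids - out_ids).elements())
    extra = sorted((out_ids - in_ids).elements())

    return {
        "balanced": not differences,
        "differences": differences,
        "missing": missing,
        "duplicated_or_unexpected": extra,
    }


if __name__ == "__main__":
    result = reconcile(INPUT_BATCH, PROCESSED_BATCH)
    print("balanced:", result["balanced"])
    for control, (expected, actual) in result["differences"].items():
        print(f"{control}: input={expected} processed={actual}")
    print("missing:", result["missing"])
    print("duplicated or unexpected:", result["duplicated_or_unexpected"])
```

The record count agrees (4 = 4), which is exactly the case the slide's "input = processed" control total is meant to catch: only the amount total and the hash total expose the dropped INV-003 and the duplicated INV-002.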
Component reliability

• A system achieves the goals of asset safeguarding, maintaining data integrity, and achieving system effectiveness and efficiency if each of its subsystems is reliable.
• A subsystem is reliable only if the components that perform the basic activities are reliable.
• Auditors must evaluate components with respect to each type of error or irregularity that might occur.
• The reliability of a component is a function of the controls that act on that component.
• A control is a pattern of activities or actions executed by one or more components to prevent, detect or correct errors or irregularities that might affect the reliability of the component.
Subdivisions of Control Review

[Diagram: Board of Directors and Management set the goals of internal control; risks and threats act on systems, subsystems and components.]

Goals of internal control:
• asset safeguarding
• maintaining data integrity
• achieving system effectiveness and efficiency

Controls shown: management controls, accounting controls, application controls.

Levels of review: systems, subsystems, components.

A subsystem is reliable only if the components that perform the basic activities are reliable. Reliability of a component is a function of the controls that act on that component.

Consider attributes of the control:
• in place and working
• generality vs. specificity
• preventive, detective, corrective
• number of components used to execute
• number of subsystems impacted by the control
Evidence

• Observation
  • Observe the activity being performed
• Evidence of the activity
  • Source documents (input forms, etc.)
  • Output documents (reports)
  • Logs (errors, exceptions)
• Duplicating the activity
  • Repeating the task
Testing

• Compliance testing
  • Are they doing what they said they would do?
  • Determines adherence to existing controls (policies, procedures, etc.)
• Substantive testing
  • Determines whether the business objective is being achieved
  • Are the current controls enabling the intended business goal to be met?
Evaluating the Results

Evaluate against:
• Legal requirements
• Audit standards
• Best practices
• Company policies and procedures
Audit Risk (1)

• The risk of an auditor failing to detect actual or potential material losses or account misstatements at the conclusion of the audit
• DAR = IR × CR × DR
• DAR: desired audit risk
  • Level of reliance of external parties
  • The likelihood that the organization encounters financial difficulties
• IR (inherent risk): likelihood that a material loss or account misstatement exists in some segment of the audit, before considering the reliability of internal control
  • Nature of the organization (is it a high flyer?)
  • The industry in which it operates (rapid change)
  • Management characteristics (aggressive/autocratic)
Audit Risk (2)

• CR (control risk): likelihood that internal control in some segment of the audit will not prevent, detect or correct material losses
  • Consider the reliability of both management and application controls
  • Management controls are fundamental controls because they cover all application systems
• DR (detection risk): likelihood that audit procedures will fail to detect material losses or misstatements
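The model DAR = IR × CR × DR is normally applied in reverse: the auditor fixes the desired audit risk, assesses inherent and control risk for each segment, and solves for the detection risk the substantive procedures may carry. The Python below is an added example, not code from the slides; the segment names and risk values are constructed, and capping DR at 1.0 and ranking segments by tolerable DR are this example's own choices, not part of the model as stated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One segment of the audit with its assessed risks (values are constructed)."""
    name: str
    inherent_risk: float   # IR: chance of material misstatement before any control
    control_risk: float    # CR: chance controls fail to prevent, detect or correct it


def _check_probability(label: str, value: float) -> None:
    """DAR, IR, CR and DR are probabilities; zero is excluded to avoid dividing by it."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{label} must be in (0, 1], got {value}")


def achieved_audit_risk(ir: float, cr: float, dr: float) -> float:
    """The model as stated on the slide: DAR = IR x CR x DR."""
    for label, value in (("IR", ir), ("CR", cr), ("DR", dr)):
        _check_probability(label, value)
    return ir * cr * dr


def required_detection_risk(dar: float, ir: float, cr: float) -> float:
    """Solve the model for DR, the risk the auditor's own procedures may carry
    while still meeting the desired audit risk. A quotient above 1.0 means
    IR x CR is already below DAR; it is capped at 1.0 (an example choice)."""
    for label, value in (("DAR", dar), ("IR", ir), ("CR", cr)):
        _check_probability(label, value)
    return min(1.0, dar / (ir * cr))


def prioritise_segments(dar: float, segments):
    """Rank segments by the detection risk they can tolerate, lowest first.
    A low tolerable DR means substantive testing there must be more extensive."""
    ranked = [
        (s.name, required_detection_risk(dar, s.inherent_risk, s.control_risk))
        for s in segments
    ]
    return sorted(ranked, key=lambda pair: pair[1])


# Constructed example: a 5% desired audit risk (the slide's "less than 5%
# chance" measure) and three segments with different IR and CR assessments.
DESIRED_AUDIT_RISK = 0.05
SAMPLE_SEGMENTS = [
    Segment("Payroll", inherent_risk=0.8, control_risk=0.5),       # weak controls
    Segment("Fixed assets", inherent_risk=0.5, control_risk=0.2),
    Segment("Petty cash", inherent_risk=0.2, control_risk=0.2),    # IR x CR < DAR
]


if __name__ == "__main__":
    for name, dr in prioritise_segments(DESIRED_AUDIT_RISK, SAMPLE_SEGMENTS):
        print(f"{name:<13} tolerable DR = {dr:.3f}")
```

For the payroll segment the auditor may only tolerate DR = 0.05 / (0.8 × 0.5) = 0.125, so substantive testing there has to be extensive; for petty cash IR × CR is already below the desired audit risk, which is why the slide calls management controls fundamental: a reliable control environment directly lowers CR and with it the testing burden.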
Final Evaluation and Report

• Closing meeting with management to discuss the weaknesses identified during the audit and formulate value-adding recommendations
• Management responses
  • Fix discrepancies
• Report audience(s)
• Review process
Evaluate the Audit's Performance

• Client feedback
• Audit results
  • Accurate issues
  • Realistic action plans
• Audit management
  • Resource allocation
  • On time?
• Did the audit add value?
Everyday Auditing

• We develop expectations (standards, best practices)
• We experience or observe an activity (testing)
• We compare our experiences to our expectations (analyze our test results)
• We modify our behavior based on the difference between what we experienced and our expectations (action plan)

Exercise:
• Please apply everyday auditing to the following action: