Presentation titled "IS Audit Standards and Guidelines". Presentation transcript:
IS Audit Standards and Guidelines
CDG4I3 / Information Systems Audit
Angelina Prima K | Gede Ary W.
KK SIDE
Outline
- IIA Standards
- COSO: Internal Control Standard
- BS7799 and ISO 17799: IT Security
- ITIL
- ISACA
- COBIT 5
1. IIA Standards (#1)
The Institute of Internal Auditors (www.theiia.org)
The Standards for the Professional Practice of Internal Auditing consist of:
- Standards: 5 general standards and 25 specific standards
- Guidelines
Professional Practice Framework:
- Standards: mandatory
- Practice Advisories: recommended
- Development and Practice Aids: practical guidance
1. IIA Standards (#2)
Standards for the Professional Performance of Internal Auditing:
- Attribute Standards (attributes of the organizations and individuals involved in the audit)
- Performance Standards (characteristics of internal audit activities and the quality criteria used to measure them)
- Implementation Standards (standards for applying the audit types in various industries and specific specialist areas)
1. IIA Standards (#3)
Code of ethics for Internal Auditors:
- Integrity: the auditor's integrity underpins trust in the assessment produced
- Objectivity: the auditor must be objective in collecting, evaluating and communicating information about the activity/process being assessed
- Confidentiality: the auditor respects the value and ownership of the information received and does not use information beyond their authority except on a legal/professional basis
- Competency: the auditor applies the knowledge, skills and experience needed to carry out the internal audit
2. COSO (#1)
The Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org)
Formed through cooperation between:
- The American Institute of Certified Public Accountants
- The Institute of Internal Auditors
- The American Accounting Association
- The Institute of Management Accountants
- The Financial Executives Institute
2. COSO (#2)
Identifies the basic objectives of every business/government organization, comprising:
- economy and efficiency of operations,
- protection of assets,
- achievement of the desired outcomes,
- reliability of financial and management reporting, and
- compliance with laws and regulations.
Components by which management achieves these objectives:
- Control environment
- Risk assessment process
- Operational control activities
- Information and communication systems
- Monitoring
3. BS 7799 / ISO (#1)
BS 7799 is a standard published by the British Standards Institute (BSI). It consists of 3 parts:
- BS (1995), adopted as ISO/IEC "IT - Code of practice for information security management" (2000), renamed ISO/IEC (2007)
- BS (1999), "Information Security Management Systems - Specification with guidance for use", adopted as ISO/IEC (2005)
- BS (2005), covering risk analysis and risk management, in line with ISO/IEC 27001
NIST
The National Institute of Standards and Technology (http://csrc.nist.gov/)
The scope of the NIST Handbook is similar to BS 7799 and ISO 17799, but it goes into more detail on:
- System security elements
- Roles and responsibilities
- Common threats
4. ITIL v3 (#1)
The Information Technology Infrastructure Library (ITIL) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL provides a cohesive set of best practices, drawn from the public and private sectors internationally.
ITIL describes processes, procedures, tasks and checklists that are not organization-specific, used by an organization for establishing integration with the organization's strategy, delivering value and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement.
ITIL Components
- The ITIL Core: best practice guidance applicable to all types of organizations that provide services to a business.
- The ITIL Complementary Guidance: a complementary set of publications with guidance specific to industry sectors, organization types, operating models, and technology architectures.
5. ISACA Standards (#1)
IS Audit and Control Association (www.isaca.org)
Levels of guidance:
- Standards: IS audit and reporting requirements, covering experienced auditors, management and the other parties involved, and CISA holders
- Guidelines: guidance on applying the IS audit standards
- Procedures: example procedures that an IS auditor should follow
COBIT
COBIT (Control Objectives for Information & Related Technology) is a working guide for managing information technology. It was developed by ISACA (Information Systems Audit and Control Association) and ITGI (IT Governance Institute).
COBIT 5 provides a comprehensive framework that helps enterprises achieve their objectives for the governance and management of enterprise IT.
COBIT 5 is generic and can be applied to enterprises of any size, whether commercial, non-profit or in the public sector.
COBIT 5 Goals Cascade Overview
Step 1. Stakeholder Drivers Influence Stakeholder Needs. Drivers include strategy changes, changes in the business and regulatory environment, and new technologies.
Step 2. Stakeholder Needs Cascade to Enterprise Goals. Enterprise goals are structured using the balanced scorecard (BSC) approach.
Step 3. Enterprise Goals Cascade to IT-related Goals. "IT-related" means information and related technology; these goals are derived from the BSC dimensions. COBIT 5 defines 17 IT-related goals.
Step 4. IT-related Goals Cascade to Enabler Goals.
COBIT 5 Enterprise Enablers
Each enabler:
- Requires input from other enablers in order to be effective, e.g. processes require information, and organizational structures require skills and behaviour
- Produces output needed by other enablers, e.g. processes produce information, and skills and behaviour are needed by other processes in order to be efficient
5. ISACA Standards (#2)
ISACA code of ethics:
- Support the implementation of, and compliance with, appropriate IS standards, procedures and controls
- Perform duties professionally, in accordance with standards and good practice
- Serve stakeholders' needs honestly and in accordance with the rules
- Maintain the privacy and confidentiality of the information obtained
- Maintain professional competency in their respective fields
- Inform the relevant parties of the results of their work
- Support the professional education of stakeholders to improve their understanding of IS security and control
Audit Procedures
These cover:
- The list of people to be interviewed
- The interview questions
- The documentation (policies, procedures, etc.) to be requested during the interviews
- The audit tools to be used
- The sampling level and methodology used
- How and where evidence is archived
- How evidence is evaluated
Types of Internal Controls
- Preventive controls (e.g. restricting users, using passwords, and separating transaction authorization)
- Detective controls (e.g. using audit trails and exception reports)
- Corrective controls (e.g. a disaster recovery plan)
- Directive controls: to achieve positive outcomes and encourage acceptable behaviour
- Compensating controls: to make up for the weakness of another control
Elements of Internal Control
- Segregation of duties. Controls ensuring that the party holding an asset is different from the party recording movements of that asset.
- Competence and integrity of people. To be effective, those who test the controls must be competent, honest and consistent.
- Appropriate levels of authority. Authority must be granted on the basis of need.
- Accountability. Clearly define who is responsible for the decisions, transactions and actions taken.
- Adequate resources. These include people, finances, equipment, materials and methodology.
- Supervision and review. Controls need to be supervised and assessed.
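As an added illustration (not part of the slides), the following Python sketch puts two of the controls above into executable form: a segregation-of-duties check over a role matrix, and a detective control in the form of an exception report over an audit trail, flagging manual balance adjustments that are large or undocumented and accounts whose adjustments are later quietly reversed. The users, accounts, amounts and the 10,000 threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed role matrix (example data): the duties held by each user.
ROLES = {
    "teller01": {"custody"},
    "clerk02": {"record"},
    "head03": {"custody", "record", "adjust"},  # holds assets AND records them
}

# Constructed audit-trail entries: (seq, user, action, account, amount, reference)
AUDIT_TRAIL = [
    (1, "teller01", "deposit", "A100", 500.0, "SLIP-771"),
    (2, "clerk02", "record", "A100", 500.0, "SLIP-771"),
    (3, "head03", "adjust", "A200", -40000.0, ""),        # no supporting document
    (4, "head03", "adjust", "A300", -2500.0, "CALL-DP"),
    (5, "head03", "adjust", "A200", 40000.0, "CALL-DP"),  # reverses entry 3
]


def sod_conflicts(roles):
    """Segregation of duties: users who both hold assets and record their movement."""
    return sorted(user for user, duties in roles.items() if {"custody", "record"} <= duties)


def exception_report(trail, threshold=10000.0):
    """Detective control: flag manual adjustments that are large or undocumented,
    and accounts whose adjustments net to zero (adjusted, then quietly reversed)."""
    adjustments = [e for e in trail if e[2] == "adjust"]
    flagged = []
    for seq, user, _, acct, amount, ref in adjustments:
        reasons = []
        if abs(amount) >= threshold:
            reasons.append("large")
        if not ref:
            reasons.append("undocumented")
        if reasons:
            flagged.append((seq, user, acct, amount, reasons))
    net, count = defaultdict(float), defaultdict(int)
    for _, _, _, acct, amount, _ in adjustments:
        net[acct] += amount
        count[acct] += 1
    reversed_accounts = sorted(a for a in net if count[a] > 1 and abs(net[a]) < 0.005)
    return flagged, reversed_accounts


if __name__ == "__main__":
    print("Segregation-of-duties conflicts:", sod_conflicts(ROLES))
    flagged, reversed_accounts = exception_report(AUDIT_TRAIL)
    for item in flagged:
        print("Exception:", item)
    print("Adjusted then reversed:", reversed_accounts)
```

Such a report is only useful if someone other than the person making the adjustments reviews it, which is the supervision-and-review element above.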
1. EQUITY FUNDING CORPORATION
In 1973, one of the largest single company frauds ever committed was discovered in California. The collapse of the Equity Funding Corporation of America involved an estimated $2 billion fraud. The case was extremely complex, and it took several years before the investigation was complete. However, some of the pertinent findings derived from the Trustee's Bankruptcy report follow.
Equity Funding was a financial institution primarily engaged in life insurance. In 1964, its top management commenced to perpetrate a fraud that would take almost ten years to discover. The intent of the fraud was to inflate earnings so that management could benefit through trading their securities at high prices.
The fraud progressed through three major stages: the "inflated earnings phase", the "foreign phase", and the "insurance phase". The inflated earnings phase involved inflating income with bogus commissions supposedly earned through loans made to customers. Equity Funding had a funded life insurance program whereby customers who bought mutual fund shares could obtain a loan from the company to pay the premium on a life insurance policy. After some years the customer would sell off the mutual fund holdings to repay the loan. The mutual fund shares should have appreciated sufficiently so that only a partial sale of shares would be required. Thus, the customer had the cash value of the insurance policy and the remaining mutual fund shares as assets from the investment.
The inflated earnings obtained via bogus commissions were supported by manual entries made on the company's books. Even though supporting documentation did not exist for the entries, the company's auditors failed to detect the fraud. However, the inflated assets did not bring about cash inflows, and the company started to suffer severe cash shortages because of real operating losses.
To remedy the cash shortage situation, the fraud moved into the second stage, the foreign phase. The company acquired foreign subsidiaries and used these subsidiaries in complex transfers of assets. Funds were brought into the parent company to reduce the funded loans asset account and falsely represent customer repayments of their loans. However, even this scheme proved inadequate.
The third stage, the insurance phase, involved the resale of insurance policies to other insurance companies. This practice is not unusual in the insurance business, when one company needs cash immediately and another company has a cash surplus. Equity Funding created bogus policies. In the short run it attempted to solve its cash problems by selling these policies to another insurance company. In the long run, however, the purchasing company expected cash receipts from premiums on the policies. Because the policies were bogus, Equity Funding had to find the cash to pay the premiums. Thus, it was only a matter of time before the fraud could no longer be concealed. Interestingly, the fraud was revealed by a disgruntled employee who was involved in the fraud but had been fired by Equity Funding management.
The computer was not used in the fraud until the insurance phase. The task of creating the bogus policies was too big to be handled manually. Instead, a program was written to generate policies. These policies were coded as the now infamous "Class 99".
The trustee's investigations led to two conclusions. First, the fraud was unsophisticated and doomed to failure. Second, some of the fundamental principles of good auditing were not applied.
Required. Write a brief report outlining some traditional audit procedures that, if they had been used, should have detected the fraud. Be sure to explain why you believe the procedures you recommend would have been successful.
(Weber, Ron. Information Systems Control and Audit. Prentice-Hall, Inc.)
2. JERRY SCHNEIDER
One of the more famous cases of computer abuse involves a young man named Jerry Schneider. Schneider had a flair for electronics. By the time he left high school, he had already formed his own firm to market his inventions. His firm also sold refurbished Western Electric telephone equipment. In 1970, he devised a scheme whereby Pacific Telephone in Los Angeles would supply him with good equipment, free!
Pacific Telephone used a computerized equipment ordering system. Equipment sites placed orders using a touch-tone card dialer. The orders were subsequently keypunched onto cards. The computer then updated the inventory master file and printed the orders. The orders were supplied to a transportation office that shipped the supplies.
Schneider intended to gain access to the ordering system. He sought to have Pacific Telephone deliver supplies to him as if he were one of its legitimate sites. He used a variety of techniques to find out how the system worked and to breach security: he sifted through trash cans and found discarded documents that provided him with information on the ordering system, and he posed as a magazine writer and gathered information directly from Pacific Telephone. To support his activities, he bought a Pacific Telephone delivery van at an auction, "acquired" the master key for supply delivery locations in the Los Angeles area, and bought a touch-tone telephone card dialer with a set of cards similar to those used by the equipment sites to submit orders.
Schneider took advantage of the budgeting system used for ordering sites. Typically, these sites had a budget allocated larger than they needed. Provided this budget was not exceeded, no investigation of equipment ordering took place. Schneider managed to gain access to the online computer system containing information on budgets. He then determined the size of orders that would be tolerated. For seven months Pacific Telephone delivered him equipment that he resold to his customers and to Pacific Telephone. He kept track of the reorder levels for various Pacific Telephone inventories, depleted these inventories with his ordering, and then resold the equipment back to Pacific Telephone.
Schneider's downfall occurred when he revealed his activities to an employee. He was unable to keep up with the pace of his activities. As a result, he confided in an employee to obtain assistance. When the employee asked for a pay raise, Schneider fired him. The employee then went back to Pacific Telephone and told them about the fraud.
There are varying reports on how much Schneider took from Pacific Telephone. Parker (1976) estimates that possibly equipment worth a few million dollars was taken. For the fraud Schneider received a two-month jail sentence followed by three years' probation. Interestingly, upon completing the jail term, he set up a consulting firm specializing in computer security.
Required. Write a brief report outlining some basic internal control procedures that, if they had been applied, should have prevented or detected Schneider's activities. Be sure to explain why the application of the internal control procedures you recommend would have been successful.
(Weber, Ron. Information Systems Control and Audit. Prentice-Hall, Inc.)
3. UNION DIME SAVINGS BANK
Banks seem especially prone to computer abuse. Roswell Steffen used a computer to embezzle $1.5 million of funds at the Union Dime Savings Bank in New York City. In an interview with Miller (1974) after he was discovered, he claimed, "Anyone with a head on his shoulders could successfully embezzle funds from a bank. And many do."
Steffen was a compulsive gambler. He initially "borrowed" $5,000 from a cash box at the bank to support his gambling, with the intention of returning the money from his earnings. Unfortunately, he lost the $5,000. He then spent the next three and one-half years trying to replace the money, again by "borrowing" from the bank to gamble at the racetrack.
As the head teller at Union Dime, Steffen had a supervisory terminal in the bank's online computer system that he used for various administrative purposes. He took money from the cash box and used the terminal to manipulate customer account balances so the discrepancies would not be evidenced in the bank's daily proof sheets.
He used several techniques to obtain money. He first concentrated on accounts over $100,000 that had little activity and had interest credited quarterly. He used the supervisory terminal to reduce the balances in these accounts. Occasionally an irate customer complained about the balances. Steffen then faked a telephone call to the data processing department, informed the customer it was a simple error, and corrected the situation by moving funds from another account.
Other sources of funds included two-year certificate accounts and new accounts. With two-year certificate accounts, he prepared the necessary documents but did not record the deposit in the bank's files. Initially he had two years to correct the situation. Matters became more complicated, however, when the bank started to pay quarterly interest on these accounts.
With new accounts, he used two new passbooks from the bank's supply of prenumbered books. Upon opening an account, he entered the transaction using the account number of the first passbook but recorded the entry in the second passbook. He then destroyed the first passbook.
Perpetrating the fraud became very complex, and Steffen made many mistakes. However, the bank's internal control system and audit techniques were sufficiently weak that he could explain away discrepancies and continue. He was caught because police raided Steffen's bookie and noticed a lowly paid bank teller making very large bets.
Required. Write a brief report outlining some basic internal control procedures that, if they had been applied, should have prevented or detected Steffen's activities. Be sure to explain why the application of the control procedures you recommend would have been successful.
(Weber, Ron. Information Systems Control and Audit. Prentice-Hall, Inc.)