THE IMPACT OF IT ON AUDITING

Presentation transcript:

14 AUDITING (PEMERIKSAAN AKUNTANSI): THE IMPACT OF IT ON AUDITING. YULAZRI M.AK., CA., CPA. FACULTY OF ECONOMICS & BUSINESS

VISION AND MISSION OF UNIVERSITAS ESA UNGGUL

Material before the midterm exam (UTS): introduction to auditing; the audit process; audit responsibilities and objectives; audit evidence; audit working papers; auditing standards; the audit report.

Material after the midterm exam (UTS): materiality and audit risk; internal control; IC assessment and IC testing; planning and the audit program; professional code of ethics; legal liability; the impact of IT on the audit process.

EXPECTED LEARNING OUTCOMES. Students understand the stages of the audit process. Students understand the audit planning process. Students can use the basic application of financial statement analysis (analytical review).

Audit process/stages (diagram). Previous: Planning, Field work, Reporting. New: Risk, Risk response, Reporting.

Audit planning: an audit should be planned.

Basic Computer Architecture. Central Processing Unit (CPU). Main Memory (RAM): volatile memory; turn off the computer and it forgets. Disk Drive: non-volatile (persistent) memory; maintains data across shutdowns. Data files, temporary files, registry entries, unallocated space, swap space, log files, email.

Computer Forensic Requirements: Hardware. Familiarity with all internal and external devices/components of a computer. Thorough understanding of hard drives and settings. Understanding motherboards and the various chipsets used. Power connections. Memory.

IT AND ACCOUNTING. Information technology (IT) serves to improve the effectiveness, efficiency and quality of business processes, including the accounting process. Information technology has a major influence on the approach to, and the process of, auditing financial statements. Auditors must understand the strengths and weaknesses of IT.

How Information Technologies Enhance Internal Control. Computer controls replace manual controls. Higher-quality information is available.

IT AND THE CONTROL SYSTEM. IT replaces manual controls, which tend to be less effective and less efficient. IT improves the quality of data processing in terms of: its ability to process complex transactions in large volumes effectively and efficiently; consistency in data processing; its ability to ensure the reliability of data processing.

IT AND THE CONTROL SYSTEM. IT replaces conventional segregation of duties. IT reduces the opportunity for fraud. IT improves the quality of information in terms of: timeliness, accuracy of information, ease of access, and adaptability to the needs of information users (customizing).

Assessing Risks of Information Technologies. IT can improve a company’s internal controls; however, it can also affect the company's overall control risk. If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors. Specific risks to IT systems include: risks to hardware and data; reduced audit trail; need for IT experience and separation of IT duties.

RISKS OF USING IT. Today IT is no longer an option but a necessity. Risks that must be considered include: damage to data files and information caused by hardware/software failure; very large-scale processing failures that cannot be detected immediately; high dependence on the functioning of hardware/software.

Risks to Hardware and Data. Reliance on hardware and software: without proper physical protection, hardware or software may not function or may function improperly. Systematic vs. random errors: when organizations replace manual procedures with technology-based procedures, the risk of random error from human involvement decreases. However, the risk of systematic error increases because once procedures are programmed into computer software, the computer processes information consistently for all transactions. Unauthorized access: IT-based accounting systems often allow online access to electronic data in master files, software and other records. Because online access can occur from remote access points, there is potential for illegitimate access. Data loss: since much of the data is stored in centralized electronic files, this increases the risk of loss or destruction of entire data files.

RISKS OF USING IT. Systematic vs. random errors: when manual processes are replaced by IT, random errors caused by human error can be reduced, but systematic errors may actually increase. Unauthorized access: online access to electronic data potentially increases the risk of access without authorization. Loss of data: electronic data, which is mostly stored centrally in a database, increases the risk of damage to or loss of the entire data set. Need for IT experience: using IT requires staff who understand and can make use of the strengths of IT.

IT CONTROLS. General controls are the controls over all aspects of the IT function, covering: IT administration, segregation of IT duties, IT development, security of physical and online access to hardware/software/data, data backup, and contingency planning for emergencies. Auditors must evaluate general controls for IT as a whole across the organization.

IT CONTROLS. Application controls are the controls over the application programs used to process transactions, such as the controls for the sales and cash receipts systems. Auditors must evaluate application controls for each class of transactions or account, because application controls may differ for each class of transactions or account.

Reduced Audit Trail: visibility of audit trail; reduced human involvement; lack of traditional authorization; detection risk. The use of IT often reduces or even eliminates source documents and records that allow the organization to trace accounting information. In many IT systems, employees who deal with the initial processing of transactions never see the final results. Therefore, they are less able to identify mistakes. Advanced IT systems can often initiate transactions automatically, such as calculating interest on savings accounts and ordering inventory when pre-specified order levels are reached.

Need for IT Experience and Separation of Duties: reduced separation of duties; need for IT experience. It is important to have personnel with knowledge and experience to install, maintain, and use the system.

Internal Controls Specific to Information Technology. Information technology controls comprise general controls and application controls. General controls apply to all aspects of the IT function, including IT administration, separation of IT duties, systems development, and physical and online security over access to hardware, software and related data. Application controls apply to processing transactions.

Relationship Between General and Application Controls

Control activities: policies and procedures that help ensure management directives are carried out.

Control Activities: segregation of duties; information processing controls (general controls, application controls); physical controls; performance reviews.

Segregation of duties: no one person should perform incompatible duties. Separation of the execution, recording, and asset custody duties of a transaction. Separation of the IT department from users. Separation within the IT department: systems development, operations, data control, security administration.

Information Processing Control. General controls: organizational and operational controls; systems development and documentation controls; hardware and software controls; access controls; data and procedural controls. Application controls.

Physical Control: direct physical control; indirect physical control; periodic counts of assets.

Information and communication: the identification, recording, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Information and Communication. Transactions: only valid transactions; all transactions; rights and obligations; measurement; sufficient detail. Audit or transaction trail: documents and records.

Categories of General and Application Controls

Administration of the IT Function The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.

Segregation of IT Duties. The CIO or IT manager should be responsible for oversight of the IT function. Systems analysts are responsible for the overall design of each application system. Computer operators are responsible for the day-to-day operations of the computer following the schedule established by the CIO.

Systems Development. Typical test strategies: pilot testing and parallel testing. Pilot testing is when a new system is implemented in one part of the organization while other locations continue to rely on the old system. Parallel testing is when the new and old systems operate simultaneously in all locations.

Physical and Online Security. Physical controls: keypad entrances; badge-entry systems; security cameras; security personnel. Online controls: user ID control; password control; separate add-on security software. Physical controls decrease the risk of unauthorized changes to programs and improper use of programs and data files. Proper user IDs and passwords control access to software and related data files, thus reducing the likelihood that unauthorized changes are made to software applications and data files.

Backup and Contingency Planning. Offsite storage of critical files is a key element of a backup and contingency plan. One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.

Hardware Controls. These controls are built into computer equipment by the manufacturer to detect and report equipment failures.

Application controls are designed for each software application: input controls; output controls; processing controls.

Application control: input controls; processing controls; output controls.

Application control: input control. Authorization. Input data conversion: verification control; computer editing (missing data check, valid character check, limit (reasonableness) check, valid sign check, valid code check, check digit). Error correction.
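
The computer editing checks listed on this slide, applied to keyed-in transaction records, as an added example that is not part of the original slides. The field names, the transaction codes, the limit, the sign rule and the choice of the Luhn (mod 10) scheme for the check digit are assumptions made for the illustration.

```python
import re
from decimal import Decimal

VALID_CODES = {"SALE", "RETURN"}   # assumed transaction codes
AMOUNT_LIMIT = Decimal("10000")    # assumed reasonableness limit

def luhn_ok(number):
    """Check digit test; the Luhn (mod 10) scheme is an assumption."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec):
    """Return the names of the edit checks a keyed-in record fails."""
    if any(not rec.get(f, "").strip() for f in ("account", "code", "amount")):
        return ["missing data check"]
    if not (re.fullmatch(r"[0-9]+", rec["account"])
            and re.fullmatch(r"-?[0-9]+(\.[0-9]{2})?", rec["amount"])):
        return ["valid character check"]
    failed = []
    if not luhn_ok(rec["account"]):
        failed.append("check digit")
    amount = Decimal(rec["amount"])
    if abs(amount) > AMOUNT_LIMIT:
        failed.append("limit check")
    if rec["code"] not in VALID_CODES:
        failed.append("valid code check")
    elif (amount < 0) != (rec["code"] == "RETURN"):
        # Assumed rule: sales are positive, returns are negative.
        failed.append("valid sign check")
    return failed

# Constructed sample records
GOOD = {"account": "79927398713", "code": "SALE", "amount": "250.00"}
TRANSPOSED = dict(GOOD, account="79927398731")         # last two digits swapped
WRONG_SIGN = dict(GOOD, amount="-250.00")
BAD_CODE_OVER_LIMIT = dict(GOOD, code="REFUND", amount="25000.00")
LETTER_IN_ACCOUNT = dict(GOOD, account="7992739871O")  # letter O, not zero
BLANK_AMOUNT = dict(GOOD, amount=" ")

if __name__ == "__main__":
    for name in ("GOOD", "TRANSPOSED", "WRONG_SIGN", "BAD_CODE_OVER_LIMIT",
                 "LETTER_IN_ACCOUNT", "BLANK_AMOUNT"):
        print(name, edit_checks(globals()[name]))
```

Records that fail any check would go to the error correction step rather than into processing.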

Processing Control: control totals; file identification labels; limit and reasonableness checks; before-and-after report; sequence test; process tracing data.

Output control: the results are correct and only authorized persons receive them. Reconciliation of totals; comparison to source documents; visual scanning.

Input Controls. These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.

Batch Input Controls. Financial total: total for all records in a batch. Hash total: total of codes from all batch records. Record count: total of records in a batch.
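
The three batch totals above, computed for a batch and reconciled against its header, as an added example that is not part of the original slides. The record layout, the field names and the sample batches are constructed for the illustration; the last case shows a compensating error that none of the three totals detects.

```python
from decimal import Decimal

def batch_totals(records):
    """Compute the three batch control totals for a list of records."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records),
                               Decimal("0")),
        # Hash total: a sum over a code field. The number itself is
        # meaningless; it exists only to be compared.
        "hash_total": sum(int(r["customer_no"]) for r in records),
    }

def reconcile(header, records):
    """Return the names of the control totals that differ from the header."""
    actual = batch_totals(records)
    return sorted(name for name in header if header[name] != actual[name])

# Constructed batch as submitted, with the header prepared before data entry
SUBMITTED = [
    {"customer_no": "10482", "amount": "150.00"},
    {"customer_no": "20917", "amount": "75.50"},
    {"customer_no": "33105", "amount": "210.25"},
]
HEADER = batch_totals(SUBMITTED)

# Constructed versions of the batch as it arrives after processing
MISKEYED_CUSTOMER = [dict(SUBMITTED[0], customer_no="10428")] + SUBMITTED[1:]
ALTERED_AMOUNT = SUBMITTED[:2] + [dict(SUBMITTED[2], amount="201.25")]
DROPPED_RECORD = SUBMITTED[:2]
# Amounts of the first two customers swapped: every total still agrees.
SWAPPED_AMOUNTS = [
    dict(SUBMITTED[0], amount="75.50"),
    dict(SUBMITTED[1], amount="150.00"),
    SUBMITTED[2],
]

if __name__ == "__main__":
    for name in ("SUBMITTED", "MISKEYED_CUSTOMER", "ALTERED_AMOUNT",
                 "DROPPED_RECORD", "SWAPPED_AMOUNTS"):
        print(name, reconcile(HEADER, globals()[name]))
```

Because the swapped batch reconciles cleanly, batch totals are paired with record-level checks such as comparison to source documents.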

Processing Controls. Validation test: correct file, database, or program? Sequence test: correct processing order? Arithmetic accuracy test: accuracy of processed data? Data reasonableness test: data exceeds preset amounts? Completeness test: completeness of record fields?

Output Controls. These controls focus on detecting errors after processing is completed rather than on preventing errors.

Impact of Information Technology on the Audit Process. Effects of general controls on system-wide applications: ineffective general controls create the potential for material misstatements across all system applications regardless of the quality of the application controls. Effects of general controls on software changes: client changes to application software affect the auditor’s reliance on automated controls. Obtaining an understanding of client general controls: auditors obtain information about general and application controls through interviews, examination of system documentation, and reviews of detailed questionnaires completed by IT staff. Relating IT controls to transaction-related audit objectives: if general controls are ineffective, the auditor’s ability to rely on IT-related application controls to reduce control risk in all cycles is reduced. Effect of IT controls on substantive testing: after identifying specific IT-based application controls that can be used to reduce control risk, auditors can reduce substantive testing.

Auditing in IT Environments with Varied Complexity. Less complex: audit around the computer (smaller companies; IT controls less effective). More complex: audit through the computer (test data; parallel simulation).

Auditing Around and Through the Computer

Test Data Approach. Auditors process their own test data using the client’s computer system and application program to determine whether the automated controls correctly process the test data. 1. Test data should include all relevant conditions that the auditor wants tested. 2. Application programs tested by the auditors’ test data must be the same as those the client used throughout the year. 3. Test data must be eliminated from the client’s records.

Test Data Approach (flowchart): input test transactions to test key control procedures; master files; application programs (assume batch system); transaction files (contaminated?); contaminated master files; control test results.

Test Data Approach (flowchart, continued): control test results; auditor-predicted results of key control procedures based on an understanding of internal control; auditor makes comparisons; differences between actual outcome and predicted result.

Parallel Simulation. The auditor uses auditor-controlled software to perform parallel operations to the client’s software by using the same data files.

Parallel Simulation (flowchart): production transactions and master file feed both the auditor-prepared program and the client application system programs; these produce auditor results and client results; the auditor makes comparisons between the client’s application system output and the auditor-prepared program output; exception report noting differences.
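
The parallel simulation flow above in miniature, as an added example that is not part of the original slides: an auditor-prepared program recomputes results from the same transactions and master file, and the differences from the client output form the exception report. The invoice pricing rule (quantity times master-file price), the field names and all sample data are assumptions constructed for the illustration.

```python
from decimal import Decimal

def auditor_program(transactions, price_master):
    """Auditor-prepared recomputation: quantity x master-file price (assumed rule)."""
    return {t["invoice"]: Decimal(t["qty"]) * Decimal(price_master[t["item"]])
            for t in transactions}

def exception_report(transactions, price_master, client_results):
    """Compare auditor results with client output and list the differences."""
    auditor_results = auditor_program(transactions, price_master)
    exceptions = []
    for invoice in sorted(set(auditor_results) | set(client_results)):
        expected = auditor_results.get(invoice)
        actual = client_results.get(invoice)
        if expected is None:
            exceptions.append(
                (invoice, "in client output but not in transaction file"))
        elif actual is None:
            exceptions.append((invoice, "missing from client output"))
        elif Decimal(actual) != expected:
            exceptions.append(
                (invoice, f"client {actual} vs auditor {expected}"))
    return exceptions

# Constructed master file and production transactions (same files the client used)
PRICE_MASTER = {"A100": "12.50", "B200": "3.20"}
TRANSACTIONS = [
    {"invoice": "INV-001", "item": "A100", "qty": "4"},
    {"invoice": "INV-002", "item": "B200", "qty": "10"},
    {"invoice": "INV-003", "item": "A100", "qty": "2"},
]
# Constructed client application output containing three kinds of difference
CLIENT_RESULTS = {"INV-001": "50.00", "INV-002": "23.00", "INV-004": "99.00"}

if __name__ == "__main__":
    for invoice, note in exception_report(TRANSACTIONS, PRICE_MASTER,
                                          CLIENT_RESULTS):
        print(invoice, note)
```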

Embedded Audit Module Approach. The auditor inserts an audit module in the client’s application system to identify specific types of transactions.

Embedded Audit Module Approach

Issues for Different IT Environments: network environments; database management systems; e-commerce systems; outsourced IT.

STRENGTHS OF IT. Reduced human involvement: business processes become more efficient and are not limited by time. Lack of traditional authorization (elimination of manual authorization): authorization is widely distributed, and business processes are faster and more efficient. Reduced separation of duties: business processes become simpler, complicated bureaucracy is sharply reduced, and controls are performed electronically.

General vs. Application Controls (diagram). GENERAL CONTROLS. Application controls: cash receipts application controls; sales application controls; payroll application controls; application controls for other cycles. Risks: unauthorized changes to application software; conflicts between subsystems; unauthorized changes to master files; unauthorized processing.