IT audit - general control
General Control
Zaldy Adrianto
Definition
• Assessment of the risks related to the IT organization, security, acquisition, development and maintenance, and computer operations.
Objectives
• To provide a comprehensive framework of internal controls for IT activities and to provide a certain level of assurance that the overall internal control objectives can be achieved.
According to Indonesian Auditing Standards (PSA No. 60 / SA Seksi 314)
General Control Elements
• Organizational and Managerial
• System Development and Maintenance
• Operating System
• Software
• Data Entry and Program
• Backup and Recovery
According to PSA No. 60 / SA Seksi 314
Organizational and Managerial Control
• To provide assurance that an organizational and management structure has been established to provide adequate internal control, among other things by having:
• Policies and procedures relating to the control function.
• Proper segregation of incompatible functions (such as preparing input transactions, programming and computer operations).
System Development and Maintenance Control
• To provide assurance that system development and maintenance are carried out efficiently and through proper authorization, including:
• Testing, change, implementation and documentation of new or revised systems.
• Changes to application systems.
• Access to system documentation.
• Acquisition of application systems and program listings from third parties.
Operating System Control
• Controls over system operations are in place to provide assurance that:
• The system is used only for authorized purposes.
• Access to computer operations is restricted to authorized employees.
• Only authorized programs are used.
• Processing errors can be detected and corrected.
Software Control
• Controls are in place so that application software is designed, acquired and developed efficiently and through proper authorization:
• Authorization, approval, testing, implementation and documentation of new system software and of modifications to system software.
• Access to software and system documentation is restricted to authorized employees only.
Backup and Recovery Procedure
• Assurance is in place for the continuity of information-system processing and the availability of information. This includes:
• Backup copies of data and computer programs kept at a location different from the main data-processing site.
• Recovery procedures for use in the event of theft, loss or destruction of data, whether deliberate or accidental.
• Provision of processing at a location outside the company in the event of a disaster.
Data Entry and Program Control
• Controls over the data entry process and over programs are in place to provide assurance that:
• An authorization structure has been applied to transactions entered into the system.
• Access to data and programs is restricted to authorized employees only.
General Control Illustration
Diagram labels: environments Production, Testing and Development; processing flow Input, Process, Output; surrounding general controls: Logical Access Control, Physical Access Control, Program Change Control, and Policy and Standard Operating Procedures.
IT Planning and Organization
• Strategic Plan (3-5 years)
  • Current information assessment
  • Strategic directions
  • Development strategy
• Operational Plan (1-3 years)
  • Progress reports
  • Initiatives to be undertaken
  • Implementation schedule
IT Plan Review
• Auditors evaluate whether top management has formulated a high-quality information systems plan appropriate to the needs of their organization.
Example of risks caused by poor planning
• declining efficiency and effectiveness of IT functions, insufficient resources to provide the required IT functions / availability, going concern issues and lack of competitive advantages.
Organization
• Organizational controls ensure the alignment of IT facilities with the business needs and the proper management of these facilities.
Key risks
• IT does not support business needs
• Loss of efficiency, untimely problem solving, unsatisfied staff, no improvements
• Unwanted combination of functions
• Untimely management reporting
• High dependence on one/few persons
Key controls
• Planning and budgeting
• Quality and quantity of staff
• Segregation of duties or close supervision
• Efficient use of IT
• Procedures and documentation
Organizational issues
• Position of IT department in organization
• Planning and reporting
• Centralization or decentralization of tasks
• Functions and task descriptions of IT staff
• Quality and quantity of staff
• Cost center, Profit center, Investment center and Hybrid center
Change Management
• Change management procedures ensure that changes in the IT hardware and software do not negatively affect the general and application controls.
Key risks
• Loss of effectiveness of IT controls
• Loss of valuable hardware during changes
• IT no longer meets the business needs
Key controls
• Use of development and programming standards
• Proper testing by the users
• Up-to-date hard- and software documentation
• User involvement in initiating and approving changes
Integrated Audit Approach with the Systems Development Life Cycle
SDLC phases shown in the diagram:
• Feasibility Study
• Information Analysis
• System Design
• Program Development
• Procedures and Forms Development
• Acceptance Testing
• Conversion
• Operation & Maintenance
Software Change Process
Access rights per environment, as shown in the diagram:
• Software library: read access for the librarian
• Development: read, write and delete access rights for developers
• Test and acceptance: use access rights for developers and users
• Production: use access rights for users
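The access matrix on this slide can be turned into a check that an auditor runs over an extract of the software library's access list, flagging every grant that exceeds what the role is allowed in that environment. This is an added example and not part of the original slides; the role and environment names, the Grant record and the sample access list are constructed assumptions.

```python
"""Segregation-of-duties check for the software change process.

Added example (not from the original slides): the access matrix from the
Software Change Process slide is encoded as a policy, and constructed
access-rights records are checked against it.
"""
from dataclasses import dataclass

# Environment -> role -> permitted rights, as shown on the slide.
# "use" means execute-only access to the software library (assumed naming).
POLICY = {
    "development": {"developer": {"read", "write", "delete"},
                    "librarian": {"read"}},
    "test":        {"developer": {"use"}, "user": {"use"},
                    "librarian": {"read"}},
    "production":  {"user": {"use"}, "librarian": {"read"}},
}


@dataclass(frozen=True)
class Grant:
    """One row of a (hypothetical) software library access-list extract."""
    account: str
    role: str
    environment: str
    rights: frozenset


def violations(grants):
    """Return (account, environment, excess rights) for every grant that
    exceeds the policy. Unknown roles or environments are allowed nothing,
    so any right held there is reported as excess."""
    findings = []
    for g in grants:
        allowed = POLICY.get(g.environment, {}).get(g.role, set())
        excess = g.rights - allowed
        if excess:
            findings.append((g.account, g.environment, frozenset(excess)))
    return findings


# Constructed sample extract of the software library's access list.
SAMPLE_GRANTS = [
    Grant("dev01", "developer", "development", frozenset({"read", "write", "delete"})),
    Grant("dev01", "developer", "test", frozenset({"use"})),
    # Developer kept write access in production: segregation-of-duties breach.
    Grant("dev02", "developer", "production", frozenset({"use", "write"})),
    Grant("lib01", "librarian", "production", frozenset({"read"})),
    # End user able to delete in test: more than the "use" right the slide allows.
    Grant("usr07", "user", "test", frozenset({"use", "delete"})),
]

if __name__ == "__main__":
    for account, env, excess in violations(SAMPLE_GRANTS):
        print(f"{account} in {env}: excess rights {sorted(excess)}")
```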
Preliminary study
• Technical feasibility: Is the available technology sufficient to support the proposed project? Can the technology be acquired or developed?
• Operational feasibility: Can the input data be collected for the system? Is the output usable?
• Economic feasibility: Do the benefits of the system exceed the cost?
• Behavioral feasibility: What impact will the system have on the users’ quality of working life?
Type of Testing
• Program Testing
• System Testing
• User Testing
• Quality Assurance Testing
Physical Security
Asset diagram (labels only): assets are divided into Physical and Logical. Labels shown: Personnel; Hardware (Mainframe, minis & micros; Peripherals: online/offline); Facilities; Documentation; Supplies; Storage Media; Data / Information; Software (System, Application).
How do we secure our assets?
Definition
• Physical security of computer hardware covers all controls to prevent damage to or loss of valuable assets and data on systems.
Key risks
• Loss of valuable hardware
• Tampering or damage to hardware
• Damage by external influences (fire, water)
• Disturbances caused by power fluctuations
Key controls
• Locked and dedicated computer room
• Availability of back-up power supply
• Fire and water detectors
• No potentially dangerous situations (sprinklers, computer room on ground floor, etc.)
Examples of physical threats
• Fire and smoke;
• Water;
• Power supply fluctuations and failures;
• Structural Damage;
• Pollution;
• Misuse;
• Theft.
Controls mitigating the threats
• Fire: smoke and fire detectors, reliable fire-extinguishing tools
• Water: water detectors; facilities must be designed and sited to mitigate losses from water damage
• Energy variations: voltage regulators, circuit breakers and UPS
• Structural damage: facilities must be designed to withstand structural damage
• Pollution: regular cleaning of facilities and equipment
Controls mitigating the threats (cont’d)
• Viruses and worms: up-to-date virus-scanning software, preventing the use of virus-infected programs and closing the security loopholes that allow worms to propagate.
• Theft: labeling and locking.
Picture example of Physical Security
Logical Access Control
• Logical Access Security covers the controls to restrict access to information systems and data to authorized users.
Key risks
• Potential for fraud and misuse of systems and data
• Loss of information confidentiality
Key controls
• Up-to-date user access list
• Use of unique user-id and password
• Periodic review of list by management
• Regular change of passwords
• Clean desk
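Three of the key controls above (an up-to-date access list, unique user-ids, regular password changes) can be tested directly from a user access list extract. The review below is an added example and not part of the original slides; the record layout, the 90-day password age limit, the leaver list and all sample accounts are constructed assumptions.

```python
"""User access list review for the logical access key controls.

Added example, not from the original slides. Reviews a constructed user
access list against three of the slide's controls: accounts of leavers
must be gone (list is up to date), every account must belong to a named
person (unique user-id, no shared accounts), and passwords must be changed
regularly. The 90-day limit and all sample data are assumptions.
"""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value


def review_access_list(accounts, leavers, today):
    """Return a list of (user_id, finding) pairs for management review.

    accounts: list of dicts with user_id, owner (None for a shared account)
              and password_changed (a date).
    leavers:  set of owner names that HR reports as having left.
    """
    findings = []
    for acct in accounts:
        uid = acct["user_id"]
        owner = acct["owner"]
        if owner in leavers:
            findings.append((uid, "account belongs to a leaver; access list out of date"))
        if owner is None:
            findings.append((uid, "shared or ownerless account; no unique user-id"))
        if (today - acct["password_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((uid, "password older than policy allows"))
    return findings


# Constructed sample data for the review.
ACCOUNTS = [
    {"user_id": "jdoe", "owner": "Jane Doe", "password_changed": date(2024, 5, 1)},
    {"user_id": "bsmith", "owner": "Bob Smith", "password_changed": date(2024, 1, 15)},
    {"user_id": "ops_shared", "owner": None, "password_changed": date(2023, 11, 1)},
]
LEAVERS = {"Bob Smith"}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for uid, finding in review_access_list(ACCOUNTS, LEAVERS, TODAY):
        print(f"{uid}: {finding}")
```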
Authentication Process
Diagram labels: Identification, Authentication, Authorization; User Profiles; Access control files; Database, Software Library; Audit log; Report writer; Security reports.
Backup, Recovery and Contingency
• Backup controls and business continuity planning cover all procedures to ensure the availability of computer systems and data.
Key risks
• Data cannot be recovered (in time) after system failure
• Backup tapes are damaged, lost or cannot be used
• Loss of valuable business information
• Business cannot be continued after disaster (fire, etc.)
Key controls
• Regular backups, preferably daily
• Safe storage of tapes, preferably in a fireproof vault and off site
• Periodic testing of restores from backup tapes
• Preparation of Business Continuity Plan (not limited to IT!)
Backup Strategy for critical IT Resources
• Personnel: training and rotation of duties among information systems staff so they can take the place of others; arrangements with another company for provision of staff
• Hardware: arrangements with another company for provision of hardware
• Facilities: arrangements with another company for provision of facilities
• Documentation: inventory of documentation stored securely on site and off site
Backup Strategy for critical IT Resources (cont’d)
• Supplies: inventory of critical supplies stored securely on site and off site
• Data / Information: inventory of files stored securely on site and off site
• Application software: inventory of application software stored securely on site and off site
• System software: inventory of system software stored securely on site and off site
Disaster Recovery Plan (DRP)
• IT Disaster Recovery Plan forms one part of the overall BCP
• Limited use to the business if IT is saved but the rest of the business is lost
What Is a Disaster?
• A "disaster" is any event which disables or interrupts your client’s ability to maintain a business-as-usual environment for a period of time that adversely affects ongoing operations.
Business Continuity Plan (BCP)
• A Process which ...
• Safeguards vital corporate assets
• Ensures continued availability of Critical Services
• Minimizes the effect of a disaster
• Considers the entire business including IT
Business Continuity Planning example
Threat categories shown in the diagram:
• SAFETY: fire; electrical; hazardous substances
• HUMAN - DELIBERATE: terrorist attack; industrial action; blackmail
• MISCELLANEOUS: loss of key staff; loss of key supplier; negligence
• NATURAL: inclement weather; legal/regulatory requirements; earthquakes/volcanoes
• TECHNOLOGICAL: loss of power; network outage; software/hardware breakdown; Year 2000
Is your business safe?
Some issues regarding BCP
• On-site vs. off-site contingency planning
• Hot- or cold standby
• Personnel resources available
• A single point of failure will fail!
• Regular testing required
Example picture of BCP strategy
Pictures shown: backup tape, backup storage, power regulator.
Find the issues in the next 5 slides
Five picture slides follow (images only).
How many did you find?
Was IT OK?