
Session 2

Internal Control and Information System Audit

Agenda
1. Control Framework of COBIT
2. Control Classification
3. Information System Control Procedures
4. Computer Assisted Audit Tools and Techniques (CAATs)

Management Expectations of IT

Re-Engineered Processes
Right-Sizing
Distributed Processing
Flattened Organizations
Outsourcing

Both need a Control Framework

Management Responsibilities for IT


Safeguarding Assets
Information as Most Valuable Asset

COBIT: Control OBjectives for Information and Related Technology

Mission:
To research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers and auditors.

Who Needs COBIT?

Management needs COBIT for:
IT investment decisions
Balance of risk and control
Benchmarking the existing and future IT environment

IS Auditors need COBIT:
To substantiate opinions to management on internal controls
To answer the question of what the minimum necessary controls are

Users need COBIT:
To obtain assurance on return on costs, on security, and on control of the products and services they acquire internally and externally.

COSO & COBIT: The Needs

In most companies of any size, data moves between multiple business groups and IT systems on its way from initial transactions to the reports that the CEO and CFO must attest to.

Attesting to the accuracy of the data requires confidence in accounting procedures and controls. These are addressed within the COSO framework.

The SOX 404 attestation also requires confidence in the IT systems that house, move, and transform data. This requires confidence in the processes and controls for those IT systems and databases. The COBIT framework was designed to address IT concerns.

COSO & COBIT: The Linkage

COBIT's Golden Rule:
In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.

COBIT: IT Governance

[Figure: Business requirements, information, IT processes and control objectives; COBIT components shown: Critical Success Factors, Key Performance Indicators, Key Goal Indicators, Maturity Models, Audit Guidelines, Control Practices]


Internal Control Objectives

Management has three broad objectives in designing an effective internal control system:
Compliance with laws and regulations
Reliability of financial reporting
Efficiency/effectiveness of operations

Control Classifications

Preventive Control
Preventive controls are those inputs which are designed to protect the organization from unlawful activities.

Detective Control
Detective controls are those which detect and report the occurrence of an error, omission or malicious act in the Information System.

Corrective Control
Corrective controls are very important because prevention and detection alone cannot be effective unless there is an appropriate corrective mechanism in place.

Preventive Control

Employ qualified personnel
Segregation of duties
Access control
Vaccination against diseases
Documentation
Prescribing appropriate books for a course
Training and retraining of staff
Authorization of transactions
Validation, edit checks in the application
Firewalls
Anti-virus software
Passwords

Detective Control

Surprise checks by supervisor
Hash totals
Checkpoints in production jobs
Echo control in telecommunications
Error messages over tape labels
Duplicate checking of calculations
Periodic performance reporting with variances
Past due accounts report
The internal audit function
Intrusion detection system
Cash counts and bank reconciliation
Monitoring expenditure against budget amount

Corrective Control

Contingency planning
Backup procedure
Rerun procedures
Treatment procedures for a disease
Change input value to an application system
Investigate budget variance and report violations
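The three control classes above, worked through on one batch of transactions as an added illustration (this is not code from the slides): edit checks and authorisation as the preventive control, a batch record count and hash total as the detective control, and a suspense file for correction and rerun as the corrective control. The account-number range, the batch control figures and the records are constructed sample values.

```python
# Added illustration: preventive, detective and corrective controls applied to
# one batch of constructed transaction records (not code from the slides).
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    account: int      # six-digit account number; also feeds the hash total
    amount: int       # amount in cents
    approved_by: str  # ID of the authorising user, "" when missing

# Preventive: edit checks and authorisation reject a record before processing.
def edit_check(t: Txn) -> list[str]:
    errors = []
    if not 100000 <= t.account <= 999999:
        errors.append("account number out of range")
    if t.amount <= 0:
        errors.append("non-positive amount")
    if not t.approved_by:
        errors.append("not authorised")
    return errors

# Detective: a hash total sums a field meaningless as a sum (account numbers),
# so a lost, duplicated or mis-keyed record changes it even when money balances.
def batch_totals(txns: list[Txn]) -> tuple[int, int]:
    return len(txns), sum(t.account for t in txns)

def detect_batch_mismatch(txns, control_count, control_hash) -> list[str]:
    count, hash_total = batch_totals(txns)
    findings = []
    if count != control_count:
        findings.append(f"record count {count} != control {control_count}")
    if hash_total != control_hash:
        findings.append(f"hash total {hash_total} != control {control_hash}")
    return findings

# Corrective: records failing edit checks go to a suspense file for correction
# and rerun instead of being silently dropped.
def process_batch(txns, control_count, control_hash) -> dict:
    accepted, suspense = [], []
    for t in txns:
        errs = edit_check(t)
        (suspense if errs else accepted).append((t, errs))
    return {"accepted": accepted, "suspense": suspense,
            "batch_findings": detect_batch_mismatch(txns, control_count, control_hash)}

# Constructed data: the sending department recorded count=3 and hash=601368
# (100123 + 200456 + 300789); the last account number was mis-keyed in transit.
CONTROL_COUNT, CONTROL_HASH = 3, 601368
RECEIVED = [Txn(100123, 12500, "u17"), Txn(200456, 0, "u17"), Txn(300798, 8000, "")]
```

Running process_batch(RECEIVED, CONTROL_COUNT, CONTROL_HASH) accepts one record, parks two in suspense, and reports the hash-total mismatch even though the record count agrees.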

Compensatory Control
While designing the appropriate control, one thing should be kept in mind: the cost of the lock should not be more than the cost of the assets it protects.


View of IT Controls
Information system auditors need to understand the range of controls available for mitigating IT risks.

IT Governance
The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls, as well as the realization that failure of a set of controls can lead to increased reliance on, and necessary examination of, other control groups.

Another View

General Control
General IT controls are typically pervasive in nature and are addressed through various audit avenues.

Application Control
Application controls provide another category of controls and include controls within an application around input, processing, and output.

IT Governance
When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization's overall business needs. IT governance is not only composed of the controls needed to address identified risk but is also an integrated structure of IT practices and personnel that must be aligned closely with, and enable achievement of, the organization's overall strategies and goals.

IT Controls

[Figure: Internal Controls -> IT Controls, comprising Application Controls (computer application systems and programs) and General Controls (application systems development/changes; computer service center operations and security)]

IT Controls and Financial Reporting


Computer Assisted Audit Tools and Techniques (CAATs)

For evaluation of controls in the information system, auditors sometimes use tools that run on the computer system itself, an exercise also known as auditing with the computer, for extracting and evaluating evidence. Such tools are basically data-mining tools and are generically called Computer Assisted Audit Tools and Techniques (CAATs).

Types of CAATs

Packaged Software
Generalized Audit Software (GAS)
Embedded Audit Module (EAM)
Audit Hook (AH)
Integrated Test Facility (ITF)
Parallel Simulation (PS)
Program Code Analysis (PCA)
Test Data
Specialized Audit Software (SAS)
Find the definitions..!!
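One of the CAATs listed above, Parallel Simulation, worked as an added example (not code from the slides or from any audit software): the auditor independently reimplements the documented calculation, runs it over the application's own input extract, and reports every record where the application's figure differs or is missing. The invoices, the reported gross amounts and the tax rates are constructed sample values.

```python
# Added example of parallel simulation, one of the CAATs listed above: the
# auditor independently recomputes a figure from the application's own inputs
# and compares it with the application's output. Data and tax rates are constructed.
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract from the auditee's system: (invoice, net amount, tax code)
# and the gross amounts the application reported for them.
INPUTS = [
    ("INV-001", Decimal("100.00"), "S"),
    ("INV-002", Decimal("249.99"), "S"),
    ("INV-003", Decimal("80.00"), "Z"),
    ("INV-004", Decimal("33.33"), "S"),
    ("INV-005", Decimal("10.00"), "S"),
]
APP_OUTPUT = {"INV-001": Decimal("120.00"), "INV-002": Decimal("299.99"),
              "INV-003": Decimal("80.00"), "INV-004": Decimal("39.99")}
TAX_RATES = {"S": Decimal("0.20"), "Z": Decimal("0.00")}  # assumed documented rates

def auditor_gross(net: Decimal, code: str) -> Decimal:
    """Auditor's independent implementation of the documented rule:
    tax rounded half-up to the cent, then added to the net amount."""
    tax = (net * TAX_RATES[code]).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return net + tax

def parallel_simulation(inputs, app_output, tolerance=Decimal("0")):
    """Recompute every record and return (records tested, exceptions).
    Each exception is (invoice, application figure, auditor figure, reason)."""
    exceptions = []
    for inv, net, code in inputs:
        expected = auditor_gross(net, code)
        actual = app_output.get(inv)
        if actual is None:
            exceptions.append((inv, None, expected, "missing from application output"))
        elif abs(actual - expected) > tolerance:
            exceptions.append((inv, actual, expected, "amount differs"))
    return len(inputs), exceptions

def exception_report(inputs, app_output) -> list[str]:
    """Human-readable lines for the auditor's working papers."""
    tested, exceptions = parallel_simulation(inputs, app_output)
    lines = [f"{tested} records tested, {len(exceptions)} exceptions"]
    for inv, actual, expected, reason in exceptions:
        lines.append(f"{inv}: application={actual} auditor={expected} ({reason})")
    return lines
```

On the constructed data the report flags INV-004, where the application's figure is one cent below the correctly rounded amount, and INV-005, which the application never output; a zero tolerance is deliberate, since the auditor wants to see rounding differences rather than hide them.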

End of Presentation

Thank You!

