Information System

Auditing
Presented by Instructor Team

Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and Web Trust
Definition: Information Systems Auditing

The process of collecting and evaluating evidence to

determine whether a Computer Systems (Information
Systems) safeguards assets, maintains data integrity,
allows organizational goals to be achieved effectively,
and uses resources efficiently.

(Ron Webber)
IS Audit Objectives

Asset Safeguarding
The assets of a computer installation include hardware, software, people,
data files, system documentation, and supplies must be protected by system
of internal control.

Data Integrity

Data integrity is a fundamental concept in IS auditing. It is a state implying

data has certain attributes: completeness, soundness, purity, veracity.

System Effectiveness and Efficiency

• Evaluating effectiveness implies knowledge of user needs.
• An efficient data processing system uses minimum resources to achieve
its required output.
 Information System Auditor vs Financial/Internal Auditor

Matters Information System Financial/Internal

Auditor Auditor
Standards General Accepted IT GAAP/SAS 78: Internal
Controls Principle (COBiT) Control

Auditee IT Division Mostly Finance &

Accounting Dept/All
Functions of Organization
Professional ISACA AICPA/IIA
Organization

Qualification CISA CPA/CIA

Career Objectives Chief Information Officer, Chief Financial Officer,

Consultants: Auditor/Advisor Head of Internal Audit
for Information Division
Systems/Technology Control
ISACA Information Systems Audit and Control Association
• Information Systems Audit and Control Association® (ISACA™) is a
recognized global leader in IT governance, control and assurance. ISACA
sponsors international conferences, administers the globally respected
CISA®
• Founded in 1969,
• Now more than 110,000 constituents in over 180 countries,
• Its members include internal and external auditors, CEOs, CFOs, CIOs,
educators, information security and control professionals, business
managers, students, and IT consultants
• Develops globally-applicable Information Systems (IS) Auditing and
Control Standards.
• Certify professionals with CISA (Certified Information Systems Auditor™)
• More than 103,000 have earned the CISA designation since its inception
in 1978.
 Information System
Auditing
Presented by Instructor Team

Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and Web Trust
Specific Industry Application

• Banking (Internet and Mobile banking)

• Insurance (Agency Systems)
• Telecommunication (Billing systems)
• Oil and Gas (Purchasing and Inventory systems)
• Manufacturing (Product costing)
• Retail (Point Of sales)
Non Specific Industry Application

• Reporting Systems
• Call Center
• Enterprise Resource Planning
• Office Automation
• Cloud Computing
The Need for Control and IS Audit
Your business processes depend on the computer applications
and data that support them - so you need to be sure that your data
and systems are secure. Yet, all the time, rapid changes in
business and technology keep increasing your organization's
control and security challenges - and reducing your reaction time.’

Source: Ernst & Young website –www.ey.com

Information Security Risk

Unauthorized Information Unauthorized

disclosure theft Use

Confidentiality

Integrity
Availability

Unauthorized Security Unauthorized

modification destruction denial
View of IT Controls
Information system auditors need to understand the range of controls
available for mitigating IT risks.

IT Governance Another View

General Control
The controls can be thought
of as existing within a General IT controls are
hierarchy that relies on the typically pervasive
operating effectiveness in nature and are
interconnectivity of the addressed through various
controls as well as the audit avenues.
realization that failure of a Application Control
set of controls can lead to
Application controls provide
increased reliance and
another category of controls
necessary examination of
and include controls within
other control groups
an application around input,
processing, and output.
IT Controls
Computer
Application Application
Controls Systems and
Program

INTERNAL
CONTROLS
Application
Systems
Development/
Changes
General
Controls
Computer
Service Center
(Operations
and Security)
IT Controls and Financial Reporting
 Information Technology
Risk and Controls
Information System Audit Course

Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and Web Trust
Financial Audit Objective and External
Auditors’ Responsibility

• The primary objective of an audit of financial statement

is to express an opinion as to whether financial
statements are fairly presented, in all material respects,
at a specified date.
• It is external auditors’ responsibility to design the audit
engagement to provide reasonable assurance that the
financial statements are fairly stated in all material
respects.
When an IS Audit is or is not required?
• Importance to the client’s business activities: limited /
moderate / very important
• Complexity of the computer environment: simple /
moderate / complex
• Extend of use in the business: limited / moderate /
pervasive
• Overall classification: minor / significant / dominant
• An IS auditor will be involved if the overall classification
is significant or dominant.
• Does size of a company also determine the involvement
of an IS auditor?
SPAP* related to IS Audit
• SA 314: Penentuan Risiko dan Pengendalian Intern -
Pertimbangan dan Karakteristik Sistem Informasi
Komputer (SIK)
• SA 319: Pertimbangan atas Pengendalian Intern dalam
Audit Laporan Keuangan
• SA 324: Pelaporan atas Pengolahan Transaksi oleh
Organisasi Jasa
• SA 327: Teknik Audit Berbantuan Komputer
• SA 335: Auditing dalam Lingkungan SIK

• * SPAP = Standar Profesional Akuntan Publik (issued by Institut Akuntan Publik

Indonesia/IAPI)
Conclusion
• An IS audit is very relevant when external
auditors are engaged in auditing a client having
significant or dominant computer processing
environment(s).
• From external auditors’ point of view, an IS
audit will help them to determine whether
control assurance and substantive assurance
can be obtained in order to achieve effective
and efficient audit.
 Information System
Auditing
Presented by Instructor Team

Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and Web Trust
Agenda 4: Application of IS Audit and Web Trust
Web Trust – Sys Trust Certification
Agenda 4: Application of IS Audit and Web Trust

Catatan
WebTrust Defined

pemenuhan prinsip
PROCESSING
INTEGRITY
Melalui Systrust
(lihat slide berikut)
Ernst &Young’s seal - Cyber Process Certification Agenda 4: Application of IS Audit and Web Trust
Agenda 4: Application of IS Audit and Web Trust

Report of Management
Contoh Penerapan WebTrust
Agenda 4: Application of IS Audit and Web Trust

Report of Independent
Report of Independent Accountant

Accountants
Agenda 4: Application of IS Audit and Web Trust
Sertifikasi Pada Internet Banking

VeriSign
Certificate
 Agenda 4: Contoh Penerapan: Audit Laporan Keuangan & Web Trust
Sertifikasi Pada Internet Banking
Comparison of Seals

Transaction
Privacy of Security of Business Processing
Product Cost Data Data Policies Integrity
BBBOnline Low NO NO Lightly NO
Covered
TRUSTe Low YES NO NO NO
Veri-Sign Low to NO YES: Data NO NO
Medium Transmittal
NO: Data
Storage
ICSA High YES YES Somewhat Lightly
Covered Covered
WebTrust High YES YES YES YES
End of Presentation
Thank You.