Studium Generale

Information Systems Audit

Yogyakarta, 12 February 2011

By:
Umar Alhabsyi, MT, CISA, CRISC.
umar.alhabsyi@gmail.com

2010 by Umar Alhabsyi, MT, CISA, CRISC.

Studium Generale-FTI-UII: IS Audit

Facts

A Gartner study shows that 20% of IT investment, no less than USD 500 billion, is wasted every year.
(Nick Huber, ComputerWeekly, March 2002)

Investors are willing to pay 20% more for the shares of companies that apply good governance practices.
(McKinsey Investors Opinion Survey, June 2000)

Facts

How can you be sure that your organisation will not suffer a disaster like these?

- Nike's difficulties following a failed supply chain software implementation caused losses of around US$200 million.
- The collapse of Interstate Bakeries' financial reporting system caused its market value to fall by a third in a single day.
- Failures in the logistics systems at MFI and Sainsbury caused losses of millions of GBP, falling profits and a collapse in the share price.
- The operational failures of the merged Southern Pacific-Union Pacific were traced mainly to a failure to coordinate its IT systems.

Facts

...or miss out on the benefits?

- Southwest Airlines' supply chain transformation improved the company's ability to forecast demand, reduced procurement costs and raised service levels at a lower cost.
- IBM saved US$12 billion over 2 years by connecting the separate parts of its supply chain system and reducing its inventory levels.
- The very extensive IT synergy at Great-West Life had a significant impact on a number of the company's acquisitions.

Facts

Changing IT Emphasis
Ten years ago we were afraid of rockets destroying computing centres..........
..........right now, we should be aware of software errors destroying rockets!

Risk and Value

Risk and value are two sides of the same coin.
Risk is inherent in every organisation.
BUT
An organisation needs to make sure that opportunities to create value are not lost simply because it tries to eliminate all risk.

- IT provides value
- IT does not provide surprises
  - Cost, time and functionality are as expected
  - Risks are mitigated
- IT pushes the envelope
  - New opportunities and innovations for process, product and services

IS Audit

(Figure: the IS audit cycle of Collecting Evidence and Evaluating, surrounded by the questions an IS audit answers.)

- Asset protection?
- Relevant and reliable information that effectively supports business objectives with efficient use of resources?
- Internal controls sufficient to ensure that business, operational and control objectives are met?
- Preventing undesired events, and detecting and correcting them within an acceptable time?
- Integrity and availability of data and systems?

What is the basis of IS Audit?

(Figure: Risk and Control.)

The task of an IS Auditor is to identify the risks in the areas within the audit scope, to identify the controls needed to manage them, and to evaluate how those controls are applied.

The IS Auditor must understand the Audit Subject.

Risk in the IS Audit Process

Audit Risk = the risk that the IS Auditor reaches an inaccurate judgment about the audited area.

IS Audit Risk consists of:

Inherent Risk: the risk inherent in something; the likelihood of a significant loss occurring in it, without considering any controls that may have been applied.

Control Risk: the risk in the controls; the likelihood that the controls applied to limit or manage the inherent risk are not effective.

Residual Risk = IR x CR

Detection Risk: the risk that an error in the audited area is not detected by the Auditor.

Types of Internal Control

Internal Control: Preventive Control, Detective Control, Corrective Control

Preventive Control: a control designed to prevent errors, omissions or other events that are known to have a negative impact.

Detective Control: a control used to identify an event, error or other occurrence that has happened and is known to have a significant impact.

Corrective Control: a control used to correct things that are not running correctly or as they should.

Business and IT Controls

(Figure: processes in business governance, the business's responsibility, alongside processes in the IT governance cycle, IT's responsibility. Business Controls and Application Controls are covered by the Application Controls audit; IT General Controls are covered by the IT General Controls audit.)

IT General Controls: controls applied across all IT processes and activities in order to deliver services to the organisation.

Business and Application Controls: controls applied to business processes, whether automated (with IT) or still manual.

IS Audit Process

1. Gather information and plan
   (get to know the organisation's business, review previous audits, applicable regulations, inherent risk assessment)
2. Understand internal controls
   (control environment, control procedures, detection risk assessment, control risk assessment, calculate total risk)
3. Compliance test
   (identify the key controls to be tested, test those controls for reliability and for compliance with the organisation's policies and procedures)
4. Substantive test
   (analytical procedures, detailed testing of transactions/balances, etc.)
5. Conclude the audit
   (make recommendations, prepare the Audit Report)

IS Audit needs Standards and Frameworks

- As guidelines for carrying out the audit process
- To ensure completeness
- To benefit from best practices in IT management around the world
- As a means of communication between IT, the business and the Auditor
- To ensure the capacity and competence of the Auditor
- To ensure a standard code of ethics for carrying out the audit process

IT/IS Audit Standards

ISACA's IT/IS Audit Standards are the standards and guidelines for IT/IS auditing and constitute the professional code of ethics for CISA-certified auditors.

CobiT - The IT Governance Framework

COBIT is a best practices repository for IT Processes, IT Management Processes and IT Governance Processes: the only IT management and control framework that covers the end-to-end IT life cycle.

- An internationally accepted collection of best practices
- Management-oriented
- Available free of charge at www.itgi.org
- Continuously developed
- Maintained by a reputable non-profit organisation
- Mapped 100% to COSO
- Strong mapping to almost all other major related standards
- A reference and a collection of best practices, not an instant, ready-to-use cure
- An organisation still needs to analyse its control requirements and customise them based on:
  - Value drivers
  - Risk profile
  - IT infrastructure, organisation and project portfolio

CobiT among Other Standards

Process Orientation

(Figure: Business Requirements drive IT Processes, which use IT Resources; processes are organised as Domains, Processes, and Activities or Tasks.)

Domains: groupings of processes, often also corresponding to the organisation's domains of responsibility.
Example: Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate

Processes: groups of related activities.
Example: Incident Management, Problem Management, IT Strategy Plan, Change Management, etc.

Activities or Tasks: the actions needed to achieve a measurable result.
Example: record new problem, propose solution, analyse, monitor solution, etc.

Control and IT Control Objective

Definition of Control
The Policies, Procedures, Practices and Organisational Structures, Designed to Provide Reasonable Assurance that Business Objectives will be Achieved and that Undesired Events will be Prevented or Detected and Corrected.

Definition of IT Control Objective
A Statement of the Desired Result or Purpose to be Achieved by Implementing Control Procedures in a Particular IT Activity.

COBIT Framework

(Figure: Business Objectives and Governance Objectives set the Information criteria that IT Resources must deliver through four domains of IT processes.)

Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT Resources: Applications, Information, Infrastructure, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

CobiT Waterfall Model

The control of IT Processes that satisfy Business Requirements is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 210 Control Objectives

Example: DS2 Waterfall

(Figure: the DS2 process shown as IT Process, Key Control and Key Performance.)

Example: DS2 Management Guidelines

(Figure: the DS2 management guidelines, which answer the following questions.)

- Which processes take the outputs of this process as their input?
- Where do the inputs of this process come from?
- What activities does this process contain? Who is responsible for them?

Control Practices

Detailed guidance for each Control Objective.
Example: DS2 - Manage Third-party Services

Control Objective:
DS2.1 Identification of All Supplier Relationships
Identify all supplier services, and categorise them according to supplier type, significance and criticality. Maintain formal documentation of technical and organisational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers.

Control Practices:
1. Define and regularly review criteria to identify and categorise all supplier relationships according to supplier type, significance and criticality of service. The list should include a category describing vendors as preferred, non-preferred or not recommended.
2. Establish and maintain a detailed register of suppliers, including name, scope, purpose of the service, expected deliverables, service objectives and key contact details.

Assurance/Audit Guide

How is the operation of the controls in each process tested?
Example: DS2 - Manage Third-party Services

Control Objective:
DS2.1 Identification of All Supplier Relationships
Identify all supplier services, and categorise them according to supplier type, significance and criticality. Maintain formal documentation of technical and organisational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers.

Test the Control Design:
- Enquire whether and confirm that a register of supplier relationships is maintained.
- Obtain and inspect supplier relationship criteria for reasonableness and completeness of categorisation by supplier type, significance and criticality.
- Determine if the supplier categorisation scheme is sufficiently detailed to categorise all supplier relationships based on the nature of contracted services.
- Verify whether past histories on supplier selection/rejection are kept and used.
- Inspect the register of supplier relationships to ensure that it is up to date, appropriately categorised and sufficiently detailed to ensure that it provides a foundation for monitoring of existing suppliers.
- Inspect a representative sample of supplier contracts, SLAs and other documentation to ensure that they correspond with the supplier register.
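As an added example (not part of the original slides or of the COBIT guide), the Python below turns the DS2.1 "Test the Control Design" steps into checks that run over a constructed supplier register and a constructed sample of contracts; the categorisation scheme, the one-year review period, and every supplier and contract value are assumed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Categorisation scheme assumed for this example. DS2.1 only requires that suppliers be
# categorised by type, significance and criticality, and that vendors be flagged as
# preferred, non-preferred or not recommended (Control Practice 1).
SUPPLIER_TYPES = {"hardware", "software", "telecom", "outsourcing"}
SIGNIFICANCE = {"high", "medium", "low"}
CRITICALITY = {"critical", "important", "routine"}
PREFERENCE = {"preferred", "non-preferred", "not recommended"}
REVIEW_PERIOD = timedelta(days=365)  # assumed: every entry is re-reviewed at least yearly


@dataclass(frozen=True)
class Supplier:
    """One row of the supplier register (fields named in DS2 Control Practice 2)."""
    name: str
    supplier_type: str
    significance: str
    criticality: str
    preference: str
    scope: str
    deliverables: str
    service_objectives: str
    contact: str
    last_reviewed: date


def check_categorisation(s: Supplier) -> list[str]:
    """Categorisation is complete and the scheme is detailed enough for every supplier."""
    checks = (("type", s.supplier_type, SUPPLIER_TYPES), ("significance", s.significance, SIGNIFICANCE),
              ("criticality", s.criticality, CRITICALITY), ("preference", s.preference, PREFERENCE))
    return [f"{s.name}: {label} '{value}' missing or outside the scheme"
            for label, value, allowed in checks if value not in allowed]


def check_detail(s: Supplier) -> list[str]:
    """Register is sufficiently detailed to provide a basis for monitoring the supplier."""
    required = {"scope": s.scope, "deliverables": s.deliverables,
                "service objectives": s.service_objectives, "key contact": s.contact}
    return [f"{s.name}: {k} not recorded" for k, v in required.items() if not v.strip()]


def check_currency(s: Supplier, as_of: date) -> list[str]:
    """Register is up to date: the entry was reviewed within REVIEW_PERIOD."""
    if as_of - s.last_reviewed > REVIEW_PERIOD:
        return [f"{s.name}: last reviewed {s.last_reviewed.isoformat()}, review overdue"]
    return []


def reconcile_contracts(register: list[Supplier], contracts: dict[str, str]) -> list[str]:
    """Sampled contracts/SLAs (supplier name -> reference) correspond with the register."""
    registered = {s.name for s in register}
    contracted = set(contracts)
    findings = [f"{n}: in register but no contract/SLA in sample" for n in sorted(registered - contracted)]
    findings += [f"{n}: contract {contracts[n]} on file but supplier not in register"
                 for n in sorted(contracted - registered)]
    return findings


def run_design_tests(register: list[Supplier], contracts: dict[str, str], as_of: date) -> dict[str, list[str]]:
    """Run every DS2.1 'Test the Control Design' step and group the exceptions by step."""
    results: dict[str, list[str]] = {"categorisation": [], "detail": [], "currency": []}
    for s in register:
        results["categorisation"] += check_categorisation(s)
        results["detail"] += check_detail(s)
        results["currency"] += check_currency(s, as_of)
    results["reconciliation"] = reconcile_contracts(register, contracts)
    return results


# Constructed sample data: one clean entry and two with defects the auditor should flag.
AS_OF = date(2011, 2, 12)  # audit date (the lecture date)
REGISTER = [
    Supplier("Acme Hosting", "outsourcing", "high", "critical", "preferred", "data centre hosting",
             "99.9% uptime", "availability SLA", "ops@acme.example", date(2010, 11, 1)),
    Supplier("Beta Telco", "telecom", "medium", "", "preferred", "WAN links",  # criticality blank
             "two 100 Mbps circuits", "latency under 30 ms", "noc@beta.example", date(2009, 6, 30)),
    Supplier("Gamma Consulting", "consulting", "low", "routine", "non-preferred", "",  # type not in scheme
             "advisory reports", "quarterly review", "", date(2010, 12, 15)),  # no scope, no contact
]
CONTRACTS = {  # constructed sample of contracts on file
    "Acme Hosting": "CTR-2010-017",
    "Beta Telco": "CTR-2009-004",
    "Delta Printing": "CTR-2010-022",  # on file but absent from the register
}

if __name__ == "__main__":
    for step, findings in run_design_tests(REGISTER, CONTRACTS, AS_OF).items():
        print(f"{step}: {len(findings)} exception(s)")
        for f in findings:
            print("  -", f)
```

Each exception maps back to one bullet of the test plan, so the grouped output doubles as the working-paper record of which design test failed and for which supplier.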

Process Maturity Assessment

0 Non-existent: no process can be identified. The organisation is not aware that there is a problem.
1 Initial: the organisation is aware that there is a problem that needs to be addressed. The approach is largely ad hoc and case by case.
2 Repeatable: a standard process exists that can be repeated. Dependence on individuals is still high.
3 Defined: procedures are standardised, documented, formalised and communicated through training.
4 Managed: compliance can be monitored and measured, and there are procedures for responding to deviations. The process operates within a framework of constant improvement.
5 Optimised: processes have been refined to the level of best practice, based on the results of continuous improvement. IT is fully integrated with the business.

Materiality

Risk can be present in many areas, whatever its type.

IT Risk Profile

The risk profile of the IT processes, which primarily takes Key Control Analysis into account.

It can be combined with other standards/frameworks to view the risk from another perspective.

Process Maturity Assessment

(Figure.)

Key Control Analysis

(Figure: analysis parameters for Key Controls, by IT Process and Key Control.)

IT Risk Profile

(Figure.)

Example Audit Program for a Specific System

Apache Web Services Server Audit/Assurance Program

Example Audit Program for a Specific System

MySQL Server Audit/Assurance Program

"I don't know who discovered water, but it certainly wasn't a fish." Marshall McLuhan

Thank You
Merci bien
Syukron
Hatur Nuhun
Matur Nuwun
Terima kasih
Grazias
Danke
Kheili Mamnun
Matur se Kelangkong

Any Questions?

The Most Important IT Processes

(Survey chart; the figures shown are 34, 15 and 7.)

PO1 Define a strategic IT plan
PO3 Determine the technological direction
PO5 Manage the IT investment
PO9 Assess risks
PO10 Manage projects
AI1 Identify solutions
AI2 Acquire and maintain applications s/w
AI5 Install and accredit systems
AI6 Manage changes
DS1 Define service levels
DS4 Ensure continuous service
DS5 Ensure system security
DS10 Manage problems and incidents
DS11 Manage data
M1 Monitor the processes

CobiT Framework

(Figure, repeated on the closing slides with successive overlays: the CobiT process map of the four domains.
Plan and Organise: Define Strategic IT Plan; Define Information Architecture; Determine Technological Direction; Define IT Organisation and Relationships; Manage IT Investment; Communicate Aims and Direction; Manage Human Resource; Ensure Compliance with External Standards; Assess Risks; Manage Projects; Manage Quality.
Acquire and Implement: Identify Automated Solutions; Acquire and Maintain Application Software; Acquire and Maintain Technology Infrastructure; Develop and Maintain IT Procedures; Install and Accredit Systems; Manage Change.
Deliver and Support: Define and Manage Service Levels; Manage Third-party Services; Manage Performance and Capacity; Ensure Continuous Service; Ensure System Security; Identify and Allocate Costs; Educate and Train Users; Assist and Advise Customers; Manage Configuration; Manage Problems and Incidents; Manage Data; Manage Facilities; Manage Operations.
Monitor and Evaluate: Monitor the Process; Assess Internal Control Adequacy; Obtain Independent Assurance; Provide Independent Audit.)

(Overlays added on the successive slides, mapping other standards onto the CobiT process map:
- ITIL Service Support (Service Desk, Incident Management, Problem Management, Change Management, Release Management, Configuration Management) and ITIL Service Delivery (Service Level Management, Availability Management, Capacity Management, Financial Management, Continuity Management)
- plus PRINCE2 Project Management
- plus ISO 9001 Quality Management
- plus Investors In People (IIP) and ISO 17799 Information Security)