Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sistem Pengenalian (Kontrol) Intern & CoBIT IT Governance Pertemuan 3-4 Matakuliah: A0294/Audit SI Lanjutan Tahun: 2009.

Similar presentations


Presentation on theme: "Sistem Pengenalian (Kontrol) Intern & CoBIT IT Governance Pertemuan 3-4 Matakuliah: A0294/Audit SI Lanjutan Tahun: 2009."— Presentation transcript:

1

2 Sistem Pengenalian (Kontrol) Intern & CoBIT IT Governance Pertemuan 3-4 Matakuliah: A0294/Audit SI Lanjutan Tahun: 2009

3 Bina Nusantara University 2 Risk & Control Perlu Control karena ada Risk (dari Italia Risicare, dalam English to dare): “the action we dare to take, which depend on how free we are to make choices”.

4 Bina Nusantara University 3 Overview of Control Concepts What is the traditional definition of internal control? Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.

5 Bina Nusantara University 4 Overview of Control Concepts What is management control? Management control encompasses the following three features: –It is an integral part of management responsibilities. –It is designed to reduce errors, irregularities, and achieve organizational goals. –It is personnel-oriented and seeks to help employees attain company goals.

6 Bina Nusantara University 5 Internal Control Classifications The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications: –Preventive, detective, and corrective controls –General and application controls –Administrative and accounting controls –Input, processing, and output controls

7 Bina Nusantara University 6 Model of Internal Controls COSO Framework of Internal Control ISACA COBIT Canadian CoCo The IIA SAC/e-SAC United Kingdom Cadbury Commission Dan sebagainya

8 Bina Nusantara University 7 Committee of Sponsoring Organizations In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems. The report has been widely accepted as the authority on internal controls.

9 Bina Nusantara University 8 Committee of Sponsoring Organizations The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations: –American Accounting Association –American Institute of Certified Public Accountants –Institute of Internal Auditors –Institute of Management Accountants –Financial Executives Institute

10 Bina Nusantara University 9 COSO Internal Control Soft Controls “People” Openness Shared Values Clarity Commitment to Competence Honesty High Expectations Communications Hard Controls “Activities” Reviews Inspections Policies Reconciliations Structure Limits of Authority Userids and Password Physical Counts

11 Bina Nusantara University 10 Five Interrelated Components of Internal Control 1. Control environment- tone at the top 2. Risk assessment - identification/analysis of risks 3. Control activities - policies and procedures 4. Information & communication - processing of info in a form and time frame to enable people to do their jobs 5. Monitoring - process that assess quality of internal control over time

12 Bina Nusantara University 11 Information Systems Audit and Control Foundation The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT). COBIT consolidates standards from 36 different sources into a single framework. The framework addresses the issue of control from three vantage points, or dimensions:

13 Bina Nusantara University 12 ISACA Foundation 1.Information: needs to conform to certain criteria that COBIT refers to as business requirements for information 2.IT resources: people, application systems, technology, facilities, and data 3.IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring

14 Bina Nusantara University 13 CobiT CobiT’s Control Objectives and Management Guidelines are valuable IT governance tools that help in the understanding and management of risks and benefits associated with information integrity, security and availability and the management of related IT.

15 Bina Nusantara University 14 Authoritative, up-to-date set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors. Structured and organized to provide a powerful control model

16 Bina Nusantara University 15 Executive Summary -- Senior Executives (CEO, COO, CFO, CIO) Framework -- Senior Operational Management (Directors of IS and Audit / Controls) Control Objectives -- Middle Management (Mid-Level IS and IS Audit/ Controls Managers) Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor) Implementation Tool Set -- Any of the above Management Guidelines -- Management and Audit

17 Bina Nusantara University 16

18 Bina Nusantara University 17

19 Bina Nusantara University 18

20 Bina Nusantara University 19 Why and how is COBIT used?  Incorporates major international standards  Has become the de facto standard for overall control over IT  Starts from business requirements  Is process-oriented IT Processes IT Management Processes IT Governance Processes C OBI T repository for C OBI T as a response to the needs best practices

21 Bina Nusantara University 20 CobiT Framework IT Domains PLANNING&ORGANISATION ACQUISITION&IMPLEMENTATIONDELIVERY&SUPPORT MONITORING BUSINESS OBJECTIVES INFORMATION IT RESOURCES

22 Bina Nusantara University 21 PO1 Define a strategic IT plan PO2 Define the information architecture PO3 Determine the technological direction PO4 Define the IT organisation and relationships PO5 Manage the IT investment PO6 Communicate management aims and direction PO7 Manage human resources PO8 Ensure compliance with external requirements PO9 Assess risks PO10 Manage projects PO11 Manage quality AI1 Identify automated solutions AI2 Acquire and mantain application software AI3 Acquire and maintain technology infrastructure AI4 Develop and maintain IT procedures AI5 Install and accredit systems AI6 Manage changes M1 Monitor the process M2 Assess internal control adequacy M3 Obtain independent assurance M4 Provide for independent audit DS1 Define service levels DS2 Manage third-party services DS3 Manage peformance and capacity DS4 Ensure continuous service DS5 Ensure systems security DS6 Identify and attribute costs DS7 Educate and train users DS8 Assist and advise IT customers DS9 Manage the configuration DS10 Manage problems and incidents DS11 Manage data DS12 Manage facilities DS13 Manage operations IT RESOURCES IT RESOURCES Data Application systems Technology Facilities People Data Application systems Technology Facilities People PLAN AND ORGANISE PLAN AND ORGANISE ACQUIRE AND IMPLEMENT ACQUIRE AND IMPLEMENT DELIVER AND SUPPORT Effectiveness Efficiency Confidenciality Integrity Availability Compliance Reliability Effectiveness Efficiency Confidenciality Integrity Availability Compliance Reliability Criteria Business Objectives C OBI T Framework MONITOR AND EVALUATE

23 Bina Nusantara University 22 Control Objectives & Control Practices High-level control objective – One per process Detailed control objectives – Three to 30 per process Control practices – Five to seven per control objective

24 Bina Nusantara University 23 CobiT IT Domains Processes PLANNING & ORGANISATION 1.Define a strategic IT plan 2.Define the information architecture 3.Determine the technological direction 4.Define the IT organization and relationships 5.Manage the investment 6.Communicate management aims and directions 7.Manage human resources 8.Ensure compliance with external requirements 9.Assess risks 10.Manage project 11.Manage quality PLANNING&ORGANISATION

25 Bina Nusantara University 24 CobiT IT Domains Processes ACQUISITION & IMPLEMENTATION 1.Identify solutions 2.Acquire and maintain application software 3.Acquire and maintain technology architecture 4.Develop and maintain IT procedures 5.Install and accredit systems 6.Manage changes ACQUISITION&IMPLEMENTATION

26 Bina Nusantara University 25 CobiT IT Domains Processes DELIVERY & SUPPORT Define Service Levels 1.Manage third-party services 2.Manage performance and capacity 3.Ensure continuous service 4.Ensure system security 5.Identify and attribute costs 6.Educate and train users 7.Assist and advise IT customers 8.Manage the configuration 9.Manage problems and incidents 10.Manage data 11.Manage facilities 12.Manage operations DELIVERY&SUPPORT

27 Bina Nusantara University 26 CobiT IT Domains Processes MONITORING 1.Monitor the processes 2.Assess the internal control adequacy 3.Obtain independent assurance 4.Provide for independent audit MONITORING

28 Bina Nusantara University 27 Framework data application systems technology facilities people BUSINESS PROCESSES BUSINESS PROCESSES INFORMATION IT RESOURCES effectiveness efficiency confidentiality integrity Availability Compliance reliability effectiveness efficiency confidentiality integrity Availability Compliance reliability Information Criteria Do they match? What you need What you get

29 Bina Nusantara University 28 Information Criteria (Component-1) Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability of Information

30 Bina Nusantara University 29 IT Resources (Component-2) Data Application Systems Technology Facilities People

31 Bina Nusantara University 30 COBIT Domains: Information Processes (3rd Component) Planning/ Organization Acquisition / Implementation Delivery / Support Monitoring

32 Bina Nusantara University 31 Relation to Other Control Models CobiT is in alignment with other control models: – COSO – COCO – Cadbury – King

33 Bina Nusantara University 32 CobiT : An IT control framework u Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives. u Promotes process focus and process ownership u Divides IT into 34 processes belonging to four domains u Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT u Effectiveness u Efficiency u Availability, u Integrity u Confidentiality u Reliability u Compliance. u Planning u Acquiring & Implementing u Delivery & Support u Monitoring

34 Bina Nusantara University 33 Why governance? “Due diligence” IT is strategic to the business IT is critical to the business Expectations and reality don’t match IT involves huge investments and large risks

35 Bina Nusantara University Non- Existent InitialRepeatableDefinedManagedOptimised Enterprise current status International standard guidelines Industry best practice Enterprise strategy Legend for symbols usedLegend for rankings used 0 - Management processes are not applied at all 1 - Processes are ad hoc and disorganised 2 - Processes follow a regular pattern 3 - Processes are documented and communicated 4 - Processes are monitored and measured 5 - Best practices are followed and automated Start from a Maturity Model

36 Bina Nusantara University 35 1Non-exxistenceTahap yang paling awal, masih pemula (belum mapan). proses manajemen tidak ada sama sekali, komputerisasi dilaksanakan secara alamiah, tidak diimplementasikan berdasarkan suatu metodologi yang tepat. Misalnya perusahaan menggunakan komputer tetapi hanya untuk pengetikan atau pembuatan tabel-tabel laporan yang belum terarah dan dilakukan secara amatiran. Artinya sudah menggunakan komputer, tetapi belum menjalankan sistem berbasis komputerisasi. 2InitialSudah mulai ada kegiatan penyusunan sistem komputerisasi yang lebih terorganisir/ terarah, tatapi perencanaan, perancangan, dan proses masih bersifat ad-hoc dan tidak terorganisir dengan baik. 3RepeatableProses perencanaan, perancangan, dan implementasi sistem berbasis komputer telah menemukan pola yang lebih terarah, berjalan dengan pola yang sama (mulai mengenal “metodologi” pengembangan sistem, system development methodology). 4DefinedSeluruh proses telah didokumentasikan dan telah dikomunikasikan dan dilaksanakan berdasarkan metoda pengembangan sistem komputerisasi yang baik. 5ManagedProses komputerisasi telah dapat dimonitor dan terukur dengan baik, manajemen proyek pengembangan sistem komputerisasi sudah dijalankan dengan lebih terorganisir. 6OptimizedBest practices telah diikuti dan diotomatisasi pada sistem berdasarkan proses yang terencana, terorganisir dan menggunakan metodologi yang tepat. Skala level of maturity of IT governance

37 Bina Nusantara University 36 How Does COBIT Link to IT Governance? IT Governance Goals Responsibilities Control Objectives Business Needs to Direction (IT Strategy and Policy) Control, Risk and Requirements Information the Achieve Its Objectives Information (IT Assurance)

38 Bina Nusantara University 37 The End


Download ppt "Sistem Pengenalian (Kontrol) Intern & CoBIT IT Governance Pertemuan 3-4 Matakuliah: A0294/Audit SI Lanjutan Tahun: 2009."

Similar presentations


Ads by Google