Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Ir. Yeffry Handoko Putra

Published byIrwan Sugiarto Modified over 6 years ago

Similar presentations

Presentation on theme: "Dr. Ir. Yeffry Handoko Putra"— Presentation transcript:

1 Dr. Ir. Yeffry Handoko Putra
Chap 8 – IT Audit Driver Dr. Ir. Yeffry Handoko Putra MAGISTER SISTEM INFORMASI

2 Multiple factors drive IT Audit
SSAE 16/SOC

3 System Development Life Cycle : ISO / IEC 15288

4 Law and Regulation Sarbanes–Oxley Act of 2002 (SOX)
Regulates public companies and their auditors; applies to all issuers of securities exchanged in US markets European Council Directive 2006/43/EC Sets standards for auditors and audits in the public interest; applies to organizations subject to statutory audit requirements Graham–Leach–Bliley Act of 1999 (GLBA) Enabled consolidation of different types of financial services firms within a single holding company; applies to financial institutions Health Insurance Portability and Accountability Act of 1996 (HIPAA) Protects the privacy and security of health-related personal information; applies to health-care providers, plans, and clearinghouses

5 Law and Regulation Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) HIPAA-covered entities, business associates, and contractors and subcontractors European Council Directive 95/46/EC Protects personal data privacy; applies to all organizations in European Union countries Computer Fraud and Abuse Act of 1986 Criminalizes unauthorized access or damage to protected computers; applies to all computing devices used in interstate or international commerce or communications Electronic Communications Privacy Act of 1986 (ECPA) Protects the content of personal communications; applies to electronic communications service providers, government organizations Federal Information Security Management Act of 2002 (FISMA) US federal executive agencies; applies to systems and informatio

6 ISO 9001 Quality management systems
Organizational Certifications and Associated Subject Areas Certification Subject Area CMMI for Services Maturity of service provider capabilities and processes ISO 9001 Quality management systems ISO Environmental management systems ISO/IEC IT security evaluation of computer systems and software ISO/IEC IT service management ISO/IEC Information security management systems Service Organization Control (SOC) Reports Security, privacy, and system controls implemented by service providers

7 Certification standards
Quality certification : ISO 9001 Information security : ISO/IEC 27000 Service management : ITIL or Capability Maturity Model Integration (CMMI)

8 Operational effectiveness
Six Sigma Total Quality Management ISO 9004:2009 (Managing for thesustained success of an organization – A quality management approach ) ISO 15504

9 Quality assurance and continuous improvement
Quality management initiatives such as quality assurance, quality control, and continuous improvement represent significant internal drivers for many organizations ISO [38] and ISO/IEC 17021

10 Why standards? Quality orientated process approaches and standards are maturing and gaining acceptance in many companies Standards emphasize communication and shared understanding For example: if one person says, “Testing is complete”, will all affected bodies understand what those words mean? This kind of understanding is not only important in a global development environment; even a small group working in the same office might have difficulties in communication and understanding of shared issues Standards can help in these and other areas to make the business more profitable because less time is spent on non-productive work

11 The use of standards has many potential benefits for any organization
Improved management of software Schedules and budgets are more likely to be met Quality goals are likely to be reached Employee training and turnover can be managed Visible certification can attract new customers or be required by existing ones Partnerships and co-development, particularly in a global environment, are enhanced 11 11

12 More business benefits
Regulation Cost effective compliance Customer assurance Reduce product liability Risk management Governance Cost Optimization Reduced transaction costs Product/process interoperability Flexibility in supply chain Best practice & management systems Maximizing Revenue Improve speed to market Product acceptance Product life cycle management Business Opportunities Develop new markets & future sales Influence technology change Influence industry evolution Structure regional/international competition 12 12

13 Importance of standards
Encapsulation of best practice avoids repetition of past mistakes Framework for quality assurance process it involves checking standard compliance Provide continuity new staff can understand the organisation by the standards applied

14 Problems with standards
There is evidence that the majority of small software organizations are not adopting existing standards as they perceive them as being orientated towards large organizations. Studies have shown that small firms’ negative perceptions of process model standards are primarily driven by negative views of cost, documentation and bureaucracy it has been reported that VSEs find it difficult to relate standards to their business needs and to justify the application of the international standards in their operations

15 IT Audit Processes Most IT audit approaches include one or more activities conducted within the process areas of audit planning, audit performance, audit reporting, and responding to audit findings and recommendations. Successfully implementing IT audit processes depends to a large extent on organizational commitments and the

16 Audit planning Audit preparation Resource allocation
Preliminary data gathering Audit procedures and protocols Planning internal and external audits

17 Audit performance Evidence collection
IT auditors collect evidence from multiple sources using a variety of methods, examining procedural and technical documentation, observing process execution and personnel behavior, testing controls, and checking system and environment configuration settings.

18 Audit performance Analysis of evidence

19 Reporting findings purpose and objectives for performing the audit;
audit scope, including organizational, functional, or technical elements to which the audit applies; identification of the audit client; identification of audit participants, including auditors and those subject to the audit; time frame during which the audit took place;

20 Reporting findings locations where auditing occurred, including organization facilities and auditor work sites outside the organization, if any; criteria specified for the audit; audit findings and supporting evidence; audit conclusions, including auditor recommendations; and •audit results

21 Process life cycles and methodologies
PDCA model ISACA’s IT Audit Framework defines information system audit and assurance guidelines in three major categories: general (preparatory), performance, and reporting The Federal Information System Controls Audit Manual (FISCAM) used in audits of U.S. government agencies defines an audit methodology organized into the three core steps of plan, perform, and report National Institute of Standards and Technology (NIST) special publication , Guide for Conducting Risk Assessments, prescribes a three-step process of preparing, conducting, and maintaining assessments

Download ppt "Dr. Ir. Yeffry Handoko Putra"

Similar presentations

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Security Controls – What Works

Security Controls – What Works
EMS Auditing Definitions

EMS Auditing Definitions
IS Audit Function Knowledge

IS Audit Function Knowledge
ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk 14.06.2005.

ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Lecture 8 Understanding entity and its environment

Lecture 8 Understanding entity and its environment
FPSC Safety, LLC ISO 14001 4.5.4 AUDIT.

FPSC Safety, LLC ISO AUDIT.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Information Security Framework & Standards

Information Security Framework & Standards
Introduction to ISO 14000. International Organization for Standardization (ISO) n Worldwide federation of national standards bodies from over 100 countries,

Introduction to ISO International Organization for Standardization (ISO) n Worldwide federation of national standards bodies from over 100 countries,
Course Outline MAIL.PPT/1 © All Rights Reserved by TQMI TQMI, India's leading training and consultancy organisation, with its network of offices across.

Course Outline MAIL.PPT/1 © All Rights Reserved by TQMI TQMI, India's leading training and consultancy organisation, with its network of offices across.
M. ANGELA JIMENEZ 1 UNIT 5. REGULATION OF EXTERNAL AUDIT IFAC AND E.C.

M. ANGELA JIMENEZ 1 UNIT 5. REGULATION OF EXTERNAL AUDIT IFAC AND E.C.
Introduction to Auditing. Introduction The role of audits is critical in the business environment of the early twenty-first century. Important decisions.

Introduction to Auditing. Introduction The role of audits is critical in the business environment of the early twenty-first century. Important decisions.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Gathering Network Requirements Designing and Supporting Computer Networks – Chapter.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Gathering Network Requirements Designing and Supporting Computer Networks – Chapter.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.

Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.

Similar presentations

Ads by Google