Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Yeffry Handoko Putra, M.T

Published byHendri Wibowo Modified over 6 years ago

Similar presentations

Presentation on theme: "Dr. Yeffry Handoko Putra, M.T"— Presentation transcript:

1 Dr. Yeffry Handoko Putra, M.T
IT Audit and Control Dr. Yeffry Handoko Putra, M.T MAGISTER SISTEM INFORMASI

2 Sylabus Chap 1 – IT Audit Fundamental Chap 2 - Audit in Context Chap 3 – Internal Audit Chap 4 – External Audit Chap 5 – Audit Type and IT Audit Component Chap 6 - IT Audit Driver Chap 7 – IT Audit with COBIT 5 Chap 8 – CISA Certification Review

3 Reference [Gantz] Gants, S.,(2014), The Basic of IT Audit, Elsevier [ISACA] ISACA (2013), CISA Review Manual 2013

4 COBIT 5 Foundation Course - Sponsored by ISACA - Riyadh Chapter
The Evolution of COBIT 5 Governance of Enterprise IT COBIT 5 2005/7 2000 1998 Evolution 1996 IT Governance COBIT4.0/4.1 BMIS (2010) Management COBIT3 Val IT 2.0 (2008) Control COBIT2 Reference section 4 Audit Risk IT (2009) COBIT1 2012 By Aqel M. Aqel, CISA, MBA, CSSGB, COBIT 5

5 Audit in many area

6 Evaluating criteria conformity: ITIL Assessment :
What is IT Auditing? Evaluating criteria conformity: ITIL Assessment : Quantitative : Balanced Score Card: maturity model (cobit 4.1) Qualitative : PAM Cobit 5 (e.g. Partially, Not available, Fulfilled ) Inspection : CMMI model Comparing to standard, framework, requirement

7 What to audit entire organizations individual business units mission functions and business processes Services Systems Infrastructure or technology components Focused on : controlling, finding bias (differentiation to standard), method

8 Who make IT audit? Internal Audit External Audit

9 Why should do IT Auditing?
Preventive Correcting Detective

10 Some reason to do IT Auditing
complying with securities exchange rules that companies have an internal audit function; valuating the effectiveness of implemented controls; confirming adherence to internal policies, processes, and procedures; checking conformity to IT governance or control frameworks and standards;

11 Some reason to do IT Auditing (2)
analyzing vulnerabilities and configuration settings to support continuous monitoring; identifying weaknesses and deficiencies as part of initial or ongoing risk management; measuring performance against quality benchmarks or service level agreements; verifying and validating systems engineering or IT project management practices;

12 Who perform IT Auditing (The Actor)
Internal auditors : employee External IT Auditor: consultant Auditing firm Certification Organization (ISACA with CISA ) International Organization

13 External Auditor from ISACA
Certified Information System Auditor (CISA) Certified in Risk and Information System Control (CRISC) Certified Information System Manager (CISM)

14 How to become IT Auditor

15 The good thing of IT Auditing (Auditing Context)

16 Categories of Performance Measures
Performance Measurement: What are indicators of good IT performance? IT Control Profile: How can we measure the effectiveness of our controls? Risk Awareness: What are the risks of not achieving our objectives? Benchmarking: How do we perform relative to others and standards? Measures are effectively statistics. This provides some categories for performance metrics.

17 IS Auditor & IT Governance
Are IS functions aligned with organization’s mission, vision, values, objectives and strategies? Does IS achieve performance objectives established by the business? Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements? Are IS risks managed efficiently and effectively? Are IS controls effective and efficient? These are functions that an IS Auditor would we concerned with relative to IT governance. Fiduciary = Financial

18 Audit: Recognizing Problems
End-user complaints Excessive costs or budget overruns Late projects Poor motivation - high staff turnover High volume of H/W or S/W defects Inexperienced staff – lack of training Unsupported or unauthorized H/W S/W purchases Numerous aborted or suspended development projects Reliance on one or two key personnel Poor computer response time Extensive exception reports, many not tracked to completion These are things that an auditor would look for.

19 Audit: Review Documentation
IT Strategies, Plans, Budgets Security Policy Documentation Organization charts & Job Descriptions Steering Committee Reports System Development and Program Change Procedures Operations Procedures HR Manuals QA Procedures Contract Standards and Commitments Bidding, selection, acceptance, maintenance, compliance Auditors would review this documentation. Do they follow best practices? Do they document processes well?

20 IT Governance The main idea from COBIT with five key area:

21 IT Governance Also supported by The Information Technology Infrastructure Library (ITIL) and ISO/IEC for service management; The Project Management Body of Knowledge (PMBOK) and Projects in Controlled Environments version 2 (PRINCE2) for project management; Capability Maturity Model Integration (CMMI) and ISO/IEC for software development processes; and The ISO/IEC series and National Institute of Standards and Technology (NIST) risk management framework for information security management.

22 Risk Management COSO’s enterprise risk management framework

23 Risk Management NIST’s risk management framework

24 Compliance and certification

25 Quality management and quality assurance
ISO 9001

26 The PDCA cycle popularized by W. Edwards Deming

27 Information Security Management System
The ISMS process defined in ISO/IEC applies the familiar PDCA model

Download ppt "Dr. Yeffry Handoko Putra, M.T"

Similar presentations

Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
IT Services Group 4 Jalal Hafidi Mathew Joseph Tolulope Oke

IT Services Group 4 Jalal Hafidi Mathew Joseph Tolulope Oke
Security Controls – What Works

Security Controls – What Works
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
1 Pertemuan 6 Internal Control System Matakuliah:A0274/Pengelolaan Fungsi Audit Sistem Informasi Tahun: 2005 Versi: 1/1.

1 Pertemuan 6 Internal Control System Matakuliah:A0274/Pengelolaan Fungsi Audit Sistem Informasi Tahun: 2005 Versi: 1/1.
6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk.

6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.

Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Quality Manual for Interoperability Testing Morten Bruun-Rasmussen Presented by Jos Devlies, Eurorec.

Quality Manual for Interoperability Testing Morten Bruun-Rasmussen Presented by Jos Devlies, Eurorec.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
Fraud Prevention and Risk Management

Fraud Prevention and Risk Management
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Similar presentations

Ads by Google