IT AUDIT

Control vs. Risk

Ilham
IT Audit Role

• Advising the Audit Committee and senior management on IT

internal control issues

• Performing IT Risk Assessments

• Performing:
• Institutional Risk Area Audits

• General Controls Audits

• Application Controls Audits

• Technical IT Controls Audits

• Internal Controls advisors during systems development and analysis activities.

2
IT Audit Role

• Advising the Audit Committee and senior management on IT

internal control issues

• Performing IT Risk Assessments

• Performing:
• Institutional Risk Area Audits

• General Controls Audits

• Application Controls Audits

• Technical IT Controls Audits

• Internal Controls advisors during systems development and analysis activities.

3
IT Risk
IT Risk

The chance that information systems will

not satisfy the business requirement of
ensuring the achievement of IT objectives
and responding to threats to the
provision of IT services

Source: ISACA
Definisi Risiko

Threat

Vurnerability RISK

Impact
(asset Value)
Definisi Risiko

• Threat
• Ancaman yang diakibatkan oleh adanya
kelemahan
• Vulnerability
• Kelemahan yang dapat dieksploitasi
sehingga menjadi sebuah ancaman
• Impact
• Dampak yang terjadi dikarenakan adanya
kelemahan yang berhasil dieksploitasi.
Tipe Risiko
Strategi
c

RISK

Operation
al
Tactical
Ruang Lingkup Risiko
IT Control
Control

Control is defined as the policies,

procedures, practices and organizational
structures designed to provide reasonable
assurance that business objectives will be
achieved and that undesired events will be
prevented or detected and corrected.

Source: ISACA
Control Objectives

IT Control Objective is defined as a

statement of the desired result or
purpose to be achieved by
implementing control procedures in a
particular IT activity.

Source: ISACA
Control Practices

A key control mechanism that supports

the achievement of control objectives
through responsible use of resources,
appropriate management of risk and
alignment of IT with business.

Source: ISACA
A car has brakes…

14
A car has brakes to allow it to go faster…

15
Understanding IT Controls

16
Controls Classification

 Preventive

 Detective

 Corrective
 Understanding IT Controls
IT control is a process that
provides assurance for
information and information
services, and help to
mitigate
risks associated with use of
technology.

18
 Importance of IT Controls
• Needs for IT controls,
such as
• controlling cost
• protecting information
assets
• complying with laws
and regulations

• Implementing effective
IT controls will
improve efficiency,
reliability, and
flexibility.

19
 Roles and Responsibilities
• Board of Directors
/Governing Body
• Management – define,
approve,
implement IT
controls
• Auditor

20
 Based on Risk
• Analyzing Risk
• Identify and prioritize
risks
• Consider risk in
determining the
adequacy of IT controls
• Define risk mitigation
strategy –
accept/mitigate/share

21
 Monitoring
• Monitoring IT Controls
• – Ongoing
monitoring/specia l
review/automated
continuous
auditing

22
 Assessment
• Assessing IT controls is
an ongoing process
• Technology continues
to advance
• New vulnerabilities
emerge

23
IT Control: General Control
Physical Security
• Physical Access
IT Control • Temperature
Control
• Fire Protection
• UPS
Backup/Contingency
General Planning
• Data Backups
Control • Restore Procedures
• Offsite Storage

Disaster Recovery
Change Management • Business Resumption Plans
• Program Change Controls • BRP Testing
• Tracking • Alternate Processing
• Change Approvals

24
IT Control: Application Control
IT Control
Access Controls
• User-IDs/Passwords
• Data Security
• Network Security
• Security Administration
• Access Authorization

Input Controls
• Data Entry Controls
Application • System Edits
Control • Segregation of Duties
• Transaction Authorizatio

General
Processing Controls
Control
Output Controls • Audit Trails
• Reconciliation • Interface Controls
• Distribution • Control Total
• Access
25
Terimakasi annas vijaya 2018
h