Standard and Guidelines for IS Auditing

Comments

Transcription

Standard and Guidelines for IS Auditing
9/5/2014
IS Audit Standards and Guidelines
CDG4I3 / Audit Sistem Informasi
Angelina Prima K | Gede Ary W.
12-CRS-0106 REVISED 8 FEB 2013
KK SIDE - 2014
Outline
12-CRS-0106 REVISED 8 FEB 2013
1. IIA Standards
2. COSO: Internal Control Standard
3. BS7799 and ISO 17799: IT Security
4. ITIL
5. ISACA COBIT 5
1
9/5/2014
1. IIA Standards (#1)
The Institute of Internal Auditors (www.theiia.org)
Standards for the Professional Practice of Internal
Auditing terdiri atas:
– Standards
 5 standar umum
 25 standar spesifik
Professional Practice Framework
– Standards: wajib
– Practice Advisories: disarankan
– Development and Practice Aids: panduan praktis
12-CRS-0106 REVISED 8 FEB 2013
– Guidelines
1. IIA Standards (#2)
Standards for
the Professional Performance of Internal Auditing
(atribut organisasi
dan individu yang
terlibat dalam
audit)
Performance
Standards
Implementation
Standards
(karakteristik
(standar penerapan
kegiatan audit
tipe audit di
internal dan kriteria
berbagai industri
kualitas yang
dan area spesialis
digunakan dalam
tertentu)
pengukuran)
12-CRS-0106 REVISED 8 FEB 2013
Attribute
Standards
2
9/5/2014
1. IIA Standards (#3)
Kode etik Internal Auditors:
Objectivity
Confidentiality
Competency
• Integritas auditor mendasari kepercayaan
terhadap penilaian yang dihasilkan
• Auditor harus objektif dalam mengumpulkan,
mengevaluasi, dan menyampaikan informasi
tentang aktivitas/ proses yang dinilai
• Auditor menghormati nilai dan kepemilikan
informasi yang diterima dan tidak menggunakan
informasi di luar wewenang kecuali atas dasar
hukum/ profesi
• Auditor menerapkan pengetahuan, kemampuan
dan pengalaman yang diperlukan dalam
melaksanakan audit internal
12-CRS-0106 REVISED 8 FEB 2013
Integrity
2. COSO (#1)
The Committee of Sponsoring Organizations of the
Treadway Commission (www.coso.org)
Dibentuk oleh kerjasama antara:
1. The American Institute of Certified Public Accountants
2. The Institute of Internal Auditors
3. The American Accounting Association
4. The Institute of Management Accountants
12-CRS-0106 REVISED 8 FEB 2013
5. The Financial Executives Institute
3
9/5/2014
2. COSO (#2)
Mengidentifikasi sasaran dasar dari setiap organisasi
bisnis/ pemerintahan, meliputi:
1. ekonomi dan efisiensi operasi, perlindungan aset,
pencapaian dampak yang diinginkan,
2. keandalan laporan keuangan dan manajemen, serta
3. kesesuaian terhadap hukum dan aturan.
1.
2.
3.
4.
5.
Control environment
Risk assessment process
Operational control activities
Information and communication systems
Monitoring
12-CRS-0106 REVISED 8 FEB 2013
Komponen pencapaian sasaran bagi manajemen:
http://www.bumko.gov.tr/KONTROL_EN/Genel/Images/kontrol/coso.jpg
12-CRS-0106 REVISED 8 FEB 2013
2. COSO (#3)
4
9/5/2014
3. BS 7799/ ISO 17799 (#1)
BS 7799 adalah standar yg diterbitkan oleh British Standards
Institute (BSI).
Terdiri atas 3 bagian:
– BS 7799-1 (1995)  diadopsi menjadi ISO/IEC 17799 “IT-Code
of practice for information security management” (2000) 
diganti nama menjadi ISO/IEC 27002 (2007)
– BS 7799-2 (1999) “Information Security Management Systems-
Specification with guidance for use”  diadopsi menjadi ISO/IEC
27001 (2005)
sejalan dengan ISO/IEC 27001
12-CRS-0106 REVISED 8 FEB 2013
– BS 7799-3 (2005) mencakup analisis dan manajemen resiko,
http://www.isconsult.co.uk/i/is
o17799-bs7799.gif
http://www.ypsilon-it.com/images/BS7799.png
12-CRS-0106 REVISED 8 FEB 2013
3. BS 7799/ ISO 17799 (#2)
5
9/5/2014
NIST
The National Institute of Standards and Technology
(http://csrc.nist.gov/)
Cakupan NIST Handbook serupa dengan BS 7799 dan
ISO 17799, namun lebih detail pada:
– Elemen-elemen keamanan sistem
– Peran dan tanggung jawab
http://www.veracode.com/images/stories/nist_lg.jpg
12-CRS-0106 REVISED 8 FEB 2013
12-CRS-0106 REVISED 8 FEB 2013
– Ancaman-ancaman umum
6
9/5/2014
4. ITIL v3 (#1)
ITIL describes processes, procedures, tasks and checklists that
are not organization-specific, used by an organization for
establishing integration with the organization's strategy, delivering
value and maintaining a minimum level of competency. It allows
the organization to establish a baseline from which it can plan,
implement, and measure. It is used to demonstrate compliance
and to measure improvement.
12-CRS-0106 REVISED 8 FEB 2013
The Information Technology Infrastructure Library (ITIL) is a
set of practices for IT service management (ITSM) that focuses on
aligning IT services with the needs of business. ITIL provides a
cohesive set of best practice, drawn from the public and private
sectors internationally.
ITIL Components
The ITIL Core: best practice guidance applicable to
all types of organizations who provide services to a
business.
12-CRS-0106 REVISED 8 FEB 2013
The ITIL Complementary Guidance: a complementary
set of publications with guidance specific to industry
sectors, organization types, operating models, and
technology architectures.
7
9/5/2014
12-CRS-0106 REVISED 8 FEB 2013
ITIL PROCESS MODEL
ITIL CORE
Service strategy
Service design
Service transition
Service operation
12-CRS-0106 REVISED 8 FEB 2013
Continual service
improvement
8
9/5/2014
ITIL v3 STRUCTURE
12-CRS-0106 REVISED 8 FEB 2013
ITIL v3 STRUCTURE
5. ISACA Standards (#1)
IS Audit and Control Association (www.isaca.org)
Level panduan:
– Standards: kebutuhan audit dan pelaporan SI, meliputi
auditor yang berpengalaman, manajemen dan pihakpihak yang terlibat, pemegang CISA
– Guidelines: panduan penerapan standar audit SI
12-CRS-0106 REVISED 8 FEB 2013
– Procedures: contoh prosedur yang harus diikuti oleh
auditor SI
9
9/5/2014
COBIT
CobIT (Control Objectives for Information & Related
Technology) adalah panduan kerja dalam pengelolaan
teknologi informasi. Disusun oleh ISACA (Information
Systems Audit and Control Association) dan ITGI (IT
Governance Institute)
COBIT 5 bersifat umum dan dapat diterapkan pada berbagai
ukuran enterprise, baik bersifat komersial, non-profit
maupun pada sektor publik
12-CRS-0106 REVISED 8 FEB 2013
COBIT 5 menyediakan kerangka komprehensif yang
membantu enterprise meraih sasaran dalam tata kelola dan
manajemen TI di enterprise
12-CRS-0106 REVISED 8 FEB 2013
COBIT 5 Principles
10
9/5/2014
COBIT 5 Goals Cascade Overview
Step 1. Stakeholder Drivers
Influence Stakeholder Needs
– Isu: perubahan strategi,
perubahan lingkungan bisnis dan
regulasi, serta teknologi baru
Step 2. Stakeholder Needs
Cascade to Enterprise Goals
– Enterprise goals disusun dengan
pendekatan balanced scorecard
(BSC)
– IT-related berarti information and
related technology, diturunkan dari
dimensi-dimensi BSC. COBIT 5
mendefinisikan 17 IT-related goals.
Step 4. IT-related Goals Cascade
to Enabler Goals
12-CRS-0106 REVISED 8 FEB 2013
Step 3. Enterprise Goals Cascade
to IT-related Goals
COBIT 5
Enterprise
Enablers
– Memerlukan input dari enablers lain agar dapat efektif, mis. proses memerlukan
informasi, struktur organisasi memerlukan keterampilan dan perilaku
– Menghasilkan output yang dibutuhkan oleh enablers lain, mis. proses
menghasilkan informasi, keterampilan dan perilaku yang dibutuhkan oleh proses lain
agar efisien
12-CRS-0106 REVISED 8 FEB 2013
Masing-masing enabler:
11
9/5/2014
12-CRS-0106 REVISED 8 FEB 2013
COBIT 5 Enabler Dimensions
12-CRS-0106 REVISED 8 FEB 2013
COBIT 5 Process Reference Model
12
9/5/2014
12-CRS-0106 REVISED 8 FEB 2013
COBIT 5
Process Reference Model
5. ISACA Standards (#2)
Kode etik ISACA:
– Mendukung implementasi dan kesesuaian dengan standar,
prosedur dan kontrol SI yang tepat
– Melaksanakan tugas secara profesional, sesuai standar dan
praktek baik
– Melayani kebutuhan stakeholder secara jujur dan sesuai aturan
– Memelihara privasi dan kerahasiaan informasi yang didapat
– Memelihara kompetensi di bidang tertentu secara profesional
– Mendukung pendidikan profesional stakeholders dalam
meningkatkan pemahaman tentang keamanan dan kontrol SI
12-CRS-0106 REVISED 8 FEB 2013
– Memberikan informasi hasil kerja kepada pihak terkait
13
9/5/2014
12-CRS-0106 REVISED 8 FEB 2013
LATIHAN
INTERNAL CONTROL
Before: Audit Procedures
Mencakup:
– Daftar orang yang akan diwawancara
– Pertanyaan wawancara
– Dokumentasi (kebijakan, prosedur, dll) yang akan
diminta saat wawancara
– Perangkat audit yang digunakan
– Tingkat sampling dan metodologi yang dipakai
– Bagaimana evaluasi bukti
12-CRS-0106 REVISED 8 FEB 2013
– Bagaimana dan dimana pengarsipan bukti
14
9/5/2014
Next: Types of Internal Controls
Preventive controls (cth: pembatasan pengguna,
penggunaan password, dan pemisahan otorisasi transaksi)
Detective controls (cth: penggunaan audit trails dan
exception reports)
Corrective controls (cth: disaster recovery plan)
Compensating controls: untuk mengatasi kelemahan dari
sebuah kontrol lainnya
12-CRS-0106 REVISED 8 FEB 2013
Directive controls: untuk mencapai hasil yang positif dan
mendorong perilaku yang dapat diterima
Next: Elements of Internal Control
Segregation on duties. Kontrol yang memastikan bahwa pihak
yang memegang aset berbeda dengan pihak yang mencatat perpindahan
aset.
Competence and integrity of people. Agar efektif, pihak
yang menguji kontrol harus kompeten, jujur dan konsisten.
Appropriate levels of authority. Pemberian otoritas harus
berdasarkan kebutuhan.
Accountability. Tegas menentukan siapa yang berperan dalam
keputusan, transaksi dan aksi yang diambil.
bahan, dan metodologi.
Supervision and review. Perlu pengawasan dan penilaian
kontrol.
12-CRS-0106 REVISED 8 FEB 2013
Adequate resources. Meliputi SDM, keuangan, perangkat,
15
9/5/2014
1. EQUITY FUNDING CORPORATION
In 1973, one of the largest single company frauds ever committed was discovered in
California. The collapse of the Equity Funding Corporation of America involved an
estimated $2 billion fraud. The case was extremely complex, and it took several years
before the investigation was complete. However, some of the pertinent findings derived
from the Trustee’s Bankruptcy report follow.
The fraud progressed through three major stages: the “inflated earnings phase”, the
“foreign phase”, and the “insurance phase”. The inflated earnings phase involved inflating
income with bogus comissions supposedly earned through loans made to customers.
Equity Funding had a funded life insurance program whereby customers who bought
mutual fund shares could obtain a loan prom the company to pay the premium on a life
insurance policy. After some years the customer would sell off the mutual fund holdings to
repay the loan. The mutual fund shares should have appreciated sufficiently so only a
partial sale of shares would required. Thus, the customer had the cash value of the
insurance policy and the remaining mutual fund shares as assets from the investment.
12-CRS-0106 REVISED 8 FEB 2013
Equity Funding was a financial institution primarily enganged in life insurance. In 1964, its
top management commenced to perpetrate a fraud that would take almost ten years to
discover. The intent of the fraud was to inflate earnings so that management could benefit
through trading their securities at high prices.
The inflated earnings obtained via bogus commisions were supported by manual entries
made on the company’s books. Even though supporting documentation did not exist for the
entries, the company’s auditors failed to detect the fraud. However, the inflated assets did
not bring about cash inflows, and the company started to suffer severe cash sortages
because of real operating losses.
The third stage, the insurance phase, involved the resale of insurance policies to other
insurance companies. This practice is not unusual in the insurance business – when one
company needs cash immediately and another company has a cash surplus. Equity Funding
created bogus policies. In the short run it attempted to solve its cash problems by selling
these policies to another insurance company. In the long run, however, the purchasing
company expected cash receipts from premiums on the policies. Because the policies were
bogus, Equity Funding had to find the cash to pay the premiums. Thus, it was only a matter
of time before the fraud could no longer be concealed. Interestingly, the fraud was revealed
by a disgruntled employee who was involved in the fraud but had been fired by Equity
Funding management.
12-CRS-0106 REVISED 8 FEB 2013
To remedy the cash shortage situation, the fraud moved into the second stage, the foreign
phase. The company acquired foreign subsidiaries and used these subsidiaries in complex
transfers of assets. Funds were brought into the parent company to reduce the funded loans
asset account and falsely represent customer repayments of their loans. However, even this
scheme proved inadequate.
16
9/5/2014
The computer was not used in the fraud until the insurance phase. The task of
creating the bogus policies was too big to be handled manually. Instead, a program
was written to generate policies. These policies were coded as the now infamous
“Class 99”.
The trustee’s investigations led to two conclusions. First, the fraud was
unsophisticated and doomed to failure. Second, some of the fundamental principles
of good auditing were not applied.
Required. Write a brief report outlining some traditional audit procedures that, if
they had been used, should have detected the fraud. Be sure to explain why you
believe the procedures you recommend would have been successful.
12-CRS-0106 REVISED 8 FEB 2013
(Weber, Ron. 1999. Information Systems Control and Audit. Prentice-Hall.Inc.)
2. JERRY SCHNEIDER
One of the more famous cases of computer abuse involves a young man named Jerry
Schneider. Schneider had a flair for electronics. By the time he left high school, he had already
formed his own firm to market his inventions. His firm also sold refurbished Western Electric
telephone equipment. In 1970, he devised a scheme whereby Pasific Telephone in Los Angeles
would supply him with good equipment – free!
Scheider intended to gain access to the ordering system. He sought to have Pasific Telephone
deliver supplies to him as if he were one of its legitimate sites. He used a variety of techniques
to find out how the system worked and to breach security: He sifted through trash cans and
found discarded documents that provided him with information on the ordering system. He
posed as a magazine writer and gathered information directly from Pasific Telephone. To
support his activities, he bought a Pasific Telephone delivery van at an auction., “acquired” the
master key for supply delivery locations in the Los Angeles area, and bought a touch-tone
telephone card dialer with a set of cards similar to those used by the equipment sites to submit
orders.
12-CRS-0106 REVISED 8 FEB 2013
Pasific Telephone used a computerized equipment ordering system. Equipment sites placed
orders using a touch-tone card dialer. The orders were subsequently keypunched onto cards.
The computer then updated the inventory master file and printed the orders. The orders were
supplied to a transportation office that shipped the supplies.
17
9/5/2014
Scheider took advantage of the budgeting system used for ordering sites. Typically, these sites
had a budget allocated larger than they needed. Providing this budget was not exceeded, no
investigation of equipment ordering took place. Schneider managed to gain access to the
online computer system containing information on budgets. He then determined the size of
orders that would be tolerated. For seven months Pasific Telephone delivered him equipment
that he resold to his customers and to Pasific Telephone. He kept track of the reorder levels for
various Pasific Telephone inventories, depleted these inventories with his ordering, and then
resold the equipment back to Pasific Telephone.
Scheider’s downfall occurred when he revealed his activities to an employee. He as unable to
keep up with the pace of his activities. As a result, he confided in an employee to obtain
assistance. When the employee asked for a pay raise, Schneider fired him. The employee then
went back to Pasific Telephone and told the the fraud.
Required. Write a brief report outlining some basic internal control procedures that, if they had
been applied, should have prevented or detected Schneider’s activities. Be sure to explain why
the application of the internal control procedures you recommend would have been successful.
(Weber, Ron. 1999. Information Systems Control and Audit. Prentice-Hall.Inc.)
12-CRS-0106 REVISED 8 FEB 2013
There are varying reports on how much Schneider took from Pasific Telephone. Parker (1976)
estimates it as possible equipment worth a few million dollars was taken. For the fraud
Schneider received a two-month jail sentence followed by three years probation. Interestingly,
upon completing the jail term, he set up a consulting firm specializing in computer security.
3. UNION DIME SAVINGS BANK
Banks seem especially prone to computer abuse. Roswell Steffen used a computer to embezzle
$1.5 million of funds at the Union Dime Savings Bank in New York City. Inan interview with
Miller (1974) after he was discovered, he claimed, “Anyone with a head on his shoulders could
successfully embezzle funds from a bank. And many do.”
Steffen was a compulsive gambler. He initially “borrowed” $5,000 from a cash box at the bank
to support his gambling with the intention of returning the money from his earnings.
Unfortunately, he lost the $5,000. He then spent the next three and one-half years trying to
replace the money, again by “borrowing” from the bank to gamble at the racetrack.
He used several techniques to obtain money. He first concentrated on accounts over $100,000
that had a little activity and had interest credited quarterly. He used the supervisory terminal to
reduce the balances in these accounts. Occasionaly an irate customer complained about the
balances. Steffen then faked a telephone call to the data processing department, informed the
customer it was a simple error, and corrected the situation by moving funds from another
account.
12-CRS-0106 REVISED 8 FEB 2013
As the head teller at Union Dime, Steffen had a supervisory terminal in the bank’s online
computer system that he used for various administrative purposes. He took money from the
cash box and used the terminal to manipulate customer account balances so the discrepancies
would not be evidenced in the bank’s daily proof sheets.
18
9/5/2014
Other sources of funds included two-year certificate accounts and new accounts. With twoyear certificate accounts, he prepared the necessary documents but did not record the
deposit in the bank’s files. Initially he had two years to correct the situation. Matters
became more complicated, however, when the bank started to pay quarterly interest on
these accounts.
With a new accounts, he used two new passbooks from the bank supply of prenumbered
books. Upon opening an account, he enterd the transaction using the account number of the
first passbook but recorded the entry in the second passbook. He then destroyed the first
passbook.
(Weber, Ron. 1999. Information Systems Control and Audit. Prentice-Hall.Inc.)
THANK YOU
12-CRS-0106 REVISED 8 FEB 2013
Required. Write a brief report outlining some basic internal control procedures that, if they
had been applied, should have prevented or detected Steffen’s activities. Be sure to explain
why the application of the control procedures you recommend would have been successful.
12-CRS-0106 REVISED 8 FEB 2013
Perpetrating the fraud became very complex, and Steffen made many mistakes. However,
the bank’s internal control system and audit techniques were sufficiently weak that he could
explain away discrepancies and continue. He was caught because police raided Steffen’s
bookie and noticed a lowly paid bank teller making very large bets.
19