
Information System Audit
CDG413
Introduction and Foundations of IS Audit
Subject Description
The subject covers how IS/IT is directed to support business goals by evaluating the contribution and compliance of IT programs in the enterprise. Best practices, frameworks, and guidelines are introduced to show participants how an IS audit should be performed. Because the subject is an elective course in Informatics, technical aspects of the IS audit process are emphasized, such as audit trails, business process engineering, and security appraisal.

Information System
• It comprises People, Data, Processes, and Technology
• An IS is a set of interrelated people, data, processes, and information technology that collects, processes, stores, and provides the necessary information as output to support an organization (Whitten et al., 2007)
• An IS collects, processes, stores, analyzes, and disseminates information for a specific purpose (Turban, McLean, Wetherbe; 2004).

Business vs IS feat. IT
(Ward, Peppard; 2002)
Why enterprises adopt IS/IT strategies
• alignment between IS/IT and the business, and success of the investment;
• gaining competitive advantage from business opportunities created by using IS/IT;
• building a cost-effective, yet flexible technology infrastructure for the future;
• developing the appropriate resources and competencies to deploy IS/IT successfully across the organization.

(Ward, Peppard; 2002)
Audit is ...
Independent review and examination of records and activities to assess the adequacy of internal controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures (International Organization for Standardization/ISO).
Audit is ...
a formal inspection and verification to check whether a
standard or set of guidelines is being followed, that
records are accurate, or that efficiency and effectiveness
targets are being met (Information Technology
Infrastructure Library).

IS/IT Audit
The process of collecting and evaluating evidence to
determine whether a computer system safeguards assets,
maintains data integrity, allows organizational goals to be
achieved effectively and uses resources efficiently.

Factors influencing the control and audit of computers
• Organizational costs of data loss
• Costs of incorrect decision making
• Costs of computer abuse
• Value of HW, SW, and personnel
• High costs of computer error
• Maintenance of privacy
• Controlled evolution of computer use
Why Audit?
Auditing takes much effort, time, and resources, so why do it?
• Complying with rules and regulations;
• Evaluating the effectiveness of implemented controls;
• Confirming adherence to internal policies, processes, and procedures;
• Checking conformity to IT governance or control frameworks and standards;
• Analyzing vulnerabilities and configuration settings to support continuous monitoring;
• Identifying weaknesses and deficiencies as part of initial or ongoing risk management;
• Measuring performance against quality benchmarks or service level agreements;
• Verifying and validating systems engineering or IT project management practices;
• Self-assessing the organization against standards or criteria that will be used in anticipated external audits.
Goals of IS/IT Audit
• Asset safeguarding
• System efficiency
• Data integrity
• System effectiveness
• Certification and credibility

Attributes of IS/IT Audit
• Auditor
• Audit goal
• Audit scope
• Audit technique or framework or guideline
• Audit timing/period

Baseline of IT Audit
• Traditional audit (evidence-based financial compliance)
• Computer science (software and network reliability)
• Information system management (software engineering and IT project management)
• Behavioral science (people’s acceptance, abuse, and inhibiting or motivating factors)

IT Audit Drivers [1]

IT Audit Drivers [2] case studies
• Sarbanes–Oxley Act of 2002 in the USA
• Information Security Management Systems in Indonesia
• General Data Protection Regulation (GDPR) in the European Union
• Health Information Technology for Economic and Clinical Health Act (HITECH 2009) in Western countries
Auditor Responsibility
It is the responsibility of the auditor to:
• Follow professional standards
• Be fair, competent, and accurate
• Understand the audit target environment
• Report any conflict of interest or impairment of independence
• Add value by offering recommendations and guidance

Generally Accepted Auditing Standards
Control is ...
A control (sometimes called a countermeasure or safeguard) is a tactic, mechanism, or strategy that reduces or eliminates a risk or a vulnerability.
Control Objective is ...
A control objective is a statement of the desired result or purpose to be achieved by implementing the control. Control objectives may relate to:
• Security (confidentiality, integrity, availability)
• Privacy
• Compliance
• Effectiveness
• Efficiency
Internal Control is ...
policies, plans and procedures, and organizational structures
designed to provide reasonable assurance that business
objectives will be achieved and undesired events will be
prevented or detected and corrected (IT Governance
Institute).

Internal Control Types & Purposes
Evidence is ...
Evidence is the information collected during the audit process that serves as proof for conclusions about control effectiveness and the achievement of goals. It takes the form of:
• Observation results
• Written notes
• Correspondence
• Internal process and procedure documentation
• Business records
Major Steps in Auditing

IS/IT Audit Life Cycle
IS/IT Audit Life Cycle [1] Planning

Planning encompasses all the activities necessary to ensure that a specific audit can be executed completely and efficiently to satisfy the audit objectives:
• Objectives and scope
• Start date, finish date, and timeline
• Personnel and resource requirements
• Related planning documents
• Protocols, audit criteria, and evidentiary and procedural requirements
• Expectations about audit reports or other work products that will be delivered by the end of the audit
IS/IT Audit Life Cycle [2] Performance
Performance is the stage in which the audit team executes the plan developed for the audit and conducts a detailed examination of processes, IT assets, and controls, comparing evidence collected about the organization and its capabilities and practices to the requirements specified in audit criteria, relevant protocols, or applicable standards. It includes:
• the examination of all documentation and contextual information available
• the collection of evidence through observation, interviews, and tests
• the analysis of the evidence to identify weaknesses, control deficiencies, or other issues
IS/IT Audit Life Cycle [3] Report

• The contents of the report depend on the objective and the audience of the report. It may contain satisfactory findings and areas of conformance; weaknesses or deficiencies; or both.
• Most audit reports consist mainly of non-conformity or non-compliance findings against the audit criteria.
• Full details of the audit process are captured in audit work papers, which contain the evidence, the related criteria, and the audit method.
IS/IT Audit Life Cycle [4] Response

Audit reports are a significant input for organizational improvement. Organizations assess the risk of the audit findings and determine the best response to that risk:
• Do risk assessments
• Prioritize corrective action based on risk
• Risk response: mitigation, avoidance, transference, or acceptance
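The report and response stages of the life cycle, as an added Python example that is not from the original slides: constructed audit criteria and evidence items are compared to raise non-conformity findings (a criterion with no evidence at all is treated as the worst case), findings are prioritized by a likelihood times impact score, and an assumed acceptance threshold decides between accepting the risk and requiring corrective action. All criteria, evidence, scales, and the threshold are assumptions made for the example.

```python
from dataclasses import dataclass
# Constructed sample audit criteria and evidence (assumptions for this example,
# not drawn from a real audit). Impact is on a 1-5 scale.
CRITERIA = {
    "AC-1": ("Privileged accounts reviewed quarterly", 4),
    "BK-2": ("Backup restore tested monthly", 5),
    "LG-3": ("Audit trail retained for 12 months", 3),
    "CH-4": ("Production changes approved before deployment", 2),
}
# (criterion id, evidence type, observation, requirement met?)
EVIDENCE = [
    ("AC-1", "document", "Last access review dated 14 months ago", False),
    ("AC-1", "interview", "Owner states reviews happen ad hoc", False),
    ("BK-2", "test", "Restore of last month's backup succeeded", True),
    ("LG-3", "document", "Retention policy requires 12 months", True),
    ("LG-3", "test", "Oldest log entry on the server is 5 months old", False),
]
ACCEPTANCE_THRESHOLD = 10  # assumed risk appetite: scores below this are accepted
@dataclass
class Finding:
    criterion: str
    requirement: str
    likelihood: int   # 1-5, derived from the share of evidence items that failed
    impact: int       # 1-5, taken from the audit criteria
    notes: list       # failed observations that support the finding
    @property
    def risk(self) -> int:
        return self.likelihood * self.impact
def evaluate(criteria, evidence):
    """Report stage: a non-conformity finding for each criterion the evidence shows
    is not met; no evidence at all is the worst case (effectiveness unprovable)."""
    findings = []
    for cid, (requirement, impact) in criteria.items():
        items = [e for e in evidence if e[0] == cid]
        failed = [e[2] for e in items if not e[3]]
        if not items:
            findings.append(Finding(cid, requirement, 5, impact, ["no evidence collected"]))
        elif failed:
            likelihood = 1 + round(4 * len(failed) / len(items))
            findings.append(Finding(cid, requirement, likelihood, impact, failed))
    return findings

def prioritize(findings):
    """Response stage: order corrective actions by risk score, highest first."""
    return sorted(findings, key=lambda f: f.risk, reverse=True)

def response_for(finding):
    """Acceptance follows from the score; otherwise default to mitigation."""
    return "accept" if finding.risk < ACCEPTANCE_THRESHOLD else "mitigate"
```

Avoidance and transference are management decisions the auditor records rather than derives from the score, so the example only distinguishes acceptance from corrective action.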
