Control and Audit Information System


Uploaded by: arif-prasetyo

Posted on 23-Jan-2018


TRANSCRIPT

LOGOwww.themegallery.com

by:

ARIF PRASETYO

11353100414

CONTROL AND AUDIT INFORMATION SYSTEM

Course Lecturer: M. Jasman, S.Kom, M.InfoSys


Control & Audit

According to Vishnu Ap, an audit is a process of checks carried out systematically to find out how the required quality is actually implemented. The audit results are documented and evaluated periodically. Meanwhile, according to Frans M. Royan, an audit aims to help owners maintain control and avoid fraud and manipulation of data.

An information systems audit is the inspection activity performed by the company's internal audit function to collect evidence and evaluate the company's controls, so that the company achieves its objectives in accordance with the specified criteria.

A control is also called a system of control (a control is a system): in other words, a set of interrelated components that work together to accomplish a purpose or goal, to establish the legality/validity of an activity (and expose unlawful events), and to support inspection.


The 5 Accounting Information System Audit Cycles

1. Revenue Cycle (sales and collection)

2. Expenditure Cycle (how goods are purchased)

3. Production Cycle (how goods are produced)

4. HRM (Human Resource Management)

5. General Ledger and Reporting System


Internal audit

Internal audit is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. Internal auditors perform a variety of activities, including financial, operational, compliance and fraud audits. Auditors can work for the organization, or the task can be outsourced. Independence is self-imposed, but the auditor represents the interests of the organization.


External vs. Internal Auditors

External auditors are outsiders, while internal auditors represent the interests of the organization. Internal auditors often cooperate with and assist the external auditors in some aspects of the financial audit. The extent of cooperation depends on the independence and competence of the internal audit staff. External auditors may rely in part on evidence gathered by the internal audit department when that department is organizationally independent and reports to the audit committee of the board of directors.


The role of the Audit Committee

A subcommittee of the board of directors:

• Usually three external members.

• SOX requires that at least one member be a "financial expert".

It functions as an independent "check and balance" on the internal audit function.

SOX mandates that external auditors report to the audit committee:

• The committee hires and fires the auditors and resolves disputes.


Auditing standards

Management assertions and audit objectives:

1. Existence or occurrence; Completeness; Rights and obligations; Valuation or allocation; Presentation and disclosure.

2. The auditor develops audit objectives and designs audit procedures based on these assertions.

3. The auditor searches for material evidence corroborating the assertions.

4. The auditor must determine whether internal control deficiencies and material misstatements exist.

5. The auditor must communicate the results of their tests, including an audit opinion.


Audit risk

Audit risk is the probability that the auditor will issue an unqualified (clean) opinion on financial statements that are, in fact, materially misstated. Inherent risk (IR) is associated with the unique characteristics of the client's business or industry. Control risk (CR) is the possibility that the control structure is flawed because controls are absent or inadequate to prevent or detect errors. Detection risk (DR) is the risk the auditor is willing to take that errors not prevented or detected by the control structure will also go undetected by the auditor. The components of audit risk are combined in a model used to define the scope, nature and timing of substantive testing:

Audit risk model: AR = IR x CR x DR

If the acceptable audit risk is 5%, the detection risk will depend on the planned control structure.

The stronger the internal control structure, the lower the control risk and the less substantive testing the auditor needs to do.

Substantive testing is labor intensive and time-consuming, which drives up audit costs and causes disruption.

Management's interests are therefore served by a strong internal control structure.
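As an added worked example (not part of the original slides), the following Python solves the audit risk model AR = IR x CR x DR for the planned detection risk and shows the relationship the slide describes: a stronger control structure (lower CR) lets the auditor accept a higher DR and plan less substantive testing. The 5% acceptable audit risk comes from the slide; the other risk values, the substantive-testing thresholds and the function names are constructed assumptions for illustration.

```python
"""Audit risk model: AR = IR x CR x DR, solved for the planned detection risk.

Added illustration; the numeric risk values below are constructed, not audit data.
"""


def planned_detection_risk(ar: float, ir: float, cr: float) -> float:
    """Solve AR = IR * CR * DR for DR. All inputs are probabilities in (0, 1].

    Edge case: if IR * CR is already below AR, the formula gives DR > 1, which has
    no meaning as a probability. It is capped at 1.0, i.e. the control structure
    alone keeps overall risk within the acceptable level.
    """
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    return min(1.0, ar / (ir * cr))


def substantive_testing_extent(dr: float) -> str:
    """Map planned detection risk to how much substantive testing is needed.

    Lower DR means the auditor must detect more on their own, so more testing.
    The thresholds are illustrative assumptions, not values from the slides.
    """
    if dr < 0.10:
        return "extensive"
    if dr < 0.30:
        return "moderate"
    return "limited"


def compare_control_structures(ar: float = 0.05, ir: float = 0.80,
                               weak_cr: float = 0.60, strong_cr: float = 0.20) -> dict:
    """Same client (same IR) and same acceptable AR, two assessed control risks.

    Returns {"weak": (DR, extent), "strong": (DR, extent)} so the effect of a
    stronger internal control structure on substantive testing is visible.
    """
    weak = planned_detection_risk(ar, ir, weak_cr)
    strong = planned_detection_risk(ar, ir, strong_cr)
    return {
        "weak": (weak, substantive_testing_extent(weak)),
        "strong": (strong, substantive_testing_extent(strong)),
    }


if __name__ == "__main__":
    for label, (dr, extent) in compare_control_structures().items():
        print(f"{label} controls: planned DR = {dr:.3f} -> {extent} substantive testing")
```

With the constructed values, weak controls (CR = 0.60) leave a planned DR of about 0.104, while strong controls (CR = 0.20) allow a DR of about 0.313, so the auditor can plan less substantive testing for the same 5% acceptable audit risk.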


Internal control

Management is required by law to establish and maintain an adequate system of internal controls.

A brief history of internal control law:

1. SEC Acts of 1933 and 1934.

2. Copyright Law of 1976.

3. Foreign Corrupt Practices Act (FCPA) of 1977, which requires companies registered with the SEC to:

• Keep records that sufficiently and fairly reflect the transactions and the company's financial position.

• Maintain an internal control system that provides reasonable assurance that organizational goals are met.

4. Committee of Sponsoring Organizations (COSO) - 1992.

5. Sarbanes-Oxley Act of 2002 (SOX) requires management of public companies to implement an adequate system of internal controls over their financial reporting process. Under Section 302:

• Managers must certify the organization's internal controls quarterly and annually.

• External auditors must perform certain procedures quarterly to identify material changes to controls that can affect financial reporting.

Section 404 requires management of public companies to assess the effectiveness of internal controls in their annual reports.


Internal Control System

The internal control system consists of the policies, practices and procedures used to achieve four broad objectives:

• Safeguard company assets.

• Ensure the accuracy and reliability of accounting records and information.

• Promote efficiency in operations.

• Measure compliance with management's prescribed policies and procedures.


Modifying Principles

• Establishing and maintaining internal control is management's responsibility under SOX.

• Objectives must be achieved regardless of the data processing method used.

• Every system has limitations on its effectiveness, including the possibility of error, circumvention, management override and changing conditions.

• The system should provide reasonable assurance that the broad objectives are met.

• The cost of achieving improved control should not be greater than the benefits.

• The cost of correcting material weaknesses is offset by the gains.


PDC Model

Preventive controls are passive techniques designed to reduce the frequency of undesirable events. They are more cost effective than detecting and fixing problems after they occur.

Detective controls are devices, techniques and procedures that identify and expose undesirable events that get past the preventive controls.

Corrective controls fix the problems that the detective controls have identified.


IT Governance

IT governance is the part of corporate governance that focuses on resource management and strategic IT assessment. Its key objective is to reduce risk and ensure that investment in IT resources adds value to the corporation. All of the company's stakeholders must be active participants in key IT decisions.


Control of IT Governance

COSO (Committee of Sponsoring Organizations) was first established in 1992. Three IT governance issues are handled by SOX and the COSO internal control framework:

• The organizational structure of the IT function.

• The computer operations center.

• Disaster recovery planning.


There are 5 components of COSO, namely:

1. Control environment

2. Risk factors (risk assessment)

3. Information and communication

4. Monitoring

5. Control activities; within this component there are two categories, namely:

• IT controls

• Physical controls

The purpose of control is to avoid the occurrence of Error, Fraud (theft), unauthorized Access and Mischief.

In 2001 the Enron case occurred. Sarbanes-Oxley was enacted as law in 2002; it requires an audit to be performed 4 times a year.

To build a company's protection, preventive, detective and corrective controls need to be in place: detective controls to detect problems and corrective controls to fix them.


Audit of Databases

Access to data resources is controlled by a database management system (DBMS), which centralizes the organization's data into a common database shared by a community of users. All users have access to the data they need, which overcomes the problems of the flat-file approach:

• Elimination of the data storage problem: there is no data redundancy.

• Elimination of the data update problem: a single update procedure eliminates the information currency problem.

• Elimination of the task-data dependency problem: users' access to data is limited only by the legitimacy of their access needs.


Physical database

The physical database is the lowest level and the only one that exists in physical form. Magnetic disks (metal-coated platters) hold what is logically a collection of files and records. The data structure is the bricks and mortar of the database: it allows records to be located, stored and retrieved, and it has two components, organization and access method.

File organization refers to the way records are physically arranged on the storage device, either sequential or random.

The access method is the program used to search for records and to navigate through the database.


Database terminology

Entity: anything the organization wants to capture data about.

Record type: the physical representation of a database entity.

Occurrence: the number of records represented by a particular record type.

Attributes: the values that define an entity and differ between occurrences (e.g., each employee has a different name).

Database: the set of record types that the organization needs to support its business processes.
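To make the terminology above and the file organization / access method distinction from the physical database slide concrete, here is an added Python illustration (not from the original slides). An Employee record type represents the Employee entity, its fields are the attributes and its instances are the occurrences; the same records are stored once in a sequential file (records kept in key order, access method is a scan) and once in a randomly organized file (records placed by hashing the key, access method goes straight to the bucket). The sample records, the bucket count and the class and function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Record type: the physical representation of the Employee entity.
# Each field is an attribute; each instance is one occurrence.
@dataclass(frozen=True)
class Employee:
    emp_id: int        # key attribute used to locate the record
    name: str
    department: str


# Constructed sample occurrences (not real data), deliberately not in key order.
SAMPLE_RECORDS: List[Employee] = [
    Employee(104, "Dewi", "Finance"), Employee(101, "Arif", "IT"),
    Employee(110, "Rina", "HR"), Employee(107, "Budi", "Sales"),
    Employee(102, "Citra", "IT"), Employee(109, "Eko", "Finance"),
    Employee(105, "Fajar", "Production"), Employee(103, "Gita", "HR"),
    Employee(108, "Hadi", "Sales"), Employee(106, "Indah", "IT"),
]


class SequentialFile:
    """Sequential organization: records physically arranged in key order.
    The access method is a scan starting from the first record."""

    def __init__(self, records: List[Employee]) -> None:
        self._records = sorted(records, key=lambda r: r.emp_id)

    def occurrences(self) -> int:
        return len(self._records)

    def find(self, emp_id: int) -> Tuple[Optional[Employee], int]:
        """Return (record or None, number of records read to decide)."""
        reads = 0
        for rec in self._records:
            reads += 1
            if rec.emp_id == emp_id:
                return rec, reads
            if rec.emp_id > emp_id:   # keys are ordered: it cannot appear later
                break
        return None, reads


class RandomFile:
    """Random (direct) organization: a hashing algorithm on the key chooses the
    physical bucket, so the access method reads only that bucket."""

    def __init__(self, records: List[Employee], buckets: int = 8) -> None:
        self._buckets: List[List[Employee]] = [[] for _ in range(buckets)]
        for rec in records:
            self._buckets[rec.emp_id % buckets].append(rec)

    def occurrences(self) -> int:
        return sum(len(bucket) for bucket in self._buckets)

    def find(self, emp_id: int) -> Tuple[Optional[Employee], int]:
        """Return (record or None, number of records read in the bucket)."""
        reads = 0
        for rec in self._buckets[emp_id % len(self._buckets)]:
            reads += 1
            if rec.emp_id == emp_id:
                return rec, reads
        return None, reads


def compare_access(emp_id: int) -> dict:
    """Look up one key under both organizations and report the reads each needed."""
    seq, rnd = SequentialFile(SAMPLE_RECORDS), RandomFile(SAMPLE_RECORDS)
    s_rec, s_reads = seq.find(emp_id)
    r_rec, r_reads = rnd.find(emp_id)
    return {
        "found": s_rec is not None and s_rec == r_rec,
        "sequential_reads": s_reads,
        "random_reads": r_reads,
    }


if __name__ == "__main__":
    for key in (105, 110, 200):   # two existing keys and one absent key
        print(key, compare_access(key))
```

Both organizations hold the same ten occurrences, but locating the last key in sequence (110) costs ten reads in the sequential file and one read in the random file; the absent key 200 is also settled after a single bucket read in the random file, while the sequential scan has to run to the end.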


AUDIT INFORMATION SYSTEM BASED ON THE COBIT FRAMEWORK

Control Objectives for Information and related Technology, or COBIT for short, is a standard guide to information technology management practices. COBIT is designed as an IT governance tool that helps in understanding and managing the risks, benefits and evaluations related to IT. The COBIT standard is issued by the IT Governance Institute, which is part of ISACA. COBIT 4.0 is the latest version.


The COBIT Framework consists of 34 high-level control objectives, each an IT process, grouped into four primary domains:


1. Planning and Organization

Covers the strategies and tactics for identifying how IT can best contribute to the achievement of the organization's business objectives, as well as forming a good organization with a good technology infrastructure.

PO1 Define a strategic information technology plan

PO2 Define the information architecture

PO3 Determine the technological direction

PO4 Define the IT organization and relationships

PO5 Manage the investment in information technology

PO6 Communicate management aims and direction

PO7 Manage human resources

PO8 Ensure compliance with external requirements

PO9 Assess risks

PO10 Manage projects

PO11 Manage quality


2. Acquisition and Implementation

IT solutions are identified, then implemented and integrated into business processes to realize the IT strategy.

AI1 Identify automated solutions

AI2 Acquire and maintain application software

AI3 Acquire and maintain technology infrastructure

AI4 Develop and maintain IT procedures

AI5 Install and accredit systems

AI6 Manage changes


3. Delivery and Support

This domain is concerned with the delivery of the required services, ranging from system operations and security aspects to business continuity and the provision of training.

DS1 Define and manage service levels

DS2 Manage third-party services

DS3 Manage performance and capacity

DS4 Ensure continuous service

DS5 Ensure system security

DS6 Identify and allocate costs

DS7 Educate and train users

DS8 Assist and advise customers

DS9 Manage the configuration

DS10 Manage problems and incidents

DS11 Manage the data

DS12 Manage facilities

DS13 Manage operations


4. Monitoring

All IT processes need to be assessed regularly and periodically for how well they conform to quality and control requirements.

M1 Monitor the processes

M2 Assess internal control adequacy

M3 Obtain independent assurance

M4 Provide for independent audit
