
INTRODUCTION TO INFORMATION SYSTEM AUDITING

Meeting 1, Session 3
Faculty of Economics and Business, Universitas Padjadaran

Information System Risk and Control

Learning areas:
- Understanding IS risks for business
- Understanding IS control: general control and application control, and their classifications
- Implementing IT internal control for business: overview of ICOFR (Internal Control over Financial Reporting)

1. Information System Risks

What is Risk?

Definition of risk: the possibility that something bad or unpleasant (such as an injury or a loss) will happen; someone or something that may cause something bad or unpleasant to happen; a person or thing that someone judges to be a good or bad choice for insurance, a loan, etc.

What is Risk?

Definition of business risk: risk is the threat that an event, action, or non-action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully.

For all businesses there are risks that exist and that need to be identified and addressed in order to prevent or minimize losses. Risk is measured in terms of consequences and likelihood. The risk review process may also identify opportunity, such as when effective risk management can be turned into competitive advantage.

[Diagram: risks, threats, objectives and opportunities, with impact rated High, Medium or Low]

What is IS Risk?

Definition of IS risk: IS risk is business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IS within an enterprise. It consists of IS-related events that could potentially impact the business.

Understanding IS Risk

In evaluating IT-related business processes, understanding the relationship between risk and control is important. Therefore the business:
- Must be able to identify and differentiate risk types and the controls used to mitigate these risks.
- Must have knowledge of common business risks, related technology risks and relevant controls.
- Must be able to evaluate the risk assessment and management techniques used by business managers.

Analysing Business Risk Arising from IT

Accountants and auditors should have a clear understanding of:
- The purposes and nature of the business, the environment in which the business operates and related business risks
- The dependence on technology and related dependencies that process and deliver business information
- The business risks of using IT and how they impact the achievement of the business goals and objectives
- A good overview of business processes and the impact of IT and related risks on the business process objectives

Understanding IS Risk

Examples of IT risks:
- technical failure of computer servers
- failure in system implementation
- human error in input of data
- communication infrastructure failure
- physical threat and theft
- electronic and malicious threats (e.g. hacking)
- and others

Security Incidents in 2014

DISCUSSION: Is there any impact on financial reporting?

2. Impact of Information System Characteristics on the Audit

Information System Characteristics:
A. Lack of transaction trails
B. Uniformity of processing
C. Lack of segregation of duties
D. Potential for errors or irregularities
E. Automated transaction execution
F. Dependence on other controls
G. Potential for increased supervision
H. Potential for use of CAATs

Mapped to the components of audit risk:
- Inherent risk: A. Lack of transaction trails; B. Uniformity of processing; D. Potential for errors and irregularities; E. Initiation and execution of transactions
- Control risk: C. Lack of segregation of functions; F. Dependence on other controls
- Detection risk: H. Potential for use of CAATs

IS characteristics that decrease audit risk: B. Uniformity of processing; G. Potential for increased management supervision; H. Potential for use of CAATs

IS characteristics that increase audit risk: A. Lack of transaction trails; C. Lack of segregation of functions; D. Potential for errors and irregularities; E. Initiation and execution of transactions; F. Dependence on other controls

3. Information System Control

What is Internal Control?

By definition, internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Thus it reflects four fundamental concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely a policy manual and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Relationship of Risk and Control

ICoFR is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, and effected by the company's BoD, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP, and includes those policies and procedures that:
1. pertain to the maintenance of records that in reasonable detail accurately and fairly reflect transactions and dispositions of assets;
2. provide reasonable assurance that transactions are recorded as necessary to permit preparation of FS in accordance with GAAP, and that receipts and expenditures are being made only in accordance with authorizations;
3. provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material effect on FS.

[Diagram: the three dimensions of the COSO Internal Control Integrated Framework: components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) against organizational levels (Entity Level, Division, Activity 1, Activity 2)]

Therefore, management's part related to ICoFR is to ensure that there is in fact a system of internal controls in place that could provide reasonable assurance that the company is able to record, process, summarise, and report financial data so that financial statements and other financial information fairly present in all material respects the financial condition and results of operations.

What is Internal Control?

IS Control Objectives:
- Safeguarding of assets
- Assuring integrity of general operating system environments
- Assuring the integrity of sensitive and critical application system environments through:
  - Authorization of the input
  - Accuracy and completeness of processing of transactions
  - Accuracy, completeness and security of the output
- Ensuring the efficiency and effectiveness of operations
- Complying with requirements, policies and procedures, and applicable laws
- Developing business continuity and disaster recovery plans

IT Control Classifications

[Diagram: layers of the control model and the IT controls attached to each]
- Financial Reports: Balance Sheet, Income Statement, Notes to FS, Management Report, Others
- Business Processes & Information Systems: Revenue, Purchasing, Human Resources, Others
- IT Infrastructure and Operations: Information Security, IT Management
- Corporate Governance & Management: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring
IT control labels in the diagram: Transactional Level & IT General Control; Entity Level & IT Entity Level Control

Entity level controls have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls might affect the other controls selected for testing and the nature, timing, and extent of procedures to be performed on other controls.
Transactional level controls, including manual and application system controls, are controls to mitigate risks in the financial reporting process.
The nature, timing, and extent of ITGC correlate with the risk within the IT environment, such as IT organization and relationships (SoD); IT policies and procedures; IT risk assessment plan; IT management; and information security.

IT General Control

IT general controls are broad controls over general IT activities, such as security and access, computer operations, and systems development and system changes. General controls are embedded in IT processes and services.
For financial audit needs, they consist at minimum of:
- IT Entity Level Controls
- Change Management
- Information Security
- Back Up and Recovery Controls
- Third Party IT Providers

IT General Control

IT provides services (development and operational IT processes), usually as a shared service to many business processes in the whole enterprise. The IT infrastructure is provided as a common service (networks, databases, operating systems and storage).
The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could accidentally or deliberately jeopardize the reliability of automated application controls such as integrity checks.

IT General Control

IT level of sophistication: the level of sophistication is directly related to the proper quantity and power of IT audit procedures. That is, a low level would use rather simple procedures (low-strength procedures such as inquiry and observation) and would be rather limited as to the number of procedures.

IT Entity Level Control

Also known as Organizational and Managerial Control, Control Environment, Policy and Procedures Control, or others.

IT entity-level controls are related to the entity's environment. They provide an umbrella of controls over the acquisition, implementation and management of the IT (systems and technologies) used in the entity.
Controls in this area include IT governance, IT policies and procedures, IT management, planning and strategy, human resources, and IT risk management.
For a low level of IT sophistication, the risk is likely to be so low as to become irrelevant.

IT Governance

IT governance ensures the alignment of IT facilities with the business needs and the proper management of these facilities.

Key risks:
- IT does not support business needs
- Loss of efficiency, untimely problem solving, unsatisfied staff, no improvements
- Unwanted combination of functions
- Untimely management reporting
- High dependence on one or a few persons

Key controls needed:
- Proper planning and budgeting
- Quality and quantity of staff
- Segregation of duties or close supervision
- Efficient use of IT
- Proper procedures and documentation

Change Management

Also known as Program Development and Program Changes, System Development and Acquisition, or others.

Basically, change management controls are the controls management has in place to ensure that all changes in the IT portfolio are authorized properly and implemented securely.
The controls would ensure that the systems or technologies were acquired with some forethought as to their reliability and applicability to the entity, and were tested offline diligently before becoming operational.
Change management applies to software (applications) and hardware (infrastructure, including operating systems and networks).

Some basic control issues should be evident in all systems development and acquisition work:
- User requirements should be documented, and their achievement should be measured.
- Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
- Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.
- Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
- Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.

Information Security

Also known as Access Management, Logical and Physical Security, or others.

Information security relates to the inherent risk that an unauthorized party could gain access to financial reporting applications or data and intentionally or unintentionally create misstatements in the data.
Information security is primarily related to two types of access: physical access and logical access.

Logical Security

Logical security involves determining who can go where and whether they are authorized. This means that identification of users as well as authentication of users is a prerequisite for any subsequent security measures such as determining the authority level of users.
The IT assets under logical security can be grouped in four layers:
- Networks
- Platforms (operating systems)
- Databases
- Applications

Technical exposures in logical access include:
- Data leakage
- Wire tapping
- Trojan horses / backdoors
- Viruses
- Worms
- Logic bombs
- Denial-of-service attacks
- Computer shutdown
- War driving
- Rounding down and salami technique

Logical Security

[Diagram: Identification (user profiles) -> Authentication (access control files) -> Authorization (database, log, software library)]

Logical Security

Common vulnerabilities that may be exploited to gain unauthorized system access include:
- Weak authentication methods
- The potential for users to bypass the authentication mechanism
- Lack of confidentiality and integrity for the stored authentication information
- Lack of encryption for authentication and protection of information transmitted over a network
- Users' lack of knowledge of the risks associated with sharing passwords, security tokens, etc.

Best practices for logon IDs and passwords:
- Passwords should be a minimum of 8 characters
- Passwords should be a combination of alpha, numeric, upper and lower case and special characters
- Login IDs not used should be deactivated
- The system should automatically disconnect a logon session if no activity has occurred for a period of time
Other additional security for special security needs:
- Multi-factor authentication
- Multi-person password
- Biometrics
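As an added example (not part of the slides), here is a small Python check an auditor could run over exported account and session data to test the logon-ID and password best practices listed above. The 90-day dormancy limit, the 15-minute idle limit, the function names and the sample data are assumptions.

```python
from datetime import datetime, timedelta
import string

# Parameters. The 8-character minimum and the character classes come from
# the slide; the 90-day dormancy and 15-minute idle limits are assumptions.
MIN_LENGTH = 8
DORMANT_AFTER = timedelta(days=90)
MAX_IDLE = timedelta(minutes=15)


def password_meets_policy(pw: str) -> bool:
    """Minimum length plus upper, lower, digit and special character."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in string.punctuation for c in pw)
    return len(pw) >= MIN_LENGTH and has_upper and has_lower and has_digit and has_special


def dormant_active_accounts(accounts, now):
    """Login IDs that are still active but have not been used within
    DORMANT_AFTER (or never): these should have been deactivated."""
    return [a["user"] for a in accounts
            if a["active"]
            and (a["last_login"] is None or now - a["last_login"] > DORMANT_AFTER)]


def stale_open_sessions(sessions, now):
    """Sessions still open although idle longer than MAX_IDLE: evidence that
    the automatic disconnect control is not working."""
    return [s["id"] for s in sessions
            if s["open"] and now - s["last_activity"] > MAX_IDLE]


# Constructed sample data for illustration (not a real extract).
NOW = datetime(2024, 6, 1, 12, 0)
ACCOUNTS = [
    {"user": "ap_clerk01", "active": True, "last_login": NOW - timedelta(days=2)},
    {"user": "temp_intern", "active": True, "last_login": NOW - timedelta(days=120)},
    {"user": "svc_legacy", "active": True, "last_login": None},
    {"user": "former_cfo", "active": False, "last_login": NOW - timedelta(days=400)},
]
SESSIONS = [
    {"id": "s1", "open": True, "last_activity": NOW - timedelta(minutes=3)},
    {"id": "s2", "open": True, "last_activity": NOW - timedelta(minutes=40)},
    {"id": "s3", "open": False, "last_activity": NOW - timedelta(hours=2)},
]

if __name__ == "__main__":
    print("policy ok:", password_meets_policy("Audit!2024"))              # True
    print("dormant but active:", dormant_active_accounts(ACCOUNTS, NOW))  # ['temp_intern', 'svc_legacy']
    print("idle but still open:", stale_open_sessions(SESSIONS, NOW))     # ['s2']
```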

[Slides: Multi-Factor Authentication; Encryption]

Physical Security & Environmental Control

Physical security refers to the safeguarding of the hardware, buildings, and media containing the data and programs, as well as the infrastructure used to support the processing of data.
Physical exposures could result in:
- Financial loss
- Legal repercussions
- Loss of credibility or loss of competitive edge
- Exposure of the business to unauthorized access
- Unavailability of the business information

Technical exposures in physical access include:
- Unauthorized entry
- Damage, vandalism or theft of equipment or documents
- Copying or viewing of sensitive or copyrighted information
- Alteration of sensitive equipment and information
- Public disclosure of sensitive information
- Abuse of data processing resources
- Piggybacking

Physical Security & Environmental Control

Physical controls:
- Combination door locks (cipher locks)
- Biometric door locks
- Manual or electronic logging
- Identification badges (photo IDs)
- Video cameras
- Security guards
- Controlled visitor access
- Deadman doors
- Not advertising the location of sensitive facilities
- Computer workstation locks
- Secured report / document distribution cart

Environmental controls:
- Alarm control panels
- Water detectors
- Handheld fire extinguishers
- Manual fire alarms
- Smoke detectors
- Fire suppression systems
- Computer room location
- Regular inspection by fire department
- Fireproof walls, floors and ceilings
- Electrical surge protectors
- Uninterruptible power supply / generator
- Emergency power-off switch

Back Up and Recovery

Also known as BCP and DRP, Contingency Plan, or others.

Backup and recovery relate to the entity's ability to recover from a critical event that causes the loss of data and/or systems. It could be as simple as restoring a backup of data, necessary because the network hard drive crashed and is no longer accessible, thus requiring the entity to reconstruct its accounting records, including those since the backup was last made. It could be a larger scope if the computer center burns or is destroyed by a tornado, hurricane/typhoon or other storm. In that case, the entity has to restore systems and technologies (e.g., hardware) as well as data.
This issue is commonly referred to as business continuity planning (BCP) or disaster recovery planning (DRP).

Back up and Recovery

Backup controls and business continuity planning cover all procedures to ensure the availability of computer systems and data.
Key risks:
- Data cannot be recovered (in time) after system failure
- Backup tapes are damaged or lost or cannot be used
- Loss of valuable business information
- Business cannot be continued after disaster (fire, etc.)

Key controls:
- Regular backups, preferably daily
- Safe storage of tapes, preferably in a fireproof vault and externally (offsite)
- Periodic testing of restore from backup tapes
- Preparation of a Business Continuity Plan

Back up and Recovery

[Diagram: threats to business continuity: IT failure; natural disaster; damage to building/equipment; virus/hacking; terrorism/war; other business failure]
Companies need a Business Continuity Plan to continue operations when disaster occurs.

Back up and Recovery

[Diagram: response timeline after a business disruption: Emergency Response (initial response and declare incident) -> Continuity Response (restore key processes) -> Recovery Response (process backlog) -> Resume normal operation]

Third-Party IT Providers

Also known as IT Outsourcing, Vendor Management, or others.

The use of third-party providers who provide some service to the user entity that is relevant to the financial reporting transactions or processes.

Application Control

Application controls are automated or IT-dependent controls intended to help ensure that transactions are properly initiated, authorized, recorded, processed, and reported. In simple terms, automated control procedures or manual controls that are dependent on IT. Application controls are embedded in business process applications.

Application controls are applied at the business process level or to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls being automated as well. Some controls within the business process remain as manual procedures such as manual authorization of transactions, separation of duties and reconciliations. Therefore controls at the business process level are a combination of manual and automated application controls.

The objective of application controls is to ensure that:
- Input data is accurate, complete, authorized, and correct.
- Data is processed as intended in an acceptable time period.
- Data stored is accurate and complete.
- Outputs are accurate and complete.
- A record is maintained to track the process of data from input to storage and to the eventual output.

Application Control

Input Controls
These controls are used mainly to check the integrity of data entered into a business application.
Example:
- Users are limited to selecting values in a pre-populated dropdown box
- The system validates that a valid number is entered into a field where a dollar amount is expected.

Processing Controls
These controls provide an automated means to ensure processing is complete, accurate, and authorized.
Example:
- Transactions exceeding a specific dollar amount must be approved by an executive before being applied in the system.

Output Controls
These controls address what is done with the data and should compare output results with the intended result by checking the output against the input.
Example:
- Reports are complete and accurate

Application Control

Integrity Controls
These controls monitor data being processed and in storage to ensure it remains consistent and correct.
Example:
- Systematically checking for duplicated data before adding information to the application
- Users are limited to selecting values in a pre-populated dropdown box
- Control totals and record counts are included on all reports.

Audit Trail

Segregation of Duties
Separation of the management or execution of certain duties or of areas of responsibility is required in order to prevent and reduce opportunities for unauthorized modification or misuse of data or service.
Example:
- Users with the ability to create a vendor are systematically restricted from paying that (or other) vendors.
Need-to-know basis principles
Example:
- SoD matrix
- User request forms and approval
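The application controls described in the slides above (input validation, executive approval above a limit, duplicate checking, control totals and record counts, and the vendor-creator segregation of duties) applied to a constructed batch of vendor payments, as an added Python example that is not from the slides; the approval limit, cost-centre list, function names and data are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Assumed parameters: an approval limit and the "dropdown" of allowed cost centres.
APPROVAL_LIMIT = Decimal("10000")
VALID_COST_CENTERS = {"CC100", "CC200", "CC300"}


def input_errors(tx):
    """Input controls: the amount must parse as a number and the cost centre
    must be one of the pre-populated values. Converts amount to Decimal."""
    errors = []
    try:
        tx["amount"] = Decimal(str(tx["amount"]))
    except InvalidOperation:
        errors.append("amount is not a valid number")
    if tx["cost_center"] not in VALID_COST_CENTERS:
        errors.append("cost centre not in allowed list")
    return errors


def processing_errors(tx):
    """Processing control: payments above the limit need executive approval."""
    if tx["amount"] > APPROVAL_LIMIT and not tx.get("approved_by"):
        return ["exceeds approval limit without executive approval"]
    return []


def sod_errors(tx, vendor_creators):
    """Segregation of duties: the user who created the vendor may not pay it."""
    if vendor_creators.get(tx["vendor"]) == tx["entered_by"]:
        return ["entered by the user who created this vendor"]
    return []


def process_batch(batch, vendor_creators):
    """Run the controls over a batch; returns accepted ids, rejections with
    reasons, and the control totals an output report should carry."""
    seen, accepted, rejected, total = set(), [], {}, Decimal("0")
    for tx in batch:
        errors = input_errors(tx)
        if not errors:  # amount is only comparable once input validation passed
            errors += processing_errors(tx) + sod_errors(tx, vendor_creators)
            key = (tx["vendor"], tx["invoice"])  # integrity control: duplicate check
            if key in seen:
                errors.append("duplicate vendor/invoice")
            seen.add(key)
        if errors:
            rejected[tx["id"]] = errors
        else:
            accepted.append(tx["id"])
            total += tx["amount"]
    return {"accepted": accepted, "rejected": rejected,
            "control_totals": {"records_in": len(batch),
                               "records_accepted": len(accepted),
                               "records_rejected": len(rejected),
                               "amount_accepted": str(total)}}


# Constructed sample batch (illustrative, not real data).
VENDOR_CREATORS = {"V001": "alice", "V002": "bob"}
BATCH = [
    {"id": 1, "vendor": "V001", "invoice": "INV-1", "amount": "2500.00", "cost_center": "CC100", "entered_by": "bob"},
    {"id": 2, "vendor": "V001", "invoice": "INV-1", "amount": "2500.00", "cost_center": "CC100", "entered_by": "bob"},
    {"id": 3, "vendor": "V002", "invoice": "INV-7", "amount": "15000", "cost_center": "CC200", "entered_by": "carol"},
    {"id": 4, "vendor": "V002", "invoice": "INV-8", "amount": "15000", "cost_center": "CC200", "entered_by": "carol", "approved_by": "dan"},
    {"id": 5, "vendor": "V001", "invoice": "INV-9", "amount": "300", "cost_center": "CC100", "entered_by": "alice"},
    {"id": 6, "vendor": "V002", "invoice": "INV-10", "amount": "12x", "cost_center": "CC999", "entered_by": "bob"},
]

if __name__ == "__main__":
    print(process_batch(BATCH, VENDOR_CREATORS))  # accepted [1, 4]; 2, 3, 5, 6 rejected
```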

Thanks!

"It is not that I'm so smart. But I stay with the questions much longer." (Albert Einstein)
