Course: A0274/Pengelolaan Fungsi Audit Sistem Informasi (Information Systems Audit Function Management)
Year: 2005
Version: 1/1
Session 8
Internal Control System
Learning Outcomes
By the end of this session, students are expected
to be able to:
• Students can demonstrate the Internal
Control System.
Outline of Material
• Malicious Activities
– Crime and Misappropriation of Assets
• Types of Crimes
• Types of Criminals
– Unauthorized Access and Authentication
• Specific controls/CAATTs
– Monitoring Systems
– Firewalls
– Generalized Audit Software
– Other Potential controls/CAATTs
Malicious Activities
• A brief description of aspects of malicious
activities will assist in the development of
effective specific controls.
Crime and misappropriation of Assets
• Computer crime is becoming popular
among those with a criminal mind.
Types of Crimes
• Crimes associated with the theft of assets
typically are carried out by employees.
• Another crime is financial fraud. By its
very nature, it is virtually limited to
executive management.
Types of Criminals
• Criminals can be broken down into
different groups with specific profiles. The
description of crimes includes a profile of
the employee or manager who might
commit a crime.
Unauthorized Access and
Authentication
• Access control systems are used to
authenticate and verify, usually by using
one of three basic approaches to security:
– Something you have
– Something you know
– Something you are
• There is a difference between verification
and identification. Verification is the
process of confirming that the person
carrying the token (badge, card, password,
etc., which is the claim of identity) is the
rightful owner of the token. Identification,
on the other hand, is the recognition of a
specific individual from among all the
individuals enrolled on the system. Ideally,
access control systems would do both.
Specific Controls/CAATTs
• One resource for internal auditors in developing
an effective internal control system is proven
controls and CAATTs, which include people,
techniques and models.
• People would include the use of experts and
professionals in the internal auditor function,
whether the corporation has a separate internal
audit department, outsources the function or
relies on external auditors for the function.
Monitoring Systems
• One of the best detective tools is a good
monitoring system.
Firewalls
• Any server connected to the Internet
should also have a firewall as a preventive
scheme.
Generalized Audit Software
• Audit software is also valuable in auditing
operations.
• To use CAATTs or GAS, the internal auditor
should follow these steps:
– Set the audit objectives.
– Meet with the owner of the data and a programmer.
– Formally request the data.
– Create or build the input file definition of the GAS.
– Verify data integrity for the data imported.
– Gain an understanding of the data.
– Analyze the data.
• An internal auditor might run these types
of tests:
– Reasonableness
– Completeness
– Gap
– Duplication
– Period-to-period (trends)
– Regression analysis
– Statistical analysis
– Transaction matching
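The data-integrity step and two of the tests listed above (gap and duplication), as an added example that is not part of the original slides. The field layout, control totals and sample records are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample extract: (invoice_no, amount) as received from the data owner.
RECORDS = [
    (1001, Decimal("250.00")),
    (1002, Decimal("75.50")),
    (1004, Decimal("120.00")),   # 1003 is missing -> gap
    (1005, Decimal("310.25")),
    (1005, Decimal("310.25")),   # repeated number -> duplicate
    (1008, Decimal("42.00")),    # 1006 and 1007 are missing -> gap
]
# Constructed control totals, assumed to be supplied by the data owner with the file.
CONTROL_COUNT = 6
CONTROL_TOTAL = Decimal("1108.00")

def verify_integrity(records, expected_count, expected_total):
    """Compare the imported file with the owner's record count and amount total."""
    total = sum((amt for _, amt in records), Decimal("0"))
    return len(records) == expected_count and total == expected_total

def gap_test(records):
    """Return document numbers missing from the observed min..max range."""
    seen = {no for no, _ in records}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def duplication_test(records):
    """Return document numbers that appear more than once."""
    counts = Counter(no for no, _ in records)
    return sorted(no for no, c in counts.items() if c > 1)

if __name__ == "__main__":
    # Analysis is only meaningful if the import matches what the owner sent.
    if not verify_integrity(RECORDS, CONTROL_COUNT, CONTROL_TOTAL):
        raise SystemExit("import does not match control totals; re-request the data")
    print("gaps:", gap_test(RECORDS))
    print("duplicates:", duplication_test(RECORDS))
```

Every number returned by either test is an exception for the auditor to follow up, not proof of wrongdoing: voided documents produce gaps and re-keyed entries produce duplicates.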
Other Potential Controls/CAATTs
• Other CAATTs include the following, which is not
an exhaustive list and some of which have
been discussed previously:
– Embedded audit modules
– Artificial neural networks
– System development life cycle
– Librarian
– Passwords
– Biometrics
– Intrusion detection system
– Firewalls
– Anti-virus software
– Digital certificates
– Digital signatures
– Encryption
– Proposed XBRL system
– Disaster recovery plan/business recovery plan
– Incident response plan
The End