Universitas Komputer Indonesia Chap 4 ISACA IT Standards


Universitas Komputer Indonesia
Chap 4 – ISACA: IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals
Dr. Ir. Yeffry Handoko Putra
Magister Sistem Informasi (MSI)


ISACA (updated 1 March 2010)

• IT Audit and Assurance Standards are mandatory requirements for certification holders’ reports on the audit and its findings.
• Codification:
  – Standards are numbered consecutively as they are issued, beginning with S1.
  – Guidelines are numbered consecutively as they are issued, beginning with G1.
  – Tools and Techniques are numbered consecutively as they are issued, beginning with P1.


Standards define mandatory requirements for IT audit and assurance. They inform:

• IT audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor™ (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.


• Guidelines provide guidance in applying IT Audit and Assurance Standards.
• The IT audit and assurance professional should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure.
• The objective of the IT Audit and Assurance Guidelines is to provide further information on how to comply with the IT Audit and Assurance Standards.


• Tools and Techniques provide examples of procedures an IT audit and assurance professional might follow.
• The tools and techniques documents provide information on how to meet the standards when performing IT audit and assurance work, but do not set requirements.
• The objective of the IT Audit and Assurance Tools and Techniques is to provide further information on how to comply with the IT Audit and Assurance Standards.


Index of IT Audit and Assurance Standards

• S1 Audit Charter
• S2 Independence
• S3 Professional Ethics and Standards
• S4 Competence
• S5 Planning
• S6 Performance of Audit Work
• S7 Reporting
• S8 Follow-Up Activities
• S9 Irregularities and Illegal Acts
• S10 IT Governance
• S11 Use of Risk Assessment in Audit Planning
• S12 Audit Materiality
• S13 Using the Work of Other Experts
• S14 Audit Evidence
• S15 IT Controls
• S16 E-commerce

Effective dates shown on the slide (the date column is not aligned to rows in the extraction): 1 January 2005, 1 January 2005, 1 September 2005, 1 November 2005, 1 July 2006, 1 February 2008, 1 February 20 (cut off)


Index of IT Audit and Assurance Guidelines

• G1 Using the Work of Other Auditors
• G2 Audit Evidence Requirement
• G3 Use of Computer Assisted Audit Techniques (CAATs)
• G4 Outsourcing of IS Activities to Other Organisations
• G5 Audit Charter
• G6 Materiality Concepts for Auditing Information Systems
• G7 Due Professional Care
• G8 Audit Documentation
• G9 Audit Considerations for Irregularities and Illegal Acts
• G10 Audit Sampling
• G11 Effect of Pervasive IS Controls

Effective dates shown on the slide (the date column is not aligned to rows in the extraction): 1 March 2008, 1 May 2008, 1 February 2008, 1 March 2008, 1 September 2008, 1 August 2008


Index of IT Audit and Assurance Guidelines (continued)

• G12 Organisational Relationship and Independence – 1 August 2008
• G13 Use of Risk Assessment in Audit Planning – 1 August 2008
• G14 Application Systems Review – 1 October 2008
• G15 Audit Planning – 1 May 2010
• G16 Effect of Third Parties on an Organisation’s IT Controls – 1 March 2009
• G17 Effect of Nonaudit Role on the IT Audit and Assurance Professional’s Independence – 1 May 2010
• G18 IT Governance – 1 July 2002
• G19 Irregularities and Illegal Acts – Withdrawn 1 September 2008
• G20 Reporting – 1 January 2003
• G21 Enterprise Resource Planning (ERP) Systems Review – 1 August 2003
• G22 Business-to-consumer (B2C) E-commerce Review – 1 October 2008
• G23 System Development Life Cycle (SDLC) Reviews – 1 August 2003
• G24 Internet Banking – 1 August 2003
• G25 Review of Virtual Private Networks – 1 July 2004
• G26 Business Process Reengineering (BPR) Project Reviews – 1 July 2004


Index of IT Audit and Assurance Guidelines (continued)

• G27 Mobile Computing
• G28 Computer Forensics
• G29 Post-implementation Review
• G30 Competence
• G31 Privacy
• G32 Business Continuity Plan (BCP) Review
• G33 General Considerations on the Use of the Internet
• G34 Responsibility, Authority and Accountability
• G35 Follow-up Activities
• G36 Biometric Controls
• G37 Configuration Management Process
• G38 Access Controls
• G39 IT Organisation
• G40 Review of Security Management Practices
• G41 Return on Security Investment (ROSI)
• G42 Continuous Assurance

Effective dates shown on the slide (the date column is not aligned to rows in the extraction): 1 September 2004, 1 January 2005, 1 June 2005, 1 September 2005, 1 March 2006, 1 February 2007, 1 November 2007, 1 February 2008, 1 May 2008, 1 October 2008, 1 May 2010


Index of IT Audit and Assurance Tools and Techniques

• P1 IS Risk Assessment
• P2 Digital Signatures
• P3 Intrusion Detection
• P4 Viruses and other Malicious Code
• P5 Control Risk Self-assessment
• P6 Firewalls
• P7 Irregularities and Illegal Acts
• P8 Security Assessment—Penetration Testing and Vulnerability Analysis
• P9 Evaluation of Management Controls Over Encryption Methodologies
• P10 Business Application Change Control
• P11 Electronic Funds Transfer (EFT)

Effective dates shown on the slide (the date column is not aligned to rows in the extraction): 1 July 2002, 1 August 2003, 1 November 2003, 1 September 2004, 1 January 2005, 1 October 2006, 1 May 2007


Exercise: As an IS auditor, what is (write in Indonesian):

A. Standard for Audit Evidence; Guideline for Audit Evidence; Tools and Techniques for Audit Evidence
B. Standard for Planning; Guideline for ERP; Tools and Techniques for Business Application Change Control


Exercise (continued): As an IS auditor, what is:

C. Standard for IT Control; Guideline for Effect of Pervasive Control; Tools and Techniques for Control Risk Assessment
D. Standard for Use of Risk Assessment in Audit Planning; Guideline for Risk Assessment in Audit Planning; Tools and Techniques for IS Risk Assessment


Exercise A
Exercise B
Exercise C
Exercise D