SlideShare ist ein Scribd-Unternehmen logo

Control and audit of information System (hendri eka saputra)

Hendri Eka Saputra
Hendri Eka Saputra

About material Control and audit of information System

Bildung
1 von 43
Downloaden Sie, um offline zu lesen
Control and Audit of Information System Hendri Eka Saputra
Summary of Internal Control Definition A process, effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity’s) objectives on: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations
Control Objectives In each area of internal control (financial reporting, operations and compliance) • Control objectives and • Subobjectives exist Example: Area of financial reporting • Top level objective – prepare and issue reliable financial information • Detailed level applied to A/R subobjectives All goods shipped are accurately billed in the proper period Invoices are accurately recorded for all authorized shipments and only for such shipments Authorized and only authorized sales returns and allowances are accurately recorded The continued completeness and accuracy of A/R is ensured Accounts receivable records are safeguarded
Foreign Corrupt Practices Act Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business The Act • Requires an effective system of internal control • Makes illegal payment of bribes to foreign officials
Controls over Financial Reporting Preventive • Aimed at avoiding the occurrence of misstatements in the financial statements • Example: Segregation of duties Detective • Designed to discover misstatements after they have occurred • Example: Monthly bank reconciliations Corrective • Needed to remedy the situation uncovered by detective controls • Example: Backups of master file Controls overlap • Complementary – function together • Redundant – address same assertion or control objective • Compensating – reduces risk existing weakness will result in misstatement
Components of Internal Control  The Control Environment  Risk Assessment  The Accounting Information and Communication System  Control Activities  Monitoring
Control Environment Factors  Integrity and ethical values  Commitment to competence  Board of directors or audit committee  Management philosophy and operating style  Organizational structure  Human resource policies and practices  Assignment of authority and responsibility
Risk Assessment--Factors Indicative of Increased Financial Reporting Risk  Changes in the regulatory or operating environment  Changes in personnel  Implementation of a new or modified information system  Rapid growth of the organization  Changes in technology affecting production processes or information systems  Introduction of new lines of business, products, or processes
Control Activities Performance reviews Information processing • General control activities • Application control activities Physical controls Segregation of duties • Segregate authorization, recording and custody of assets
Segregation of Duties
Objectives of an Accounting System  Identify and record valid transactions  Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions  Measure the value of transactions appropriately  Determine the time period in which the transactions occurred to permit recording in the proper period  Present properly the transactions and related disclosures in the financial statements
Monitoring Ongoing monitoring activities • Regularly performed supervisory and management activities • Example: Continuous monitoring of customer complaints Separate evaluations • Performed on nonroutine basis • Example: Periodic audits by internal audit
Limitations of Internal Control  Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.  Controls that depend on the segregation of duties may be circumvented by collusion  Management may override the structure  Compliance may deteriorate over time
Enterprise Risk Management (ERM)  COSO issued a new internal control framework in 2004 on enterprise risk management. It does not replace the original COSO internal control framework.  It goes beyond internal control to focus on how organizations can effectively manage risks and opportunities.  The auditing standards are still structured around the original COSO internal control framework.
Financial Statement Audits: The Role of Internal Control Second Field Work Standard The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. [emphasis added]
Auditors’ Overall Approach with Internal Control Overall approach of an audit 1. Plan the audit 2. Obtain an understanding of the client and its environment, including internal control 3. Assess the risks of material misstatement and design further audit procedures 4. Perform further audit procedures 5. Complete the audit 6. Form an opinion and issue the audit report Steps 2-4 relate most directly to the role of internal control in financial statement audits
COBIT 5 For information security
Information!  Information is a key resource for all enterprises.  Information is created, used, retained, disclosed and destroyed.  Technology plays a key role in these actions.  Technology is becoming pervasive in all aspects of business and personal life. What benefits do information and technology bring to enterprises?
Enterprise Benefits Enterprises and their executives strive to:  Maintain quality information to support business decisions.  Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.  Achieve operational excellence through reliable and efficient application of technology.  Maintain IT-related risk at an acceptable level.  Optimise the cost of IT services and technology.
Stakeholder Value Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. Enterprise boards, executives and management have to embrace IT like any other significant part of the business. External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
The COBIT 5 Framework Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5 Principles
COBIT 5 Enablers
Governance and Management Governance ensures that stakeholder needs, conditions and options are evaluated to determine balance, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance, compliance and compliance against agreed-on direction and objectives (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
Summary… COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
COBIT 5 Product Family
COBIT 5 for Information Security Extended view of COBIT5 Explains each component from info security perspective
it contain!  Guidance on drivers, benefits  Principles from infosec perspective  Enablers for support  Alignment with standards
Drivers The major drivers for the development of COBIT 5 for Information Security include: 1. The need to describe information security in an enterprise context 2. An increasing need for enterprises to: • Keep risk at acceptable levels. • Maintain availability to systems and services. • Comply with relevant laws and regulation. 3. The need to connect to and align with other major standards and frameworks 4. The need to link together all major ISACA research, frameworks and guidance
Benefits Using COBIT 5 for Information Security can result in a number of benefits, including: • Reduced complexity and increased cost-effectiveness due to improved and easier integration of information security standards • Increased user satisfaction with information security arrangements and outcomes • Improved integration of information security in the enterprise • Informed risk decisions and risk awareness • Improved prevention, detection and recovery • Reduced impact of security incidents • Enhanced support for innovation and competitiveness • Improved management of costs related to the information security function • Better understanding of information security
Information Security Defined ISACA defines information security as something that: Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability).
Using COBIT 5 Enablers for Implementing Information Security COBIT 5 for Information Security provides specific guidance related to all enablers 1. Information security policies, principles, and frameworks 2. Processes, including information security-specific details and activities 3. Information security-specific organisational structures 4. In terms of culture, ethics and behaviour, factors determining the success of information security governance and management 5. Information security-specific information types 6. Service capabilities required to provide information security functions to an enterprise 7. People, skills and competencies specific for information security
Enabler: Principles, Policies and Frameworks Principles, policies and frameworks refer to the communication mechanisms put in place to convey the direction and instructions of the governing bodies and management, including: • Principles, policies and framework model • Information security principles • Information security policies • Adapting policies to the enterprises environment • Policy life cycle
Enabler: Principles, Policies and Frameworks (cont.) Information Security Principles Information Security Policy Specific Information Security Policies Information Security Procedures Information Security Requirements and Documentation Generic Information Security Standards, Frameworks and Models Mandatory Information Security Standards, Frameworks and Models InputPolicy Framework
Information Security Principles Information security principles communicate the rules of the enterprise. These principles need to be: • Limited in number • Expressed in simple language In 2010 ISACA, ISF and ISC2 worked together to create 12 principles* that will help information security professionals add value to their organisations. The principles support 3 tasks: • Support the business. •Defend the business. •Promote responsible information security behaviour. * Principles are covered in COBIT 5 for Information Security and can also be located at www.isaca.org/standards
Information Security Policies Policies provide more detailed guidance on how to put principles into practice. Some enterprises may include policies such as: • Information security policy • Access control policy • Personnel information security policy • Incident management policy • Asset management policy COBIT 5 for Information Security describes the following attributes of each policy: • Scope • Validity • Goals
Enabler: Processes The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes: • The Governance domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. • The four Management domains are in line with the responsibility areas of plan, build, run and monitor (PBRM). • COBIT 5 for Information Security examines each of the processes from an information security perspective.
Enabler: Organisational Structures COBIT 5 examines the organisational structures model from an information security perspective. It defines information security roles and structures and also examines accountability over information security, providing examples of specific roles and structures and what their mandate is, and also looks at potential paths for information security reporting and the different advantages and disadvantages of each possibility.
Enabler: Culture, Ethics and Behaviour Examines the culture, ethics and behaviour model from an information security perspective providing detailed security specific examples of: 1. The Culture Life Cycle –measuring behaviours over time to benchmark the security culture –some behaviours may include: • Strength of passwords • Lack of approach to security • Adherence to change management practices 2. Leadership and Champions –need these people to set examples and help influence culture: • Risk managers • Security professionals • C-level executives 3. Desirable Behaviour –a number of behaviours have been identified that will help positively influence security culture: • Information security is practiced in daily operations. • Stakeholders are aware of how to respond to threats. • Executive management recognises the business value of security.
Enabler: Information Information is not only the main subject of information security but is also a key enabler. 1. Information types are examined and reveal types of relevant security information which can include: • Information security strategy • Information security budget • Policies • Awareness material • Etc. 2. Information stakeholders as well as the information life cycle are also identified and detailed from a security perspective. Details specific to security such as information storage, sharing, use and disposal are all discussed.
Enabler: Services, Infrastructure and Applications The services, infrastructure and applications model identifies the services capabilities that are required to provide information security and related functions to an enterprise. The following list contains examples of potential security-related services that could appear in a security service catalogue: • Provide a security architecture. • Provide security awareness. • Provide security assessments. • Provide adequate incident response. • Provide adequate protection against malware, external attacks and intrusion attempts. • Provide monitoring and alert services for security related events.
Enabler: People, Skills and Competencies To effectively operate an information security function within an enterprise, individuals with appropriate knowledge and experience must exercise that function. Some typical security-related skills and competencies listed are: • Information security governance • Information risk management • Information security operations COBIT 5 for Information Security defines the following attributes for each of the skills and competencies: • Skill definition • Goals • Related enablers
Thank You

Empfohlen

IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Yasir Khan
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
Security audit
Security auditSecurity audit
Security auditRosaria Dee
 
3c 2 Information Systems Audit
3c 2 Information Systems Audit3c 2 Information Systems Audit
3c 2 Information Systems AuditRajeswaran Muthu Venkatachalam
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Complianceseanpizzy
 

Empfohlen

IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Yasir Khan
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
Security audit
Security auditSecurity audit
Security auditRosaria Dee
 
3c 2 Information Systems Audit
3c 2 Information Systems Audit3c 2 Information Systems Audit
3c 2 Information Systems AuditRajeswaran Muthu Venkatachalam
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Complianceseanpizzy
 
Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit Sreekanth Narendran
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Sreekanth Narendran
 
CISA Training - Chapter 1 - 2016
CISA Training - Chapter 1 - 2016CISA Training - Chapter 1 - 2016
CISA Training - Chapter 1 - 2016Hafiz Sheikh Adnan Ahmed
 
CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)Cyril Soeri
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001PECB
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information Systemarif prasetyo
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it auditkinjalmkothari92
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and controlKashif Rana ACCA
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructurepramod_kmr73
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
IT General Controls
IT General ControlsIT General Controls
IT General ControlsCicero Ray Rufino
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 
Information System audit
Information System auditInformation System audit
Information System auditPratapchandra
 
Information system and control audit – lecture i
Information system and control audit – lecture iInformation system and control audit – lecture i
Information system and control audit – lecture iKartik T. Vayeda & Co.
 

Weitere ähnliche Inhalte

Was ist angesagt?

Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit Sreekanth Narendran
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Sreekanth Narendran
 
CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)Cyril Soeri
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001PECB
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information Systemarif prasetyo
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and controlKashif Rana ACCA
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructurepramod_kmr73
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 

Was ist angesagt? (20)

Conducting an Information Systems Audit
Conducting an Information Systems Audit Conducting an Information Systems Audit
Conducting an Information Systems Audit
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPs
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1
 
CISA Training - Chapter 1 - 2016
CISA Training - Chapter 1 - 2016CISA Training - Chapter 1 - 2016
CISA Training - Chapter 1 - 2016
 
CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)CISA Domain 1 - IS Auditing (day 1)
CISA Domain 1 - IS Auditing (day 1)
 
Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
 
Control and Audit Information System
Control and Audit Information SystemControl and Audit Information System
Control and Audit Information System
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it audit
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and control
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructure
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT Auditors
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and Control
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
 
IT General Controls
IT General ControlsIT General Controls
IT General Controls
 
The information security audit
The information security auditThe information security audit
The information security audit
 

Andere mochten auch

Information System audit
Information System auditInformation System audit
Information System auditPratapchandra
 
Information system and control audit – lecture i
Information system and control audit – lecture iInformation system and control audit – lecture i
Information system and control audit – lecture iKartik T. Vayeda & Co.
 
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASIPENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASIDhina Pohan
 
Kontrol dan Audit Sistem Informasi
Kontrol dan Audit Sistem InformasiKontrol dan Audit Sistem Informasi
Kontrol dan Audit Sistem InformasiHerman efendi
 
Kontrol dan audit sistem informasi
Kontrol dan audit sistem informasiKontrol dan audit sistem informasi
Kontrol dan audit sistem informasisyul amri
 
Tugas control & audit sistem informasi
Tugas control & audit sistem informasiTugas control & audit sistem informasi
Tugas control & audit sistem informasiNur Fatrianti
 
Kontrol audit sistem informasi
Kontrol audit sistem informasiKontrol audit sistem informasi
Kontrol audit sistem informasiDinda Afani
 
Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)Rudi Kurniawan
 
Kontrol & Audit Sistem Informasi
Kontrol & Audit Sistem InformasiKontrol & Audit Sistem Informasi
Kontrol & Audit Sistem Informasidwiki apsyarin
 
Cobit 5 - Kontrol dan Audit Sistem informasi
Cobit 5 - Kontrol dan Audit Sistem informasiCobit 5 - Kontrol dan Audit Sistem informasi
Cobit 5 - Kontrol dan Audit Sistem informasisayuti01
 
Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)Basuki Rahmad
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO FrameworkJesús Gándara
 
Auditing In Computer Environment Presentation
Auditing In Computer Environment PresentationAuditing In Computer Environment Presentation
Auditing In Computer Environment PresentationEMAC Consulting Group
 
In-house tax audit of tax declaration in Russia, VAT
In-house tax audit of tax declaration in Russia, VATIn-house tax audit of tax declaration in Russia, VAT
In-house tax audit of tax declaration in Russia, VATAccountor Russia and Ukraine
 
Information system and control audit ~ Lecture # 1
Information system and control audit ~ Lecture # 1Information system and control audit ~ Lecture # 1
Information system and control audit ~ Lecture # 1FCA Vikram S Mathur
 
Specialised audit
Specialised auditSpecialised audit
Specialised auditpreeti garg
 

Andere mochten auch (20)

Information System audit
Information System auditInformation System audit
Information System audit
 
Information system and control audit – lecture i
Information system and control audit – lecture iInformation system and control audit – lecture i
Information system and control audit – lecture i
 
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASIPENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
 
Internal controls in an IT environment
Internal controls in an IT environment Internal controls in an IT environment
Internal controls in an IT environment
 
Kontrol dan Audit Sistem Informasi
Kontrol dan Audit Sistem InformasiKontrol dan Audit Sistem Informasi
Kontrol dan Audit Sistem Informasi
 
Kontrol dan audit sistem informasi
Kontrol dan audit sistem informasiKontrol dan audit sistem informasi
Kontrol dan audit sistem informasi
 
Tugas control & audit sistem informasi
Tugas control & audit sistem informasiTugas control & audit sistem informasi
Tugas control & audit sistem informasi
 
Kontrol audit sistem informasi
Kontrol audit sistem informasiKontrol audit sistem informasi
Kontrol audit sistem informasi
 
Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)
 
Kontrol & Audit Sistem Informasi
Kontrol & Audit Sistem InformasiKontrol & Audit Sistem Informasi
Kontrol & Audit Sistem Informasi
 
Cobit 5 - Kontrol dan Audit Sistem informasi
Cobit 5 - Kontrol dan Audit Sistem informasiCobit 5 - Kontrol dan Audit Sistem informasi
Cobit 5 - Kontrol dan Audit Sistem informasi
 
Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO Framework
 
Auditing In Computer Environment Presentation
Auditing In Computer Environment PresentationAuditing In Computer Environment Presentation
Auditing In Computer Environment Presentation
 
Auditing and inspection
Auditing and inspectionAuditing and inspection
Auditing and inspection
 
In-house tax audit of tax declaration in Russia, VAT
In-house tax audit of tax declaration in Russia, VATIn-house tax audit of tax declaration in Russia, VAT
In-house tax audit of tax declaration in Russia, VAT
 
Accounting and audit in russia
Accounting and audit in russiaAccounting and audit in russia
Accounting and audit in russia
 
Information system and control audit ~ Lecture # 1
Information system and control audit ~ Lecture # 1Information system and control audit ~ Lecture # 1
Information system and control audit ~ Lecture # 1
 
Electronic Data Interchange
Electronic Data InterchangeElectronic Data Interchange
Electronic Data Interchange
 
Specialised audit
Specialised auditSpecialised audit
Specialised audit
 

Ähnlich wie Control and audit of information System (hendri eka saputra)

gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.pptKhalilIdhman
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)Sam Mandebvu
 
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...TRANANHQUAN4
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk ConsultingPrashant Jain
 
Assessing risks and internal controls training
Assessing risks and internal controls trainingAssessing risks and internal controls training
Assessing risks and internal controls trainingshifataraislam
 
Brief overview on Internal control (Audit)
Brief overview on Internal control (Audit)Brief overview on Internal control (Audit)
Brief overview on Internal control (Audit)Hisyam
 
IFC Knowldge Sharing 23.02.20 (1).pptx
IFC Knowldge Sharing 23.02.20 (1).pptxIFC Knowldge Sharing 23.02.20 (1).pptx
IFC Knowldge Sharing 23.02.20 (1).pptxSejalJain178980
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGoutama Bachtiar
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfSALES97
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptxPrashant Singh
 
Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 
Internal control system
Internal control systemInternal control system
Internal control systemMadiha Hassan
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditingMarc Vael
 
Internal Financial Controls
Internal Financial ControlsInternal Financial Controls
Internal Financial Controlstarunmallappa
 
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB
 

Ähnlich wie Control and audit of information System (hendri eka saputra) (20)

gray_audit_presentation.ppt
gray_audit_presentation.pptgray_audit_presentation.ppt
gray_audit_presentation.ppt
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)
 
Cobit 41 framework
Cobit 41 frameworkCobit 41 framework
Cobit 41 framework
 
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk Consulting
 
Assessing risks and internal controls training
Assessing risks and internal controls trainingAssessing risks and internal controls training
Assessing risks and internal controls training
 
Accountability Corbit Overview 06262007
Accountability Corbit Overview 06262007Accountability Corbit Overview 06262007
Accountability Corbit Overview 06262007
 
Brief overview on Internal control (Audit)
Brief overview on Internal control (Audit)Brief overview on Internal control (Audit)
Brief overview on Internal control (Audit)
 
IFC Knowldge Sharing 23.02.20 (1).pptx
IFC Knowldge Sharing 23.02.20 (1).pptxIFC Knowldge Sharing 23.02.20 (1).pptx
IFC Knowldge Sharing 23.02.20 (1).pptx
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdf
 
Audit presentation
Audit presentationAudit presentation
Audit presentation
 
It Governance Methodology Cox
It Governance Methodology CoxIt Governance Methodology Cox
It Governance Methodology Cox
 
Auditing concept
Auditing conceptAuditing concept
Auditing concept
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
 
Internal control system
Internal control systemInternal control system
Internal control system
 
Internal control system
Internal control systemInternal control system
Internal control system
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditing
 
Internal Financial Controls
Internal Financial ControlsInternal Financial Controls
Internal Financial Controls
 
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
PECB Webinar: Aligning COBIT 5.0 and ISO/IEC 38500
 

Kürzlich hochgeladen

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 

Kürzlich hochgeladen (20)

mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 

Control and audit of information System (hendri eka saputra)

  • 1. Control and Audit of Information System Hendri Eka Saputra
  • 2. Summary of Internal Control Definition A process, effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding, achievement of (the entity’s) objectives on: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations
  • 3. Control Objectives In each area of internal control (financial reporting, operations and compliance) • Control objectives and • Subobjectives exist Example: Area of financial reporting • Top level objective – prepare and issue reliable financial information • Detailed level applied to A/R subobjectives All goods shipped are accurately billed in the proper period Invoices are accurately recorded for all authorized shipments and only for such shipments Authorized and only authorized sales returns and allowances are accurately recorded The continued completeness and accuracy of A/R is ensured Accounts receivable records are safeguarded
  • 4. Foreign Corrupt Practices Act Passed in 1977 in response to American corporation practice of paying bribes and kickbacks to officials in foreign countries to obtain business The Act • Requires an effective system of internal control • Makes illegal payment of bribes to foreign officials
  • 5. Controls over Financial Reporting Preventive • Aimed at avoiding the occurrence of misstatements in the financial statements • Example: Segregation of duties Detective • Designed to discover misstatements after they have occurred • Example: Monthly bank reconciliations Corrective • Needed to remedy the situation uncovered by detective controls • Example: Backups of master file Controls overlap • Complementary – function together • Redundant – address same assertion or control objective • Compensating – reduces risk existing weakness will result in misstatement
  • 6. Components of Internal Control  The Control Environment  Risk Assessment  The Accounting Information and Communication System  Control Activities  Monitoring
  • 7. Control Environment Factors  Integrity and ethical values  Commitment to competence  Board of directors or audit committee  Management philosophy and operating style  Organizational structure  Human resource policies and practices  Assignment of authority and responsibility
  • 8. Risk Assessment--Factors Indicative of Increased Financial Reporting Risk  Changes in the regulatory or operating environment  Changes in personnel  Implementation of a new or modified information system  Rapid growth of the organization  Changes in technology affecting production processes or information systems  Introduction of new lines of business, products, or processes
  • 9. Control Activities Performance reviews Information processing • General control activities • Application control activities Physical controls Segregation of duties • Segregate authorization, recording and custody of assets
  • 11. Objectives of an Accounting System  Identify and record valid transactions  Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions  Measure the value of transactions appropriately  Determine the time period in which the transactions occurred to permit recording in the proper period  Present properly the transactions and related disclosures in the financial statements
  • 12. Monitoring Ongoing monitoring activities • Regularly performed supervisory and management activities • Example: Continuous monitoring of customer complaints Separate evaluations • Performed on nonroutine basis • Example: Periodic audits by internal audit
  • 13. Limitations of Internal Control  Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.  Controls that depend on the segregation of duties may be circumvented by collusion  Management may override the structure  Compliance may deteriorate over time
  • 14. Enterprise Risk Management (ERM)  COSO issued a new internal control framework in 2004 on enterprise risk management. It does not replace the original COSO internal control framework.  It goes beyond internal control to focus on how organizations can effectively manage risks and opportunities.  The auditing standards are still structured around the original COSO internal control framework.
  • 15. Financial Statement Audits: The Role of Internal Control Second Field Work Standard The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. [emphasis added]
  • 16. Auditors’ Overall Approach with Internal Control Overall approach of an audit 1. Plan the audit 2. Obtain an understanding of the client and its environment, including internal control 3. Assess the risks of material misstatement and design further audit procedures 4. Perform further audit procedures 5. Complete the audit 6. Form an opinion and issue the audit report Steps 2-4 relate most directly to the role of internal control in financial statement audits
  • 18. Information!  Information is a key resource for all enterprises.  Information is created, used, retained, disclosed and destroyed.  Technology plays a key role in these actions.  Technology is becoming pervasive in all aspects of business and personal life. What benefits do information and technology bring to enterprises?
  • 19. Enterprise Benefits Enterprises and their executives strive to:  Maintain quality information to support business decisions.  Generate business value from IT-enabled investments, i.e., achieve strategic goals and realise business benefits through effective and innovative use of IT.  Achieve operational excellence through reliable and efficient application of technology.  Maintain IT-related risk at an acceptable level.  Optimise the cost of IT services and technology.
  • 20. Stakeholder Value Delivering enterprise stakeholder value requires good governance and management of information and technology (IT) assets. Enterprise boards, executives and management have to embrace IT like any other significant part of the business. External legal, regulatory and contractual compliance requirements related to enterprise use of information and technology are increasing, threatening value if breached. COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
  • 21. The COBIT 5 Framework Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
  • 24. Governance and Management Governance ensures that stakeholder needs, conditions and options are evaluated to determine balance, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance, compliance and compliance against agreed-on direction and objectives (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
  • 25. Summary… COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
  • 26. COBIT 5 Product Family
  • 27. COBIT 5 for Information Security Extended view of COBIT5 Explains each component from info security perspective
  • 28. it contain!  Guidance on drivers, benefits  Principles from infosec perspective  Enablers for support  Alignment with standards
  • 29. Drivers The major drivers for the development of COBIT 5 for Information Security include: 1. The need to describe information security in an enterprise context 2. An increasing need for enterprises to: • Keep risk at acceptable levels. • Maintain availability to systems and services. • Comply with relevant laws and regulation. 3. The need to connect to and align with other major standards and frameworks 4. The need to link together all major ISACA research, frameworks and guidance
  • 30. Benefits Using COBIT 5 for Information Security can result in a number of benefits, including: • Reduced complexity and increased cost-effectiveness due to improved and easier integration of information security standards • Increased user satisfaction with information security arrangements and outcomes • Improved integration of information security in the enterprise • Informed risk decisions and risk awareness • Improved prevention, detection and recovery • Reduced impact of security incidents • Enhanced support for innovation and competitiveness • Improved management of costs related to the information security function • Better understanding of information security
  • 31. Information Security Defined ISACA defines information security as something that: Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability).
  • 32. Using COBIT 5 Enablers for Implementing Information Security COBIT 5 for Information Security provides specific guidance related to all enablers 1. Information security policies, principles, and frameworks 2. Processes, including information security-specific details and activities 3. Information security-specific organisational structures 4. In terms of culture, ethics and behaviour, factors determining the success of information security governance and management 5. Information security-specific information types 6. Service capabilities required to provide information security functions to an enterprise 7. People, skills and competencies specific for information security
  • 33. Enabler: Principles, Policies and Frameworks Principles, policies and frameworks refer to the communication mechanisms put in place to convey the direction and instructions of the governing bodies and management, including: • Principles, policies and framework model • Information security principles • Information security policies • Adapting policies to the enterprises environment • Policy life cycle
  • 34. Enabler: Principles, Policies and Frameworks (cont.) Information Security Principles Information Security Policy Specific Information Security Policies Information Security Procedures Information Security Requirements and Documentation Generic Information Security Standards, Frameworks and Models Mandatory Information Security Standards, Frameworks and Models InputPolicy Framework
  • 35. Information Security Principles Information security principles communicate the rules of the enterprise. These principles need to be: • Limited in number • Expressed in simple language In 2010 ISACA, ISF and ISC2 worked together to create 12 principles* that will help information security professionals add value to their organisations. The principles support 3 tasks: • Support the business. •Defend the business. •Promote responsible information security behaviour. * Principles are covered in COBIT 5 for Information Security and can also be located at www.isaca.org/standards
  • 36. Information Security Policies Policies provide more detailed guidance on how to put principles into practice. Some enterprises may include policies such as: • Information security policy • Access control policy • Personnel information security policy • Incident management policy • Asset management policy COBIT 5 for Information Security describes the following attributes of each policy: • Scope • Validity • Goals
  • 37. Enabler: Processes The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas—governance and management—with management further divided into domains of processes: • The Governance domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined. • The four Management domains are in line with the responsibility areas of plan, build, run and monitor (PBRM). • COBIT 5 for Information Security examines each of the processes from an information security perspective.
  • 38. Enabler: Organisational Structures COBIT 5 examines the organisational structures model from an information security perspective. It defines information security roles and structures and also examines accountability over information security, providing examples of specific roles and structures and what their mandate is, and also looks at potential paths for information security reporting and the different advantages and disadvantages of each possibility.
  • 39. Enabler: Culture, Ethics and Behaviour Examines the culture, ethics and behaviour model from an information security perspective providing detailed security specific examples of: 1. The Culture Life Cycle –measuring behaviours over time to benchmark the security culture –some behaviours may include: • Strength of passwords • Lack of approach to security • Adherence to change management practices 2. Leadership and Champions –need these people to set examples and help influence culture: • Risk managers • Security professionals • C-level executives 3. Desirable Behaviour –a number of behaviours have been identified that will help positively influence security culture: • Information security is practiced in daily operations. • Stakeholders are aware of how to respond to threats. • Executive management recognises the business value of security.
  • 40. Enabler: Information Information is not only the main subject of information security but is also a key enabler. 1. Information types are examined and reveal types of relevant security information which can include: • Information security strategy • Information security budget • Policies • Awareness material • Etc. 2. Information stakeholders as well as the information life cycle are also identified and detailed from a security perspective. Details specific to security such as information storage, sharing, use and disposal are all discussed.
  • 41. Enabler: Services, Infrastructure and Applications The services, infrastructure and applications model identifies the services capabilities that are required to provide information security and related functions to an enterprise. The following list contains examples of potential security-related services that could appear in a security service catalogue: • Provide a security architecture. • Provide security awareness. • Provide security assessments. • Provide adequate incident response. • Provide adequate protection against malware, external attacks and intrusion attempts. • Provide monitoring and alert services for security related events.
  • 42. Enabler: People, Skills and Competencies To effectively operate an information security function within an enterprise, individuals with appropriate knowledge and experience must exercise that function. Some typical security-related skills and competencies listed are: • Information security governance • Information risk management • Information security operations COBIT 5 for Information Security defines the following attributes for each of the skills and competencies: • Skill definition • Goals • Related enablers