Electronic Data Processing * Information Systems Audit


Electronic Data Processing
Information Systems Audit
Dimas M. Widiantoro, S.E., S.Kom., M.Sc
Agenda
• Introduction
• Refresh our Memories
• Case
• Discussion
Introduction

Four major functions in data management:
◦ Record & Repository Creation
◦ Repository Maintenance through additions and updates
◦ Data Retrieval
◦ Data Storage and Removal
Case
First Case
The police now use computer technology to issue the SKCK (Surat Keterangan Catatan Kepolisian, the police record certificate). Budi, as the applicant, always writes out his name and personal details at every stage of the application, from the RT and RW (neighbourhood associations) through the Polsek, Polres and Polda (sector, district and regional police) up to Mabes Polri (national police headquarters). What problem exists in this system?
Introduction
Objectives of this term
• Understand the operational problems inherent in the flat-file approach to data management that gave rise to the database approach.
• Understand the relationships among the fundamental components of the database concept.
• Recognize the defining characteristics of three database models: hierarchical, network, and relational.
• Understand the operational features and associated risks of deploying centralized, partitioned, and replicated database models in the DDP environment.
• Be familiar with the audit objectives and procedures used to test data management controls.
Data Management Approach
• Flat File Approach
• Database Approach
Introduction
Flat File Approach
The disadvantages of the Flat File Approach:
• Data Storage
• Data Updating
• Currency of Information
• Task Data Dependency
The Database Approach
Introduction
Key Elements of a Database
DBMS
• Program Development
• Backup and Recovery
• Database Usage Reporting
• Database Access
User
• Application Interface
• Informal Access
Database Administrator
• Planning and sync with the Database Environment
• Design Database
• Implements Security
• Standard Programming
• Maintenance
• Development and the update of task dependency
Physical Database
• Character
• Field
• Record
• File
• Database
Graphically…
Data Organization Structure
[Figure: Data Organization Structure. The Human Resource Database contains a Payroll File (Employee Record 1, Employee Record 2) and a Benefit File (Employee Record 3, Employee Record 4). Each employee record is made up of three fields: Name, SS No., and Salary. The sample records shown are for Jones T.A., Alverez, J.S., Klugman J.L. and Porter, M.L., with SS numbers 275-32-3874, 349-88-7913, 542-40-3718 and 617-87-7915 and salaries of 20,000, 28,000, 100,000 and 50,000.]
• Master files: permanent data (records) pertaining to
entities (people, places, and things)
• Transaction files: records pertaining to events currently
being processed, such as sales, receipts of goods
• Reference files: These contain tables or lists of data
needed for making calculations e.g., product price
tables
• History files: These are also called archive files
• Open files: These record incomplete transactions.
e.g., Open sales order file
Database in Distributed Environment
Centralized Database
• The first approach involves retaining the data in a central location. Remote IT units send requests for data to the central site, which processes the requests and transmits the data back to the requesting IT unit. The actual processing of the data is performed at the remote IT unit. The central site performs the functions of a file manager that services the data needs of the remote sites.
Centralized Database
Distributed Database
• This model is separated into two kinds
– Partitioned method
– Replicated method
Distributed Database
Distributed Database Model
[Figure: Distributed Database Model. Client PCs connect through a Network Server to Distributed Databases on Intranets and Other Networks; End User Databases; a Data Warehouse and Data Marts; External Databases on the Internet and Online Services; and the Operational Databases of the Organization.]
Concurrency Control
• Database concurrency is the presence of
complete and accurate data at all user sites.
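The replicated model described in these slides is where concurrency problems show up: two sites read the same record, each computes a new value from its own copy, and the second write silently overwrites the first (a lost update). The following is an added example, not part of the original slides, that simulates a replicated database and uses a version number on each record as a timestamp: a write is accepted only if the writer read the current version, otherwise it is rejected and the writer must re-read. The site names, record key and quantities are constructed.

```python
# Added example, not from the slides: version (timestamp) based concurrency
# control for a replicated database. Site names, record key and quantities
# are constructed sample data.

from dataclasses import dataclass


@dataclass
class Record:
    value: int
    version: int = 0  # bumped on every accepted write; serves as the timestamp


class ReplicatedDatabase:
    """Every site holds a full copy of each record (the replicated model)."""

    def __init__(self, site_names, check_version=True):
        self.sites = {name: {} for name in site_names}
        self.check_version = check_version

    def create(self, key, value):
        for records in self.sites.values():
            records[key] = Record(value)

    def read(self, site, key):
        rec = self.sites[site][key]
        return rec.value, rec.version

    def update(self, key, new_value, based_on_version):
        """Propagate a write to all replicas, or reject it as stale."""
        # Replicas are written in lockstep, so any one copy carries the
        # current version number.
        current = next(iter(self.sites.values()))[key].version
        if self.check_version and based_on_version != current:
            return False  # the writer read an old copy; it must re-read and retry
        for records in self.sites.values():
            records[key].value = new_value
            records[key].version = current + 1
        return True

    def consistent(self, key):
        """True when every site holds the same value for the record."""
        values = {records[key].value for records in self.sites.values()}
        return len(values) == 1


KEY = "inventory:widget"


def run(check_version):
    """Two sites each ship stock after reading the same quantity of 100."""
    db = ReplicatedDatabase(["Jakarta", "Surabaya"], check_version)
    db.create(KEY, 100)
    qty_a, ver_a = db.read("Jakarta", KEY)      # both read 100, version 0
    qty_b, ver_b = db.read("Surabaya", KEY)
    outcomes = [db.update(KEY, qty_a - 30, ver_a)]      # Jakarta ships 30
    outcomes.append(db.update(KEY, qty_b - 20, ver_b))  # Surabaya ships 20
    if not outcomes[-1]:
        # Rejected as stale: re-read the current copy and apply the change to it.
        qty_b, ver_b = db.read("Surabaya", KEY)
        outcomes.append(db.update(KEY, qty_b - 20, ver_b))
    final, _ = db.read("Jakarta", KEY)
    return outcomes, final, db.consistent(KEY)


if __name__ == "__main__":
    print("no control:  ", run(check_version=False))  # lost update: 80 instead of 50
    print("with control:", run(check_version=True))   # second write rejected, retried: 50
```

Without the version check both writes are "accepted" and every site ends up agreeing on the wrong figure of 80, which is why the slide's definition stresses accurate data at all sites, not merely identical data. With the check, Surabaya's stale write is refused, it re-reads the value 70 and the retry lands correctly on 50.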
Concurrency Control
Controlling and Auditing DMS
How is it flowing?
• http://www.astuteconsulting.com/Services/Internal-Audit-and-Risk-Management/Information-SystemReview.aspx
Audit Control
Control Over Data management
• Access controls are designed to prevent
unauthorized individuals from viewing,
retrieving, corrupting, or destroying the
entity’s data.
• Backup controls ensure that in the event of
data loss due to unauthorized access,
equipment failure, or physical disaster the
organization can recover its database.
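A backup control only satisfies the objective above if recovery from the copy is actually exercised and the recovered data is proven complete. The following is an added example, not from the slides, that uses Python's sqlite3 online backup API to take a copy of a small payroll table, simulates data loss through a bulk delete, restores from the copy and checks both structural integrity and a content fingerprint. The schema, employee rows and SS numbers are constructed sample data.

```python
# Added example, not from the slides: exercising a backup control end to end
# (back up, lose data, recover, verify). Schema and rows are constructed.

import hashlib
import sqlite3

SCHEMA = "CREATE TABLE employee (name TEXT, ss_no TEXT, salary INTEGER)"
ROWS = [  # constructed payroll-file records (Name, SS No., Salary fields)
    ("Jones T.A.", "000-00-0001", 20000),
    ("Klugman J.L.", "000-00-0002", 28000),
    ("Alverez J.S.", "000-00-0003", 100000),
    ("Porter M.L.", "000-00-0004", 50000),
]


def build_operational_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def content_hash(conn):
    """Deterministic fingerprint of the table, compared before and after recovery."""
    rows = conn.execute(
        "SELECT name, ss_no, salary FROM employee ORDER BY ss_no").fetchall()
    return hashlib.sha256(repr(rows).encode()).hexdigest()


def take_backup(conn):
    # sqlite3's online backup API copies a consistent snapshot of the database.
    copy = sqlite3.connect(":memory:")
    conn.backup(copy)
    return copy


def restore_from(backup):
    restored = sqlite3.connect(":memory:")
    backup.backup(restored)
    return restored


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]


def recovery_drill():
    """Back up, destroy the live data, recover, and prove the recovery is complete."""
    live = build_operational_db()
    fingerprint = content_hash(live)
    backup = take_backup(live)

    # Simulated loss event: an erroneous or unauthorized bulk delete.
    live.execute("DELETE FROM employee")
    live.commit()
    rows_after_loss = row_count(live)

    recovered = restore_from(backup)
    structurally_ok = recovered.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    content_matches = content_hash(recovered) == fingerprint
    return rows_after_loss, structurally_ok, content_matches, row_count(recovered)


if __name__ == "__main__":
    print(recovery_drill())  # (0, True, True, 4)
```

The fingerprint taken before the backup is the evidence an auditor would want: a restore that returns the right number of rows but different contents would pass a row-count check and still fail the control.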
User Control
The audit process can be broken down into the following audit phases:
• Establish the Terms of the Engagement
• Consider Internal Control
• Preliminary Review
• Plan the Audit
• Establish Materiality and Assess Risks
Method
• Appropriate Access Authority.
• Biometric Controls.
• Inference Controls.
• Encryption Controls.
Audit Procedures for Testing Database
Access Controls
• Responsibility for Authority Tables and Subschemas.
The auditor should verify that database administration
(DBA) personnel retain exclusive responsibility for
creating authority tables and designing user views.
Evidence may come from three sources:
• (1) by reviewing company policy and job descriptions,
which specify these technical responsibilities;
• (2) by examining programmer authority tables for
access privileges to data definition language (DDL)
commands; and
• (3) through personal interviews with programmers and
DBA personnel.
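Evidence source (2) above, examining authority tables for DDL privileges, lends itself to a repeatable test. The following is an added example, not from the slides, that runs two checks over an exported authority table and a view catalog: whether any non-DBA account holds DDL commands (CREATE, ALTER, DROP) or the right to GRANT privileges, which is the right to edit the authority table itself, and whether every user view (subschema) was created by a DBA account. The accounts, roles, privilege sets and view names are constructed sample data; a real DBMS exposes this information through its own data dictionary or catalog views.

```python
# Added example, not from the slides: audit test of a database authority
# table and view catalog. All accounts, privileges and views are constructed.

DDL_COMMANDS = {"CREATE", "ALTER", "DROP"}
# GRANT is not DDL, but it is the right to edit the authority table itself,
# so it is tested under the same "DBA only" expectation.
DBA_ONLY = DDL_COMMANDS | {"GRANT"}

# (account, role, privileges held) as exported from the DBMS authority table
AUTHORITY_TABLE = [
    ("dba_ani",    "DBA",        {"SELECT", "INSERT", "UPDATE", "DELETE",
                                  "CREATE", "ALTER", "DROP", "GRANT"}),
    ("prog_budi",  "PROGRAMMER", {"SELECT", "INSERT", "UPDATE"}),
    ("prog_citra", "PROGRAMMER", {"SELECT", "ALTER", "DROP"}),   # exception
    ("user_dewi",  "END_USER",   {"SELECT"}),
    ("user_eko",   "END_USER",   {"SELECT", "GRANT"}),           # exception
]

# (view name, account that created it) from the data dictionary
VIEW_CATALOG = [
    ("v_payroll_summary", "dba_ani"),
    ("v_benefits", "prog_budi"),   # exception: designed by a programmer
]


def dba_accounts(authority_table):
    return {acct for acct, role, _ in authority_table if role == "DBA"}


def privilege_exceptions(authority_table):
    """Non-DBA accounts holding any DBA-only privilege, with the offending rights."""
    return sorted(
        (acct, sorted(privs & DBA_ONLY))
        for acct, role, privs in authority_table
        if role != "DBA" and privs & DBA_ONLY
    )


def view_ownership_exceptions(view_catalog, authority_table):
    """User views whose designer is not a DBA account."""
    dbas = dba_accounts(authority_table)
    return sorted(view for view, owner in view_catalog if owner not in dbas)


def audit_report(authority_table=AUTHORITY_TABLE, view_catalog=VIEW_CATALOG):
    findings = {
        "privilege_exceptions": privilege_exceptions(authority_table),
        "view_ownership_exceptions": view_ownership_exceptions(view_catalog, authority_table),
    }
    # The control is effective only when both exception lists are empty.
    findings["control_effective"] = not any(findings.values())
    return findings


if __name__ == "__main__":
    for item, result in audit_report().items():
        print(f"{item}: {result}")
```

Each exception is a lead for evidence source (3): the interview with the programmer or DBA should establish whether the privilege or view was granted under an approved change or is a control failure.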
Brief Auditing
• IS Standard 050 (Planning) states, “The IT
auditor should plan the information systems
audit coverage to address the audit objectives
and comply with applicable laws and
professional auditing standards.”
Planning
• To meet the audit objectives, and to ensure
that audit resources will be used efficiently,
the auditor will need to establish levels of
materiality. The auditor should consider both
qualitative and quantitative aspects in
determining materiality.
Materiality
• In assessing materiality, the IT auditor should
consider:
• The aggregate level of error acceptable to
management, the IT auditor, and appropriate
regulatory agencies.
• The potential for the cumulative effect of
small errors or weaknesses to become
material.
Where financial transactions are not processed, the
following identifies some measures the auditor should
consider when assessing materiality:
• Criticality of the business processes supported by
the system or operation.
• Cost of the system or operation (hardware,
software, third-party services)
• Potential cost of errors.
• Number of accesses/transactions/inquiries
processed per period.
• Penalties for failure to comply with legal and
contractual requirements.