Wednesday, 10 June 2009

Information Technology Audit - IT Audit

Definition of IT Audit.
In general, an IT audit is a process of control testing over information technology infrastructure as it relates to financial audit and internal audit. IT audit is better known by the term EDP Auditing (Electronic Data Processing), which is usually used to describe two kinds of computer-related activity.

One use of the term is to describe the process of reviewing and evaluating the internal controls within EDP. This kind of activity is called auditing through the computer. The other use is to describe the auditor's use of the computer to carry out audit work that cannot be performed manually. This kind of activity is called auditing with the computer.

IT audit itself combines several disciplines, including traditional audit, management information systems, accounting information systems, computer science and behavioral science. An IT audit aims to review and evaluate the availability, confidentiality and integrity of the organization's information systems.

Brief history of IT Audit
IT audit, initially better known as EDP Audit (Electronic Data Processing), has developed rapidly. This development was driven by technological advances in financial systems, the growing need for IT controls, and the influence of the computer itself in completing important tasks. Bringing computer technology into financial systems changed the way those systems work, namely in data storage, data retrieval and control. The first financial system to use computer technology appeared in 1954.

During the period from 1954 to the 1960s the audit profession was still working with computers. In the mid-1960s computing hardware changed, from mainframes to smaller and cheaper computers. In 1968 the American Institute of Certified Public Accountants (AICPA) joined in supporting the development of EDP auditing. Around the same period, auditors together founded the Electronic Data Processing Auditors Association (EDPAA).

The purpose of this body was to produce guidance, procedures and standards for EDP audit. In 1977 the first edition of Control Objectives was released. This publication later became known as Control Objectives for Information and Related Technology (CobiT). In 1994 the EDPAA changed its name to Information System Audit (ISACA). From the late 1960s to the present, IT has changed rapidly, from microcomputers and networks to the internet. In turn, these changes have also driven changes in IT audit.

Types of IT Audit.

1. Systems and applications.
An audit that checks whether systems and applications are appropriate to the organization's needs, efficient, and have adequate controls to ensure the validity, reliability, timeliness and security of input, processing and output at every level of system activity.

2. Information processing facilities.
An audit that checks whether the processing facilities are controlled so as to ensure timely, accurate and efficient application processing under both normal and adverse conditions.

3. Systems development.
An audit that checks whether the systems being developed meet the organization's objectives.

4. Enterprise architecture and IT management.
An audit that checks whether IT management can develop an organizational structure and procedures that ensure a controlled and efficient environment for information processing.

5. Client/server, telecommunications, intranets and extranets.
An audit that checks whether controls are in place and working on the client, the server, and the network that connects them.

IT Audit Methodology.
In practice, the stages of an IT audit do not differ from those of an audit in general, and are as follows:

1. Planning stage.
As a preliminary step this is absolutely necessary so that the auditor gets to know the object under examination well, producing an audit program designed so that its execution is effective and efficient.

2. Identifying risks and controls.
To make sure that qualified resources are in place, in this case experienced staff as well as references to best practices.

3. Evaluating controls and gathering evidence.
Through various techniques including surveys, interviews, observation and documentation review.

4. Documenting.
Collecting the findings and identifying them together with the auditee.

5. Preparing the report.
Covering the audit objectives, and the nature and depth of the examination performed.
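The distinction drawn above between auditing through the computer and auditing with the computer, and step 3 of the methodology (evaluating controls and gathering evidence), can be made concrete with a small computer-assisted audit test. The Python below is an added example and is not code from the original post: it re-performs three common access-control tests over the entire population of a constructed access-review export and HR leaver list, instead of the auditor sampling rows by hand. The records, the segregation-of-duties pair and the 90-day dormancy threshold are all constructed assumptions for the example, not values taken from any standard.

```python
"""Computer-assisted audit test (CAAT) over constructed access records.

Illustrates "auditing with the computer": the auditor scripts the control
test and runs it across the whole population. All data below is constructed
for this example; the control parameters are assumptions, not standards.
"""
from datetime import date

# Constructed population: one row per (user, entitlement), as an access
# review export from an application or directory might provide.
ACCESS_RECORDS = [
    {"user": "asmith",   "entitlement": "create_vendor",   "privileged": False, "last_login": date(2009, 6, 1)},
    {"user": "asmith",   "entitlement": "approve_payment", "privileged": False, "last_login": date(2009, 6, 1)},
    {"user": "bjones",   "entitlement": "approve_payment", "privileged": False, "last_login": date(2009, 5, 20)},
    {"user": "root_ops", "entitlement": "os_admin",        "privileged": True,  "last_login": date(2009, 1, 15)},
    {"user": "cdavis",   "entitlement": "read_reports",    "privileged": False, "last_login": date(2009, 6, 8)},
    {"user": "dlee",     "entitlement": "dba",             "privileged": True,  "last_login": date(2009, 6, 5)},
]

# Constructed HR master: staff still employed on the audit date (cdavis has left).
HR_ACTIVE_STAFF = {"asmith", "bjones", "root_ops", "dlee"}

# Control definitions (assumed for the example).
SOD_CONFLICTS = [("create_vendor", "approve_payment")]  # one person must not hold both
DORMANT_DAYS = 90                                       # privileged account unused this long is a finding
AUDIT_DATE = date(2009, 6, 10)                          # "as of" date for the review


def entitlements_by_user(records):
    """Group the flat export into {user: set(entitlements)}."""
    by_user = {}
    for r in records:
        by_user.setdefault(r["user"], set()).add(r["entitlement"])
    return by_user


def check_segregation_of_duties(records, conflicts=SOD_CONFLICTS):
    """Finding for every user holding both halves of a conflicting pair."""
    findings = []
    for user, ents in sorted(entitlements_by_user(records).items()):
        for a, b in conflicts:
            if a in ents and b in ents:
                findings.append({"control": "SoD", "user": user, "detail": f"{a} + {b}"})
    return findings


def check_leavers_with_access(records, active_staff):
    """Finding for every provisioned account whose owner is no longer on the HR list."""
    findings, seen = [], set()
    for r in records:
        if r["user"] not in active_staff and r["user"] not in seen:
            seen.add(r["user"])
            findings.append({"control": "leaver", "user": r["user"], "detail": "account still provisioned"})
    return findings


def check_dormant_privileged(records, as_of=AUDIT_DATE, threshold_days=DORMANT_DAYS):
    """Finding for every privileged entitlement not used within the threshold."""
    findings = []
    for r in records:
        age = (as_of - r["last_login"]).days
        if r["privileged"] and age > threshold_days:
            findings.append({"control": "dormant-priv", "user": r["user"], "detail": f"{age} days since login"})
    return findings


def run_audit(records, active_staff, as_of=AUDIT_DATE):
    """Run every control test and return the combined list of findings (the evidence)."""
    return (check_segregation_of_duties(records)
            + check_leavers_with_access(records, active_staff)
            + check_dormant_privileged(records, as_of))


if __name__ == "__main__":
    for f in run_audit(ACCESS_RECORDS, HR_ACTIVE_STAFF):
        print(f"[{f['control']}] {f['user']}: {f['detail']}")
```

Each function returns findings as data rather than printing them, so the same output can be attached to the working papers and walked through with the auditee in the documentation step.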

Reasons for Conducting an IT Audit.

Ron Weber, Dean of the Faculty of Information Technology, Monash University, in his book Information System Controls and Audit (Prentice-Hall, 2000), gives several important reasons why IT audits need to be performed, including:
1. Losses due to loss of data.
2. Errors in decision making.
3. Risk of data leakage.
4. Computer abuse.
5. Losses due to computational errors.
6. The high value of investment in computer hardware and software.

Benefits of IT Audit.

A. Benefits at implementation time (Pre-Implementation Review)
1. The institution can find out whether the system that has been built meets its needs or satisfies the acceptance criteria.
2. Finding out whether users are ready to use the system.
3. Finding out whether the outcome matches management's expectations.

B. Benefits after the system goes live (Post-Implementation Review)
1. The institution receives input on the risks that remain and recommendations for addressing them.
2. That input is put on the agenda for system improvement, strategic planning and budgeting for the following period.
3. Material for future strategic planning and budget plans.
4. Providing reasonable assurance that the information system complies with the established policies and procedures.
5. Helping to make sure that the audit trail has been enabled and can be used by management, auditors and other parties authorized to perform examinations.
6. Helping to assess whether the initial proposed values have been realized, and recommending follow-up.


Auditing

1.4. Auditing (ariefirwanto)


Monday, 08 June 2009

CISA practice test questions (answers not included)

1. Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.
2. An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.
3. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
4. With regard to the evidence gathered during a computer forensic investigation, an IS auditor should be MOST concerned with:
A. analysis.
B. evaluation.
C. preservation.
D. disclosure.
5. Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports
6. During the course of an audit, an IS auditor observes that duties are not properly segregated. Under such a circumstance, the IS auditor should look for:
A. overlapping controls.
B. preventive controls.
C. compensating controls.
D. logical access controls.
7. Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
8. To assist an organization in planning for IT investments, the IS auditor should recommend the use of:
A. project management tools.
B. an object oriented architecture.
C. tactical planning.
D. enterprise architecture.
9. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan
10. IT governance ensures that an organization aligns its IT strategy with:
A. enterprise objectives.
B. IT objectives.
C. audit objectives.
D. control objectives.
11. An IS auditor should ensure that IT governance performance measures:
A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.
12. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
13. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is following the organization’s quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is complete. Under these circumstances, the IS auditor should:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team’s failure to follow quality procedures.
D. report the risks associated with fast tracking to the project steering committee.
14. Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls
15. Which of the following is critical to the selection and acquisition of the correct operating system software?
A. Competitive bids
B. User department approval
C. Hardware configuration analysis
D. Purchasing department approval

16. When conducting a review of business process reengineering, an IS auditor found that a key preventive control had been removed. The IS auditor should:
A. inform management of the finding and determine whether management is willing to accept the potential material risk of not having that preventive control.
B. determine if a detective control has replaced the preventive control during the process and, if it has, not report the removal of the preventive control.
C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process.
D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.
17. To assist in testing a core banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor's PRIMARY concern is that the data should be:
A. sanitized.
B. complete.
C. representative.
D. current.
18. An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:
A. selection and configuration phases.
B. feasibility and requirements phases.
C. implementation and testing phases.
D. nothing; replacement is not required.
19. An IS auditor is performing a project review to identify whether a new application has met business objectives. Which of the following test reports offers the most assurance that business objectives are met?
A. User acceptance
B. Performance
C. Sociability
D. Penetration
20. When reviewing input controls, an IS auditor observes that in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
A. not be concerned since there may be other compensating controls to mitigate the risks.
B. ensure that overrides are automatically logged and subject to review.
C. verify whether all such overrides are referred to senior management for approval.
D. recommend that overrides not be permitted.
21. Capacity monitoring software is MAINLY used to ensure:
A. maximum use of available capacity.
B. that future acquisitions meet user needs.
C. concurrent use by a large number of users.
D. continuity of efficient operations.
22. Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?
A. Sensitive data can be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies can be printed.
D. Output can be lost in the event of system failure.
23. The database administrator has decided to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of:
A. loss of audit trails.
B. redundancy of data.
C. loss of data integrity.
D. unauthorized access to data.
24. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
A. the setup is geographically dispersed.
B. the network servers are clustered in a site.
C. a hot site is ready for activation.
D. diverse routing is implemented for the network.
25. When reviewing a service level agreement for an outsourced computer center, an IS auditor should FIRST determine that:
A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.
26. An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A. program changes have been authorized.
B. only thoroughly tested programs are released.
C. modified programs are automatically moved to production.
D. source and executable code integrity is maintained.
27. Which of the following provides the BEST method for determining the level of performance provided by similar information-processing-facility environments?
A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning
28. Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system
C. A smart card requiring the user's PIN
D. User ID along with password
29. Naming conventions for system resources are important for access control because they:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to resources is clearly and uniquely identified.
D. ensure that internationally recognized names are used to protect resources.
30. Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems
31. To protect a VoIP infrastructure against a denial-of-service attack, it is MOST important to secure the:
A. access control servers.
B. session border controllers.
C. backbone gateways.
D. intrusion detection system.
32. Which of the following acts as a decoy to detect active Internet attacks?
A. Honeypots
B. Firewalls
C. Trapdoors
D. Traffic analysis
33. Which of the following BEST provides access control to payroll data being processed on a local server?
A. Logging access to personal information
B. Using separate passwords for sensitive transactions
C. Using software that restricts access rules to authorized staff
D. Restricting system access to business hours
34. Which of the following is the MOST effective anti-virus control?
A. Scanning e-mail attachments on the mail server
B. Restoring systems from clean copies
C. Disabling floppy drives
D. An online antivirus scan with up-to-date virus definitions
35. An IS auditor reviewing the log of failed logon attempts would be MOST concerned if which of the following accounts was targeted?
A. Network administrator
B. System administrator
C. Data administrator
D. Database administrator
36. An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious?
A. The security officer also serves as the database administrator.
B. Password controls are not administered over the client-server environment.
C. There is no business continuity plan for the mainframe system's noncritical applications.
D. Most local area networks do not back up file-server-fixed disks regularly.
37. A utility is available to update critical tables in case of data inconsistency. This utility can be executed at the OS prompt or as one menu option in an application. The BEST control to mitigate the risk of unauthorized manipulation of data is to:
A. delete the utility software and install it as and when required.
B. provide access to the utility on a need-to-use basis.
C. provide access to the utility to user management.
D. define access so that the utility can be executed only in the menu option.
38. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that:
A. maximum unauthorized access would be possible if a password is disclosed.
B. user access rights would be restricted by the additional security parameters.
C. the security administrator's workload would increase.
D. user access rights would be increased.
39. An element of an information security program is the monitoring, detection and prevention of hacking activities and alerting the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose?
A. Intrusion detection systems
B. Firewalls
C. Routers
D. Proxy servers
40. To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:
A. secure shell (SSH-2) tunnel for the duration of the problem.
B. two-factor authentication mechanism for network access.
C. dial-in access.
D. virtual private network (VPN) account for the duration of the vendor support contract.
41. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration
42. Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet?
A. Digital signature
B. Data Encryption Standard
C. Virtual private network
D. Public key encryption
43. To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:
A. the source routing field is enabled.
B. it has a broadcast address in the destination field.
C. a reset flag (RST) is turned on for the TCP connection.
D. dynamic routing is used instead of static routing.
44. In the event of a data center disaster, which of the following would be the MOST appropriate strategy to enable complete recovery of a critical database?
A. Daily data backup to tape and storage at a remote site
B. Real-time replication to a remote site
C. Hard disk mirroring to a local server
D. Real-time data backup to the local storage area network (SAN)
45. A PRIMARY objective of testing a business continuity plan (BCP) is to:
A. familiarize employees with the BCP.
B. ensure that all residual risks are addressed.
C. exercise all possible disaster scenarios.
D. identify limitations of the BCP.
46. A structured walk-through test of a disaster recovery plan involves:
A. representatives from each of the functional areas coming together to go over the plan.
B. all employees who participate in the day-to-day operations coming together to practice executing the plan.
C. moving the systems to the alternate processing site and performing processing operations.
D. distributing copies of the plan to the various functional areas for review.
47. An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost-effective test of the DRP?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
48. Data mirroring should be implemented as a recovery strategy when:
A. recovery point objective is low.
B. recovery point objective is high.
C. recovery time objective is high.
D. disaster tolerance is high.
49. The window of time for recovery of information processing capabilities is based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe-based.
50. In a business continuity plan which of the following notification directories is the MOST important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list


Blog Ku Inspirasi Ku © 2008