Tuesday, 06 March 2012

When We Need to Perform Information System Audit

Although various types of audits are conducted, most audit emphasis falls on the accounting information systems within an organization, on the implementation of financial recording, and on the effective and efficient operation of the organization. Broadly speaking, the reasons a company that already has expertise in the field of information technology needs an audit include the following:

A. Losses due to data loss.
Data, once processed into information, is an important asset in today's business organizations. Many operating activities rely on key information. The information held by a business organization is a portrait of the organization's state in the past, present and future. If this information is lost, the consequences for the organization in carrying out its activities are potentially fatal.

B. Losses due to computer processing errors.
Computer processing is the primary focus in a computer-based information system. Many organizations use computers as a means to improve the quality of their work, ranging from simple jobs, such as calculating compound interest, to using computers as an aid in navigating airplanes or missiles. Many of these organizations are interconnected and integrated, so an error in computer processing is a serious concern. The losses range from mathematical calculations that cannot be trusted to matters on which human life depends.

C. Wrong decisions due to misinformation.
The quality of a decision depends on the quality of the information presented to the decision maker. The required accuracy and significance of the data or information depend on the type of decision to be taken. If top managers are making strategic, long-term decisions, some imprecision may be tolerated. But misleading information will lead to decisions that are misleading as well.

D. Losses due to misuse of computers (computer abuse)
The main theme driving the development of business information systems auditing within an organization is the frequent occurrence of computer crime and misuse. Types of computer crime and misuse include viruses, hacking, illegal direct access (for example, entering the computer facility without permission or using a computer terminal without permission, which can result in physical damage or in data or computer programs being taken without permission) and unauthorized use for personal interests (someone who has the authority to use the computer but uses it for improper purposes).
  • Hacking: a person gaining unauthorized access to a computer system who can view, modify or remove programs or data, or disrupt the system.
  • Viruses: a virus is a computer program that attaches itself to, and runs itself within, a program or computer system (on a floppy disk, in data or in a program) with the aim of disrupting or damaging the way a computer program works or the data in it. A virus is designed with two purposes: first, to actively replicate itself, and second, to interfere with or damage the operating system, programs or data.
The impact of computer crime and abuse includes:
  • Hardware, software, data, facilities and other supporting documentation are damaged, stolen, misused or modified.
  • The confidentiality of data or important information belonging to a person or organization is compromised, stolen or modified.
  • Routine operational activities are disrupted.
  • Computer crime and abuse increase over time, and nearly 80% of the perpetrators of computer crime are insiders.
E. Value of hardware, software and information systems personnel.
In an information system, hardware, software, data and personnel are organizational resources. Some business organizations spend substantial funds on preparing an information system, including the development of human resources, so controls are necessary to protect the investment in this field.

F. Maintenance of confidentiality of information
Information within a business organization is very diverse, from employee data to customer data and other transactions, and it is very risky if not properly protected. A person may use such information only to misuse it. For example, confidential customer data can be used by competitors to gain an advantage in the competition.

When computers were first used, many auditors thought that the audit process would change greatly to conform with the use of computer technology. There are two main points to consider in the audit of electronic data processing, namely evidence collection and evidence evaluation.

Job Role of the Information Systems Auditor

The CISA certification is for those who need to demonstrate knowledge of IT auditing, security and control. This certification is extremely popular, with over 30,000 certified professionals. Testing is offered once per year at testing locations worldwide.

"IT professionals holding the Certified Information Systems Auditor (CISA) certification earned the largest gains in premium bonus pay among 56 certifications surveyed by Foote Partners, LLC during 2003 and 2002."

Requirements:
  • Must pass one exam. The exam is administered once annually, in June, and consists of 200 multiple choice questions to be completed in four hours.
  • Five years of verifiable experience in IS auditing, control or security is required. The experience must be obtained in the 10 years preceding the taking of the exam.
  • Agree to the ISACA code of ethics.
  • Agree to adhere to the Information Systems Auditing Standards as adopted by ISACA.
Costs:
  • Prices for ISACA members range from $300 to $385 depending upon when you register and whether you do so online.
  • Prices for non-members range from $420 to $505, also depending upon date and method of
Recertification:

To maintain your certification you must pay maintenance fees and complete a minimum of 20 contact hours of CPE (continuing professional education) credits annually.

Information Systems Audit

ISACA is an international professional association that deals with IT governance. It is an affiliate member of IFAC. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

History

ISACA was founded in the USA in 1967, when a group of individuals whose jobs involved auditing controls in computer systems, which were becoming increasingly critical to the operations of their organizations, recognized the need for a centralized source of information and guidance in the field. In 1969, Stuart Tyrnauer, employed by the (then) Douglas Aircraft Company, incorporated the entity as the EDP Auditors Association, serving as its founding Chairman for the first three years. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.

Current status

ISACA currently serves more than 95,000 constituents (members and professionals holding ISACA certifications) in more than 160 countries. Members hold job titles such as IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor, and they work in nearly all industry categories. There is a network of 170 ISACA chapters established in over 160 countries. Chapters provide education, resource sharing, advocacy, networking and other benefits.

Major publications

  • Standards, Guidelines and Procedures for Information Systems Auditing (guideline co-developed with the International Federation of Accountants)
  • COBIT
  • Val IT (getting the best value from IT investments)
  • Risk IT
  • Information Systems Control Journal

Certifications

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified in Risk and Information Systems Control (CRISC)

Certified in Risk and Information Systems Control (CRISC) is a certification for information technology professionals with experience in managing IT risks, awarded by ISACA. To gain this certification, candidates must pass a written examination and have at least eight years of information technology or business experience, with a minimum of three years of work experience in at least three CRISC domains.
The intent of the certification is to provide a common body of knowledge for information technology / systems risk management, and to recognize the knowledge of enterprise and IT risk that a wide range of IT and business practitioners have acquired, as well as the capability to design, implement and maintain information system (IS) controls to mitigate IS/IT risks.
CRISC requires demonstrated knowledge in five functional areas, or "domains", of IT risk management:
  • Risk Identification, Assessment and Evaluation
  • Risk Response
  • Risk Monitoring
  • Information Systems Control Design and Implementation
  • IS Control Monitoring and Maintenance


Information System

An information system (IS), or application landscape, is any combination of information technology and people's activities that supports operations, management and decision making. In a very broad sense, the term information system is frequently used to refer to the interaction between people, processes, data and technology. In this sense, the term refers not only to the information and communication technology (ICT) that an organization uses, but also to the way in which people interact with this technology in support of business processes.

Some make a clear distinction between information systems, computer systems and business processes. Information systems typically include an ICT component but are not purely concerned with ICT, focusing instead on the end use of information technology. Information systems are also different from business processes: information systems help to control the performance of business processes.

Alter argues for an information system as a special type of work system. A work system is a system in which humans and/or machines perform work using resources to produce specific products and/or services for customers. An information system is a work system whose activities are devoted to processing (capturing, transmitting, storing, retrieving, manipulating and displaying) information.

As such, information systems inter-relate with data systems on the one hand and activity systems on the other. An information system is a form of communication system in which data represent and are processed as a form of social memory. An information system can also be considered a semi-formal language which supports human decision making and action.

Information systems are the primary focus of study for the information systems discipline and for organisational informatics.

Components

An information system consists of computers, instructions, stored facts, people and procedures.
ISs can be categorized into four types:
  1. Management Information System (MIS)
  2. Decision Support System (DSS)
  3. Executive Information System (EIS)
  4. Transaction Processing System (TPS)