Electronic Data Processing Audit Sistem Informasi Dimas M. Widiantoro, S.E., S.Kom., M.Sc Agenda • • • • Introduction Refresh our Memories Case Discussion Introduction Introduction Four major functions in data management: ◦ ◦ ◦ ◦ Record & Repository Creation Repository Maintenance through additions and updates Data Retrieval Data storage and Removal Case First Case Kepolisian saat ini sudah menerapkan teknologi komputer dalam pembuatan SKCK (Surat Keterangan Catatan Kepolisian). Budi selaku pemohon selalu menuliskan nama dan keterangan dirinya di setiap proses pengajuan. Mulai dari RT, RW, Polsek, Polres, Polda, hingga Mabes Polri. Masalah apa yang ada dalam sistem ini? Introduction 1400000 Objective of this term Understand the operational problems inherent in the flat-file approach to data management that gave rise to the database approach. Understand the relationships among the fundamental components of the database concept. Recognize the defining characteristics of three database models: hierarchical, network, and relational. Understand the operational features and associated risks of deploying centralized, partitioned, and replicated database models in the DDP environment. Be familiar with the audit objectives and procedures used to test data management controls. Data Management Approach • Flat File Approach • Database Approach Introduction Flat File Approach The disadvantage of Flat File Approach Data Storage Data Updating Currency of Information Task Data Dependency The Database Approach Introduction Key Element of Database DBMS • • • • Program Development Back Up Recovery Database Usage Reporting Database Access User • Application Interface • Informal Access Database Administrator • • • • • • Planning and sync with Database Environment Design Database Implements Security Standard Programming Maintenance Development and the update of task dependency Physical Database Character Field Record File Database Graphically… Data Organization Structure Human Resource Database Payroll File Employee Record 1 Employee Record 2 Benefit File Employee Record 3 Employee Record 4 Name SS No. Salary Name SS No. Salary Field Field Field Field Field Field Name SS No. Salary Name SS No. Salary Field Field Field Field Field Field Jones T.A. Alverez, J.S. 275-32-3874 20,000 Klugman J.L. 349-88-7913 28,000 542-40-3718 100,000 Porter, M.L. 617-87-7915 50,000 • Master files: permanent data (records) pertaining to entities (people, places, and things) • Transaction files: records pertaining to events currently being processed, such as sales, receipts of goods • Reference files: These contain tables or lists of data needed for making calculations e.g., product price tables • History files: These are also called archive files • Open files: These record incomplete transactions. e.g., Open sales order file Database in Distributed Environment Centralized Database • The first approach involves retaining the data in a central location. Remote IT units send requests for data to the central site, which processes the requests and transmits the data back to the requesting IT unit. The actual processing of the data is performed atmthe remote IT unit. The central site performs the functions of a file manager that services,the data needs of the remote sites. Centralized Database Distributed Database • This model is separated into two kinds – Partitioned method – Replicated method Distributed Database Distributed Database Model Client PC Network Server Distributed Databases on Intranets and Other Networks End User Databases Data Warehouse External Databases on the Internet and Online Services Operational Databases of the Organization Data Marts Concurrency Control • Database concurrency is the presence of complete and accurate data at all user sites. Concurrency Control Controlling and Auditing DMS How is it flowing? • http://www.astuteconsulting.com/Services/Internal-Audit-and-Risk-Management/Information-SystemReview.aspx Audit Control Control Over Data management • Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting, or destroying the entity’s data. • Backup controls ensure that in the event of data loss due to unauthorized access, equipment failure, or physical disaster the organization can recover its database. User Control The audit process can be broken down into the following audit phases: Establish the Terms of the Engagement Consider Internal Control Preliminary Review Plan the Audit Establish Materiality and Assess Risks Method • • • • Appropriate Access Authority. Biometric Controls. Inference Controls. Encryption Controls. Audit Procedures for Testing Database Access Controls • Responsibility for Authority Tables and Subschemas. The auditor should verify that database administration (DBA) personnel retain exclusive responsibility for creating authority tables and designing user views. Evidence may come from three sources: • (1) by reviewing company policy and job descriptions, which specify these technical responsibilities; • (2) by examining programmer authority tables for access privileges to data definition language (DDL) commands; and • (3) through personal interviews with programmers and DBA personnel. Brief Auditing • IS Standard 050 (Planning) states, “The IT auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.” Planning • To meet the audit objectives, and to ensure that audit resources will be used efficiently, the auditor will need to establish levels of materiality. The auditor should consider both qualitative and quantitative aspects in determining materiality. Materiality • In assessing materiality, the IT auditor should consider: • The aggregate level of error acceptable to management, the IT auditor, and appropriate regulatory agencies. • The potential for the cumulative effect of small errors or weaknesses to become material. Where financial transactions are not processed, the following identifies some measures the auditor should consider when assessing materiality: • Criticality of the business processes supported by the system or operation. • Cost of the system or operation (hardware, software, third-party services) • Potential cost of errors. • Number of accesses/transactions/inquiries processed per period. • Penalties for failure to comply with legal and contractual requirements.