MANAGEMENT AND SYSTEM OBJECTIVES / CONTROLS METHODOLOGY

General: exposures result from errors or irregularities.

Management control objective          System control objective (application controls)
1. To provide reliable data            Completeness: input / process / output
                                       Accuracy: input / process / output
                                       Uniqueness
                                       Reasonableness
                                       Errors are detected
2. To encourage adherence to           Timeliness: captured / entered / processed
   prescribed accounting policies      Valuation: calculation, summary, etc.
                                       Classification
3. To safeguard assets and records     Transactions authorized
                                       Distribution of output
                                       Validity: no non-valid data processed
                                       Security of data and records
CONTROL

Management controls
• Top management controls
• Systems development management controls
• Programming management controls
• Data resources management controls
• Security management controls
• Operations management controls
• Quality assurance management controls
Senior manager: major functions
• Planning: determining the goals of the information systems function and the means of achieving them.
• Organizing: gathering, allocating and coordinating the resources needed to accomplish the goals.
• Leading: motivating, guiding and communicating with personnel.
• Controlling: comparing actual with planned performance as a basis for corrective action.
[Figure 3-4: Traditional data processing organization structure. Figure 3-5: More recent information system department organizational structure. Both are organization charts; only the box labels survive extraction: Vice President Information Systems; Manager Data Processing; Manager Systems Analysis; Manager Programming; Manager Data Entry; Manager Operations; Development; Maintenance; Accounting Applications; Engineering Applications; Computer Operations; Production Control; Network Operations; Librarian; Manager IS and IT Planning; Manager Quality Assurance; Standards Development; Applications Development; Applications Maintenance; Manager End-User Support; Manager Corporate Systems Integration; Data Administration; Database Administration; Corporate Modeling; Manager Contracts and Outsourcing; Manager Operations Facilities; Manager Administration; Manager Information Technology Services.]

Assignment
• Using a case (an example may be assigned to the students, or the computerization at Universitas Bina Nusantara), students are expected to identify weaknesses in the existing internal controls (general controls) and to recommend improvements.
General controls
• Organization and procedure controls
• Documentation controls
• Hardware controls
• Physical security controls
• Data security and processing facility controls
• Data communication system controls
Insurance
• Insurance can sometimes be used to mitigate the losses that arise when disasters eventuate. Policies can usually be obtained to cover the following resources:
Operations Management
Operations management is responsible for:
• Computer operations
• Communications network control
• Data preparation and entry
• Production control
• File library, documentation and program library
• Help desk / technical support
• Capacity planning and performance monitoring
• Outsourced operations

Operations Management Controls
• Operations management is responsible for the daily running of computer facilities so that production application systems can accomplish their work and development staff can design, implement and maintain application systems.

Computer Operations
• Operations controls: operations comply with standard operating procedures.
• Scheduling controls: computers are used only for authorized purposes.
• Maintenance controls: preventive and repair maintenance.
Production Control
• Receipt and dispatch of input and output: input is accepted only from authorized sources, and output is provided to authorized recipients on a timely basis.
• Job scheduling: production jobs are executed as scheduled.
• Management of service-level agreements: monitoring compliance with the agreed service levels.
• Transfer pricing / chargeout control: billing users for the services they consume.
• Acquisition of computer consumables: acquiring and managing consumables.

Network Operations
• Wide area network controls: control over network control terminals, which provide access to specialized systems software.
• Local area network controls: control over file servers.
File Library
• To ensure that removable storage media are stored securely in a clean environment.
• To ensure that storage media are used only for authorized purposes.
• To maintain storage media in good working order.
• To locate storage media appropriately at either on-site or off-site facilities.

Documentation and Program Library
• To maintain the documentation needed to support computer operations and to manage the inventory of acquired or licensed software.
• Documentation should be kept up to date and used only by authorized parties.
• Acquired or licensed software should be carefully managed so that neither it nor its documentation is lost or stolen, illegal copies are not made, use of the software complies with the terms and conditions of the licensing agreement, and suitable backups are maintained.
Help Desk / Technical Support
• To assist end users.
• To provide technical support for production systems by assisting with problem resolution.
• To function effectively and efficiently, the help desk must be staffed by competent and trustworthy personnel and supported by a logging and reporting mechanism that helps manage user queries and complaints.

Capacity Planning / Performance Monitoring
• To ensure that systems are executing efficiently, that an acceptable response time or turnaround time is being achieved, and that an acceptable level of uptime is maintained.
• Performance statistics are used to determine whether:
  • unauthorized activities are occurring;
  • system performance is acceptable;
  • more hardware and software resources are needed.

Management of Outsourced Operations
• Ongoing evaluation of the financial viability of the outsourcing vendor.
• Ensuring compliance with the outsourcing contract's terms and conditions.
• Ensuring the ongoing reliability of controls in the outsourcing vendor's operations.
• Maintaining disaster recovery procedures with the outsourcing vendor.
QUALITY ASSURANCE
Quality assurance management controls
• The importance of the quality assurance (QA) role
• QA qualifications
• QA functions
• QA recruitment problems
• QA and systems development
• The relationship between QA, internal audit, and independent external audit

Motivations toward the QA role
• Increasingly, organizations are producing safety-critical systems.
• Users are more demanding about quality.
• Organizations are undertaking more ambitious information systems projects that have more stringent quality requirements.
• Organizations are more concerned about their liabilities if they produce and sell defective software.
• Poor control over the production, implementation, operation and maintenance of software can be costly.
• Improving the quality of software is part of a worldwide trend among organizations to improve the quality of the goods and services they sell.

Quality assurance personnel perform six major functions
• Develop quality goals for the information systems function overall, and assist in the development of quality goals for specific information systems.
• Develop, promulgate and maintain information systems standards.
• Monitor compliance with standards.
• Identify areas for improvement.
• Report to management, including regular reports on compliance with general and specific standards.
• Train all other information systems personnel.

Programming Management Controls
Objectives
• To produce or acquire, and to implement, high-quality programs.
• High-quality programs:
  • perform their functions correctly and completely;
  • have a high-quality user interface;
  • work efficiently;
  • are well designed and well documented;
  • are easy to maintain;
  • are robust under abnormal conditions.
Application Controls
• Application controls are systems or mechanisms designed to detect possible errors, omissions or misuse, and their rules apply only to one particular application system.
• For example, the consistency check between the ATM card number and the PIN in a bank's ATM cash withdrawal application; other systems may not need a PIN at all.

Input Controls
• Mechanisms designed to detect erroneous or misused data so that it does not enter the computer files.
• Applied at the data capture stage, when input documents are filled in.
• Applied at the data entry stage, and as programmed checks (data validation).
Processing Controls
• Processing logic checks
• Run-to-run checks
• File and program checks
• Audit trail linkage

Data / File / Database Controls
• Access controls
• Application / program controls
• Cryptographic controls
• File handling controls
• Audit-trail controls
• Existence controls

Output Controls
• Mechanisms designed to ensure that computer output reaches those entitled to it, at the right destination, on time, and accurately (with no erroneous data).
• Output is accurate and matches what is needed.
• Output reaches the right destination, that is, those entitled to it.
• Output is delivered on schedule, or when it is needed.
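The input, processing and audit-trail controls listed above, worked as code. This is an added example, not code from the lecture notes or from any system they describe; the record layout, the field names, the 5000.00 reasonableness limit, the account master list, the card/PIN table and both sample batches are constructed assumptions. It implements the completeness, accuracy, uniqueness, reasonableness and validity checks from the control-objectives table as input validation, the run-to-run check as a reconciliation of record count and hash total against the batch header, audit trail linkage as one trail entry per input record, and the ATM card/PIN consistency check as an application-specific validity check.

```python
"""Application controls over a batch of transactions: input validation,
run-to-run control totals and an audit trail. Added example, not code from
the lecture notes; record layout, limits and sample data are constructed."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import hashlib
import hmac

# Constructed reference data: the account master list drives the validity
# check, the card/PIN table drives the ATM consistency check from the notes.
AUTHORIZED_ACCOUNTS = {"1001", "1002", "1003"}
CARD_PIN_HASH = {"4000123412341234": hashlib.sha256(b"1234").hexdigest()}
MAX_AMOUNT = Decimal("5000.00")  # reasonableness limit (assumed policy value)


@dataclass
class Batch:
    header_count: int           # control totals keyed by the originator at
    header_hash_total: Decimal  # data capture, before data entry
    records: list


def parse_amount(text):
    """Accuracy check: a well-formed decimal with exactly two places, else None."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        return None
    return amount if amount.as_tuple().exponent == -2 else None


def validate_record(rec, seen_ids):
    """Input controls from the control-objectives table. Returns the error
    codes for one record; an empty list means the record passed every check."""
    errors = []
    for f in ("txn_id", "account", "amount", "type"):   # completeness
        if not rec.get(f):
            errors.append(f"incomplete:{f}")
    if errors:
        return errors
    amount = parse_amount(rec["amount"])                  # accuracy
    if amount is None:
        errors.append("accuracy:amount")
    elif amount <= 0 or amount > MAX_AMOUNT:              # reasonableness
        errors.append("unreasonable:amount")
    if rec["txn_id"] in seen_ids:                         # uniqueness
        errors.append("duplicate:txn_id")
    seen_ids.add(rec["txn_id"])
    if rec["account"] not in AUTHORIZED_ACCOUNTS:         # validity
        errors.append("invalid:account")
    if rec["type"] not in ("DEP", "WDL"):
        errors.append("invalid:type")
    return errors


def process_batch(batch):
    """Processing controls: validate each record, then reconcile the totals
    recomputed by this run (run-to-run check) against the header totals declared
    at capture. A mismatch means records were lost, added or altered between
    data entry and processing. Returns (accepted, rejected, trail)."""
    accepted, rejected, trail, seen = [], [], [], set()
    run_hash_total = Decimal("0.00")
    for seq, rec in enumerate(batch.records, start=1):
        errs = validate_record(rec, seen)
        amount = parse_amount(rec.get("amount") or "")
        if amount is not None:
            run_hash_total += amount   # hash total covers every record received
        (rejected if errs else accepted).append(rec)
        # Audit trail linkage: every input record, accepted or not, leaves an
        # entry keyed by its sequence number in the batch.
        trail.append({"seq": seq, "txn_id": rec.get("txn_id"),
                      "status": "rejected" if errs else "accepted", "errors": errs})
    control_errors = []
    if len(batch.records) != batch.header_count:
        control_errors.append("run_to_run:count")
    if run_hash_total != batch.header_hash_total:
        control_errors.append("run_to_run:hash_total")
    trail.append({"seq": 0, "txn_id": None, "status": "batch", "errors": control_errors})
    return accepted, rejected, trail


def atm_pin_consistent(card_number, pin):
    """Application-specific consistency check from the notes: the PIN keyed at
    the ATM must match the one stored for that card. The unsalted hash is only
    a stand-in for the HSM-backed PIN verification a real ATM switch performs."""
    stored = CARD_PIN_HASH.get(card_number)
    digest = hashlib.sha256(pin.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, digest)


# Constructed sample batch: the header declares 5 records and a hash total of
# 6360.50 (100.00 + 250.50 + 10.00 + 6000.00); three records should be rejected.
SAMPLE_BATCH = Batch(5, Decimal("6360.50"), [
    {"txn_id": "T1", "account": "1001", "amount": "100.00", "type": "DEP"},
    {"txn_id": "T2", "account": "1002", "amount": "250.50", "type": "WDL"},
    {"txn_id": "T2", "account": "1003", "amount": "10.00", "type": "WDL"},    # duplicate id
    {"txn_id": "T4", "account": "9999", "amount": "6000.00", "type": "WDL"},  # unknown account, too large
    {"txn_id": "T5", "account": "1001", "amount": "", "type": "WDL"},         # amount missing
])
# Same header, but the last record was lost between data entry and processing.
SHORT_BATCH = Batch(5, Decimal("6360.50"), SAMPLE_BATCH.records[:4])

if __name__ == "__main__":
    for name, batch in (("sample", SAMPLE_BATCH), ("short", SHORT_BATCH)):
        accepted, rejected, trail = process_batch(batch)
        print(name, "accepted", len(accepted), "rejected", len(rejected),
              "batch controls", trail[-1]["errors"] or "ok")
    print("ATM PIN check:", atm_pin_consistent("4000123412341234", "1234"),
          atm_pin_consistent("4000123412341234", "0000"))
```

Running the block processes the two constructed batches. In the first, two records are accepted and three are rejected for distinct reasons while both control totals agree with the header. In the second, the same header arrives with only four records: the record count catches the loss even though the hash total still agrees, because the dropped record had an empty amount and contributed nothing to the total. That is why a batch carries both totals; a hash total alone would not notice the loss of a record whose amount field was already unusable.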
Case Study
Suppose an audit team is trying to identify a company's internal control system (example: the procedure for attending a cinema):
• Segregation of duties between the cashier and the door attendant.
• Unsold tickets are held by the manager.
• All staff wear uniforms.
• Tickets are pre-numbered and carry the Dinas Pajak DKI (Jakarta tax office) code.
• The cashier's report at the end of that evening's working hours.
• A dedicated bookkeeping clerk.
• Physical inspection of the film reels.
• Verification by a third party (the tax office).