History Of Information Technology Auditing
Information Technology Auditing (IT auditing) began as Electronic Data Processing (EDP) Auditing and developed largely as a result of the rise in technology in accounting systems, the need for IT control, and the impact of computers on the ability to perform attestation services. The last few years have been an exciting time in the world of IT auditing as a result of the accounting scandals and increased regulation. IT auditing has had a relatively short yet rich history when compared to auditing as a whole and remains an ever-changing field.
The introduction of computer technology into accounting systems changed the way data was stored, retrieved and controlled. It is believed that the first use of a computerized accounting system was at General Electric in 1954. During the time period of 1954 to the mid-1960s, the auditing profession was still auditing around the computer. At this time only mainframe computers were used and few people had the skills and abilities to program computers. This began to change in the mid-1960s with the introduction of new, smaller and less expensive machines. This increased the use of computers in businesses and with it came the need for auditors to become familiar with EDP concepts in business. Along with the increase in computer use came the rise of different types of accounting systems. The industry soon realized that they needed to develop their own software and the first of the generalized audit software (GAS) was developed. In 1968, the American Institute of Certified Public Accountants (AICPA) had the Big Eight (now the Big Four) accounting firms participate in the development of EDP auditing. The result of this was the release of Auditing & EDP. The book included how to document EDP audits and examples of how to process internal control reviews.
Around this time EDP auditors formed the Electronic Data Processing Auditors Association (EDPAA). The goal of the association was to produce guidelines, procedures and standards for EDP audits. In 1977, the first edition of Control Objectives was published. This publication is now known as Control Objectives for Information and related Technology (CobiT). CobiT is the set of generally accepted IT control objectives for IT auditors. In 1994, EDPAA changed its name to Information Systems Audit and Control Association (ISACA). The period from the late 1960s through today has seen rapid changes in technology from the microcomputer and networking to the internet, and with these changes came some major events that changed IT auditing forever.
The formation and rise in popularity of the Internet and E-commerce have had significant influences on the growth of IT audit. The Internet influences the lives of most of the world and is a place of increased business, entertainment and crime. IT auditing helps organizations and individuals on the Internet find security while helping commerce and communications to flourish.
Definition of EDP Auditing/Computer Auditing:
1. Electronic Data Processing (EDP) can refer to the use of automated methods to process commercial data. Typically, this uses relatively simple, repetitive activities to process large volumes of similar information. For example: stock updates applied to an inventory, banking transactions applied to account and customer master files, booking and ticketing transactions to an airline's reservation system, billing for utility services.
2. According to Ron Weber, EDP auditing is the process of collecting and evaluating evidence to determine whether a computer system is able to safeguard assets, maintain data integrity, achieve the organization's goals effectively and use the company's assets economically.
3. According to Gallegos, Richardson and Borthick: Computer auditing is the evaluation of computer information systems, practices and operation to assure the integrity of an entity’s information.
Include one or both of the following:
- Assessment of internal controls within the CIS environment to assure the validity, reliability and security of information
- Assessment of the efficiency and effectiveness of the CIS environment in economic terms.
EDP audit methods
1. Auditing around the computer
An audit approach that treats the computer as a black box. This technique does not test the processing steps directly; it focuses only on the input and output of the computer system.
Weaknesses:
a. Databases generally contain large amounts of data that are difficult to trace manually
b. Does not give the auditor a better understanding of the computer system
c. Ignores system controls, so it is prone to errors and potential weaknesses in the system
d. Is concerned more with the past than with preventive auditing
e. The computer's capability as an audit support facility is wasted
f. Does not cover the full aims and objectives of the audit
2. Auditing through the computer
A computer-oriented audit approach that focuses directly on the processing operations within the computer system, on the assumption that if adequate controls exist in processing, errors and misuse can be detected.
3. Auditing with the computer
Uses the computer (audit software) to help carry out the audit steps. Generalized Audit Software Program (GASP) for substantive tests.
Benefits of GASP:
a. allows the auditor to maintain a high degree of independence
b. reduces the level of computer expertise and training required
c. can access a variety of client records without special programs
d. allows the auditor to control the execution of the program
e. takes advantage of the computer's speed and accuracy
Weaknesses of GASP:
a. designed for ease of implementation but neglects efficiency
b. many GASPs only work on particular computers
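The difference between auditing around and auditing through the computer, shown as an added example that is not part of the original page. The payment routine, its approval limit and the test deck are hypothetical and constructed for illustration: the black-box reconciliation passes, while the test-data run through the processing exposes a missing control.

```python
from decimal import Decimal

APPROVAL_LIMIT = Decimal("1000.00")  # assumed policy: larger payments need an approver

def post_payments(batch):
    """Hypothetical client system under audit. Defect left in on purpose:
    it checks the amount sign but never enforces the approval limit."""
    posted, rejected = [], []
    for txn in batch:
        if txn["amount"] <= 0:
            rejected.append(txn)
        else:
            posted.append(txn)  # missing: approver check above the limit
    return posted, rejected

def audit_around(batch, posted, rejected):
    """Black-box check: input control total and record count must reconcile
    with the posted output plus the rejects."""
    total_in = sum(t["amount"] for t in batch)
    total_out = sum(t["amount"] for t in posted + rejected)
    return total_in == total_out and len(batch) == len(posted) + len(rejected)

def should_post(txn):
    """Auditor's independent statement of what the controls should allow."""
    if txn["amount"] <= 0:
        return False
    return txn["amount"] <= APPROVAL_LIMIT or bool(txn["approver"])

def audit_through(test_deck):
    """Test-data method: run auditor-built transactions through the processing
    and return the ids whose actual outcome differs from the expected one."""
    posted_ids = {t["id"] for t in post_payments(test_deck)[0]}
    return [t["id"] for t in test_deck
            if (t["id"] in posted_ids) != should_post(t)]

# Constructed test deck (not from any real system).
TEST_DECK = [
    {"id": "T1", "amount": Decimal("250.00"), "approver": None},
    {"id": "T2", "amount": Decimal("-40.00"), "approver": None},
    {"id": "T3", "amount": Decimal("5000.00"), "approver": "mgr01"},
    {"id": "T4", "amount": Decimal("5000.00"), "approver": None},
]

if __name__ == "__main__":
    posted, rejected = post_payments(TEST_DECK)
    print("around the computer reconciles:", audit_around(TEST_DECK, posted, rejected))
    print("through the computer exceptions:", audit_through(TEST_DECK))
```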
Differences between manual and EDP audit systems:
1. Visibility
2. Means and facilities
3. Personnel
4. Segregation of duties
5. Likelihood of errors and fraud
6. Increased management supervision
7. Automatic execution of transactions by the computer
Internal control system in EDP
The internal control system comprises the organizational plan and the coordinated methods and rules within a company:
1. to safeguard assets
2. to check the accuracy and reliability of accounting data
3. to improve operating efficiency
4. to encourage adherence to management policies
Additional controls in EDP:
1. general controls
2. application controls
Audit risk
The possibility that the accountant issues a fair (unqualified) opinion on financial statements that contain material errors.
1. Inherent risk is the risk that a material error exists, supported by the financial statements being audited.
2. Control risk is the risk arising from the system's inability to find and prevent errors early.
3. Detection risk is the risk that arises because the auditor does not find material errors while performing the audit.
Transaction Flow Auditing (TFA)
A method used to document computerized application controls in order to audit transaction flows, covering:
- the organization's business activity cycles
- the types of transactions that flow through the cycles
- the functions performed in each cycle: recognizing, authorizing, processing, classifying and reporting transactions
The TFA approach is organized into 5 phases
1. General Risk Analysis (GRA)
2. Transaction Flow Review (TFR)
3. Specific Risk Analysis (SRA)
4. Compliance and substantive audit test
5. Final reporting
Knowledge a computer auditor must have
1. Computer system, operation and software
2. CIS techniques
3. Management concept and practices
4. Security of CIS function
5. Assessment of risk and threats
6. Auditing concepts and practices
7. Additional qualifications
Qualities a computer auditor must have:
1. ability to evaluate objectively
2. ability to recognize key issues quickly
3. ability to communicate effectively
4. knowledge of the CIS function