Group 7 :
1.      Nadifa Tyas Sulistiani                         C1I016015
2.      Isna Kamillia Insani                            C1I016017
3.      Tiffany Christy Marendra                   C1I016024
4.      Rysdea Revayana                               C1I016033


What every IT Auditor Should Know About Using Inquiry to Gather Evidence
·         Inquiry Framework :
There are two kinds of inquiries:
1.      Interviews
Advantages :
-          In an interview, the auditor can assess the interviewee's honesty from body language, speech and other behavioral cues.
-          Open-ended questions in an interview yield more information and a better assessment than the fixed list of questions in a questionnaire.
Disadvantages :
-          Depends on the availability of both parties (interviewer and interviewee)
-          Requires the auditor and the interviewee to be able to meet
-          Distractions at the interview location
-          Time taken to prepare the interview questions
-          Time taken to write up the interview results
2.      Questionnaires
Advantages :
-          Saves time in gathering data
-          Can use standardized, professionally developed questions
Disadvantages :
-          Lacks the advantages of an interview; information gathered in an interview is generally richer
-          Respondents may give fictitious answers to look good
-          Respondents may fail to complete the questionnaire
-          Respondents may misunderstand questions
-          Respondents may provide incomplete or incorrect information
-          Correcting information errors is more costly
·         Inquiry Effectiveness
There are several ways of gathering evidence. One popular framework is: inquiry, observation, examination and inspection/reperformance. Of these, inquiry is viewed as providing the least assurance and therefore carries the lowest level of reliance as evidence. There are many reasons why inquiry, or inquiry alone, may be insufficient for developing competent evidence.
A specific IT example may help demonstrate some of the nuances of inquiry. The following illustrates a situation that is not uncommon: executives establish standard operating procedures and a sufficient set of controls, then believe those procedures are being followed and those controls are operating effectively.
An example from a real audit involves an interview-type inquiry in which two C-level executives were asked about access controls. When asked who had access to a certain high-risk function, the IT auditors were given a very short list (good news so far). When asked if anyone else could get access to the function, the answer was no one (feeling good about access controls). But when the IT auditors used an inspection test for the access controls—due to the fact that a high level of risk was assessed to this function—they discovered that several other people had access and that a key senior executive actually assigned login credentials and kept a handwritten list of all of them.
Therefore, IT auditors need to be careful about relying on inquiry evidence obtained from senior managers and executives, who may be under the wrong impression about the procedures and controls they designed and believe were implemented. If the difference between design and operation is significant, it can cancel out the assurance that the inquiry appears to provide.
Another danger is the temptation to focus on the answers in a questionnaire and mentally disengage.
The danger here arises when two things happen:
1.  An employee makes unauthorized adjustments and/or changes to business practices or controls and does not communicate the change to the proper authorities.
2.  The change is to the detriment of the overall internal control structure or the effectiveness of business processes.
Another group of dangers could be described as: things that are that should not be. These can be seen as a failure to properly carry out the authorized procedures or controls. A good IT example is inadequate testing of new technologies, especially applications, before they are put into use.
A similar situation exists when employees are terminated. Access rights for a terminated employee should be revoked in step with that person's date of termination, not left open until someone notices.
A third category of dangers is nefarious activities. Unfortunately, human nature being what it is, the business community will never fully eliminate nefarious activities.
For instance, in one IT audit, the IT auditor discovered that a key senior manager had managed to edit the login application so that the credential check was bypassed for him (an if-then-else statement: if employee # = key manager, skip login).
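The access-control story above (a short list given in inquiry, a longer list found on inspection) and the terminated-employee point are both cases where the auditor has to compare what was said with what the system actually contains. The following is an added example, not code from the article or the audit it describes: it reconciles an inquiry answer against a constructed access list and flags terminated users whose access outlived their termination date. The account names, dates and the one-day grace period are assumptions.

```python
"""Inspection test: reconcile access claimed in inquiry against access actually
provisioned, and check that terminated employees' access ended on time.
Added example; every name, date and record below is constructed, not from the article."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    user: str
    has_high_risk_function: bool   # holds the role under audit
    terminated_on: Optional[date]  # from the HR feed; None if still employed
    disabled_on: Optional[date]    # from the identity system; None if still enabled


# What the executives said in inquiry (constructed)
CLAIMED_ACCESS = {"cfo", "controller"}

# What the identity system and HR feed actually show (constructed)
ACCOUNTS = [
    Account("cfo", True, None, None),
    Account("controller", True, None, None),
    Account("ap_clerk_1", True, None, None),                        # never mentioned in inquiry
    Account("temp_consultant", True, date(2023, 3, 31), None),      # left months ago, still enabled
    Account("svc_batch", True, None, None),                         # shared service login
    Account("intern", False, date(2023, 6, 30), date(2023, 7, 14)), # disabled two weeks late
    Account("auditor", False, None, None),
]

# Assumption: access should be gone within a day of the termination date
GRACE = timedelta(days=1)


def reconcile_access(claimed, accounts):
    """Compare the inquiry answer with the provisioned state of the high-risk function."""
    actual = {a.user for a in accounts if a.has_high_risk_function}
    return {
        "undisclosed": sorted(actual - claimed),   # have access, not mentioned in inquiry
        "claimed_only": sorted(claimed - actual),  # mentioned, but no longer provisioned
        "inquiry_corroborated": actual == claimed,
    }


def late_deprovisioning(accounts, as_of):
    """Terminated users whose access was not disabled within GRACE of termination.
    Returns (user, status, days past the deadline) tuples."""
    findings = []
    for a in accounts:
        if a.terminated_on is None:
            continue
        deadline = a.terminated_on + GRACE
        if a.disabled_on is None:
            if as_of > deadline:
                findings.append((a.user, "still enabled", (as_of - deadline).days))
        elif a.disabled_on > deadline:
            findings.append((a.user, "disabled late", (a.disabled_on - deadline).days))
    return findings


if __name__ == "__main__":
    print(reconcile_access(CLAIMED_ACCESS, ACCOUNTS))
    print(late_deprovisioning(ACCOUNTS, date(2023, 9, 1)))
```

The point of the reconciliation is the `inquiry_corroborated` flag: inquiry alone would have produced a clean answer, and only pulling the real access list turns up the undisclosed accounts. In practice the two inputs come from an export of the application's role assignments and the HR termination feed; the check is only as good as the completeness of those exports, so obtain them yourself rather than accepting a list typed up by the control owner.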
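To make the finding concrete, here is an added example (not the application from the audit, nor code from the article) that reproduces the described backdoor in a small login routine, shows the hardened form beside it, and implements the reperformance test an auditor could run against either: attempt every known employee number with a deliberately wrong password and report any that still get in. The employee numbers, passwords and directory are constructed.

```python
"""A login backdoor of the kind described in the finding (constructed reproduction),
its hardened counterpart, and a reperformance test that detects the bypass.
Added example; employee numbers, passwords and the directory are constructed."""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_directory(credentials):
    """Build {employee_id: (salt, pbkdf2_hash)} from constructed seed data."""
    directory = {}
    for emp_id, password in credentials.items():
        salt = os.urandom(16)
        directory[emp_id] = (salt, _hash_password(password, salt))
    return directory


def verify(emp_id, password, directory):
    """Credential check: unknown IDs fail; known IDs need the matching password."""
    entry = directory.get(emp_id)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


KEY_MANAGER = "E1042"  # constructed employee number of the manager who edited the login


def login_with_backdoor(emp_id, password, directory):
    """Vulnerable form: the inserted if-then-else skips verification for one employee number."""
    if emp_id == KEY_MANAGER:
        return True            # "skip login"
    else:
        return verify(emp_id, password, directory)


def login(emp_id, password, directory):
    """Hardened form: one code path, and it always verifies the credential."""
    return verify(emp_id, password, directory)


def find_bypassed_ids(login_fn, directory):
    """Reperformance test: try a wrong password for every known ID.
    Any ID that logs in anyway has an identity-keyed bypass."""
    wrong = "not-the-password-" + os.urandom(8).hex()
    return sorted(emp_id for emp_id in directory if login_fn(emp_id, wrong, directory))


DIRECTORY = make_directory({"E1001": "s3cret!", KEY_MANAGER: "hunter2", "E2077": "pa55word"})

if __name__ == "__main__":
    print("backdoored build:", find_bypassed_ids(login_with_backdoor, DIRECTORY))
    print("hardened build:  ", find_bypassed_ids(login, DIRECTORY))
```

The reperformance test catches this particular bypass because it is keyed on an employee number that appears in the directory. A bypass keyed on an ID that is not in the directory, on a magic password, or on a time window would pass it, which is why the auditor should pair reperformance with inspection of the login code against the version held in source control: an unreviewed change to the authentication path is itself the finding, whatever it does.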

