peranan audit pada perbaikan sistem...

Riyanarto Sarno

PERANAN AUDIT

PADA PERBAIKAN

SISTEM INFORMASI

ALIGNMENT

BUSINESS & IT VALUE CREATION

• Computer Science Corp. :

“while IT has become an increasingly critical component of business success, information system executives must ensure that their plan in sync with the strategies directing the overall interprise“ (Aligning Technology and Corporate Goals is Top IS issue)

STRATEGI BISNIS

Measuring your strategy : “It’s simple but not easy”

Measuring Business Performance

• Optimizing the management of business proseses

• Enhancing Business Goals

• Acknowledging IT contribution to Business Strategy

• Acknowledging degree of alignment between Business & IT goals

Balanced Scorecard

(Performance Measurement Framework)

Four Balanced Scorecard Perspectives

LEARNING AND

GROWTH

INTERNAL/BUSINESS

PROCESSCUSTOMER

FINANCIAL

Balanced Scorecard Perspectives

• Finance : Strategic themes = Financial strategies (growth, sustain, harvest) vs Financial themes (Revenue growth and mix, Cost reduction/ productivity improvement, Asset utilization/ investment strategy)

• Customer: market share, customer acquisition, customer retention, customer satisfaction dan customer profitability

• Internal/Business Process: innovation process, operations process and postsale service process

• Learning & growth: continuous improvement to products and services

Strategic

Themes

Measuring

Customer

Perspective

Internal/ Business Proses

Value Chain Model

Customer

Need

Identified

Customer

Need

Satisfied

Indentify

the Market

Create the

Product/

Service

Offering

Build the

Product/

Services

Deliver the

Product/

Service

Service

the

Custo-

mer

Innovation

Process

Operations

Process

Postsale

Service

Process

ALIGNING

BUSINESS &

IT

Aligning IT with business

means bridging the gap

between what technology

promises and

what it actually delivers

Business Goals

Balanced Scorecard -Four Perspectives

No Business Goals

Financial Perspective

1.√Provide a good return on investment of IT-enabled business investments

.

.

.

.

.

.3. Improve corporate governance and transparency

Customer Perspective

4.√ Improve customer orientation and service...

.

.

.

9.Obtain reliable and useful information for strategic decision making

Internal-Business-Process Perspective

10.√ Improve and maintain business process functionality

.

.

.

.

.

.15. Improve and maintain operational and staff productivity

Learning and Growth Perspective

16.√ Manage product and business innovation

17. Acquire and maintain skilled and motivated people

Business Goals in COBIT

The top 10 most important Business Goals based on ITGI’s research findings

IT Goals

No. IT Goals

1.√ Respond to business requirements in alignment with the business strategy

2.√ Respond to governance requirements in line with board direction

3.√ Ensure satisfaction of end users with service offerings and service levels

4. Optimise the use of information

5. Create IT agility

.

.

.

.

.

.28. Ensure that IT demonstrates cost-efficient service quality,

continuous improvement and readiness for future

IT Goals in COBIT

The top 10 most important IT Goals based on ITGI’s

research findings

Linking Business Goals to IT Goals

Balanced

Scorecard -

Four

Perspectives

No Business Goals IT Goals

Financial

Perspective

1.

√

Provide a good return on

investment of IT-enabled

business investments

24√

2.

√

Manage IT-related business

risk

2 √ 14 √ 17 18 19 21 22

3. Improve corporate

governance and transparency

2 18

The statement and its relevance number of


The relevance number of IT Goals in COBIT


Nomor Tujuan TI dalam COBIT

Balanced

Scorecard -

Four

Perspectives


Customer

Perspective

4.√ Improve customer orientation and

service

3 √ 23 √

5.√ Offer competitive products and services 5 24 √

6.√ Establish service continuity and

availability

10 16 22 23 √

7.√ Create agility in responding to changing

business requirements

1 √ 5 25

√

8. Achieve cost optimisation of service

delivery

7 8 10 24

9.√ Obtain reliable and useful information

for strategic decision making

2 √ 4 12 20 26 √





Balanced

Scorecard -

Four

Perspectives

No. Business Goals IT Goals

Internal-

Business-

Process

Perspective

10.√ Improve and maintain business

process functionality

6

√

7 11

11. Lower process costs 7 8 13 15 24

12.√ Provide compliance with external

laws, regulations and contracts

2

√

19 20 21 22 26 √ 27 √

13. Provide compliance with internal

policies

2 13

14. Manage business change 1 5 6 11 28

15. Improve and maintain operational

and staff productivity

7 8 11 13





Balanced

Scorecard -

Four

Perspectives


Learning and

Growth

Perspective

16.√ Manage product and

business innovation

5 25

√

28

17.√ Acquire and maintain skilled

and motivated people

9




IT Governance Frameworks

–Information Technology Infrastructure Library (ITIL)

–ISO 17799 (27002)

–Control Objectives for Information and related Technology (COBIT)

IT Governance Frameworks

ITIL Framework

COBIT Domains

IT processes are usually divided into the responsibility domains of plan, build, run and monitor

Each Domain has processes

Plan and Organise (PO)

Acquire and

Implement

(AI)

Deliver and

Support

(DS)

Monitor and Evaluate (ME)

Processes of PO Domain

PO1 Define a Strategic IT Plan

PO2 Define the Information Architecture

PO3 Determine Technological Direction

PO4Define the IT Processes, Organisation and

Relationships

PO5 Manage the IT Investment

PO6 Communicate Management Aims and Direction

PO7 Manage IT Human Resources

PO8 Manage Quality

PO9 Assess and Manage IT Risks

PO10 Manage Projects

Pola Pikir

31

•COBIT’s

Mission

• COBIT’s Vision

•Melakukan penelitian, pengembangan, publikasi dan promositerhadap control objective dari teknologi informasi yang secara umum diterima di lingkungan internasional untukpemakaian sehari-hari oleh manager dan auditor

COBIT: An IT Control Framework

•Sebagai model untuk penguasaan IT

33

•IT Processes

•IT

•Resources

•Business

Requirements

Data

Information Systems

Technology

Facilities

Human Resources

Plan and Organise (Perencanaan & Org.)

Acquire and Implement (Pengadaan & Implementasi)

Deliver and Support (Pengantaran & dukungan)

Monitor and Evaluate (Pengawasan &Evaluasi)

Effectiveness(efektifitas)

Efficiency (Efisiensi)

Confidentiality (Rahasia)

Integrity (Integritas)

Availability (Ketersediaan)

Compliance (Pemenuhan)

Information Reliability

(Kehandalan Informasi)

•COBIT Framework

•H

ow

do

th

ey r

ela

te?

34

Topics• Strategi dan taktik

• Merencanakan Visi

• Organisasi and infrastruktur

Questions• Apakah IT dan strategi bisnis sudah

ditetapkan?

• Apakah perusahaan sudah menggunakan secara maksimum sumber dayanya?

• Apakah semua orang di dlm org. sudah memahami sasaran IT?

• Apakah resiko IT sudah dipahami & diatur?

• Apakah mutu sistem IT sudah sesuai dgn kebutuhan bisnis?

•Plan and Organise

Topics

IT solutions

Perubahan dan Pemeliharaan

Questions

Apakah proyek baru dapat

memberikan solusi terhadap

kebutuhan bisnis?

Apakah proyek baru dapat selesai

tepat waktu dan sesuai anggaran?

Apakah sistem kerja yg baru bisa

diterapkan dgn baik?

Apakah perubahan yg dibuat tdk

merepotkan kegiatan bisnis yg

berjalan?

•Acquire and Implement

•COBIT Framework•

Do

ma

ins

35

Topics• Layanan pengantaran& dukungan

• Dukungan proses penyusunan

• Pengolahan sistem aplikasi

Questions• Apakah layanan IT yg diberikan

sesuai dgn prioritas bisnis?

• Apakah biaya IT dapat dioptimalkan?

• Apakah pekerja mampu menggunakan sistem IT lebih produktif dan aman?

• Apakah keamanan, integritas dan ketersediaan sudah pada tempatnya?

•Deliver and Support

Topics

Penilaian over time, jaminanpengiriman

Sistem pengendalian manajemenkesalahan

Pengukuran pekerjaan

Questions

Dapatkan IT mendeteksi suatupermasalahan sebelum semuanyaterlambat?

Apakah jaminan kemandirian ygdiperlukan dpt memastikan bidang2 kritis bisa beroperasi sesuai dgn ygdiharapkan?

•Monitor and Evaluate

•COBIT Domains

•D

om

ain

s

36

•The control of •(kendali)

•IT Processes•which satisfy•(yang mencakupi)

•is enabled by•(dimungkinkan)

•Control

• Statements•Considering •(mempertimbangkan)

•Control

•Practices

•COBIT Framework

•W

ate

rfa

ll M

od

el

•Business

•Requirements

37

•AI1 Identify automated solutions

•AI2 Acquire and maintain application software

•AI3 Acquire and maintain technology infrastructure

•AI4 Develop and maintain IT procedures

•AI5 Install and accredit systems

•AI6 Manage changes

•M1 Monitor the process

•M2 Assess internal control adequacy

•M3 Obtain independent assurance

•M4 Provide for independent audit

•DS1 Define service levels

•DS2 Manage third-party services

•DS3 Manage performance and capacity

•DS4 Ensure continuous service

•DS5 Ensure systems security

•DS6 Identify and attribute costs

•DS7 Educate and train users

•DS8 Assist and advise IT customers

•DS9 Manage the configuration

•DS10 Manage problems and incidents

•DS11 Manage data

•DS12 Manage facilities

•DS13 Manage operations

•IT

•RESOURCES

• Data

• Application systems

• Technology

• Facilities

• People

•PLAN AND

•ORGANISE

•ACQUIRE AND

•IMPLEMENT

•DELIVER AND

SUPPORT

•MONITOR AND

•EVALUATE

• Effectiveness

• Efficiency

• Confidentiality

• Integrity

• Availability

• Compliance

• Reliability

• Criteria

•COBIT

•Framework

•PO1 Define a strategic IT plan (menggambarkan)

•PO2 Define the information architecture

•PO3 Determine the technological direction (menentukan)

•PO4 Define the IT organisation and relationships

•PO5 Manage the IT investment

•PO6 Communicate management aims and direction

•PO7 Manage human resources

•PO8 Ensure compliance with external requirements

•PO9 Assess risks (menilai)

•PO10 Manage projects

•PO11 Manage quality

38

Maturity of IT Processes

PO Answers :

• Are IT and the business strategy aligned?

• Is the enterprise achieving optimum use of its resources?

• Does everyone in the organisation understand the IT objectives?

• Are IT risks understood and being managed?

• Is the quality of IT systems appropriate for business needs?

Processes of AI Domain

AI1 Identify Automated Solutions

AI2 Acquire and Maintain Application Software

AI3 Acquire and Maintain Technology Infrastructure

AI4 Enable Operation and Use

AI5 Procure IT Resources

AI6 Manage Changes

AI7 Install and Accredit Solutions and Changes

AI Answers :

• Are new projects likely to deliver solutions that meet business needs?

• Are new projects likely to be delivered on time and within budget?

• Will the new systems work properly when implemented?

• Will changes be made without upsetting current business operations?

Processes of DS Domain

DS1 Define and Manage Service Levels

DS2 Manage Third-party Services

DS3 Manage Performance and Capacity

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS6 Identify and Allocate Costs

DS7 Educate and Train Users

DS8 Manage Service Desk and Incidents

DS9 Manage the Configuration

DS10 Manage Problems

DS11 Manage Data

DS12 Manage the Physical Environment

DS13 Manage Operations

DS Answers :

• Are IT services being delivered in line with business priorities?

• Are IT costs optimised?

• Is the workforce able to use the IT systems productively and safely?

• Are adequate confidentiality, integrity and availability in place for information security?

Processes of

ME Domain

ME1 Monitor and Evaluate IT Performance

ME2 Monitor and Evaluate Internal Control

ME3 Ensure Compliance With External

Requirements

ME4 Provide IT Governance

ME Answers :

• Is IT’s performance measured to detect problems before it is too late?

• Does management ensure that internal controls are effective and efficient?

• Can IT performance be linked back to business goals?

• Are adequate confidentiality, integrity and availability controls in place for information security?

Linking IT Goals to IT Processes

IT Goals IT Processes1.

√

Respond to business requirements

in alignment with the business

strategy PO1 PO2 PO4 PO10 AI1 AI6 AI7 DS1 DS3 ME1

2.

√

Respond to governance

requirements in line with board

direction PO1 PO4 PO10 ME1 ME3

3.

√

Ensure satisfaction of end users

with service offerings and service

levels PO8 AI4 DS1 DS2 DS7 DS8 DS10 DS13

4. Optimise the use of information PO2 DS11

5. Create IT agility PO2 PO4 PO7 AI3

.

.

.

.

.

.

28.

Ensure that IT demonstrates cost-

efficient service quality, continuous

improvement and readiness for

future PO5 DS6 ME1 ME3

IT Processes in COBIT

IT Goals in COBITand its relevance number

PENGUKURAN KINERJA TI

Measuring IT performance :

one way to overcome “IT investment paradox”

Respond to business requirements in alignment with the business strategy

Degree of compliance with business and governance requirements

IT Goals

measure

Set

outcome

Define the strategy to deliver service offerings

Percent of IT objectives in the IT strategic plan that support the strategicbusiness plan

Process Goals

measure

performance indicator

drive

Set

Translating IT strategic planning into tactical plans

Percent of strategic/tactical IT plans meetings where business representatives have actively participated

Activities Goals

measure


drive

PO1 Goals and Metrics

Define how business functional and control requirements are translated into effective and efficient automated solutions

Number of projects where stated benefits were not achieved due to incorrectfeasibility assumptions

IT Goals

measure

Set

outcome

Identify solutions that are technically feasible and cost effective

Percent of the application portfolio not consistent with architecture

Process Goals

measure


drive

Set

Undertaking feasibility studies as defined in the development standard

Percent of projects in the annual IT plan subject to the feasibility study

Activities Goals

measure


drive

AI1 Goals and Metrics

Ensure satisfaction of end users with service offerings and service levels

Percent of users satisfied that service delivery meets agreed-upon levels

IT Goals

measure

Set

outcome

Formalise and monitor SLAs and performance criteria

Percent of services meeting service levels

Process Goals

measure


drive

Set

Reporting on service level achievements (reports and meetings)

Percent of service levels reported

Activities Goals

measure


drive

DS1 Goals and Metrics

Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change

Amount of reduction in the number of outstanding process deficiencies

IT Goals

measure

Set

outcome

Measure, monitor and report process metrics

Percent of critical processes monitored

Process Goals

measure


drive

Set

Reviewing performance against agreed-upon targets and initiating necessary remedial action

Number of metrics (per process)

Activities Goals

measure


drive

ME1 Goals and Metrics

COBIT Management, Control, Alignment &

Monitoring

IT Processes

IT Goals

BUSINESS GOALSGovernance Drivers

Business OutcomesA

pp

licat

ion

s

Info

rmat

ion

Infr

astr

uct

ure

Peo

ple

Information Criteria

IT Resources

IT Processes

Process Descriptions

Performance Indicators

Outcome Measures

Maturity Levels

Agar perbaikan yang kontinu terhadap Proses TI dapat dilakukan, maka harus

dievaluasi kondisi eksistingnya

COBIT menyediakan kerangka identifikasi sejauh mana

perusahan telah memenuhi standar pengelolan Proses TI

yang baik level kedewasaan

Maturity Attribute Table

Continuous Improvement

measured with

Business

Goals

Business

Outcome

IT Goals

IT Outcome

Process

Goals

Performance

indicators of

IT Process

Activity

Goals

Performance

indicators of

IT Activities

Outcome measure

Business Metrics

Performance indicator

Outcome measure

IT Metrics Performance indicator

Outcome measure

Process Metrics

Performance indicator

Define Goals

Indicate Performance

Mea

sure

Ach

ieve

men

t

Imp

rove

an

d R

ealig

n

drive

measured with measured with measured with

drive drive

set set set

Continuous Improvement

(Traditional Audit Approach)

Time

Co

ntr

ol E

nvir

on

men

t

t1 t2

Reality

Expectation

Asses 1 Asses 2

Audit rotation schedule

based on annual risk

assessment function

Continuous Improvement(Ongoing Measurement of Risk Indicators)

Time

Co

ntr

ol E

nvir

on

men

t

t1

t2

Reality

Expectation

Assess 1 Assess 2

Ongoing

Measurement

Report

Report Report

t1

Thank youhttp://blog.its.ac.id/riyanarto

http://riyanarto.blogspot.com

peranan audit pada perbaikan sistem...

Documents