IT审计相关知识(英文版)

1、IT Audit and Control Model of Information and Related Technology -COBIT Hu kejin W IT Audit ISACA (Information Systems Audit and Control Association) CISA (Certified Information System Auditor) COBIT- Control Objectives For Information and Related Technology Information Systems Audit and Control Fou

2、ndation IT Governance Institute 1. IT Audit Overview 2. COBIT Overview 3. COBIT Architecture 4. Control Objectives 5. Management Guidelines 6. Audit Guidelines 1. IT Audit Overview Auditing Objectives Security Reliability Effectiveness Scope of the audit 1) Information Systems 2) to cover life cycle

3、 of IS Audit Plan $ Definition of Scope and Objectives. $ Analysis and understanding of standard procedures. $ Evaluation of system and internal controls. $ Audit Procedures and documentation of evidence. $ Analysis of facts encountered. $ Formation of opinion over the controls. $ Presentation of re

4、port and recommendations. Audit Techniques $ Compliance tests. $ Substantive tests. $ Auditing program. $ Integrated Test Facility. $ Parallel Simulation. $ Snapshot $ Tracing $ Program Code Comparison $ Computer Assisted Audit Techniques and Tools. Audit Work Team $ Manager: Responsible for the aud

5、it and quality control. $ Senior/team leader: Responsible for the work papers. $ Staff: Responsible for the performance of the audit. Audit Report Progress Reports. Work Papers. Other Work Papers. Preliminary Reports. Final Audit Report. 1）What is our mission? 2）What are our goals and how will we ac

6、hieve them? 3） How can we measure our performance? 4）How will we use that information to make improvements? 1）Accounting Audit 2）System Audit 3）Performance Audit Business Reference Model (BRM) Lines of Business Agencies, Customers, Partners Service Component Reference Model (SRM) Service Domains, Se

7、rvice Types Business & Service Components Technical Reference Model (TRM) Service Component Interfaces, Interoperability Technologies, Recommendations Data & Information Reference Model (DRM) Business-focused Data Standardization Cross-Agency Information Exchanges Performance and Business-Driven Per

8、formance Reference Model (PRM) Inputs, Outputs, and Outcomes Uniquely Tailored IT Performance Indicators Component-Based Architectures Performance Reference Model (PRM) Inputs, Outputs, and Outcomes Uniquely Tailored IT Performance Indicators Business Reference Model (BRM) Lines of Business Agencies

9、, Customers, Partners Service Component Reference Model (SRM) Service Domains, Service Types Business & Service Components Technical Reference Model (TRM) Service Component Interfaces, Interoperability Technologies, Recommendations Data & Information Reference Model (DRM) Business-focused Data Stand

10、ardization Cross-Agency Information Exchanges Performance and Business-Driven Component-Based Architectures THE FEA REFERENCE MODEL FRAMEWORK HUMAN CAPITAL MISSION AND BUSINESS RESULTS CUSTOMER RESULTD VALUE VALUE STRATEGIC OUTCOMS INPUT TECHONLOGY OTHER FIXED ASSETS PROCESS AND ACTIVITY Mission and

11、 business-critical results aligned with the Business Reference Model. Results measured from a customer perspective The direct effects of day-to-day activities and broader processes measured as driven by desired outcomes. Used to further define and measure the Mode of Delivery in The business referen

12、ce model. Key enablers measured through their contribution to outputs and by extension outcomes Data and Information Reference Model (DRM) is currently under development COBIT is the model for IT governance! 2. COBIT Overview Business Requirements IT Management IT Resources 1). Executive Summary 2).

13、 Framework 3).Control Objectives 4).Management Guidelines 5).Audit Guidelines 6).Implementation Tool set The control of which satisfy is enabled by considering IT Processes Business Requirements Control Statements Control Practices Data Application Systems Technology Facilities People Events Busines

14、s Objectives Business Opportunities External Requirements Regulations Risks Information Effectiveness Confidentiality Integrity Availability Compliance Reliability Message input Service output Business Processes Information IT Resources IT Resources People Application Systems Technology Facilities D

15、ata Information Criteria effectiveness confidentiality integrity availability compliance reliability ? Do they match What you get What you need Information criteria IT domains IT resources Planning & organization Acquisition & implementation Delivery & support Monitoring Domains Processes Activities

16、 Information Criteria IT Processes IT Resources Quality Fiduciary Security people Application Systems Technology Facilities Data Domains Processe s Activities/Tasks 3. COBIT Architecture Management framework Management guidelines Control objectives Audit guidelines Tool set Management guidelines Mat

17、urity models Critical success factors Key goal indicators Key performance indicators IT domains Planning & Organization Acquisition & Implementation Delivery & Support Monitoring COBIT IT Processes Defined Within the Four Domains COBIT Business Objectives Information IT Resources Planning & Organiza

18、tion Acquisition & Implementation Delivery & Support Monitoring IT Resources IT Resources Application Systems Data Application Systems Technology Facilities People Domains Processes Processes Activities/ Tasks Information Criteria Quality Fiduciary Security Quality Cost Delivery Effectiveness Effici

19、ency Reliability Compliance Confidentiality Integrity Availability 4.Control Objectives High-Level Control Objectives 34 (Control Over the IT Process) Control Objectives 318 (Control Over the Activities/Tasks) Planning & Organization PO1 define a strategic IT plan PO2 define the information architec

20、ture PO3 determine the technological direction PO4 define the IT organization and relationships PO5 manage the IT investment PO6 communicate management aims and direction PO7 manage human resources PO8 ensure compliance with external requirements PO9 assess risks PO10 manage projects PO11 manage qua

21、lity Acquisition & Implementation AI1 identify solutions AI2 acquire and maintain application software AI3 acquire and maintain technology architecture AI4 develop and maintain IT procedures AI5 install and accredit systems AI6 manage changes Delivery & Support DS1 define service levels DS2 manage t

22、hird-party services DS3 manage performance and capacity DS4 ensure continuous service DS5 ensure systems security DS6 identify and attribute costs DS7 educate and train users DS8 assist and advise IT customers DS9 manage the configuration DS10 manage problems and incidents DS11 manage data DS12 mana

23、ge facilities DS13 manage operations Monitoring M1 monitor the processes M2 assess internal control adequacy M3 obtain independent assurance M4 provide for independent audit DOMAIN Process Information Criteria IT Resources Planning & Organization PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 Effecti

24、veness Efficiency Confidentiality Integrity Availability Compliance Reliability People Application Systems Technology Facilities Data DOMAIN Process Information Criteria IT Resources People Application Systems Technology Facilities Data Effectiveness Efficiency Confidentiality Integrity Availability

25、 Compliance Reliability PO1 define a strategic IT plan Planning & Organization PO2 define the information architecture P S S S P S Managements Question 1. How do responsible managers “keep the ship on course”? 2. How to achieve results that are satisfactory for the largest possible segment of our st

26、akeholders? 3. How to timely adapt the organization to trends and developments in the enterprises environment? Dashboards Scorecards BenchmarkingBenchmarking 5. Management Guidelines Maturity Models CSF KGI KPI Generic Maturity Model 0 Non-Existent 1 Initial 2 Repeatable 3 Defined 4 Managed 5 Optimi

27、zed 0123 4 5 Non- ExistentInitialRepeatable Defined Managed Optimized Enterprise Current Status International Standard Guidelines Industry Best Practice Enterprise Strategy GoalsEnablers Balanced Business Scorecard Information Technology Measure (Outcome) Measure (Performance) Critical Success Facto

28、rs (CSF) Define the most important issues or actions for management to achieve control over and within its IT processes. Key Goal Indicators (KGI) Define measures that tell management -after the fact- whether an IT process has achieved its business requirements Key Performance Indicators (KPI) Define