management企业管理类英文

Application-levelITRiskAssessment

ISACADenverChapterMeetingFebruary21,2008OutlineWhythistopic?SECinterpretiveguidanceABC’simplementationapproachDesignoftheITRAmodelModelwalk-through/Q&AWhyThisTopic?

GRCSpendingSkyrocketsGovernanceRiskComplianceBoardandEntityManagementEnterpriseRiskMgt

(COSO,COCO)PublicCompanies

(Sarbanes-Oxley,NYSE,Nasdaq,Turnbull,etc.)CorporatePolicyandProcedureManagementOperationalRiskMgtSOX-Like

(Japan,Canada,EU)ITGovernance

(CobiT,ISO17799&27001-ISM)ITRiskMgt

(CobiT,ITIL,etc.)SpecificAreas

(PCI-DSS,AML,etc.)InternalAuditDepartmentsFinancialInstitutionRiskMgt(BaselII,etc.)PersonalInformation

(FTC,HIPAA,GLBA,COPPA,EUD,etc.)WhyThisTopic?

USCongressRespondsPCAOBCreated

(07/30/02)PCAOBProposesAS2

(10/07/03)PCAOB&SECApproveAS2

(03/09/04&06/17/04)ICFROpinionsLargeAcceleratedFilers

(FYEs11/15/04+)RoundtableFeedback

(04/13/05)PCAOBPolicyStatement

(05/16/05)WhyThisTopic?

CorporateOutcryBegins “Thefirst-yearimplementationofnewrequirementsforpubliccompanies’internalcontroloverfinancialreporting(ICFR)provedmoreburdensomeandcostlythanexpected,resultinginanoutcryfromcorporateAmerica.”JournalofAccountancy,TwoYearsandCounting,June2007WhyThisTopic?

Fix:AuditFirmsPerthePCAOBPolicystatementissued5/16/05,theauditorsshould—IntegratetheirauditsTailorauditplanstotheirclient’srisksUseatop-downapproachUsetheworkofothersCommunicatedirectlyandtimelywithclientsWhyThisTopic?

SOXYearTwo-2005PCAOBSAGRe:InternalControl

(06/08/05)ICFROpinionsAcceleratedFilers

(FYEs07/15/05+)AS2ImplementationReport

(11/30/05)InternalControlAuditInspectionsReport

(05/01/06)RoundtableFeedback

(05/10/06)AndThen?WhyThisTopic?

CorporateOutcry(Cont)Theaveragecostofbeingapubliccompanywithrevenueunder$1billionrose$1.6million,or130%,sincetheSarbanes-Oxleyerabegan.

Source:“SecondAnniversary:TheImpactofSarbanes-Oxley,”InstitutionalShareholderServices,WhyThisTopic?

Fix:Issuer(&AuditFirms)PCAOBAnnouncesAS2Rewrite

(12/xx/06)PCAOBProposesGuidanceforIssuers

(12/20/06)SECApprovesInterpretiveGuidance

(05/23/07)PCAOBAdoptsAS5ReplacingAS2

(05/24/07)SECInterpretiveGuidanceEffective

(06/27/07)AS5Effective

(FYEs11/15/07+)Management’sReportRequired

(FYEs12/15/07+)SECAnnouncesSmallBizC&BStudy

(02/01/08)ICFROpinionsNon-AcceleratedFilers

(FYEs12/15/09+)SECInterpretiveGuidance

ForIssuerManagementGuidanceRegardingManagement’sReportonInternalControlOverFinancialReportingEffectiveDate:June27,2007ACTION:Interpretation.SECInterpretiveGuidance

UnderlyingPrinciplesManagementshould:Evaluatewhetherithasimplementedcontrolsthatadequatelyaddresstheriskthatamaterialmisstatementofthefinancialstatementswouldnotbepreventedordetectedinatimelymanner.Baseitsassessmentofriskontheevaluationofevidenceabouttheoperationofitscontrols.SECInterpretiveGuidance

BenefitsITRA

Overview-ApproachUseriskfactors(riskassessmentevaluationcriteria)toassessthelevelofinherentriskandcontrolriskforeachapplicationsystem.UsetheresultantriskratingstodeterminethelevelofoverallriskaccordingtotheCompany'smethodology.Usetheoverallriskassessmentratingtoguidetheappropriatelevelofinternalcontrolevaluationprocedurestobeapplied.ITRA

ModelWalk-ThroughITRA

RunSettingsAssignmentofpointvaluestoriskfactorsBreakpointswhichdefineLow,Medium,andHighriskapplicationsExcludingriskfactorcategoriesfromresultsExcludingmissing/unknowndataITRA

RiskFactorsInformationCategoriesAPPL(ApplicationSystems)ADOS(Application/DatabaseServerOperatingSystemsDBMS(DataBaseManagementSystems)PlusbasicAPPLinformationBiastowardsobjectivevssubjectiveevaluationcriteriaITRA

APPLBasicInformationNameSOX-Indicator-IC-DeptVendor-NameOriginal-Implementation-DateMajor-Release-Implementation-DateSoftware-VersionSupport-SourceInfrastructureManagement-SourceApp-Server-OS-Vendor,Product,Version,&SP-LevelDB-Server-OS-Vendor,Product,Version,&SP-LevelDB-DBMS-Vendor,Product,Version,&SP-LevelITRA

APPLRiskFactors(1of2)Vendor-ReputationMonths-Post-Original-Implementation-DateMonths-Post-Major-Release-DateVersion-SupportedUsers-CountCustomizationUser-ConfigurableSimple-or-Complex-LogicInterfaces-Total-CountInterfaces-Manual-CountChanges-Count-NormalChanges-Count-EmergencyFailures-CountRestores-CountITRA

APPLRiskFactors(2of2)Gaps-Security-CountGaps-Changes-CountGaps-QAAR-CountGaps-SOD-CountGaps-Other-CountOutages-Count-DaysOutages-HoursProcesses-Supported-CountBP-Risk-Average-InherentMateriality-I-CountMateriality-G-CountMateriality-S-CountITTierITRA

ADOSRiskFactorsOutsourcer-SAS70ReportOpinion,TestingExceptions-Moderate,&TestingExceptions-MajorAppServerOS-Vendor-ReputationDBServerOS-Vendor-ReputationAppServerOS-Version-SupportedDBServerOS-Version-SupportedChanges-CountFailures-CountGaps-Security-CountGaps-Changes-CountGaps-QOSR-CountGaps-Other-CountProduction-Server-CountITRA

DBMSRiskFactorsVendor-ReputationVersion-SupportedChanges-CountFailures-CountGaps-Security-CountGaps-Changes-CountGaps-QDBR-CountGaps-Other-CountITRA

ModelWalk-Through(cont)ITRA

MajorDataSourcesICDepartmentAPPLLi