IT审计相关知识(英文版)(ppt 62页).ppt

1、Advanced Information Technology and Management,IT Audit and Control Model of Information and Related Technology -COBIT Hu kejin W,IT Audit ISACA (Information Systems Audit and Control Association) CISA (Certified Information System Auditor,COBIT- Control Objectives For Information and Related Techno

2、logy Information Systems Audit and Control Foundation IT Governance Institute,1. IT Audit Overview 2. COBIT Overview 3. COBIT Architecture 4. Control Objectives 5. Management Guidelines 6. Audit Guidelines,1. IT Audit Overview,Auditing Objectives,Security Reliability Effectiveness,Scope of the audit

3、,1) Information Systems 2) to cover life cycle of IS,Audit Plan, Definition of Scope and Objectives. $ Analysis and understanding of standard procedures. $ Evaluation of system and internal controls. $ Audit Procedures and documentation of evidence. $ Analysis of facts encountered. $ Formation of op

4、inion over the controls. $ Presentation of report and recommendations,Audit Techniques, Compliance tests. $ Substantive tests. $ Auditing program. $ Integrated Test Facility. $ Parallel Simulation. $ Snapshot $ Tracing $ Program Code Comparison $ Computer Assisted Audit Techniques and Tools,Audit Wo

5、rk Team, Manager: Responsible for the audit and quality control. $ Senior/team leader: Responsible for the work papers. $ Staff: Responsible for the performance of the audit,Audit Report,Progress Reports. Work Papers. Other Work Papers. Preliminary Reports. Final Audit Report,1）What is our mission?

6、2）What are our goals and how will we achieve them? 3） How can we measure our performance? 4）How will we use that information to make improvements,1）Accounting Audit 2）System Audit 3）Performance Audit,Business Reference Model (BRM) Lines of Business Agencies, Customers, Partners Service Component Ref

7、erence Model (SRM) Service Domains, Service Types Business & Service Components Technical Reference Model (TRM) Service Component Interfaces, Interoperability Technologies, Recommendations Data & Information Reference Model (DRM) Business-focused Data Standardization Cross-Agency Information Exchang

8、es Performance and Business-Driven Performance Reference Model (PRM) Inputs, Outputs, and Outcomes Uniquely Tailored IT Performance Indicators Component-Based Architectures,Performance Reference Model (PRM) Inputs, Outputs, and Outcomes Uniquely Tailored IT Performance Indicators,Business Reference

9、Model (BRM) Lines of Business Agencies, Customers, Partners,Service Component Reference Model (SRM) Service Domains, Service Types Business & Service Components,Technical Reference Model (TRM) Service Component Interfaces, Interoperability Technologies, Recommendations,Data & Information Reference M

10、odel (DRM) Business-focused Data Standardization Cross-Agency Information Exchanges,Performance and Business-Driven,Component-Based Architectures,THE FEA REFERENCE MODEL FRAMEWORK,HUMAN CAPITAL,MISSION AND BUSINESS RESULTS,CUSTOMER RESULTD,VALUE,VALUE,STRATEGIC OUTCOMS,INPUT,TECHONLOGY,OTHER FIXED A

11、SSETS,PROCESS AND ACTIVITY,Mission and business-critical results aligned with the Business Reference Model. Results measured from a customer perspective,The direct effects of day-to-day activities and broader processes measured as driven by desired outcomes. Used to further define and measure the Mo

12、de of Delivery in The business reference model,Key enablers measured through their contribution to outputs and by extension outcomes,Data and Information Reference Model (DRM,Data and Information Reference Model (DRM) is currently under development,COBIT is the model for IT governance,2. COBIT Overv

13、iew,Business Requirements,IT Management,IT Resources,1). Executive Summary 2). Framework 3).Control Objectives 4).Management Guidelines 5).Audit Guidelines 6).Implementation Tool set,The control of,which satisfy,is enabled by,considering,IT Processes,Business Requirements,Control Statements,Control

14、Practices,Data Application Systems,Technology,Facilities,People,Events Business Objectives Business Opportunities External Requirements Regulations Risks,Information Effectiveness Confidentiality Integrity Availability Compliance Reliability,Message input,Service output,Business Processes,Informatio

15、n,IT Resources,IT Resources,People Application Systems Technology Facilities Data,Information Criteria effectiveness confidentiality integrity availability compliance reliability,Do they match,What you get,What you need,Information criteria,IT domains,IT resources,Planning & organization,Acquisition

16、 & implementation,Delivery & support,Monitoring,Domains,Processes,Activities,Information Criteria,IT Processes,IT Resources,Quality,Fiduciary,Security,people,Application Systems,Technology,Facilities,Data,Domains,Processes,Activities/Tasks,3. COBIT Architecture,Management framework,Management guidel

17、ines,Control objectives,Audit guidelines,Tool set,Management guidelines,Maturity models,Critical success factors,Key goal indicators,Key performance indicators,IT domains,Planning & Organization,Acquisition & Implementation,Delivery & Support,Monitoring,COBIT IT Processes Defined Within the Four Dom

18、ains,COBIT,Business Objectives,Information,IT Resources,Planning & Organization,Acquisition & Implementation,Delivery & Support,Monitoring,IT Resources,IT Resources,Application Systems,Data,Application Systems,Technology,Facilities,People,Domains,Processes,Processes,Activities/ Tasks,Information Cri

19、teria,Quality,Fiduciary,Security,Quality Cost Delivery,Effectiveness Efficiency Reliability Compliance,Confidentiality Integrity Availability,4.Control Objectives,High-Level Control Objectives 34 (Control Over the IT Process) Control Objectives 318 (Control Over the Activities/Tasks,Planning & Organ

20、ization,PO1 define a strategic IT plan PO2 define the information architecture PO3 determine the technological direction PO4 define the IT organization and relationships PO5 manage the IT investment PO6 communicate management aims and direction PO7 manage human resources PO8 ensure compliance with e

21、xternal requirements PO9 assess risks PO10 manage projects PO11 manage quality,Acquisition & Implementation,AI1 identify solutions AI2 acquire and maintain application software AI3 acquire and maintain technology architecture AI4 develop and maintain IT procedures AI5 install and accredit systems AI

22、6 manage changes,Delivery & Support,DS1 define service levels DS2 manage third-party services DS3 manage performance and capacity DS4 ensure continuous service DS5 ensure systems security DS6 identify and attribute costs DS7 educate and train users DS8 assist and advise IT customers DS9 manage the c

23、onfiguration DS10 manage problems and incidents DS11 manage data DS12 manage facilities DS13 manage operations,Monitoring,M1 monitor the processes M2 assess internal control adequacy M3 obtain independent assurance M4 provide for independent audit,DOMAIN,Process,Information Criteria,IT Resources,Pla

24、nning & Organization,PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11,Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability,People Application Systems Technology Facilities Data,DOMAIN,Process,Information Criteria,IT Resources,People Application Systems Technology Facil

25、ities Data,Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability,PO1 define a strategic IT plan,Planning & Organization,PO2 define the information architecture,P S S S,P S,Managements Question 1. How do responsible managers “keep the ship on course”? 2. How to achiev

26、e results that are satisfactory for the largest possible segment of our stakeholders? 3. How to timely adapt the organization to trends and developments in the enterprises environment,Dashboards,Scorecards,Benchmarking,Benchmarking,5. Management Guidelines,Maturity Models CSF KGI KPI,Generic Maturit

27、y Model,0 Non-Existent 1 Initial 2 Repeatable 3 Defined 4 Managed 5 Optimized,0,1,2,3,4,5,Non- Existent,Initial,Repeatable,Defined,Managed,Optimized,Enterprise Current Status,International Standard Guidelines,Industry Best Practice,Enterprise Strategy,Goals,Enablers,Balanced Business Scorecard,Infor

28、mation Technology,Measure (Outcome,Measure (Performance,Critical Success Factors (CSF,Define the most important issues or actions for management to achieve control over and within its IT processes,Key Goal Indicators (KGI,Define measures that tell management -after the fact- whether an IT process has achieved its business requirements,Key Performance Indicators (KP