Application-level IT Risk Assessment
Kerry L. Shackelford, KLS Consulting LLC
ISACA Denver Chapter Meeting, February 21, 2008

Slide 2: Outline
- Why this topic?
- SEC interpretive guidance
- ABC's implementation approach
- Design of the ITRA model
- Model walk-through / Q&A

Slide 3: Why This Topic? GRC Spending Skyrockets
Governance:
- Board and Entity Management
- Corporate Policy and Procedure Management
- IT Governance (CobiT, ISO 17799 & 27001-ISM)
- Internal Audit Departments
Risk:
- Enterprise Risk Mgt (COSO, COCO)
- Operational Risk Mgt
- IT Risk Mgt (CobiT, ITIL, etc.)
- Financial Institution Risk Mgt (Basel II, etc.)
Compliance:
- Public Companies (Sarbanes-Oxley, NYSE, Nasdaq, Turnbull, etc.)
- SOX-Like (Japan, Canada, EU)
- Specific Areas (PCI-DSS, AML, etc.)
- Personal Information (FTC, HIPAA, GLBA, COPPA, EUD, etc.)

Slide 4: Why This Topic? US Congress Responds (figure only)

Slide 5: Why This Topic? Corporate Outcry Begins
"The first-year implementation of new requirements for public companies' internal control over financial reporting (ICFR) proved more burdensome and costly than expected, resulting in an outcry from corporate America." Journal of Accountancy, "Two Years and Counting", June 2007

Slide 6: Why This Topic? Fix: Audit Firms
Per the PCAOB policy statement issued 5/16/05, auditors should:
- Integrate their audits
- Tailor audit plans to their clients' risks
- Use a top-down approach
- Use the work of others
- Communicate directly and timely with clients

Slide 7: Why This Topic? SOX Year Two - 2005 (figure only)

Slide 8: Why This Topic? Corporate Outcry (Cont)
- The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began. Source: "Second Anniversary: The Impact of Sarbanes-Oxley," Institutional Shareholder Services

Slide 9: Why This Topic? Fix: Issuer (& Audit Firms) (figure only)

Slide 10: SEC Interpretive Guidance for Issuer Management
- Guidance Regarding Management's Report on Internal Control Over Financial Reporting
  - Effective Date: June 27, 2007
- ACTION: Interpretation

Slide 11: SEC Interpretive Guidance: Underlying Principles
- Management should:
  - Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
  - Base its assessment of risk on the evaluation of evidence about the operation of its controls.

Slide 12: SEC Interpretive Guidance: Benefits (figure only)

Slide 13: ITRA Overview - Approach
- Use risk factors (risk assessment evaluation criteria) to assess the level of inherent risk and control risk for each application system.
- Use the resultant risk ratings to determine the level of overall risk according to the Company's methodology.
- Use the overall risk assessment rating to guide the appropriate level of internal control evaluation procedures to be applied.

Slide 14: (figure only)

Slide 15: ITRA Model Walk-Through

Slide 16: ITRA Run Settings
- Assignment of point values to risk factors
- Break points which define Low, Medium, and High risk applications
- Excluding risk factor categories from results
- Excluding missing / unknown data

Slide 17: ITRA Risk Factors
- Information Categories
  - APPL (Application Systems)
  - ADOS (Application / Database Server Operating Systems)
  - DBMS (Data Base Management Systems)
- Plus basic APPL information
- Bias towards objective vs subjective evaluation criteria

Slide 18: ITRA APPL Basic Information
- Name
- SOX-Indicator-IC-Dept
- Vendor-Name
- Original-Implementation-Date
- Major-Release-Implementation-Date
- Software-Version
- Support-Source
- Infrastructure Management-Source
- App-Server-OS-Vendor, Product, Version, & SP-Level
- DB-Server-OS-Vendor, Product, Version, & SP-Level
- DB-DBMS-Vendor, Product, Version, & SP-Level

Slide 19: ITRA APPL Risk Factors (1 of 2)
- Vendor-Reputation
- Months-Post-Original-Implementation-Date
- Months-Post-Major-Release-Date
- Version-Supported
- Users-Count
- Customization
- User-Configurable
- Simple-or-Complex-Logic
- Interfaces-Total-Count
- Interfaces-Manual-Count
- Changes-Count-Normal
- Changes-Count-Emergency
- Failures-Count
- Restores-Count

Slide 20: ITRA APPL Risk Factors (2 of 2)
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QAAR-Count
- Gaps-SOD-Count
- Gaps-Other-Count
- Outages-Count-Days
- Outages-Hours
- Processes-Supported-Count
- BP-Risk-Average-Inherent
- Materiality-I-Count
- Materiality-G-Count
- Materiality-S-Count
- IT Tier

Slide 21: ITRA ADOS Risk Factors
- Outsourcer-SAS 70 Report Opinion, Testing Exceptions-Moderate, & Testing Exceptions-Major
- App Server OS-Vendor-Reputation
- DB Server OS-Vendor-Reputation
- App Server OS-Version-Supported
- DB Server OS-Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QOSR-Count
- Gaps-Other-Count
- Production-Server-Count

Slide 22: ITRA DBMS Risk Factors
- Vendor-Reputation
- Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QDBR-Count
- Gaps-Other-Count

Slide 23: ITRA Model Walk-Through (cont)

Slide 24: ITRA Major Data Sources
- IC Department
  - APPL Lists
  - CMS Reports
  - APPL Narratives
  - Detailed Assessment
  - ITGC
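The approach on slide 13 and the run settings on slide 16 together describe a scoring run: each application's factor values are converted to points, the points are rated against break points as inherent and control risk, the two ratings are combined into an overall rating, and that rating selects the depth of control testing. The deck gives the factor names and the names of the settings but none of the numbers, so the following is an added illustration and not the presenter's model: the inherent/control split of the factors, the point bands, the (30, 60) break points, the worst-case treatment of unknown values when they are not excluded, the "higher of the two ratings" overall rule, the procedure mapping, and the sample application are all assumptions made for this example. Factor keys are (category, factor) pairs because Gaps-Security-Count appears in all three categories.

```python
"""ITRA-style application scoring run (added example, not the presenter's model).

The deck names the factors and the run settings (point values, break points,
category exclusion, unknown-data exclusion) but gives no numbers; every table
below is an assumption made for illustration.
"""
from dataclasses import dataclass

# (information category, factor) -> risk type. Factor names follow the deck's
# lists; which factors drive inherent vs control risk is an assumption.
FACTORS = {
    ("APPL", "Users-Count"): "inherent",
    ("APPL", "Interfaces-Manual-Count"): "inherent",
    ("APPL", "Customization"): "inherent",
    ("APPL", "Materiality-S-Count"): "inherent",
    ("APPL", "Changes-Count-Emergency"): "control",
    ("APPL", "Gaps-SOD-Count"): "control",
    ("ADOS", "App Server OS-Version-Supported"): "control",
    ("ADOS", "Outsourcer-SAS 70 Testing Exceptions-Major"): "control",
    ("DBMS", "Gaps-Security-Count"): "control",
}

def bands(*cuts):
    """Step function for count-type factors. cuts = (upper_bound, points) in
    ascending order, last upper_bound None. Returns (scorer, max_points)."""
    def scorer(value):
        for upper, points in cuts:
            if upper is None or value <= upper:
                return points
        raise ValueError("no band matched")  # unreachable when last upper is None
    return scorer, max(points for _, points in cuts)

def flag(points, risky_when=True):
    """Yes/no factor: full points when the value equals the risky state."""
    return (lambda value: points if bool(value) == risky_when else 0), points

# Assumed point table (slide 16: "assignment of point values to risk factors").
DEFAULT_POINTS = {
    ("APPL", "Users-Count"): bands((50, 1), (500, 3), (None, 5)),
    ("APPL", "Interfaces-Manual-Count"): bands((0, 0), (2, 2), (None, 4)),
    ("APPL", "Customization"): flag(3),
    ("APPL", "Materiality-S-Count"): bands((0, 0), (2, 3), (None, 5)),
    ("APPL", "Changes-Count-Emergency"): bands((0, 0), (3, 2), (None, 5)),
    ("APPL", "Gaps-SOD-Count"): bands((0, 0), (1, 3), (None, 5)),
    ("ADOS", "App Server OS-Version-Supported"): flag(4, risky_when=False),
    ("ADOS", "Outsourcer-SAS 70 Testing Exceptions-Major"): bands((0, 0), (None, 5)),
    ("DBMS", "Gaps-Security-Count"): bands((0, 0), (2, 3), (None, 5)),
}

# Assumed mapping of overall rating to evaluation depth (slide 13, third bullet).
PROCEDURES = {
    "Low": "inquiry and walkthrough of key controls",
    "Medium": "walkthrough plus limited re-performance",
    "High": "full test of operating effectiveness on an expanded sample",
}

@dataclass
class RunSettings:
    points: dict                                  # (category, factor) -> (scorer, max_points)
    break_points: tuple = (30, 60)                # % of max points: <=30 Low, <=60 Medium, else High
    excluded_categories: frozenset = frozenset()  # e.g. {"ADOS"} when infrastructure is out of scope
    exclude_unknown: bool = True                  # True: drop None values; False: score them at max

def rate(pct, break_points):
    low_max, medium_max = break_points
    return "Low" if pct <= low_max else "Medium" if pct <= medium_max else "High"

def score_application(factors, settings):
    """factors: (category, factor) -> raw value, or None when unknown.
    Returns inherent and control (pct, rating), the overall rating, the
    procedure level it selects, and the factor keys skipped as unknown."""
    earned = {"inherent": 0, "control": 0}
    possible = {"inherent": 0, "control": 0}
    skipped = []
    for key, (scorer, max_points) in settings.points.items():
        if key[0] in settings.excluded_categories:
            continue
        value = factors.get(key)
        if value is None:
            if settings.exclude_unknown:
                skipped.append(key)   # left out of numerator and denominator
                continue
            points = max_points       # conservative: unknown scored as worst case
        else:
            points = scorer(value)
        kind = FACTORS[key]
        earned[kind] += points
        possible[kind] += max_points
    result = {"skipped_unknown": skipped}
    for kind in earned:
        pct = round(100 * earned[kind] / possible[kind]) if possible[kind] else 0
        result[kind] = (pct, rate(pct, settings.break_points))
    # Assumed "Company methodology": overall risk is the higher of the two ratings.
    order = ["Low", "Medium", "High"]
    result["overall"] = max(result["inherent"][1], result["control"][1], key=order.index)
    result["procedures"] = PROCEDURES[result["overall"]]
    return result

# Constructed sample application, not a real system.
SAMPLE_APP = {
    ("APPL", "Users-Count"): 800,
    ("APPL", "Interfaces-Manual-Count"): 3,
    ("APPL", "Customization"): True,
    ("APPL", "Materiality-S-Count"): 1,
    ("APPL", "Changes-Count-Emergency"): 2,
    ("APPL", "Gaps-SOD-Count"): 0,
    ("ADOS", "App Server OS-Version-Supported"): True,
    ("ADOS", "Outsourcer-SAS 70 Testing Exceptions-Major"): None,  # SAS 70 report not yet received
    ("DBMS", "Gaps-Security-Count"): 1,
}

if __name__ == "__main__":
    print("default run:", score_application(SAMPLE_APP, RunSettings(DEFAULT_POINTS)))
    print("unknowns at max:", score_application(SAMPLE_APP, RunSettings(DEFAULT_POINTS, exclude_unknown=False)))
    print("APPL excluded:", score_application(SAMPLE_APP, RunSettings(DEFAULT_POINTS, excluded_categories=frozenset({"APPL"}))))
```

Two run-setting effects are worth seeing on the sample: with the missing SAS 70 result excluded the control score is 26% (Low), but scored as worst case it becomes 42% (Medium), so the unknown-data setting alone moves the rating; and excluding a whole category changes the denominator as well as the numerator, which is why the percentages of the remaining factors shift when APPL is dropped. Whatever numbers a real run uses, the point table and break points should be fixed before the data are loaded, otherwise the settings can be tuned until the testing population looks convenient.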