IT审计与控制模型COBIT同济大学刘仲英教授

1、Advanced Information Advanced Information Technology and Technology and ManagementManagementIT Audit and Control Model of Information and Related Technology -COBITHu kejin WIT AuditISACA (Information Systems Audit andControl Association)CISA (Certified Information System Auditor)COBIT-Control Object

2、ives For Information and Related TechnologyInformation Systems Audit and ControlFoundationIT Governance Institute1. IT Audit Overview2. COBIT Overview3. COBIT Architecture4. Control Objectives5. Management Guidelines6. Audit Guidelines1. IT Audit OverviewAuditingObjectivesSecurity Reliability Effect

3、ivenessScope of the audit1) Information Systems2) to cover life cycle of ISAudit Plan$ Definition of Scope and Objectives.$ Analysis and understanding of standard procedures.$ Evaluation of system and internal controls.$ Audit Procedures and documentation of evidence.$ Analysis of facts encountered.

4、$ Formation of opinion over the controls.$ Presentation of report and recommendations.Audit Techniques$ Compliance tests.$ Substantive tests.$ Auditing program.$ Integrated Test Facility.$ Parallel Simulation.$ Snapshot$ Tracing $ Program Code Comparison$ Computer Assisted Audit Techniques and Tools

5、.Audit Work Team$ Manager: Responsible for the audit andquality control.$ Senior/team leader: Responsible for thework papers.$ Staff: Responsible for the performanceof the audit. Audit ReportProgress Reports.Work Papers.Other Work Papers.Preliminary Reports.Final Audit Report.1）What is our mission?2

6、）What are our goals and how will we achieve them?3）How can we measure our performance?4）How will we use that information tomake improvements?1）Accounting Audit2）System Audit3）Performance AuditBusiness Reference Model (BRM)? Lines of Business? Agencies, Customers, PartnersService Component Reference

7、Model (SRM)?Service Domains, Service Types?Business & Service ComponentsTechnical Reference Model (TRM)?Service Component Interfaces, Interoperability? Technologies, RecommendationsData & Information Reference Model (DRM)? Business-focused Data Standardization? Cross-Agency Information Excha

8、ngesPerformance and Business-DrivenPerformance Reference Model (PRM)?Inputs, Outputs, and Outcomes?Uniquely Tailored IT Performance IndicatorsComponent-Based ArchitecturesPerformance Reference Model (PRM)?Inputs, Outputs, and Outcomes?Uniquely Tailored IT Performance IndicatorsBusiness Reference Mod

9、el (BRM)? Lines of Business? Agencies, Customers, PartnersService Component Reference Model (SRM)?Service Domains, Service Types?Business & Service ComponentsTechnical Reference Model (TRM)?Service Component Interfaces, Interoperability? Technologies, RecommendationsData & Information Refere

10、nce Model (DRM)? Business-focused Data Standardization? Cross -Agency Information ExchangesPerformance and Business-DrivenComponent-Based ArchitecturesTHE FEA REFERENCE MODEL FRAMEWORKHUMAN CAPITAL MISSION AND BUSINESSRESULTSCUSTOMERRESULTDVALUE VALUE STRATEGIC OUTCOMSINPUTTECHONLOGY OTHERFIXED ASSE

11、TSPROCESS AND ACTIVITY Mission and business-critical resultsaligned with the Business ReferenceModel. Results measured from a customerperspectiveThe direct effects of day-to-day activitiesand broader processes measured as driveby desired outcomes. Used to furtherdefine and measure the Mode of Delive

12、ryin The business reference model.Key enablers measured throughtheir contribution to outputs and by extension outcomesData and Information Reference Model (DRM)Data and Information Reference Model (DRM) is currently under developmentCOBIT is the model for IT governance!2. COBIT OverviewBusinessRequi

13、rementsIT ManagementIT Resources1). Executive Summary2). Framework3).Control Objectives4).Management Guidelines5).Audit Guidelines6).Implementation Tool setThe control ofwhich satisfyis enabled byconsideringIT ProcessesBusinessRequirementsControlStatementsControlPracticesDataApplication SystemsTechn

14、ologyFacilitiesPeopleEventsBusiness ObjectivesBusiness OpportunitiesExternal RequirementsRegulationsRisksInformationEffectivenessConfidentialityIntegrityAvailabilityComplianceReliabilityMessageinputServiceoutputBusinessProcessesInformationIT ResourcesIT ResourcesPeopleApplication SystemsTechnologyFa

15、cilitiesDataInformation Criteriaeffectivenessconfidentialityintegrityavailabilitycompliancereliability?Do they matchWhat you getWhat you needInformation criteriaITdomainsITresourcesPlanning & organizationAcquisition &implementationDelivery &supportMonitoringDomainsProcessesActivitiesInfo

16、rmation CriteriaIT ProcessespeopleDomainsProcessesActivities/Tasks3. COBIT ArchitectureManagementframeworkManagementguidelinesControlobjectivesAuditguidelinesTool setManagementguidelinesMaturitymodelsCritical successfactorsKey goalindicatorsKey performancindicatorsIT domainsPlanning &Organizatio

17、nAcquisition &ImplementationDelivery &SupportMonitoringCOBIT IT Processes Defined Within the Four DomainsCOBITBusinessObjectivesInformationIT ResourcesPlanning &OrganizationAcquisition &ImplementationDelivery &SupportMonitoringIT ResourcesIT ResourcesDataApplication SystemsTechno

18、logyFacilitiesPeopleDomainsProcessesProcessesActivities/TasksInformation CriteriaQualityFiduciarySecurityQualityCostDeliveryEffectivenessEfficiencyReliabilityComplianceConfidentialityIntegrityAvailability4.Control ObjectivesHigh-Level Control Objectives 34(Control Over the IT Process)Control Objecti

19、ves 318(Control Over the Activities/Tasks) Planning & OrganizationPO1 define a strategic IT planPO2 define the information architecturePO3 determine the technological directionPO4 define the IT organization and relationshipsPO5 manage the IT investmentPO6 communicate management aims and directio

20、nPO7 manage human resourcesPO8 ensure compliance with external requirementsPO9 assess risksPO10 manage projectsPO11 manage quality Acquisition &ImplementationAI1 identify solutionsAI2 acquire and maintain application softwareAI3 acquire and maintain technology architectureAI4 develop and maintai

21、n IT proceduresAI5 install and accredit systemsAI6 manage changesDelivery &SupportDS1 define service levelsDS2 manage third-party servicesDS3 manage performance and capacityDS4 ensure continuous serviceDS5 ensure systems securityDS6 identify and attribute costsDS7 educate and train usersDS8 assi

22、st and advise IT customersDS9 manage the configurationDS10 manage problems and incidentsDS11 manage dataDS12 manage facilitiesDS13 manage operationsMonitoringM1 monitor the processesM2 assess internal control adequacyM3 obtain independent assuranceM4 provide for independent auditDOMAINProcessInforma

23、tion CriteriaIT ResourcesPlanning & OrganizationPO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11EffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceReliabilityPeopleApplication SystemsTechnologyFacilitiesDataDOMAIN ProcessInformation CriteriaIT ResourcesPeopleApplication SystemsTec

24、hnologyFacilitiesDataPO1 define a strategic IT planPlanning & OrganizationPO2 define theinformationarchitectureP S S SP SManagements Question1. How do responsible managers“keep the ship on course”?2. How to achieve results that aresatisfactory for the largest possiblesegment of our stakeholders?

25、3. How to timely adapt the organizationto trends and developments in the enterprises environment?DashboardsScorecardsBenchmarking5. Management GuidelinesMaturity ModelsCSFKGIKPI Generic Maturity Model0 Non-Existent1 Initial2 Repeatable3 Defined4 Managed5 Optimized 012345Non-ExistentInitial Repeatabl

26、eDefinedManagedOptimizedEnterprise Current StatusInternational Standard GuidelinesIndustry Best PracticeEnterprise StrategyGoalsEnablersBalanced BusinessScorecardInformationTechnologyMeasure(Outcome)Measure(Performance)Critical SuccessFactors (CSF)Define the most important issues or actionsfor management to achieve control over and within its IT processes.Key Goal Indicators(KGI)Define measures that tell management-after the fact-whether an IT process has achieved itsbusiness requirementsKey Performanc