IT审计与控制模型COBIT(同济大学刘仲英教授)

AdvancedInformationTechnologyandManagementITAuditandControlModelofInformationandRelatedTechnology-----COBITHukejinWhzhu@sh163.netITAuditISACA(InformationSystemsAuditandControlAssociation)CISA(CertifiedInformationSystemAuditor)COBIT----ControlObjectivesForInformationandRelatedTechnologyInformationSystemsAuditandControlFoundationITGovernanceInstitute1.ITAuditOverview2.COBITOverview3.COBITArchitecture4.ControlObjectives5.ManagementGuidelines6.AuditGuidelines1.ITAuditOverviewAuditingObjectivesSecurityReliabilityEffectivenessScopeoftheaudit1)InformationSystems2)tocoverlifecycleofISAuditPlan$DefinitionofScopeandObjectives.$Analysisandunderstandingofstandardprocedures.$Evaluationofsystemandinternalcontrols.$AuditProceduresanddocumentationofevidence.$Analysisoffactsencountered.$Formationofopinionoverthecontrols.$Presentationofreportandrecommendations.AuditTechniques$Compliancetests.$Substantivetests.$Auditingprogram.$IntegratedTestFacility.$ParallelSimulation.$Snapshot$Tracing$ProgramCodeComparison$ComputerAssistedAuditTechniquesandTools.AuditWorkTeam$Manager:Responsiblefortheauditandqualitycontrol.$Senior/teamleader:Responsiblefortheworkpapers.$Staff:Responsiblefortheperformanceoftheaudit.AuditReportProgressReports.WorkPapers.OtherWorkPapers.PreliminaryReports.FinalAuditReport.1）Whatisourmission?2）Whatareourgoalsandhowwillweachievethem?3）Howcanwemeasureourperformance?4）Howwillweusethatinformationtomakeimprovements?1）AccountingAudit2）SystemAudit3）PerformanceAuditBusinessReferenceModel(BRM)•LinesofBusiness•Agencies,Customers,PartnersServiceComponentReferenceModel(SRM)•ServiceDomains,ServiceTypes•Business&ServiceComponentsTechnicalReferenceModel(TRM)•ServiceComponentInterfaces,Interoperability•Technologies,RecommendationsData&InformationReferenceModel(DRM)•Business-focusedDataStandardization•Cross-AgencyInformationExchangesPerformanceandBusiness-DrivenPerformanceReferenceModel(PRM)•Inputs,Outputs,andOutcomes•UniquelyTailoredITPerformanceIndicatorsComponent-BasedArchitecturesPerformanceReferenceModel(PRM)•Inputs,Outputs,andOutcomes•UniquelyTailoredITPerformanceIndicatorsBusinessReferenceModel(BRM)•LinesofBusiness•Agencies,Customers,PartnersServiceComponentReferenceModel(SRM)•ServiceDomains,ServiceTypes•Business&ServiceComponentsTechnicalReferenceModel(TRM)•ServiceComponentInterfaces,Interoperability•Technologies,RecommendationsData&InformationReferenceModel(DRM)•Business-focusedDataStandardization•Cross-AgencyInformationExchangesPerformanceandBusiness-DrivenComponent-BasedArchitecturesTHEFEAREFERENCEMODELFRAMEWORKHUMANCAPITALMISSIONANDBUSINESSRESULTSCUSTOMERRESULTDVALUEVALUESTRATEGICOUTCOMSINPUTTECHONLOGYOTHERFIXEDASSETSPROCESSANDACTIVITYMissionandbusiness-criticalresultsalignedwiththeBusinessReferenceModel.ResultsmeasuredfromacustomerperspectiveThedirecteffectsofday-to-dayactivitiesandbroaderprocessesmeasuredasdrivenbydesiredoutcomes.UsedtofurtherdefineandmeasuretheModeofDeliveryinThebusinessreferencemodel.Keyenablersmeasuredthroughtheircontributiontooutputs–andbyextensionoutcomesDataandInformationReferenceModel(DRM)DataandInformationReferenceModel(DRM)iscurrentlyunderdevelopmentCOBITisthemodelforITgovernance!!!2.COBITOverviewBusinessRequirementsITManagementITResources1).ExecutiveSummary2).Framework3).ControlObjectives4).ManagementGuidelines5).AuditGuidelines6).ImplementationToolsetThecontrolofwhichsatisfyisenabledbyconsideringITProcessesBusinessRequirementsControlStatementsControlPracticesDataApplicationSystemsTechnologyFacilitiesPeopleEventsBusinessObjectivesBusinessOpportunitiesExternalRequirementsRegulationsRisksInformationEffectivenessConfidentialityIntegrityAvailabilityComplianceReliabilityMessageinputServiceoutputBusinessProcessesInformationITResourcesITResourcesPeopleApplicationSystemsTechnologyFacilitiesDataInformationCriteriaeffectivenessconfidentialityintegrityavailabilitycompliancereliability?DotheymatchWhatyougetWhatyouneedInformationcriteriaITdomainsITresourcesPlanning&organizationAcquisition&implementationDelivery&supportMonitoringDomainsProcessesActivitiesInformationCriteriaITProcessespeopleDomainsProcessesActivities/Tasks3.COBITArchitectureManagementframeworkManagementguidelinesControlobjectivesAuditguidelinesToolsetManagementguidelinesMaturitymodelsCriticalsuccessfactorsKeygoalindicatorsKeyperformanceindicatorsITdomainsPlanning&OrganizationAcquisition&ImplementationDelivery&SupportMonitoringCOBITITProcessesDefinedWithintheFourDomainsCOBITBusinessObjectivesInformationITResourcesPlanning&OrganizationAcquisition&ImplementationDelivery&SupportMonitoringITResourcesITResourcesApplicationSystemsDataApplicationSystemsTechnologyFacilitiesPeopleDomainsProcessesProcessesActivities/TasksInformationCriteriaQualityFiduciarySecurityQualityCostDeliveryEffectivenessEfficiencyReliabilityComplianceConfidentialityIntegrityAvailability4.ControlObjectivesHigh--LevelControlObjectives34(ControlOvertheITProcess)ControlObjectives318(ControlOvertheActivities/Tasks)Planning&OrganizationPO1defineastrategicITplanPO2definetheinfo