IT Audit and Control Model COBIT (Prof. Liu Zhongying, Tongji University) 9561

Uploaded by: 仙*** Document ID: 243958305 Upload date: 2024-10-01 Format: PPTX Pages: 61 Size: 885.69KB
Resource description
Advanced Information Technology and Management
IT Audit and Control Model of Information and Related Technology - COBIT
Hu kejin, Whzhu

IT Audit
- ISACA (Information Systems Audit and Control Association)
- CISA (Certified Information System Auditor)
- COBIT - Control Objectives for Information and Related Technology
- Information Systems Audit and Control Foundation
- IT Governance Institute

Contents
1. IT Audit Overview
2. COBIT Overview
3. COBIT Architecture
4. Control Objectives
5. Management Guidelines
6. Audit Guidelines

1. IT Audit Overview

Auditing Objectives: Security, Reliability, Effectiveness

Scope of the audit:
1) Information Systems
2) To cover the life cycle of IS

Audit Plan
- Definition of scope and objectives.
- Analysis and understanding of standard procedures.
- Evaluation of system and internal controls.
- Audit procedures and documentation of evidence.
- Analysis of facts encountered.
- Formation of opinion over the controls.
- Presentation of report and recommendations.

Audit Techniques
- Compliance tests.
- Substantive tests.
- Auditing program.
- Integrated Test Facility.
- Parallel Simulation.
- Snapshot.
- Tracing.
- Program Code Comparison.
- Computer Assisted Audit Techniques and Tools.

Audit Work Team
- Manager: responsible for the audit and quality control.
- Senior/team leader: responsible for the work papers.
- Staff: responsible for the performance of the audit.

Audit Report
- Progress Reports.
- Work Papers.
- Other Work Papers.
- Preliminary Reports.
- Final Audit Report.

Questions an audit should answer:
1) What is our mission?
2) What are our goals and how will we achieve them?
3) How can we measure our performance?
4) How will we use that information to make improvements?

Types of audit:
1) Accounting Audit
2) System Audit
3) Performance Audit

The FEA Reference Model Framework (figure)
- Performance Reference Model (PRM): Inputs, Outputs, and Outcomes; Uniquely Tailored IT Performance Indicators.
- Business Reference Model (BRM): Lines of Business, Agencies, Customers, Partners.
- Service Component Reference Model (SRM): Service Domains, Service Types; Business & Service Components.
- Technical Reference Model (TRM): Service Component Interfaces, Interoperability, Technologies, Recommendations.
- Data & Information Reference Model (DRM): Business-focused Data Standardization, Cross-Agency Information Exchanges.
The framework is labelled "Performance and Business-Driven" at the top and "Component-Based Architectures" at the bottom.

Performance Reference Model (figure): Strategic Outcomes; Mission and Business Results; Customer Results; Process and Activity; Inputs (Human Capital, Technology, Other Fixed Assets); Value.
- Mission and business-critical results aligned with the Business Reference Model. Results measured from a customer perspective.
- The direct effects of day-to-day activities and broader processes, measured as driven by desired outcomes. Used to further define and measure the Mode of Delivery in the Business Reference Model.
- Key enablers measured through their contribution to outputs and, by extension, outcomes.
The Data and Information Reference Model (DRM) is currently under development.

COBIT is the model for IT governance!

2. COBIT Overview

COBIT links Business Requirements, IT Management and IT Resources.

COBIT products:
1) Executive Summary
2) Framework
3) Control Objectives
4) Management Guidelines
5) Audit Guidelines
6) Implementation Tool Set

The framework statement: the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

IT Resources: Data, Application Systems, Technology, Facilities, People.

Events driving business requirements: Business Objectives, Business Opportunities, External Requirements, Regulations, Risks.

Information criteria: Effectiveness, Confidentiality, Integrity, Availability, Compliance, Reliability.

Business Processes (figure): a Message (input) is processed into a Service (output); Information is produced by the IT Resources (People, Application Systems, Technology, Facilities, Data) and judged against the Information Criteria (effectiveness, confidentiality, integrity, availability, compliance, reliability). Do they match? What you get versus what you need.

The COBIT cube has three dimensions:
- Information criteria
- IT domains: Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring
- IT resources
Each domain is decomposed into Processes and Activities. Information Criteria are grouped as Quality, Fiduciary and Security; IT Resources are People, Application Systems, Technology, Facilities, Data.

3. COBIT Architecture

Management framework: Management guidelines, Control objectives, Audit guidelines, Tool set.

Management guidelines: Maturity models, Critical success factors, Key goal indicators, Key performance indicators.

IT domains: Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring.

COBIT IT Processes Defined Within the Four Domains (figure): Business Objectives drive COBIT; Information is produced by IT Resources (Data, Application Systems, Technology, Facilities, People) across the four domains, each broken down into Processes and Activities/Tasks.

Information Criteria:
- Quality: Quality, Cost, Delivery
- Fiduciary: Effectiveness, Efficiency, Reliability, Compliance
- Security: Confidentiality, Integrity, Availability

4. Control Objectives

High-Level Control Objectives: 34 (Control over the IT Process)
Control Objectives: 318 (Control over the Activities/Tasks)

Planning & Organization
PO1 define a strategic IT plan
PO2 define the information architecture
PO3 determine the technological direction
PO4 define the IT organization and relationships
PO5 manage the IT investment
PO6 communicate management aims and direction
PO7 manage human resources
PO8 ensure compliance with external requirements
PO9 assess risks
PO10 manage projects
PO11 manage quality

Acquisition & Implementation
AI1 identify solutions
AI2 acquire and maintain application software
AI3 acquire and maintain technology architecture
AI4 develop and maintain IT procedures
AI5 install and accredit systems
AI6 manage changes

Delivery & Support
DS1 define service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify and attribute costs
DS7 educate and train users
DS8 assist and advise IT customers
DS9 manage the configuration
DS10 manage problems and incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations

Monitoring
M1 monitor the processes
M2 assess internal control adequacy
M3 obtain independent assurance
M4 provide for independent audit

Process summary table (figure): for each Domain and Process (PO1 to PO11 shown for Planning & Organization), the Information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) and the IT Resources (People, Application Systems, Technology, Facilities, Data) concerned. Excerpt: PO1 define a strategic IT plan: P S S S; PO2 define the information architecture: P S.

Management's Questions
1. How do responsible managers "keep the ship on course"?
2. How to achieve results that are satisfactory for the largest possible segment of our stakeholders?
3. How to timely adapt the organization to trends and developments in the enterprise's environment?

Tools: Dashboards, Scorecards, Benchmarking.

5. Management Guidelines

Maturity Models, CSF, KGI, KPI.

Generic Maturity Model
0 Non-Existent
1 Initial
2 Repeatable
3 Defined
4 Managed
5 Optimized
Positions on the scale (figure): Enterprise Current Status, International Standard Guidelines, Industry Best Practice, Enterprise Strategy.

Goals and Enablers are measured through the Balanced Business Scorecard for Information Technology: Measure (Outcome) for goals and Measure (Performance) for enablers.

Critical Success Factors (CSF): define the most important issues or actions for management to achieve control over and within its IT processes.

Key Goal Indicators (KGI): define measures that tell management, after the fact, whether an IT process has achieved its business requirements.

Key Performance Indicators (KPI): define measures to determine how well the IT process is performing in enabling the goal to be reached.

IT Governance cycle (figure): Goal, Compare, Process, Activities, Control, Information Objectives; Plan, Do, Check, Correct. IT Governance: Control, Direct. IT Activities: Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring. Manage risks, Realize benefits; Objectives, Report.

Balanced Business Scorecard for Information Technology (figure): Financial Perspective, Customer Perspective, Internal Processes, Learn and Innovate, each with Goal and Measures. Goals are measured by KGI (measure of outcome) and Enablers by KPI (measure of performance), against the criteria Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.

6. Audit Guidelines

Audit Guidelines: Standards, Guidelines, Procedures.
Auditing Objectives: Effectiveness, Reliability, Security.

End of presentation. Thank you for watching!