Advanced Information Technology and Management
IT Audit and Control Model of Information and Related Technology - COBIT
Hu kejin, Whzhu

IT Audit
- ISACA (Information Systems Audit and Control Association)
- CISA (Certified Information System Auditor)
- COBIT - Control Objectives for Information and Related Technology
- Information Systems Audit and Control Foundation
- IT Governance Institute

Contents
1. IT Audit Overview
2. COBIT Overview
3. COBIT Architecture
4. Control Objectives
5. Management Guidelines
6. Audit Guidelines

1. IT Audit Overview

Auditing Objectives: Security, Reliability, Effectiveness

Scope of the audit:
1) Information Systems
2) to cover the life cycle of IS

Audit Plan
- Definition of scope and objectives.
- Analysis and understanding of standard procedures.
- Evaluation of system and internal controls.
- Audit procedures and documentation of evidence.
- Analysis of facts encountered.
- Formation of opinion over the controls.
- Presentation of report and recommendations.

Audit Techniques
- Compliance tests.
- Substantive tests.
- Auditing program.
- Integrated Test Facility.
- Parallel Simulation.
- Snapshot.
- Tracing.
- Program Code Comparison.
- Computer Assisted Audit Techniques and Tools.

Audit Work Team
- Manager: responsible for the audit and quality control.
- Senior / team leader: responsible for the work papers.
- Staff: responsible for the performance of the audit.

Audit Report
- Progress Reports.
- Work Papers.
- Other Work Papers.
- Preliminary Reports.
- Final Audit Report.

1) What is our mission?
2) What are our goals and how will we achieve them?
3) How can we measure our performance?
4) How will we use that information to make improvements?

1) Accounting Audit
2) System Audit
3) Performance Audit

The FEA Reference Model Framework (figure)
- Performance Reference Model (PRM): Inputs, Outputs, and Outcomes; Uniquely Tailored IT Performance Indicators
- Business Reference Model (BRM): Lines of Business, Agencies, Customers, Partners
- Service Component Reference Model (SRM): Service Domains, Service Types, Business & Service Components
- Technical Reference Model (TRM): Service Component Interfaces, Interoperability, Technologies, Recommendations
- Data & Information Reference Model (DRM): Business-focused Data Standardization, Cross-Agency Information Exchanges
- Performance and Business-Driven; Component-Based Architectures

Performance Reference Model (figure): Inputs (Human Capital, Technology, Other Fixed Assets), Processes and Activities, Value, Strategic Outcomes (Mission and Business Results, Customer Results)
- Strategic outcomes: mission and business-critical results aligned with the Business Reference Model; results measured from a customer perspective.
- Processes and activities: the direct effects of day-to-day activities and broader processes, measured as driven by desired outcomes; used to further define and measure the Mode of Delivery in the business reference model.
- Inputs: key enablers measured through their contribution to outputs and, by extension, outcomes.

Data and Information Reference Model (DRM) is currently under development.

COBIT is the model for IT governance!

2. COBIT Overview

Figure: Business Requirements, IT Management, IT Resources.

COBIT components:
1) Executive Summary
2) Framework
3) Control Objectives
4) Management Guidelines
5) Audit Guidelines
6) Implementation Tool set

The control of IT Processes which satisfy Business Requirements is enabled by Control Statements considering Control Practices.

IT Resources: Data, Application Systems, Technology, Facilities, People.

Events: Business Objectives, Business Opportunities, External Requirements, Regulations, Risks.
Information criteria: Effectiveness, Confidentiality, Integrity, Availability, Compliance, Reliability.

Figure: Message (input) -> Business Processes -> Service (output); Information; IT Resources (People, Application Systems, Technology, Facilities, Data); Information Criteria (effectiveness, confidentiality, integrity, availability, compliance, reliability). Do they match? What you get versus what you need.

COBIT cube (figure): Information criteria x IT domains (Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring) x IT resources.
- Information Criteria: Quality, Fiduciary, Security
- IT Resources: People, Application Systems, Technology, Facilities, Data
- IT Processes: Domains, Processes, Activities/Tasks

3. COBIT Architecture

Management framework: Management guidelines, Control objectives, Audit guidelines, Tool set.
Management guidelines: Maturity models, Critical success factors, Key goal indicators, Key performance indicators.
IT domains: Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring.

COBIT IT Processes Defined Within the Four Domains (figure): Business Objectives -> Information -> IT Resources (Data, Application Systems, Technology, Facilities, People); the four domains Planning & Organization, Acquisition & Implementation, Delivery & Support and Monitoring form a cycle; Domains -> Processes -> Activities/Tasks.
Information Criteria:
- Quality: Quality, Cost, Delivery
- Fiduciary: Effectiveness, Efficiency, Reliability, Compliance
- Security: Confidentiality, Integrity, Availability

4. Control Objectives

High-Level Control Objectives: 34 (control over the IT process)
Control Objectives: 318 (control over the activities/tasks)

Planning & Organization
PO1 define a strategic IT plan
PO2 define the information architecture
PO3 determine the technological direction
PO4 define the IT organization and relationships
PO5 manage the IT investment
PO6 communicate management aims and direction
PO7 manage human resources
PO8 ensure compliance with external requirements
PO9 assess risks
PO10 manage projects
PO11 manage quality

Acquisition & Implementation
AI1 identify solutions
AI2 acquire and maintain application software
AI3 acquire and maintain technology architecture
AI4 develop and maintain IT procedures
AI5 install and accredit systems
AI6 manage changes

Delivery & Support
DS1 define service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify and attribute costs
DS7 educate and train users
DS8 assist and advise IT customers
DS9 manage the configuration
DS10 manage problems and incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations

Monitoring
M1 monitor the processes
M2 assess internal control adequacy
M3 obtain independent assurance
M4 provide for independent audit

Summary table (figure; cell values did not survive extraction): for each Domain and Process (PO1 to PO11 shown, e.g. PO1 define a strategic IT plan, PO2 define the information architecture), the Information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) are marked P or S and the applicable IT Resources (People, Application Systems, Technology, Facilities, Data) are indicated.

Management's Questions
1. How do responsible managers "keep the ship on course"?
2. How to achieve results that are satisfactory for the largest possible segment of our stakeholders?
3. How to timely adapt the organization to trends and developments in the enterprise's environment?
Dashboards, Scorecards, Benchmarking.

5. Management Guidelines

Maturity Models, CSF, KGI, KPI

Generic Maturity Model
0 Non-Existent
1 Initial
2 Repeatable
3 Defined
4 Managed
5 Optimized
Figure: the 0 to 5 scale with markers for Enterprise Current Status, International Standard Guidelines, Industry Best Practice and Enterprise Strategy.

Figure: Goals and Enablers; Balanced Business Scorecard; Information Technology; Measure (Outcome); Measure (Performance).

Critical Success Factors (CSF): define the most important issues or actions for management to achieve control over and within its IT processes.
Key Goal Indicators (KGI): define measures that tell management - after the fact - whether an IT process has achieved its business requirements.
Key Performance Indicators (KPI): define measures to determine how well the IT process is performing in enabling the goal to be reached.

Figure: IT Governance (Direct, Control); Plan, Do, Check, Correct; IT Activities (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring); Manage risks, Realize benefits; Objectives, Goal, Compare, Process, Activities, Control Information Objectives, Report.

Balanced Business Scorecard (figure): Goals -> KGI (measure of outcome); Enablers -> KPI (measure of performance); perspectives Financial, Customer, Internal Processes and Learn and Innovate, each with Goal and Measures; information criteria Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.

6. Audit Guidelines

Audit Guidelines: Standards, Guidelines, Procedures.
Auditing Objectives: Effectiveness, Reliability, Security.