I審計(jì)與控制模型COBI同濟(jì)大學(xué)劉仲英教授

AdvancedInformationTechnologyandManagementITAuditandControlModelofInformationandRelatedTechnology-----COBITHukejin

ITAuditISACA(InformationSystemsAuditandControlAssociation)CISA(CertifiedInformationSystemAuditor)COBIT----ControlObjectivesForInformationandRelatedTechnologyInformationSystemsAuditandControlFoundationITGovernanceInstitute1.ITAuditOverview2.COBITOverview3.COBITArchitecture4.ControlObjectives5.ManagementGuidelines6.AuditGuidelines1.ITAuditOverviewAuditingObjectivesSecurityReliabilityEffectivenessScopeoftheaudit1)InformationSystems2)tocoverlifecycleofISAuditPlan$DefinitionofScopeandObjectives.$Analysisandunderstandingofstandardprocedures.$Evaluationofsystemandinternalcontrols.$AuditProceduresanddocumentationofevidence.$Analysisoffactsencountered.$Formationofopinionoverthecontrols.$Presentationofreportandrecommendations.AuditTechniques$Compliancetests.$Substantivetests.$Auditingprogram.$IntegratedTestFacility.$ParallelSimulation.$Snapshot$Tracing$ProgramCodeComparison$ComputerAssistedAuditTechniquesandTools.AuditWorkTeam$Manager:Responsiblefortheauditandqualitycontrol.$Senior/teamleader:Responsiblefortheworkpapers.$Staff:Responsiblefortheperformanceoftheaudit.AuditReportProgressReports.WorkPapers.OtherWorkPapers.PreliminaryReports.FinalAuditReport.1）Whatisourmission?2）Whatareourgoalsandhowwillweachievethem?3）Howcanwemeasureourperformance?4）Howwillweusethatinformationtomakeimprovements?1）AccountingAudit2）SystemAudit3）PerformanceAuditBusinessReferenceModel(BRM)?LinesofBusiness?Agencies,Customers,PartnersServiceComponentReferenceModel(SRM)?ServiceDomains,ServiceTypes?Business&ServiceComponentsTechnicalReferenceModel(TRM)?ServiceComponentInterfaces,Interoperability?Technologies,RecommendationsData&InformationReferenceModel(DRM)?Business-focusedDataStandardization?Cross-AgencyInformationExchangesPerformanceandBusiness-DrivenPerformanceReferenceModel(PRM)?Inputs,Outputs,andOutcomes?UniquelyTailoredITPerformanceIndicatorsComponent-BasedArchitecturesPerformanceReferenceModel(PRM)?Inputs,Outputs,andOutcomes?UniquelyTailoredITPerformanceIndicatorsBusinessReferenceModel(BRM)?LinesofBusiness?Agencies,Customers,PartnersServiceComponentReferenceModel(SRM)?ServiceDomains,ServiceTypes?Business&ServiceComponentsTechnicalReferenceModel(TRM)?ServiceComponentInterfaces,Interoperability?Technologies,RecommendationsData&InformationReferenceModel(DRM)?Business-focusedDataStandardization?Cross-AgencyInformationExchangesPerformanceandBusiness-DrivenComponent-BasedArchitecturesTHEFEAREFERENCEMODELFRAMEWORKHUMANCAPITALMISSIONANDBUSINESSRESULTSCUSTOMERRESULTDVALUEVALUESTRATEGICOUTCOMSINPUTTECHONLOGYOTHERFIXEDASSETSPROCESSANDACTIVITYMissionandbusiness-criticalresultsalignedwiththeBusinessReferenceModel.ResultsmeasuredfromacustomerperspectiveThedirecteffectsofday-to-dayactivitiesandbroaderprocessesmeasuredasdrivenbydesiredoutcomes.UsedtofurtherdefineandmeasuretheModeofDeliveryinThebusinessreferencemodel.Keyenablersmeasuredthroughtheircontributiontooutputs–andbyextensionoutcomesDataandInformationReferenceModel(DRM)DataandInformationReferenceModel(DRM)iscurrentlyunderdevelopmentCOBITisthemodelforITgovernance!!!2.COBITOverviewBusinessRequirementsITManagementITResources1).ExecutiveSummary2).Framework3).ControlObjectives4).ManagementGuidelines5).AuditGuidelines6).ImplementationToolsetThecontrolofwhichsatisfyisenabledbyconsideringITProcessesBusinessRequirementsControlStatementsControlPracticesDataApplicationSystemsTechnologyFacilitiesPeopleEventsBusinessObjectivesBusinessOpportunitiesExternalRequirementsRegulationsRisksInformationEffectivenessConfidentialityIntegrityAvailabilityComplianceReliabilityMessageinputServiceoutputBusinessProcessesInformationITResourcesITResourcesPeopleApplicationSystemsTechnologyFacilitiesDataInformationCriteriaeffectivenessconfidentialityintegrityavailabilitycompliancereliability?DotheymatchWhatyougetWhatyouneedInformationcriteriaITdomainsITresourcesPlanning&organizationAcquisition&implementationDelivery&supportMonitoringDomainsProcessesActivitiesInformationCriteriaITProcessesITResourcesQualityFiduciarySecuritypeopleApplicationSystemsTechnologyFacilitiesDataDomainsProcessesActivities/Tasks3.COBITArchitectureManagementframeworkManagementguidelinesControlobjectivesAuditguidelinesToolsetManagementguidelinesMaturitymodelsCriticalsuccessfactorsKeygoalindicatorsKeyperformanceindicatorsITdomainsPlanning&OrganizationAcquisition&ImplementationDelivery&SupportMonitoringCOBITITProcessesDefinedWithintheFourDomainsCOBITBusinessObjectivesInformationITResourcesPlanning&OrganizationAcquisition&ImplementationDelivery&SupportMonitoringITResourcesITResourcesApplicationSystemsDataApplicationSystemsTechnologyFacilitiesPeopleDomainsProcessesProcessesActivities/TasksInformationCriteriaQualityFiduciarySecurityQualityCostDeliveryEffectivenessEfficiencyReliabilityComplianceConfidentialityIntegrityAvailability4.ControlObjectivesHigh--LevelControlObjectives34(ControlOvertheITProcess)ControlObjectives318(ControlOvertheActivities/Tasks)Planning&OrganizationPO1defineastrategicITplanPO2definetheinformationarchitecturePO3determinethetechnologicaldirectionPO4definetheITorganizationandrelationshipsPO5managetheITinvestmentPO6communicatemanagementaimsanddirectionPO7managehumanresourcesPO8ensurecompliancewithexternalrequirementsPO9assessrisksPO10manageprojectsPO11managequalityAcquisition&ImplementationAI1identifysolutionsAI2acquireandmaintainapplicationsoftwareAI3acquireandmaintaintechnologyarchitectureAI4developandmaintainITproceduresAI5installandaccreditsystemsAI6managechangesDelivery&SupportDS1defineservicelevelsDS2managethird-partyservicesDS3manageperformanceandcapacityDS4ensurecontinuousserviceDS5ensuresystemssecurityDS6identifyandattributecostsDS7educateandtrainusersDS8assistandadviseITcustomersDS9managetheconfigurationDS10manageproblemsandincidentsDS11managedataDS12managefacilitiesDS13manageoperationsMonitoringM1monitortheprocessesM2assessinternalcontroladequacyM3obtainindependentassuranceM4provideforindependentauditDOMAINProcessInformationCriteriaITResourcesPlanning&OrganizationPO1PO2PO3PO4PO5PO6PO7PO8PO9PO10PO11EffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceReliabilityPeopleApplicationSystemsTechnologyFacilitiesDataDOMAINProcessInformationCriteriaITResourcesPeopleApplicationSystemsTechnologyFacilitiesDataEffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceReliabilityPO1defineastrategicITplanPlanning&OrganizationPO2definetheinformationarchitecturePSSSPSManagement’’sQuestion1.Howdoresponsiblemanagers“keeptheshiponcourse”?2.Howtoachieveresultsthataresatisfactoryforthelargestpossiblesegmentofourstakeholders?3.Howtotimelyadapttheorganizationtotrendsanddevelopmentsintheenterprise’’senvironment?DashboardsScorecardsBenchmarkingBenchmarking5.ManagementGuidelinesMaturityModelsCSFKGIKPIGenericMaturityModel0Non--Existent1Initial2Repeatable3Defined4Managed5Optimized012345Non-ExistentInitialRepeatableDefinedManagedOptimizedEnterpriseCurrentStatusInternationalStandardGuidelinesIndustryBestPracticeEnterpriseStrategyGoalsEnablersBalancedBusinessScorecardInformationTechnologyMeasure(Outcome)Measure(Performance)CriticalSuccessFactors(CSF)DefinethemostimportantissuesoractionsformanagementtoachievecontroloverandwithinitsITprocesses.KeyGoalIndicators(KGI)Definemeasuresthattellmanagement--afterthefact--whetheranITprocesshasachieveditsbusinessrequirementsKeyPerformanceIndicators(KPI)