IT審計與控制模型COBIT(同濟(jì)大學(xué)劉仲英教授)

1、Advanced Information Technology and ManagementIT Audit and Control Model of Information and Related Technology -COBITHu kejin WITAuditISACA(Information SystemsAuditandControl Association)CISA (CertifiedInformationSystemAuditor)COBIT-Control ObjectivesForInformationandRelatedTechnologyInformationSyst

2、ems Audit andControlFoundationITGovernance Institute1.ITAuditOverview2.COBITOverview3.COBITArchitecture4.Control Objectives5.Management Guidelines6.AuditGuidelines1.ITAuditOverviewAuditingObjectivesSecurityReliabilityEffectivenessScopeoftheaudit1)InformationSystems2)tocoverlife cycle of ISAuditPlan$

3、DefinitionofScopeandObjectives.$Analysisand understandingofstandardprocedures.$Evaluationofsystemandinternalcontrols.$AuditProceduresanddocumentationofevidence.$Analysisoffactsencountered.$Formation of opinionoverthecontrols.$Presentation of reportandrecommendations.AuditTechniques$Compliancetests.$

4、Substantivetests.$Auditingprogram.$IntegratedTestFacility.$Parallel Simulation.$Snapshot$Tracing$ProgramCodeComparison$Computer Assisted Audit Techniquesand Tools.AuditWork Team$Manager:Responsibleforthe audit andquality control.$Senior/teamleader: Responsible forthework papers.$Staff:Responsiblefor

5、 theperformanceoftheaudit.AuditReportProgressReports.Work Papers.OtherWork Papers.PreliminaryReports.FinalAuditReport.1）Whatisour mission?2）Whatare ourgoalsandhow willweachieve them?3）Howcan we measureour performance?4）Howwill we usethat information tomake improvements?1）AccountingAudit2）SystemAudit

6、3）Performance AuditBusinessReferenceModel(BRM) Lines of Business Agencies,Customers, PartnersService ComponentReferenceModel(SRM)ServiceDomains,Service TypesBusiness&Service ComponentsTechnicalReference Model (TRM)ServiceComponentInterfaces,Interoperability Technologies,RecommendationsData &Informat

7、ionReference Model (DRM) Business-focusedDataStandardization Cross-AgencyInformationExchangesPerformanceandBusiness-DrivenPerformanceReferenceModel(PRM)Inputs,Outputs,andOutcomesUniquelyTailoredITPerformanceIndicatorsComponent-BasedArchitecturesPerformanceReferenceModel(PRM)Inputs,Outputs,andOutcome

8、sUniquelyTailoredITPerformanceIndicatorsBusinessReferenceModel(BRM)LinesofBusiness Agencies,Customers, PartnersService ComponentReferenceModel(SRM)Service Domains, ServiceTypesBusiness&Service ComponentsTechnicalReference Model (TRM)Service ComponentInterfaces,Interoperability Technologies,Recommend

9、ationsData &InformationReference Model (DRM)Business-focused DataStandardization Cross-AgencyInformationExchangesPerformanceandBusiness-DrivenComponent-BasedArchitecturesTHEFEA REFERENCEMODELFRAMEWORKHUMANCAPITALMISSIONANDBUSINESSRESULTSCUSTOMERRESULTDVALUEVALUESTRATEGICOUTCOMSINPUTTECHONLOGYOTHERFI

10、XEDASSETSPROCESSANDACTIVITYMission andbusiness-criticalresultsaligned withthe Business ReferenceModel.Resultsmeasuredfrom acustomerperspectiveThedirect effectsofday-to-dayactivitiesandbroaderprocessesmeasuredasdrivenbydesired outcomes.Used to furtherdefineand measurethe ModeofDeliveryinThebusinessre

11、ference model.Keyenablersmeasuredthroughtheircontributiontooutputsandbyextension outcomesData andInformationReferenceModel(DRM)Data andInformationReferenceModel(DRM) is currentlyunderdevelopmentCOBITisthemodelfor IT governance!2.COBITOverviewBusinessRequirementsITManagementITResources1).Executive Su

12、mmary2).Framework3).Control Objectives4).Management Guidelines5).AuditGuidelines6).ImplementationTool setThecontrolofwhichsatisfyisenabled byconsideringITProcessesBusinessRequirementsControlStatementsControlPracticesDataApplicationSystemsTechnologyFacilitiesPeopleEventsBusinessObjectivesBusinessOppo

13、rtunitiesExternalRequirementsRegulationsRisksInformationEffectivenessConfidentialityIntegrityAvailabilityComplianceReliabilityMessageinputServiceoutputBusinessProcessesInformationITResourcesITResourcesPeopleApplicationSystemsTechnologyFacilitiesDataInformationCriteriaeffectivenessconfidentialityinte

14、grityavailabilitycompliancereliability?Dothey matchWhat yougetWhat youneedInformationcriteriaITdomainsITresourcesPlanning&organizationAcquisition&implementationDelivery&supportMonitoringDomainsProcessesActivitiesInformationCriteriaITProcessesITResourcesQualityFiduciarySecuritypeopleApplicationSystem

15、sTechnologyFacilitiesDataDomainsProcessesActivities/Tasks3.COBITArchitectureManagementframeworkManagementguidelinesControlobjectivesAuditguidelinesTool setManagementguidelinesMaturitymodelsCriticalsuccessfactorsKeygoalindicatorsKeyperformanceindicatorsITdomainsPlanning&OrganizationAcquisition&Implem

16、entationDelivery&SupportMonitoringCOBITITProcessesDefinedWithinthe FourDomainsCOBITBusinessObjectivesInformationITResourcesPlanning&OrganizationAcquisition&ImplementationDelivery&SupportMonitoringITResourcesITResourcesApplicationSystemsDataApplicationSystemsTechnologyFacilitiesPeopleDomainsProcesses

17、ProcessesActivities/TasksInformationCriteriaQualityFiduciarySecurityQualityCostDeliveryEffectivenessEfficiencyReliabilityComplianceConfidentialityIntegrityAvailability4.ControlObjectives High-LevelControl Objectives34(ControlOver theITProcess)Control Objectives318(ControlOver theActivities/Tasks)Pla

18、nning&OrganizationPO1definea strategicITplanPO2definetheinformationarchitecturePO3determinethetechnologicaldirectionPO4definetheITorganization andrelationshipsPO5managetheITinvestmentPO6communicate managementaimsanddirectionPO7managehumanresourcesPO8ensurecompliance withexternalrequirementsPO9assess

19、risksPO10 manageprojectsPO11 managequalityAcquisition&ImplementationAI1identify solutionsAI2acquireand maintain application softwareAI3acquireand maintain technologyarchitectureAI4developand maintain IT proceduresAI5installand accredit systemsAI6manage changesDelivery&SupportDS1defineservice levelsD

20、S2managethird-partyservicesDS3manageperformanceandcapacityDS4ensurecontinuous serviceDS5ensuresystems securityDS6identify andattributecostsDS7educateand train usersDS8assistandadvise IT customersDS9managetheconfigurationDS10 manageproblemsandincidentsDS11 managedataDS12 managefacilitiesDS13 manageop

21、erationsMonitoringM1monitortheprocessesM2assess internal controladequacyM3obtain independent assuranceM4provideforindependentauditDOMAINProcessInformationCriteriaITResourcesPlanning&OrganizationPO1PO2PO3PO4PO5PO6PO7PO8PO9PO10PO11EffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceRe

22、liabilityPeopleApplicationSystemsTechnologyFacilitiesDataDOMAINProcessInformationCriteriaIT ResourcesPeopleApplicationSystemsTechnologyFacilitiesDataEffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceReliabilityPO1define astrategicITplanPlanning&OrganizationPO2definetheinformationa

23、rchitecturePSSSPSManagementsQuestion1.Howdoresponsiblemanagers“keeptheshiponcourse”?2.Howtoachieveresults thataresatisfactoryfor thelargest possiblesegment of ourstakeholders?3.Howtotimely adapt theorganizationtotrendsand developmentsintheenterprisesenvironment?DashboardsScorecardsBenchmarkingBenchm

24、arking5.Management GuidelinesMaturityModelsCSFKGIKPIGeneric Maturity Model0Non-Existent1Initial2Repeatable3Defined4Managed5Optimized012345Non-ExistentInitialRepeatableDefinedManagedOptimizedEnterprise CurrentStatusInternational Standard GuidelinesIndustryBest PracticeEnterprise StrategyGoalsEnablers

25、BalancedBusinessScorecardInformationTechnologyMeasure(Outcome)Measure(Performance)CriticalSuccessFactors (CSF)Definethe mostimportant issuesoractionsformanagementtoachieve controloverandwithinits IT processes.KeyGoalIndicators(KGI)Definemeasuresthattell management-after thefact-whether an IT processhas achieved itsbusinessrequirementsKeyPerformanceIndica