信息系统审计方法论.pptVIP

定期的管理报告 agenda 财务相关的IT审计特点 基于风险的信息系统审计方法 财务相关的IT审计项目 IT一般控制审计检查表 问题讨论 IT Audit Presentation * Prepared by Craig Adams * IT Audit Presentation * Prepared by Craig Adams * IT Audit Presentation * Prepared by Craig Adams * IT Audit Presentation * Prepared by Craig Adams * When considering controls to implement and in determining areas to focus audit resources during reviews of the entire IT operating environment, this hierarchy represents a logical “top-down” approach, from the overall high-level policy statements issued by management and endorsed by the board of directors, down to the specific control mechanisms incorporated into application systems. The different elements of the hierarchy are not mutually exclusive; they are all connected and can intermingle. Many of the control types within the elements are described below. IT Audit Presentation * Prepared by Craig Adams * IT Audit Presentation * Prepared by Craig Adams * IT Audit Presentation * Prepared by Craig Adams * IT Audit Presentation * Prepared by Craig Adams * IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance. It would be a relatively straightforward task to create a list of recommended IT controls that must be implemented within each organization. However, each control has a specific cost that may not be justified in terms of cost effectiveness when considering the type of business done by the organization. Furthermore, no list of controls is universally applicable across all types of organizations. While much good advice is available on the choice of suitable controls, strong judgment must be used. Controls must be appropriate for the level of risk faced by the organization. IT Audit Presentation *