Information System Auditing: Yu Xiaobing (余小兵) CISA
• Classifications of IT controls
Diagram (risk management cycle): Identify risk → Assess / Measure risk → Manage risk by choosing a response (Mitigate, Avoid, Share, Ignore) → Evaluate controls
• Two components
– Automation of business controls (Application Controls)
– Control of IT (General Controls)
Nanjing Audit University
IT Controls Definition
• Availability
• Integrity
• Confidentiality
• Effectiveness
• Efficiency
• Reliability
• Compliance
• Classification
– Preventative
– Detective
– Corrective
• Classification
– Governance controls
– Management controls
– Technical controls
Diagram: IT General Controls versus Application Controls
IT General Controls (apply to the shared IT infrastructure: Database, Operating System, Network/Physical):
– Systems Development
– Change Management
– Physical controls
– Service & Support
– Backup & Restore
– ….
Application Controls (within each of Application A, Application B, Application C):
– Authorization
– Integrity
– Availability
– Confidentiality
– Segregation of duties
• Examples of corrective controls:
– correction of data-entry errors
– removing unauthorized users
– recovery from incidents, disruptions, or disasters
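Added example (not from the slides): one application control from the deck, segregation of duties, implemented in each of the three control classes listed above. The role map, the payment records and the hypothetical "payments app" are constructed for illustration.

```python
"""Segregation of duties (SoD) as a preventive, a detective and a corrective
control. Constructed example; the role map and records are not real data."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed role assignments in a hypothetical payments application.
ROLES = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"requester", "approver"},  # holds both roles: an SoD conflict
}


@dataclass
class Payment:
    pid: int
    requester: str
    approver: Optional[str] = None
    status: str = "pending"


def approve(p: Payment, approver: str) -> bool:
    """Preventive control: reject the approval at transaction time unless the
    approver holds the role and is not the same person who requested it."""
    if "approver" not in ROLES.get(approver, set()):
        return False
    if approver == p.requester:
        return False
    p.approver, p.status = approver, "approved"
    return True


def detect_violations(payments: List[Payment]) -> List[int]:
    """Detective control: after the fact, scan approved records for
    self-approval or for an approver whose role set itself conflicts."""
    hits = []
    for p in payments:
        if p.status != "approved":
            continue
        self_approved = p.approver == p.requester
        dual_role = {"requester", "approver"} <= ROLES.get(p.approver, set())
        if self_approved or dual_role:
            hits.append(p.pid)
    return hits


def correct(payments: List[Payment], violating_ids: List[int]) -> int:
    """Corrective control: revert flagged approvals so they are re-reviewed.
    Returns the number of records now awaiting approval."""
    for p in payments:
        if p.pid in violating_ids:
            p.approver, p.status = None, "pending"
    return sum(1 for p in payments if p.status == "pending")
```

The preventive check alone lets carol approve bob's payment, because it only compares the two parties; the detective scan also catches the conflicting role design, which is why the classes complement rather than replace each other.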
• Board
One important role of the full board of directors is to determine and approve strategies, set objectives, and ensure the objectives are being met to support the strategies.