I agree with michael's and Jacky's points. Since the content is rather mixed, I'm starting a new thread; please forgive me, michael.

[B]First, what is Information System Audit, and how does it differ from Information Security Audit?[/B]

Currently, a very popular notion in China is that Information System Audit = Information Security Audit, i.e. treating information system audit and information security audit as one and the same. This is a major misunderstanding of IS Audit and is quite harmful, because the former includes the latter but its scope is much broader. This can also be seen from the definitions of the two:

"It is defined as any Audit that encompasses the review and evaluation of all aspects (or any portion) of Automated information processing systems, including related and nonautomated processes and the interface between them..." - ISACA

The Arkansas Shared Technical Architecture (STA) defines Information System Audit as:
"Information System Audit is series of tests to insure that adequate controls are in place over the Information System system (1) General controls (2)Application controls".

The Software Environments Research Group, Leeds Metropolitan University, Beckett Park Campus, Leeds, LS6 3QS, UK defines it as: "An Information System Audit is generally a post-event activity which involves the systematic collecting and evaluation of evidence which reflects the planning, development, implementation and operation of information systems."

SecurityFocus, on the other hand, defines Information Security Audit as:
"information security audits; that is, an audit of how the confidentiality, availability and integrity of an organization's information is assured." or "a computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited."

From these definitions everyone should be able to see the important differences between the two.

Second, is accounting or finance knowledge needed?

The answer is: yes. Going further, IT Audit is closely tied to both Finance and Accounting (i.e. not only Accounting). The reasons are as follows:

1. IT Audit, or IS Audit, covers a very broad range:
   a. At the macro level: an overall assessment of an enterprise's long-term IT strategy, near-term objectives, implementation process and results.
   b. At the micro level: assessment of each project or service, including feasibility analysis, acceptance and every other stage.

2. IT Audit serves IT Governance and Enterprise Governance, so both its process and its objectives need to be quantified (or quantified as far as possible on a qualitative basis) and tied to a set of indicators (KPI, KGI).

3. IS Audit is risk-based, i.e. audit grounded in risk. Therefore the audit process itself, as well as the audit's Subject and Object, all require relevant and accurate risk analysis before the right remedy can be prescribed.

4. The premise of being risk-based is that Assets and Risks must have quantified economic indicators. You say this is a high-risk area; on what grounds? Naturally, on an analysis of Asset Value and Risk loss.

5. So how are Asset Value and Risk Loss determined? How do you let the figures speak and convince people with reasoning rather than with personal authority? This requires accounting skills. For example: with a RAID, the value of the hardware itself is fairly clear to everyone, but how do you measure the value of the data on it? How do you calculate the loss after the various threats materialize? Which response strategy to each risk is optimal (both technically and economically)?

6. Not only in audit preparation, but also in audit processing and post-audit, a great deal of financial knowledge is needed to find the best audit approach, reduce audit risk and reach the most reasonable audit conclusion. Another example: during the audit of a project you find that the project is only half done but the budget is almost exhausted. What should you do? Naturally, first analyse the current situation and, where possible, communicate with the Project Manager & Team, the Project sponsor and the project committee members, perhaps even go to the accounting department to look up the relevant vouchers for analysis; only then can you reach an audit conclusion and make some recommendations. Both this audit process and the analysis of your recommendations need numbers to back them up, e.g. "What are the project's current costs and expenses? What has been delivered? What is the ROI of the new recommendation? How will it be controlled?" and so on. All of this requires financial knowledge.

7. In addition, another important part of IS audit is the substantive test, which includes analysis of the enterprise's main financial statements (such as the balance sheet and income statement); this is already very similar to audit in the traditional sense.

Just some personal opinions for reference. Discussion welcome.