Expert in intelligent information system audit
POWERTIME

What is information system audit

The process of acquiring and assessing evidence in order to judge whether an information system protects the organization's assets, uses the organization's resources efficiently, safeguards data security and compliance, and effectively achieves the organization's business goals.


Why do information system audit

  • The enterprise's own need for internal control

  • Industry regulatory requirements

  • Expectations of users and other interested parties

Aim and contents of information system audit

Aim

Judge the design effectiveness and operating effectiveness of IT control measures in four areas:
  • Security

    Security of information system project development, infrastructure, data management, operation and maintenance

  • Reliability

    Reliability of information system hardware, system software, application software, network environment and data

  • Economy

    Economy, efficiency and effectiveness of information system development, application, operation and maintenance

  • Legality

    Legality of information system life cycle, business process and internal control

Information system audit contents

1. Information system general control audit

Controls that safeguard the stable, effective and secure operation of the information system as a whole.

General controls include:
  • Physical security control
  • Access control
  • Application Software Development and Change Control
  • System software control
  • Duty separation control
  • Service continuity control
Organization

· IT governance

· IT organization pattern, architecture, responsibilities

Supplier

· IT supplier management, copyright and intellectual property

· Service-level guarantees for non-core business

Foundation setting

· Computer room environment and disaster prevention

· Host, communication network, storage, access control

Business continuity

·  Assets, risks, threats, strategies and safeguards

·  Business continuity requirements for IT continuity, backup and recovery

IT project management and control

· Quality and security of development and acquisition process

· Change management

Network security

·  Network configuration, log checking

· Vulnerability scanning and penetration testing

2. Information system application control audit

Controls that safeguard the authenticity, integrity and reliability of the data produced by the information system.

Application control includes:
  • Authorization control
  • Completeness control
  • Accuracy control
  • Integrity control of data files and processing
Service

· User Problem Tracking

· Functional testing, code analysis, scene simulation or tracking

IO

· Input control

· Output control

Performance

·  Availability

·  Reliability

Data

·  Business data, log

·  Authenticity, causality, accuracy

Code

· Security, standards compliance

· Process logic, back doors

Service system

· Business processes and offline activities

· Interface and data

Information system audit basis

laws and regulations

  • February 18, 1994, Regulations of the People's Republic of China on the Protection of Computer Information System Security
  • Feb. 28, 2006, Audit Law of the People's Republic of China (revised version)
  • Nov. 7, 2016, Cybersecurity Law of the People's Republic of China
  • June 27, 2018, Regulations on Cybersecurity Classified Protection (draft for comments)
  • August 31, 2018, E-Commerce Law of the People's Republic of China
  • Oct. 26, 2019, Cryptography Law of the People's Republic of China

Industry supervision

  • Feb. 1, 2012, Information Systems Audit Guide - Notice No. 34 of Computer Audit Practice
  • August 20, 2013, National Internal Audit Criteria - No. 2203 Internal Audit Specific Rules - Information System Audit
  • Sept. 1, 2010, National Audit Criteria of the People's Republic of China
  • March 2, 2009, CBRC, Guidelines on Risk Management of Information Technology in Commercial Banks
  • February 16, 2013, Guidelines on the Supervision of Information Technology Outsourcing Risk in Banking Financial Institutions
  • Dec. 26, 2016, Guiding Opinions on the Development and Management of Information Technology in Non-bank Financial Organizations
  • Dec. 29, 2009, Guidelines for the Management of Informatization of Insurance Companies
  • Dec. 26, 2014, CSRC, Code for Audit of Information Systems of the Securities and Futures Industry
  • Nov. 8, 2016, Guidelines on Audit of Information Systems of the Securities and Futures Industry

IT audit standards

  • August 6, 2008, Circular on Strengthening Information Security Risk Assessment of National E-Government Development Projects
  • Feb. 16, 2013, Opinions on Strengthening and Improving National E-Government Project Development Management
  • Jan. 30, 2015, Opinions on the Performance Evaluation of National E-Government Project
  • SASAC July 16, 2008, Interim Measures for the Evaluation of Informatization Level of Central Enterprises
  • March 25, 2010, Interim Provisions on the Protection of Trade Secrets of Central Enterprises
  • Jan. 10, 2017, National Cybersecurity Incident Emergency Plan
  • April 11, 2017, Measures for the Security Assessment of Cross-border Transfer of Personal Information and Important Data (draft for comments)
  • July 10, 2017, Regulations on the Security Protection of Critical Information Infrastructure (draft for comments)

Our Information System Audit Service

IT audit workflow

  • Determine the purpose and scope

    1. Department
    2. Application system
  • Specify the audit basis

    1. Organization's internal system
    2. Industry norms
    3. Standards and regulations
  • Form an audit team

    1. Audit team members
    2. Audit leader
  • On-site audit

    1. Audit plan
    2. Audit findings
    3. Audit conclusions
  • Report audit findings

    1. Audit report
    2. Risk reminder
    3. Risk suggestions
  • Follow-up audit activities

    1. Tracking of nonconforming items

Service flow

  • Communications

  • Enter into a contract

  • Determine the scope

  • Specify the basis

  • Form a team

  • On-site audit

  • Problem confirmation

  • Prepare a report

  • Tracking service

Choose us now and enjoy professional service

INSTITUTE OF SAFETY

POWERTIME-MLPS and IT Audit All rights reserved ICP:13008575
