Introduction:

Information system special audit is a process of obtaining and evaluating evidence to determine whether a computer system can ensure the security of assets, the integrity of data and the efficient utilization of organizational resources and the effective realization of organizational objectives. The special audit of information systems here refers to the special audit of information systems of listed companies to meet the requirements of the CSRC and other regulatory agencies for the authenticity, accuracy and completeness of information systems of listed companies.

Contents:

Includes general control audit and application control audit, general control audit mainly for information technology infrastructure, information system security control, information system operation and maintenance, information system business continuity and so on. While application control audit mainly for business process control, input, processing and output control, parameter control, interface control, data management.

Benefits:

Through the special audit of information system, check and evaluate the security, reliability, economy and legitimacy of information system, check whether the organization has necessary application control, reveal the risk of the information system, put forward the opinions and suggestions of improving the information system audit, promote the information system to achieve the organization goal, and meet the requirements of the relevant regulatory authorities.

Project cycle: 2 months

Introduction:

Information system special audit is a process of obtaining and evaluating evidence to determine whether a computer system can ensure the security of assets, the integrity of data and the efficient utilization of organizational resources and the effective realization of organizational objectives. The special audit of information systems here refers to the special audit of information systems of listed companies to meet the requirements of the CSRC and other regulatory agencies for the authenticity, accuracy and completeness of information systems of listed companies.

Contents:

Includes general control audit and application control audit, general control audit mainly for information technology infrastructure, information system security control, information system operation and maintenance, information system business continuity and so on. While application control audit mainly for business process control, input, processing and output control, parameter control, interface control, data management.

Benefits:

Through the special audit of information system, check and evaluate the security, reliability, economy and legitimacy of information system, check whether the organization has necessary application control, reveal the risk of the information system, put forward the opinions and suggestions of improving the information system audit, promote the information system to achieve the organization goal, and meet the requirements of the relevant regulatory authorities.

Project cycle: 2 months

Introduction:

Cybersecurity special audit is to carry out separate inspection to the control mechanism, process and strategy of cybersecurity, so as to understand the current situation of organization's network security, reveal security risk, and provide suggestions for network security improvement, so as to effectively promote the improvement and effectiveness of organization's network security system, and ensure the healthy and stable development of business and the realization of organization's goals.

Contents:

Network security special audit is for the organization's security management system, security management organization, security management personnel, security construction management, security operation and maintenance management, security physical environment, security communication network, security area boundary, security computing environment and security management center and others.

Benefit: 

By checking the appropriateness and effectiveness of network security management and technical control measures, audit reveals the hidden risks in network security control of the organization as a whole, so that the organization can effectively avoid the major network security risks, improve network security management level, and ensure the security, stability and efficient operation of the business through appropriate improvement and optimization.

Project cycle: 2 months

Introduction:

Cybersecurity special audit is to carry out separate inspection to the control mechanism, process and strategy of cybersecurity, so as to understand the current situation of organization's network security, reveal security risk, and provide suggestions for network security improvement, so as to effectively promote the improvement and effectiveness of organization's network security system, and ensure the healthy and stable development of business and the realization of organization's goals.

Contents:

Network security special audit is for the organization's security management system, security management organization, security management personnel, security construction management, security operation and maintenance management, security physical environment, security communication network, security area boundary, security computing environment and security management center and others.

Benefit: 

By checking the appropriateness and effectiveness of network security management and technical control measures, audit reveals the hidden risks in network security control of the organization as a whole, so that the organization can effectively avoid the major network security risks, improve network security management level, and ensure the security, stability and efficient operation of the business through appropriate improvement and optimization.

Project cycle: 2 months

Introduction:

Carry out special audit on the organization's risk management of information science and technology, evaluate the effectiveness of risk prevention and control of information science and technology in an all-round way. On the basis of supervision requirements and best practice at home and abroad, find out shortcomings of risk management of information science and technology, and considering organization's actual situation, put forward constructive suggestions for improvement, and issue relevant audit reports.

Contents:

Including information technology governance, information technology risk management, information security, information technology operation, information system development testing and maintenance, business continuity, outsourcing risk, internal audit management and so on.

Benefit:

To meet the audit requirements of the organization's internal control and supervision institutions, improve the ability and level of the organization's information technology risk management, ensure the stability of important business and systems, promote the improvement of the organization's information technology risk management system, and meet the needs of the organization's business strategy and business development.

Project cycle: 2 months

Introduction:

Carry out special audit on the organization's risk management of information science and technology, evaluate the effectiveness of risk prevention and control of information science and technology in an all-round way. On the basis of supervision requirements and best practice at home and abroad, find out shortcomings of risk management of information science and technology, and considering organization's actual situation, put forward constructive suggestions for improvement, and issue relevant audit reports.

Contents:

Including information technology governance, information technology risk management, information security, information technology operation, information system development testing and maintenance, business continuity, outsourcing risk, internal audit management and so on.

Benefit:

To meet the audit requirements of the organization's internal control and supervision institutions, improve the ability and level of the organization's information technology risk management, ensure the stability of important business and systems, promote the improvement of the organization's information technology risk management system, and meet the needs of the organization's business strategy and business development.

Project cycle: 2 months

Introduction:

Special audit of important information systems is to examine the management status and specific control measures of the entire life cycle of organization's important information systems (including project establishment, development, testing, maintenance, commissioning and change management, configuration management, etc.), identify the problems and risk existing in entire life cycle management of important information systems, analyze the reasons, put forward suggestions to solve the problems and control the risks, and issue special audit reports of important information systems.

Contents:

Including project management, development management, test management, procurement management, production management, change management, problem management, post-project evaluation and so on.

Benefit:

Through the special audit of the important information system, find out problems in construction and operation of important information system, check hidden trouble, provide risk early warning for the follow-up important information system project, improve management and control ability and level of organization information system project management, and maintain security and stability of system  operation.

Project cycle: 2 months

Introduction:

Special audit of important information systems is to examine the management status and specific control measures of the entire life cycle of organization's important information systems (including project establishment, development, testing, maintenance, commissioning and change management, configuration management, etc.), identify the problems and risk existing in entire life cycle management of important information systems, analyze the reasons, put forward suggestions to solve the problems and control the risks, and issue special audit reports of important information systems.

Contents:

Including project management, development management, test management, procurement management, production management, change management, problem management, post-project evaluation and so on.

Benefit:

Through the special audit of the important information system, find out problems in construction and operation of important information system, check hidden trouble, provide risk early warning for the follow-up important information system project, improve management and control ability and level of organization information system project management, and maintain security and stability of system  operation.

Project cycle: 2 months

Introduction

Audit the organization's IT infrastructure (including data center, disaster preparedness center, etc.), fully identify and evaluate the operation and management risks, evaluate the effectiveness of its control measures, discover hidden risks in the process of operation and management, according to the regulatory requirements and best practices at home and abroad, and combine with the actual situation of the organization, put forward constructive improvement suggestions, and issue special audit reports on IT infrastructure.

Contents:

Audit IT infrastructure (data center and disaster recovery center infrastructure and environment audit). Data center establishment and change, data center risk management, operation environment management, operation and maintenance management, disaster recovery management, outsourcing management, physical security, fire prevention, waterproof, moisture-proof, anti-static, electromagnetic protection, temperature and humidity control, power supply and so on.

Benefit:

Through special audit of IT infrastructure, strengthen and standardize the internal control of IT infrastructure, promote and improve its operation and management level, enhance the ability of risk prevention and control, and ensure the safe, stable and efficient operation of organization's information system.

Project cycle: 2 months

Introduction

Audit the organization's IT infrastructure (including data center, disaster preparedness center, etc.), fully identify and evaluate the operation and management risks, evaluate the effectiveness of its control measures, discover hidden risks in the process of operation and management, according to the regulatory requirements and best practices at home and abroad, and combine with the actual situation of the organization, put forward constructive improvement suggestions, and issue special audit reports on IT infrastructure.

Contents:

Audit IT infrastructure (data center and disaster recovery center infrastructure and environment audit). Data center establishment and change, data center risk management, operation environment management, operation and maintenance management, disaster recovery management, outsourcing management, physical security, fire prevention, waterproof, moisture-proof, anti-static, electromagnetic protection, temperature and humidity control, power supply and so on.

Benefit:

Through special audit of IT infrastructure, strengthen and standardize the internal control of IT infrastructure, promote and improve its operation and management level, enhance the ability of risk prevention and control, and ensure the safe, stable and efficient operation of organization's information system.

Project cycle: 2 months

Introduction:

Fully understand and grasp the status quo of IT outsourcing management, identify and analyze the risks existing in IT outsourcing management, reveal the shortcomings and problems, and, in accordance with regulatory requirements and best practices at home and abroad, make suggestions for improvement and issue special audit reports on IT outsourcing in light of the actual situation of organization.

Contents:

Audit IT outsourcing of the organization, including IT outsourcing management organization framework, IT outsourcing strategy and strategy, IT outsourcing risk management, IT outsourcing project management, IT outsourcing procurement management, IT outsourcing supplier management, IT outsourcing organization centralized risk management, key IT outsourcing service management, IT outsourcing service implementation management, IT outsourcing service security management, IT outsourcing business continuity management, etc.

Benefit:

Effectively control the risk of IT outsourcing, promote overall management and service level of IT outsourcing, improve the organization's supplier access and exit mechanism, enhance the ability of monitoring and evaluation of outsourcing services, reduce the risk of outsourcing management, and meet the regulatory requirements.

Project cycle: 2 months

Introduction:

Fully understand and grasp the status quo of IT outsourcing management, identify and analyze the risks existing in IT outsourcing management, reveal the shortcomings and problems, and, in accordance with regulatory requirements and best practices at home and abroad, make suggestions for improvement and issue special audit reports on IT outsourcing in light of the actual situation of organization.

Contents:

Audit IT outsourcing of the organization, including IT outsourcing management organization framework, IT outsourcing strategy and strategy, IT outsourcing risk management, IT outsourcing project management, IT outsourcing procurement management, IT outsourcing supplier management, IT outsourcing organization centralized risk management, key IT outsourcing service management, IT outsourcing service implementation management, IT outsourcing service security management, IT outsourcing business continuity management, etc.

Benefit:

Effectively control the risk of IT outsourcing, promote overall management and service level of IT outsourcing, improve the organization's supplier access and exit mechanism, enhance the ability of monitoring and evaluation of outsourcing services, reduce the risk of outsourcing management, and meet the regulatory requirements.

Project cycle: 2 months

Introduction:

Fully understand and grasp the status quo of organizational business continuity management, systematically identify and analyze the risks associated with business continuity, reveal the deficiencies and problems in the management of organizational business continuity, and, in accordance with the regulatory requirements and best practices at home and abroad, make suggestions for improvement and issue relevant audit reports in light of the actual situation of the organization.

Contents:

Including business continuity organization structure, risk assessment, business impact analysis, business continuity plan, business continuity resource construction, business continuity plan and plan rehearsal, operation interruption emergency management, emergency plan, maintenance and improvement of business continuity plan, etc.

Benefit:

Effectively control organization system interruption risk, improve organization's information technology emergency ability, improve organization business continuity management system.

Project cycle: 2 months

Introduction:

Fully understand and grasp the status quo of organizational business continuity management, systematically identify and analyze the risks associated with business continuity, reveal the deficiencies and problems in the management of organizational business continuity, and, in accordance with the regulatory requirements and best practices at home and abroad, make suggestions for improvement and issue relevant audit reports in light of the actual situation of the organization.

Contents:

Including business continuity organization structure, risk assessment, business impact analysis, business continuity plan, business continuity resource construction, business continuity plan and plan rehearsal, operation interruption emergency management, emergency plan, maintenance and improvement of business continuity plan, etc.

Benefit:

Effectively control organization system interruption risk, improve organization's information technology emergency ability, improve organization business continuity management system.

Project cycle: 2 months

Introduction:

Master the systems, procedures and methods for the production change of important information systems, check the appropriateness and effectiveness of relevant systems and their control,  identify and analyze the risks existing in production change of important information systems, make recommendations for improvement and issue relevant audit reports in accordance with the requirements of supervision and best practices at home and abroad, and in light of the actual situation of the organization.

Contents:

Including the organization structure and function distribution of key information systems, system construction, risk assessment, production and change control, information plan of production and change report, life cycle management of important information systems, project management of production and change, outsourcing management, etc.

Benefit:

Improve the system of important information systems production change , strengthen management and technical control, improve project management capability, ensure that the start-up and change of important information systems can meet the business needs and be running smoothly.

Project cycle: 2 months

Introduction:

Master the systems, procedures and methods for the production change of important information systems, check the appropriateness and effectiveness of relevant systems and their control,  identify and analyze the risks existing in production change of important information systems, make recommendations for improvement and issue relevant audit reports in accordance with the requirements of supervision and best practices at home and abroad, and in light of the actual situation of the organization.

Contents:

Including the organization structure and function distribution of key information systems, system construction, risk assessment, production and change control, information plan of production and change report, life cycle management of important information systems, project management of production and change, outsourcing management, etc.

Benefit:

Improve the system of important information systems production change , strengthen management and technical control, improve project management capability, ensure that the start-up and change of important information systems can meet the business needs and be running smoothly.

Project cycle: 2 months

Introduction:

By checking main system management data, Verify the accuracy and reliability of data collection, identify security policies and safeguards for the integrity, confidentiality, backup, and recovery of information and important business data, verify the process and result of collecting data, transforming data and processing data of the information system are accurate and reliable, and then verify the conformity, consistency and accuracy of information system related data, so as to analyze and evaluate related indexes of information system.

Contents:

Financial data and business data are the main data directly related to the operation of the organization under auditing and directly reflect management status of the organization. Management data refers to the configuration information used in management information system, such as operating system, database management and business system configuration information, and authentication data refers to the information used to confirm the authenticity of identity, such as user name, password and CA certificate, etc. In addition to the above content of data security control, but also includes data acquisition verification, data conversion verification and data processing verification.

Benefit:

The integrity, confidentiality, backup and recovery of the management data, identification information and important business data in the organization system, as well as the conformance, reliability and accuracy of the relevant data, reflect the technical level of data security and data quality management level of the organization under auditing.

Project cycle: 2 months

Introduction:

By checking main system management data, Verify the accuracy and reliability of data collection, identify security policies and safeguards for the integrity, confidentiality, backup, and recovery of information and important business data, verify the process and result of collecting data, transforming data and processing data of the information system are accurate and reliable, and then verify the conformity, consistency and accuracy of information system related data, so as to analyze and evaluate related indexes of information system.

Contents:

Financial data and business data are the main data directly related to the operation of the organization under auditing and directly reflect management status of the organization. Management data refers to the configuration information used in management information system, such as operating system, database management and business system configuration information, and authentication data refers to the information used to confirm the authenticity of identity, such as user name, password and CA certificate, etc. In addition to the above content of data security control, but also includes data acquisition verification, data conversion verification and data processing verification.

Benefit:

The integrity, confidentiality, backup and recovery of the management data, identification information and important business data in the organization system, as well as the conformance, reliability and accuracy of the relevant data, reflect the technical level of data security and data quality management level of the organization under auditing.

Project cycle: 2 months

Introduction:

Through supervision and inspection of the performance of information system project in the stages of planning, development and application, auditors make an appropriate evaluation of the project performance from the aspects of promoting project development performance and improving investment efficiency, taking into account the nature of the system function design and the environment for the application of the system.Propose improvement opinions and issue information system project performance audit report.

Contents:

Project planning performance, including the degree of conformity between project planning and organizational goals, business requirements, the necessity of project establishment, the adequacy and rationality of project requirements, whether the project planning embodies top-level design, whether carry out overall planning and resource integration for major projects.

Project development performance, including project bidding and procurement, contract execution and acceptance, system construction goal realization, project construction goal completion quality, construction fund use, project training and after-sales service, project change, etc.

Project application performance, including system promotion and practical application level, the role of project construction in improving organizational business efficiency and management level, social and economic benefits brought about by development project input and application, system resource utilization rate, system operation stability, whether there is waste of function modules or resources, and the degree of mastery and use of system functions of target users.

Benefit:

Through the audit of information system project planning, development and application, the management can grasp the project performance, understand the function and benefit of information system project to the organization, and judge whether it meets the goal, improves the utilization of resources, and is beneficial to the clean and honest development.

Project cycle: 2 months

Introduction:

Through supervision and inspection of the performance of information system project in the stages of planning, development and application, auditors make an appropriate evaluation of the project performance from the aspects of promoting project development performance and improving investment efficiency, taking into account the nature of the system function design and the environment for the application of the system.Propose improvement opinions and issue information system project performance audit report.

Contents:

Project planning performance, including the degree of conformity between project planning and organizational goals, business requirements, the necessity of project establishment, the adequacy and rationality of project requirements, whether the project planning embodies top-level design, whether carry out overall planning and resource integration for major projects.

Project development performance, including project bidding and procurement, contract execution and acceptance, system construction goal realization, project construction goal completion quality, construction fund use, project training and after-sales service, project change, etc.

Project application performance, including system promotion and practical application level, the role of project construction in improving organizational business efficiency and management level, social and economic benefits brought about by development project input and application, system resource utilization rate, system operation stability, whether there is waste of function modules or resources, and the degree of mastery and use of system functions of target users.

Benefit:

Through the audit of information system project planning, development and application, the management can grasp the project performance, understand the function and benefit of information system project to the organization, and judge whether it meets the goal, improves the utilization of resources, and is beneficial to the clean and honest development.

Project cycle: 2 months

Introduction:

In early 2017, the German Association of the Automotive Industry (VDA) and the ENX Association jointly launched a reliable exchange mechanism, TISAX (Trusted Information Security Assessment Exchange), to achieve the information security credibility assessment of the digital automotive industry, the process and standards of the assessment began to become mandatory requirements, globally, all relevant suppliers, including components vendors and peripheral service providers, are required to establish and maintain an industry-based information security management system and shall pass the TISAX certification at the corresponding level. "TISAX certification" is used by the relevant parties in the European auto industry for internal evaluation, supplier evaluation, is a general information security evaluation mechanism for mutual information exchange, and is also the threshold for the European auto industry to provide services.

Contents:

Different audit levels are determined by the protection level expected to be reached by participants. TISAX distinguishes three different "protection levels" (normal, high and very high), which correspond to the audit levels of AL1, AL2 and AL3. If it's just an AL1-level audit, external auditor is unnecessary, self-assessment of participant would be OK, but note that this level doesn't get the TISAX label; therefore, the enterprise usually requires an external certification auditor to perform an AL2 or AL3-level audit to achieve a high and very high level of protection.

Benefit:

At present, TISAX certification is from the mandatory requirements of main engine plants, to obtain certification is to meet the direct requirements of external demand. Through the corresponding level of TISAX audit, obtain the LableID registered in the TISAX official website, realize the exchange with customer information or consult other company information of the related supply chain. At the same time, enhance the security awareness and ability of employees, enhance the market competitiveness of enterprises, and, as a highly authoritative third-party certification, TISAX certification is extremely recognized and respected by the industry and individual customers, after first audit, in 3 years validity period, all the main engine plants can check the audit information, do not need to repeat the audit, in the case of high recognition, it not only avoid multiple inspections, but also save time saving and effectively manage costs.

Project cycle: 2 months

Introduction:

In early 2017, the German Association of the Automotive Industry (VDA) and the ENX Association jointly launched a reliable exchange mechanism, TISAX (Trusted Information Security Assessment Exchange), to achieve the information security credibility assessment of the digital automotive industry, the process and standards of the assessment began to become mandatory requirements, globally, all relevant suppliers, including components vendors and peripheral service providers, are required to establish and maintain an industry-based information security management system and shall pass the TISAX certification at the corresponding level. "TISAX certification" is used by the relevant parties in the European auto industry for internal evaluation, supplier evaluation, is a general information security evaluation mechanism for mutual information exchange, and is also the threshold for the European auto industry to provide services.

Contents:

Different audit levels are determined by the protection level expected to be reached by participants. TISAX distinguishes three different "protection levels" (normal, high and very high), which correspond to the audit levels of AL1, AL2 and AL3. If it's just an AL1-level audit, external auditor is unnecessary, self-assessment of participant would be OK, but note that this level doesn't get the TISAX label; therefore, the enterprise usually requires an external certification auditor to perform an AL2 or AL3-level audit to achieve a high and very high level of protection.

Benefit:

At present, TISAX certification is from the mandatory requirements of main engine plants, to obtain certification is to meet the direct requirements of external demand. Through the corresponding level of TISAX audit, obtain the LableID registered in the TISAX official website, realize the exchange with customer information or consult other company information of the related supply chain. At the same time, enhance the security awareness and ability of employees, enhance the market competitiveness of enterprises, and, as a highly authoritative third-party certification, TISAX certification is extremely recognized and respected by the industry and individual customers, after first audit, in 3 years validity period, all the main engine plants can check the audit information, do not need to repeat the audit, in the case of high recognition, it not only avoid multiple inspections, but also save time saving and effectively manage costs.

Project cycle: 2 months