Add to collection(s) Add to saved
  1. Business
  2. Finance

00philipYslidesV2.0

advertisement 
Information System Assurance Practices in China
Key players doing IS Assurance In China
Regulatory Regime and Professional Organizations
- Regulatory Authorities
- Professional Organizations
- Standards and Regulatory Requirement Examples
Types of IS Related Services by Public Accounting Firms
Key Challenges and Trends
Philip Yang
十月 2011
1
Key players doing IT Assurance In China
• Accounting firms, with the big 4 being the key players. Local firms
are lagging behind but starting to train their people and going after
both assurance and consulting projects.
• National Audit Office has a very large number of auditors with some
focusing on IT audit.
• Industry regulators, mainly bank regulator CBRC and insurance
regulator CIRC.
• Internal audit departments, depends on nature of business some
have IT audit departments, e.g. large banks, insurance companies,
telecom companies.
十月 2011
2
Regulatory Authorities
• Ministry of Finance
- Issues China accounting and reporting standards and
explanations.
- Internal control standards.
• Industry and security regulators
- CBRC
- CIRC
- CSRC
• Standardization Administration of the People's Republic of China
十月 2011
3
Professional Organizations
• China Institute of Certified Public Accountants
- Issues China CPA assurance standards.
- China CPA exams and certifications.
• China Institute of Internal Auditors
- Issues China internal audit standards, e.g. Internal Audit Standard
No. 28–Information System Audit.
- Agent of IIA on CIA exams and certifications.
• ISACA China Chapter (running out of Hong Kong)
• China Information Systems Auditor Union
十月 2011
4
F/S Audit Related CICPA Standards Related to IS
• AS1211 – Understanding of client and its environments
• AS1212 – Considerations on use of service organizations
• AS1231 – Audit procedures to address significant risks
• AS1314 – Sampling and other means of substantative tests
• AS1421 – Use of specialists
• AS1611 – Audit of commercial banks
• AS1633 – Impacts of e-commerce to F/S audit
十月 2011
5
Other IS Related Assurance Standards
• AS3101 – Standard on assurance of information other than historical
financial information (CICPA)
• Internal control audit guide (CICPA)
• Internal Audit Standard No. 28–Information System Audit (CIIA)
十月 2011
6
China Enterprise Internal Control Standards
Framework
Companies
Internal Control Assessment Guide
(MOF)
Auditors
Internal Control Audit Guide (CICPA)
Industry Regulator Requirements, e.g. Internal Control Guide for Commercial
Banks (CBRC)
Security Regulator and Stock Exchange Requirements, e.g. IPO
requirements, Annual Report requirements
Internal Control Application Guidelines (MOF)
18 Guidelines at this moment(see next page)
The Basic Standard for Enterprise Internal Control (MOF)
7
China Enterprise Internal Control Standards
Framework(cont’d)
Internal Control Application Guidelines
Internal Environments
(5)
Process Controls(9)
Organization Structure
Development Strategy
Human Resource
Social Responsibility
Enterprise Culture
Treasury
Procurement
Asset Management
Sales
Research &Development
Construction Projects
Guarantee
Outsourcing
Financial Reporting
Control Mechanism
(4)
Total Budgeting
Contract Management
Information and
Communication
Information System
8
IT Risk Management Guide for Commercial Banks
China Banking Regulatory Commission
• Chapter 1, General Guidelines
• Chapter 2, IT Governance
• Chapter 3, IT Risk Management Framework
• Chapter 4, Information Security
• Chapter 5, IT Application Development, Test and Maintenance
• Chapter 6, IT Operation
• Chapter 7, Business Continuity Management
• Chapter 8, Outsourcing
• Chapter 9, Internal Audit
• Chapter 10, External Audit
• Chapter 11, Other Matters
十月 2011
9
IT Risk Management Guide for Commercial Banks
China Banking Regulatory Commission
• Chapter 9, Internal Audit
- Internal Audit Department should have auditors with relevant IT audit
knowledge and experience
- Internal Audit should decide audit scope and frequency based on nature of
IT applications. A comprehensive IT audit should be done at least once in
every 3 years.
• Chapter 10, External Audit
- Banks may engage external auditors to conduct IT audit.
十月 2011
10
E-banking Security Assessment Guidelines for
Financial Institutions (CBRC)
Chapter 1, General Requirements
• E-banking security assessment covers security strategy, control
policies, risk responses, system security, client protection.
• Financial institutions providing e-banking services should have an
overall assessment at least once in every two years.
Chapter 2, Assessment Agent
• Either an independent specialists organization or a competent and
independent internal department may perform the assessment.
• An Institution may engage a security assessment organization
certified by CBRC or those that are not.
十月 2011
11
E-banking Security Assessment Guidelines for
Financial Institutions (CBRC) (cont’d)
Chapter 3, Execution of Security Assessment
• Scope of the assessment: Security strategy, Internal control policy,
Risk management status, System security, E-banking BCP,
Contingency plans, Risk monitor and alert system
• Assessment report should include at least: 1) Time, scope and other
key terms in the assessment contracts, 2) Assessment framework,
procedures, approach; Bios of the assessors, 3) Definition and
standard for risk weights, risk classification, and risk calculation, 4)
Description of assessment subjects and assessment activities, 5)
Conclusions, 6) Recommendations to the institution on e-banking
security, 7) Any other matters worth mentioning, 8) Terminologies
and international or domestic standards used, 9) Assessment work
program as attachments, 10) Name list of assessors.
十月 2011
12
E-banking Security Assessment Guidelines for
Financial Institutions (CBRC) (cont’d)
Chapter 4, Timing and Filing Requirements
• An assessment needs to be done before the roll out of e-business by a
financial institution.
• An assessment needs to be done when the following events occur:
1)
System down by attacks, 2) Prolonged downtime after system
changes, 3) Major hardware failures causing prolonged service
interruptions, 4) Any other events that an assessment is deemed
necessary.
• Branches of foreign Fis in China does not need to do an separate
assessment is their e-banking systems are located overseas and
assessments are done by their parents. However, they still need to fill
reports with CBRC on those assessments.
• Upon completion of an assessment report, the FI should file the
report with CBRC within one month.
十月 2011
13
Types of IS Related Services by Public Accounting
Firms
• Audit of IT for the purpose of F/S audit
• Audit of IT as part of internal control audit
• Compliance driven IT assurance work, especially for financial
institutions such as banks and insurance companies
• Audit report on internal controls of service organizations (ISAE3402)
• Consulting projects: IT strategy, IT governance, IT risk, IT security,
Data integrity, IT projects
十月 2011
14
Key Challenges and Trends
• Talents
• Standards
• IT strategy and planning
• IT investment management
• IT cost management
• IT GOVERNANCE
IS Assurance in China, Philip Yang
十月 2011
15
Thank you...
Philip Yang, Partner
PricewaterhouseCoopers
philip.yang@cn.pwc.com
(86) 10 – 6533-7308
Related documents
Evolution of an Automated Internal Audit Management System
Evolution of an Automated Internal Audit Management System
QUALITY ASSURANCE: Obstetrics Auditing, Records & Reports
QUALITY ASSURANCE: Obstetrics Auditing, Records & Reports
Audit Poster - BSG Colonoscopy Audit
Audit Poster - BSG Colonoscopy Audit
LGFMA Presentation - Internal Audit Program Model
LGFMA Presentation - Internal Audit Program Model
Presentation A&A Forum
Presentation A&A Forum
grp-2
grp-2
TH INSTITUTE OF CHARTERED ACCOUNTANTS OF
TH INSTITUTE OF CHARTERED ACCOUNTANTS OF
Subcommittee on Internal and External Audits Activity Report
Subcommittee on Internal and External Audits Activity Report
Finance & Investment Day-Audit Panel
Finance & Investment Day-Audit Panel
Download
advertisement