Information System Assurance Practices in China



  1. Information System Assurance Practices in China
  • Key players doing IT Assurance in China
  • Professional Organizations
  • Types of IT Related Services by Public Accounting Firms
  • Assurance Standards
  • China Internal Control Standard Framework
  • E-banking Security Assessment Guidelines for Financial Institutions (CBRC)
  • IT Risk Management Guide for Commercial Banks
  • Key Challenges and Trends
  Philip Yang

  2. Key players doing IT Assurance in China
  • Accounting firms, with the Big 4 being the key players. Local firms are lagging behind but are starting to train their people and to go after both assurance and consulting projects.
  • The National Audit Office has a very large number of auditors, some of whom focus on IT audit.
  • Industry regulators, mainly the bank regulator CBRC and the insurance regulator CIRC.
  • Internal audit departments; depending on the nature of the business, some have dedicated IT audit departments, e.g. large banks, insurance companies, telecom companies.

  3. Professional Organizations
  • China Institute of Certified Public Accountants (CICPA)
    • Issues China CPA assurance standards.
    • China CPA exams and certifications.
  • China Institute of Internal Auditors (CIIA)
    • Issues China internal audit standards, e.g. Internal Audit Standard No. 28 – Information System Audit.
    • Agent of the IIA for CIA exams and certifications.
  • ISACA China Chapter (run out of Hong Kong)
  • China Information Systems Auditor Union

  4. Types of IT Related Services by Public Accounting Firms
  • Audit of IT for the purpose of F/S audit
  • Audit of IT as part of internal control audit
  • Compliance-driven IT assurance work, especially for financial institutions such as banks and insurance companies
  • Audit report on internal controls of service organizations (ISAE 3402)
  • Consulting projects: IT strategy, IT governance, IT risk, IT security, data integrity, IT projects

  5. F/S Audit Related CICPA Standards
  • AS1211 – Understanding of the client and its environment
  • AS1212 – Considerations on the use of service organizations
  • AS1231 – Audit procedures to address significant risks
  • AS1314 – Sampling and other means of substantive tests
  • AS1421 – Use of specialists
  • AS1611 – Audit of commercial banks
  • AS1633 – Impacts of e-commerce on F/S audit

  6. Other IT Related Assurance Standards
  • AS3101 – Standard on assurance of information other than historical financial information (CICPA)
  • Internal Control Audit Guide (CICPA)
  • Internal Audit Standard No. 28 – Information System Audit (CIIA)

  7. China Enterprise Internal Control Standards Framework
  • The Basic Standard for Enterprise Internal Control (MOF)
  • Internal Control Application Guidelines (MOF) – 18 guidelines at this moment (see next page)
  • Companies: Internal Control Assessment Guide (MOF)
  • Auditors: Internal Control Audit Guide (CICPA)
  • Industry regulator requirements, e.g. Internal Control Guide for Commercial Banks (CBRC)
  • Securities regulator and stock exchange requirements, e.g. IPO requirements, annual report requirements

  8. China Enterprise Internal Control Standards Framework (cont’d) – Internal Control Application Guidelines

  9. IT Risk Management Guide for Commercial Banks (China Banking Regulatory Commission)
  • 第一章 总则 – Chapter 1, General Guidelines
  • 第二章 信息科技治理 – Chapter 2, IT Governance
  • 第三章 信息科技风险管理 – Chapter 3, IT Risk Management Framework
  • 第四章 信息安全 – Chapter 4, Information Security
  • 第五章 信息系统开发、测试和维护 – Chapter 5, IT Application Development, Test and Maintenance
  • 第六章 信息科技运行 – Chapter 6, IT Operation
  • 第七章 业务连续性管理 – Chapter 7, Business Continuity Management
  • 第八章 外包 – Chapter 8, Outsourcing
  • 第九章 内部审计 – Chapter 9, Internal Audit
  • 第十章 外部审计 – Chapter 10, External Audit
  • 第十一章 附则 – Chapter 11, Other Matters

  10. IT Risk Management Guide for Commercial Banks (China Banking Regulatory Commission)
  • 第九章 内部审计 – Chapter 9, Internal Audit
    • The Internal Audit Department should have auditors with relevant IT audit knowledge and experience.
    • Internal Audit should decide audit scope and frequency based on the nature of the IT applications. A comprehensive IT audit should be done at least once every 3 years.
  • 第十章 外部审计 – Chapter 10, External Audit
    • Banks may engage external auditors to conduct IT audit.

  11. E-banking Security Assessment Guidelines for Financial Institutions (CBRC)
  • Chapter 1, General Requirements
    • E-banking security assessment covers security strategy, control policies, risk responses, system security and client protection.
    • Financial institutions providing e-banking services should have an overall assessment at least once every two years.
  • Chapter 2, Assessment Agent
    • Either an independent specialist organization or a competent and independent internal department may perform the assessment.
    • An institution may engage a security assessment organization certified by CBRC, or one that is not.

  12. E-banking Security Assessment Guidelines for Financial Institutions (CBRC) (cont’d)
  • Chapter 3, Execution of Security Assessment
    • Scope of the assessment: security strategy, internal control policy, risk management status, system security, e-banking BCP, contingency plans, risk monitoring and alert system
    • The assessment report should include at least:
      1) Time, scope and other key terms in the assessment contract
      2) Assessment framework, procedures and approach; bios of the assessors
      3) Definition and standard for risk weights, risk classification and risk calculation
      4) Description of assessment subjects and assessment activities
      5) Conclusions
      6) Recommendations to the institution on e-banking security
      7) Any other matters worth mentioning
      8) Terminology and international or domestic standards used
      9) Assessment work program as attachments
      10) Name list of assessors

  13. E-banking Security Assessment Guidelines for Financial Institutions (CBRC) (cont’d)
  • Chapter 4, Timing and Filing Requirements
    • An assessment needs to be done before the roll-out of e-business by a financial institution.
    • An assessment needs to be done when the following events occur:
      1) System down due to attacks
      2) Prolonged downtime after system changes
      3) Major hardware failures causing prolonged service interruptions
      4) Any other events for which an assessment is deemed necessary
    • Branches of foreign FIs in China do not need to do a separate assessment if their e-banking systems are located overseas and assessments are done by their parents. However, they still need to file reports with CBRC on those assessments.
    • Upon completion of an assessment report, the FI should file the report with CBRC within one month.

  14. Key Challenges and Trends
  • Talents
  • Standards
  • IT strategy and planning
  • IT investment management
  • IT cost management
  • IT governance

  15. Thank you...
  • Philip Yang, Partner
  • PricewaterhouseCoopers
  • philip.yang@cn.pwc.com
  • (86) 10 – 6533-7308
