信息化绩效评价.pptVIP

COSO and COBIT are probably the best known Control Frameworks associated with Sarbox. All three of these frameworks were built with the knowledge of each other. COSO came from the accounting business and is higher level – COSO is directed towards internal controls in general. COSO does not provide specifics for IT. COBIT was then defined to provide specific control objectives for IT. Both of these have broader ramifications than just Sarbox. Some critics claim that COBIT is too broad and cumbersome to follow for Sarbox. SysTrust is somewhat of an abbreviated version dealing with “system trust” issues. As such, it more succinctly ties to the integrity and operations risk management issues being addressed by Sarbox. COSO: COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. COBIT, COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. issued by the IT Governance Institute and now in its third edition, is increasingly internationally accepted as good practice for control over information, IT and related risks. Its guidance enables an enterprise to implement effective governance over the IT that is pervasive and intrinsic throughout the enterprise. In particular, COBITs Management Guidelines component contains a framework responding to managements need for control and measurability of IT by providing tools to assess and measure the enterprise’s IT capability for the 34 COBIT IT processes. SysTrust Standards to address marketplace needs for assurance about s