Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.

Published byFinn Mickle Modified over 9 years ago

Similar presentations

Presentation on theme: "Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory."— Presentation transcript:

1 Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory Authorities -Professional OrganizationsProfessional Organizations -Standards and Regulatory Requirement ExamplesStandards and Regulatory Requirement Examples Types of IS Related Services by Public Accounting Firms Key Challenges and Trends 1 十月 2011 Philip Yang

2 Key players doing IT Assurance In China Accounting firms, with the big 4 being the key players. Local firms are lagging behind but starting to train their people and going after both assurance and consulting projects. National Audit Office has a very large number of auditors with some focusing on IT audit. Industry regulators, mainly bank regulator CBRC and insurance regulator CIRC. Internal audit departments, depends on nature of business some have IT audit departments, e.g. large banks, insurance companies, telecom companies. 2 十月 2011

3 Regulatory Authorities Ministry of Finance -Issues China accounting and reporting standards and explanations. -Internal control standards. Industry and security regulators -CBRC -CIRC -CSRC Standardization Administration of the People's Republic of China 3 十月 2011

4 Professional Organizations China Institute of Certified Public Accountants -Issues China CPA assurance standards. -China CPA exams and certifications. China Institute of Internal Auditors -Issues China internal audit standards, e.g. Internal Audit Standard No. 28–Information System Audit. -Agent of IIA on CIA exams and certifications. ISACA China Chapter (running out of Hong Kong) China Information Systems Auditor Union 4 十月 2011

5 F/S Audit Related CICPA Standards Related to IS AS1211 – Understanding of client and its environments AS1212 – Considerations on use of service organizations AS1231 – Audit procedures to address significant risks AS1314 – Sampling and other means of substantative tests AS1421 – Use of specialists AS1611 – Audit of commercial banks AS1633 – Impacts of e-commerce to F/S audit 5 十月 2011

6 Other IS Related Assurance Standards AS3101 – Standard on assurance of information other than historical financial information (CICPA) Internal control audit guide (CICPA) Internal Audit Standard No. 28–Information System Audit (CIIA) 6 十月 2011

7 China Enterprise Internal Control Standards Framework Internal Control Application Guidelines (MOF) 18 Guidelines at this moment(see next page) Internal Control Audit Guide (CICPA) Internal Control Assessment Guide (MOF) The Basic Standard for Enterprise Internal Control (MOF) CompaniesAuditors Industry Regulator Requirements, e.g. Internal Control Guide for Commercial Banks (CBRC) Security Regulator and Stock Exchange Requirements, e.g. IPO requirements, Annual Report requirements 7

8 China Enterprise Internal Control Standards Framework(cont’d) Internal Control Application Guidelines 8 Internal Environments ( 5 ) Process Controls ( 9 ) Control Mechanism ( 4 ) Organization Structure Development Strategy Human Resource Social Responsibility Enterprise Culture Treasury Procurement Asset Management Sales Research &Development Construction Projects Guarantee Outsourcing Financial Reporting Total Budgeting Contract Management Information and Communication Information System

9 IT Risk Management Guide for Commercial Banks China Banking Regulatory Commission Chapter 1, General Guidelines Chapter 2, IT Governance Chapter 3, IT Risk Management Framework Chapter 4, Information Security Chapter 5, IT Application Development, Test and Maintenance Chapter 6, IT Operation Chapter 7, Business Continuity Management Chapter 8, Outsourcing Chapter 9, Internal Audit Chapter 10, External Audit Chapter 11, Other Matters 9 十月 2011

10 IT Risk Management Guide for Commercial Banks China Banking Regulatory Commission Chapter 9, Internal Audit -Internal Audit Department should have auditors with relevant IT audit knowledge and experience -Internal Audit should decide audit scope and frequency based on nature of IT applications. A comprehensive IT audit should be done at least once in every 3 years. Chapter 10, External Audit -Banks may engage external auditors to conduct IT audit. 10 十月 2011

11 E-banking Security Assessment Guidelines for Financial Institutions (CBRC) Chapter 1, General Requirements E-banking security assessment covers security strategy, control policies, risk responses, system security, client protection. Financial institutions providing e-banking services should have an overall assessment at least once in every two years. 11 十月 2011 Chapter 2, Assessment Agent Either an independent specialists organization or a competent and independent internal department may perform the assessment. An Institution may engage a security assessment organization certified by CBRC or those that are not.

12 E-banking Security Assessment Guidelines for Financial Institutions (CBRC) (cont’d) Chapter 3, Execution of Security Assessment Scope of the assessment: Security strategy, Internal control policy, Risk management status, System security, E-banking BCP, Contingency plans, Risk monitor and alert system Assessment report should include at least: 1) Time, scope and other key terms in the assessment contracts, 2) Assessment framework, procedures, approach; Bios of the assessors, 3) Definition and standard for risk weights, risk classification, and risk calculation, 4) Description of assessment subjects and assessment activities, 5) Conclusions, 6) Recommendations to the institution on e-banking security, 7) Any other matters worth mentioning, 8) Terminologies and international or domestic standards used, 9) Assessment work program as attachments, 10) Name list of assessors. 12 十月 2011

13 E-banking Security Assessment Guidelines for Financial Institutions (CBRC) (cont’d) Chapter 4, Timing and Filing Requirements An assessment needs to be done before the roll out of e-business by a financial institution. An assessment needs to be done when the following events occur : 1 ) System down by attacks, 2) Prolonged downtime after system changes, 3) Major hardware failures causing prolonged service interruptions, 4) Any other events that an assessment is deemed necessary. Branches of foreign Fis in China does not need to do an separate assessment is their e-banking systems are located overseas and assessments are done by their parents. However, they still need to fill reports with CBRC on those assessments. Upon completion of an assessment report, the FI should file the report with CBRC within one month. 13 十月 2011

14 Types of IS Related Services by Public Accounting Firms Audit of IT for the purpose of F/S audit Audit of IT as part of internal control audit Compliance driven IT assurance work, especially for financial institutions such as banks and insurance companies Audit report on internal controls of service organizations (ISAE3402) Consulting projects: IT strategy, IT governance, IT risk, IT security, Data integrity, IT projects 14 十月 2011

15 Key Challenges and Trends Talents Standards IT strategy and planning IT investment management IT cost management IT GOVERNANCE 15 十月 2011 IS Assurance in China, Philip Yang

16 Thank you... Philip Yang, Partner PricewaterhouseCoopers philip.yang@cn.pwc.com (86) 10 – 6533-7308

Download ppt "Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory."

Similar presentations

New IA IA Clinic March 30, 2013. Definition of Internal Auditing Internal auditing is an independent, objective assurance and consulting activity designed.

New IA IA Clinic March 30, Definition of Internal Auditing Internal auditing is an independent, objective assurance and consulting activity designed.
PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.

PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 2 - 1 The CPA Profession Chapter 2.

©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley The CPA Profession Chapter 2.
1 Chapter 3 Homework. 2 3-18- Violation of Commission Rule CPA cannot accept any form of commission related to a client for which he/she also audits or.

1 Chapter 3 Homework Violation of Commission Rule CPA cannot accept any form of commission related to a client for which he/she also audits or.
Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.

Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 1 - 1 The Demand for Audit and Other Assurance Services Chapter 1.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
The Demand for Audit and Other Assurance Services Chapter 1.

The Demand for Audit and Other Assurance Services Chapter 1.
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Internal Control and Internal Audit

Internal Control and Internal Audit
External Quality Assessments

External Quality Assessments
Euseden INTERNAL AUDIT & ASSURANCE SERVICES.

Euseden INTERNAL AUDIT & ASSURANCE SERVICES.
Lecture 8 Understanding entity and its environment

Lecture 8 Understanding entity and its environment
What are the challenges of implementing ISSAIs in NAO of Estonia? Krista Zibo Audit manager of Financial Audit Department Meeting of Experts of SAIs of.

What are the challenges of implementing ISSAIs in NAO of Estonia? Krista Zibo Audit manager of Financial Audit Department Meeting of Experts of SAIs of.
Corporate Ethics Compliance *

Corporate Ethics Compliance *
ISA 220 – Quality Control for Audits of Historical Financial Information

ISA 220 – Quality Control for Audits of Historical Financial Information
BRIEFING TO THE PORTFOLIO COMMITTEE ON THE DPSA’S RISK MANAGEMENT STRATEGY PRESENTATION TO THE PORTFOLIO COMMITTEE 12 MAY 2010 1.

BRIEFING TO THE PORTFOLIO COMMITTEE ON THE DPSA’S RISK MANAGEMENT STRATEGY PRESENTATION TO THE PORTFOLIO COMMITTEE 12 MAY
Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.

Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.

Similar presentations

Ads by Google