-
Ming Hu commented on the post, Week 2 Questions, on the site 8 years, 1 month ago
Thanks for sharing. I like the word “complementary”: both of them share the same objectives from different views and focus on different aspects.
-
Ming Hu commented on the post, Week 2 Questions, on the site 8 years, 1 month ago
Thanks for sharing. I noticed that among the differences you listed was “ITIL focus more on ITSM”. It confused me because COBIT also focuses on ITSM, so what does that mean?
-
Ming Hu commented on the post, Week 2 Questions, on the site 8 years, 1 month ago
Thanks for your sharing. I think the point is that a control framework directs IT auditors to conduct their auditing,
-
Ming Hu posted a new activity comment 8 years, 1 month ago
Q: Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
Comparison between COBIT and ITIL
Function: Mapping IT Process vs Mapping IT Service Level Management
Area: 4 Process and 34 Domain vs 9 Process
Issuer: ISACA vs OGC
Implementation: Information System Audit vs Manage Service Level
Consultant;…
-
Ming Hu commented on the post, Week 2 Questions, on the site 8 years, 1 month ago
Q: Why do we need control framework to guide IT auditing?
A control framework organizes and categorizes an organization’s internal controls; it provides guidelines and standards for IT auditing to achieve compliance with applicable laws and regulations, effectiveness and efficiency of operations, and reliability of reports.
-
Ming Hu posted a new activity comment 8 years, 1 month ago
Q: Explain the key IT audit phases. What are the key activities within each phase?
Planning – determine the objectives and scope of the audit
Key activities: performs preliminary surveys; collaborates with customers; assessment
Field work and documentation – analyze the potential risks and determine which risks have not been mitigated a…
-
Ming Hu posted a new activity comment 8 years, 1 month ago
Preventive controls – these controls proactively mitigate risks by preventing their occurrence, such as password protection, identity authentication, etc.
Detective controls – these controls are designed to find errors and within the organization, including audits, reviews of performance, etc.
Corrective controls – these controls help mitigate…
-
Ming Hu posted a new activity comment 8 years, 1 month ago
The article talks about malware designed for Android users that uses Twitter instead of command-and-control (C&C) servers for an Android botnet; it’s innovative and even harder to discover or block. The threat spreads through SMS or malicious URLs sent to its victims, then may download malicious applications without the victims’ awareness, switch…
-
Ming Hu posted a new activity comment 8 years, 1 month ago
Q: What is the purpose of all auditors having some understanding of technology?
A: IT-related tools have proved powerful and sophisticated for auditors conducting audits; auditors may use features or services provided by these tools that command large amounts of system resources (memory, processing cycles, and storage) to gain deeper…
-
Ming Hu posted a new activity comment 8 years, 1 month ago
Q: How does the control environment affect IT?
A: The control environment is the foundation for all other components of internal control; it affects IT by providing discipline and structure to deploy the definition, installation, configuration, integration and maintenance of the organization’s IT infrastructure. In the meantime, IT could also affect…
-
Ming Hu commented on the post, Week 1 Questions, on the site 8 years, 1 month ago
Q: What are some current system-related risks that you have experienced in your organization?
A: As a salesman who interned at China Telecom in the summer, I have experienced some system-related risks in my organization. All of us interns were untrained, the safety index of our hard devices was quite low, U-disks were non-encrypted, laptops could be…
-
Ming Hu posted a new activity comment 8 years, 1 month ago
Q: What issues did you identify from this video?
A: The video shows how critical it is to provide professional training to staff to awaken their awareness and attitude toward information security so as to achieve it. Without proper training, there’s a high risk for an organization to suffer from valuable information disclosure due to staff’s…
-
Ming Hu posted a new activity comment 8 years, 2 months ago
There is no doubt that information security is both a technical and business problem and everyone should be responsible for it.
From the technical view, physical protection is greatly needed, and proper information protection infrastructure ought to be established, such as the technology of firewalls, encryption, identification, etc., so as to…
-
Ming Hu commented on the post, Progress Report for Week Ending, March 15, on the site 8 years, 2 months ago
That’s where divisions exist. To a specific organization, complying with certain provisions or standards may be very costly, just as you described above. But from an overall aspect, compliance focuses on ensuring that the whole industry is on the right track, which may lead to increasing profitability of the industry as a whole rather than reduces one…
-
Ming Hu commented on the post, Week 2: Questions, on the site 8 years, 2 months ago
I agree with you: whether the control environment of an organization is weak or effective is, to a large extent, up to its upper management’s attitude and awareness toward the importance of the control environment. The establishment of an organization’s culture, ethics, standards and structures highly hinges on upper management’s attention and participation…
-
Ming Hu commented on the post, Week 2: Questions, on the site 8 years, 2 months ago
Great explanation. The occurrence of such shocking financial scandals arose from serious control failure. By enacting a series of legal provisions with which organizations must be in compliance, to raise the importance of ICS within organizations as you said above so as to create a legal and effective control mechanism, not only for evaluation but…
-
Ming Hu commented on the post, Progress Report for Week Ending, March 1, on the site 8 years, 2 months ago
As you said, there are no legal regulations that require an organization to choose the lowest-priced vendor, but there are regulations that such selection or transaction must be in compliance with, such as the selection should be legal or satisfy certain standards, so that is still compliance-driven. Only if certain conditions are fulfilled, you…
-
Ming Hu posted a new activity comment 8 years, 2 months ago
Q2: The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high-profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
We all know that the Sarbanes-Oxley Act resulted from a series of high profile financial scandals that occurred at…
-
Ming Hu posted a new activity comment 8 years, 2 months ago
Answer to Q 2.
The Sarbanes-Oxley Act was implemented in the year 2002 following the major corporate and accounting scandals including Enron and WorldCom. Since then, there have been many question marks on whether the law is a sufficient reaction to the failures or are they just an overreaction.
We all know that the Sarbanes-Oxley Act resulted…