
Construction Of An IT Risk Framework Based On IT Government

Posted on: 2009-10-18
Degree: Master
Type: Thesis
Country: China
Candidate: X Bai
GTID: 2189360245487563
Subject: Accounting

Abstract/Summary:
In recent years many scandals have emerged around the world, such as the bankruptcy of Enron, the financial abuses at WorldCom and fraud at several listed companies in China, which have focused the world's attention on financial reporting. As a result of the damage done by these scandals and pressure from the United States Congress, the Sarbanes-Oxley Act of 2002 was enacted on July 30, 2002. The SEC and NYSE then promulgated rules and restrictions one after another, which have had a deep influence on corporate governance and internal control. Section 302 of the Act requires the CEO and CFO to report on their internal control systems and to sign the financial statements submitted to the SEC as a guarantee; this law will therefore force senior executives to ensure that the corporation's internal control system is appropriate. Section 404 requires companies to: (1) state management's responsibility for establishing and maintaining adequate internal controls and financial reporting; (2) at the end of the financial year, assess the effectiveness of the internal control structure and financial reporting procedures. For the first time, the NYSE requires all listed companies to register an internal audit function. In 1994 the revised COSO Report was issued, which is often described as the "Bible" of internal control. In September 2004, COSO proposed "corporate risk management - the overall framework". It is not merely an advanced version of "Internal Control - the overall framework"; it shows how the meaning of internal control has been transformed and extended in its definition, target system and structural elements.

COBIT, an internationally well-known common standard for information systems audit, has been updated through to its fourth edition since it was first issued in 1996, strengthening its control of IT risk targets and raising a number of new issues for information systems audit. At the same time, many information security standards around the world have put forward their own risk management control frameworks, so that for a period many competing frameworks have flourished side by side. This paper covers several internal control frameworks with wide implications, such as ITIL, ISO17799, CMMI, Prince2, NIST and ITGI. Most of the IT governance frameworks put forward the concept of IT governance or propose IT research on the premise of internal risk control. IT governance appears to be an important direction for corporate governance. In today's global business environment, the importance of information is widely accepted and information systems are in wide use. The growing dependence on information systems, together with the associated business risks, benefits and opportunities, is making IT governance an increasingly key part of corporate governance. At present, IT governance theory has become a hot spot in research on internal control and information systems audit. Enterprises rely on IT systems more than before, but there are few reasonable IT risk management frameworks that allow a corporation to manage IT risks well, which has led to growing demand for an appropriate risk management framework. The purpose of this paper is to establish a risk management framework, matched to information technology maturity, for companies whose information technology is at a higher maturity level.

The first chapter introduces the background and necessity, and outlines the IT governance concepts of the risk management framework. Chapter II introduces the demand for a risk management framework, focusing mainly on regulatory requirements both domestic and foreign. Chapter III covers the internationally prevalent control frameworks and standards. Chapters IV and V are the core of this paper: Chapter IV gives a comprehensive view of the various internal control frameworks after an in-depth comparison, and Chapter V builds a new risk management framework through deep analysis and proposes an approach to implementation. Chapter VI gives suggestions and insights on the IT technical audit of internal control through a case study conducted under the new framework. The paper ends with the conclusions.
Keywords/Search Tags: IT Government, Internal Control, Risk management framework