Guidelines for the Application of Internal Control in Enterprises No. 18 - Information Systems

企业内部控制应用指引第18号——信息系统

Promulgating Institution: Ministry of Finance; China Securities Regulatory Commission; National Auditing Office; China Banking Regulatory Commission; China Insurance Regulatory Commission

Document Number: Cai Kuai [2010] No. 11

Promulgating Date: 04/15/2010

Effective Date: 04/15/2010

颁布机关: 财政部; 中国证券监督管理委员会; 审计署; 中国银行业监督管理委员会; 中国保险监督管理委员会

文   号: 财会[2010]11号

颁布时间: 04/15/2010

实施时间: 04/15/2010

Chapter 1: General Provisions

第一章 总 则

 Article 1  With a view to pushing enterprises to exercise effective internal control, improving the modern management level of enterprises, and reducing human factors, these Guidelines are formulated in accordance with the relevant laws and regulations, as well as the Basic Norms for the Internal Control of Enterprises.

   第一条 为了促进企业有效实施内部控制，提高企业现代化管理水平，减少人为因素，根据有关法律法规和《企业内部控制基本规范》，制定本指引。

 Article 2  For the purpose of these Guidelines, information systems shall refer to the information management platform formed as a result of the integration, conversion and upgrading of internal control by an enterprise by making use of computers and communication technologies.

   第二条 本指引所称信息系统，是指企业利用计算机和通信技术，对内部控制进行集成、转化和提升所形成的信息化管理平台。

 Article 3  An enterprise shall, at least, pay attention to the following risks in exercising internal control by use of information systems:

(1) The risks of the lack of an information system or the risks of unreasonable planning, which may result in information silos or redundant information building, leading to inefficient operation and management of the enterprise;

(2) The risks that system development fails to meet the requirements of internal control, and that authorization fails to be properly managed, which may make it impossible for the enterprise to exercise effective control by information technologies; and

(3) The risks that system operation maintenance and security measures are not in place, which may lead to information leakage or damage, or affect proper system function.

   第三条 企业利用信息系统实施内部控制至少应当关注下列风险：

  （一）信息系统缺乏或规划不合理，可能造成信息孤岛或重复建设，导致企业经营管理效率低下。

  （二）系统开发不符合内部控制要求，授权管理不当，可能导致无法利用信息技术实施有效控制。

  （三）系统运行维护和安全措施不到位，可能导致信息泄漏或毁损，系统无法正常运行。

 Article 4  An enterprise shall pay attention to the role of information systems in internal control, formulate the overall planning of the building of information systems according to internal control requirements and in light of its organizational structure, business scope, geographical distribution, technical capacity and other factors, increase investment, and organize the development, operation and maintenance of information systems in an orderly manner, optimize management processes, and guard against operational risks, so as to upgrade the level of its modern management in an all-round manner.

The enterprise shall designate a department to manage the building of information systems on a centralized basis, specify the duties and authority of relevant units, and establish an effective working mechanism. The enterprise may entrust a professional agency with the development, operation and maintenance of its information systems.

The person in charge of the enterprise shall be responsible for the building of the information systems.

   第四条 企业应当重视信息系统在内部控制中的作用，根据内部控制要求，结合组织架构、业务范围、地域分布、技术能力等因素，制定信息系统建设整体规划，加大投入力度，有序组织信息系统开发、运行与维护，优化管理流程，防范经营风险，全面提升企业现代化管理水平。

  企业应当指定专门机构对信息系统建设实施归口管理，明确相关单位的职责权限，建立有效工作机制。企业可委托专业机构从事信息系统的开发、运行和维护工作。

  企业负责人对信息系统建设工作负责。

Chapter 2: Development of Information Systems

第二章 信息系统的开发

 Article 5  An enterprise shall propose project development plans according to the overall planning of the building of information systems, make clear the goals, staffing, division of responsibilities, funding and schedule related to information system building, and start developing the systems after examination and approval in accordance with the prescribed authority and procedures.

The centralized information system management department of the enterprise shall organize relevant internal units to state their development needs and critical control points, standardize the development process, make clear the management requirements of the entire process covering system design, programming, installation, testing, final acceptance and official launch, and organize the development in strict accordance with the development plans, development process and relevant requirements.

The enterprise may develop information systems on its own, by testing and adjusting purchased systems, or by business outsourcing. In the latter two cases, the enterprise shall select the suppliers or developers based on merits by open bidding or other means.

   第五条 企业应当根据信息系统建设整体规划提出项目建设方案，明确建设目标、人员配备、职责分工、经费保障和进度安排等相关内容，按照规定的权限和程序审批后实施。

  企业信息系统归口管理部门应当组织内部各单位提出开发需求和关键控制点，规范开发流程，明确系统设计、编程、安装调试、验收、上线等全过程的管理要求，严格按照建设方案、开发流程和相关要求组织开发工作。

  企业开发信息系统，可以采取自行开发、外购调试、业务外包等方式。选定外购调试或业务外包方式的，应当采用公开招标等形式择优确定供应商或开发单位。

 Article 6  During the development of its information systems, an enterprise shall embed the business process, critical control points and processing rules of its production, operation and management into system programs, so as to achieve the control functions that are difficult to be operated manually.

During system development, the enterprise shall control the operating authority of different users by the access management function of information systems in accordance with the control requirements applicable to different business, so as to avoid granting the authorities to deal with incompatible duties to the same user.

The enterprise shall, in response to the entry methods of different data, consider developing a function to check and verify the data to enter the systems. In addition, it shall strengthen the management of necessary back office operations, establish a standardized workflow system, and conduct monitoring or audit of the operating conditions.

The enterprise shall make available the function to log operations in its information systems to ensure that the operations can be audited. The information systems shall be designed in such a way that abnormal transactions and data, or those in violation of the internal control requirements are automatically reported, followed up and processed by the systems.

   第六条 企业开发信息系统，应当将生产经营管理业务流程、关键控制点和处理规则嵌入系统程序，实现手工环境下难以实现的控制功能。

  企业在系统开发过程中，应当按照不同业务的控制要求，通过信息系统中的权限管理功能控制用户的操作权限，避免将不相容职责的处理权限授予同一用户。

  企业应当针对不同数据的输入方式，考虑对进入系统数据的检查和校验功能。对于必需的后台操作，应当加强管理，建立规范的流程制度，对操作情况进行监控或者审计。

  企业应当在信息系统中设置操作日志功能，确保操作的可审计性。对异常的或者违背内部控制要求的交易和数据，应当设计由系统自动报告并设置跟踪处理机制。

 Article 7  The centralized information system management department of an enterprise shall strengthen the follow-up management of the entire process of information system development, organize developers and various internal units to conduct daily communication and coordination, urge the developers to complete programming tasks in accordance with the development plans, the planned schedule and quality requirements, carry out inspection and final acceptance of the hardware equipment and system software equipped, and organize the official launch and operation of the systems.

   第七条 企业信息系统归口管理部门应当加强信息系统开发全过程的跟踪管理，组织开发单位与内部各单位的日常沟通和协调，督促开发单位按照建设方案、计划进度和质量要求完成编程工作，对配备的硬件设备和系统软件进行检查验收，组织系统上线运行等。

 Article 8  An enterprise shall organize a professional agency independent of the developers to conduct testing and final acceptance of the information systems developed so as to ensure that the systems meet the development needs in terms of their functions, performance, control requirements and security.

   第八条 企业应当组织独立于开发单位的专业机构对开发完成的信息系统进行验收测试，确保在功能、性能、控制要求和安全性等方面符合开发需求。

 Article 9  An enterprise shall well prepare itself for the official launch of information systems, provide training for personnel engaging in business operations and system management, formulate scientific system launch plans and transition programs for old and new system versions, and give consideration to the formulation of emergency plans, so as to ensure a smooth switch and transition between old and new system versions. Where data migration is involved, detailed data migration plans shall also be formulated.

   第九条 企业应当切实做好信息系统上线的各项准备工作，培训业务操作和系统管理人员，制定科学的上线计划和新旧系统转换方案，考虑应急预案，确保新旧系统顺利切换和平稳衔接。系统上线涉及数据迁移的，还应制定详细的数据迁移计划。

Chapter 3: Operation and Maintenance of Information Systems

第三章 信息系统的运行与维护

 Article 10  An enterprise shall strengthen the management of the operation and maintenance of its information systems, formulate the work processes of information systems, information management systems and the specific operating rules of the sub-systems of each module, and track, identify and resolve problems in system operation in a timely manner, thus ensuring that the information systems operate in a continuous and stable manner in accordance with the prescribed procedures, systems and operating rules.

The enterprise shall define the processes to manage changes of its information systems, and such changes shall be effected in strict accordance with the management process. Information system operators are not allowed to delete, modify and carry out other operations of system software, or upgrade or change the system software version without authorization. Nor are they allowed to change the environmental configuration of system software without authorization.

   第十条 企业应当加强信息系统运行与维护的管理，制定信息系统工作程序、信息管理制度以及各模块子系统的具体操作规范，及时跟踪、发现和解决系统运行中存在的问题，确保信息系统按照规定的程序、制度和操作规范持续稳定运行。

  企业应当建立信息系统变更管理流程，信息系统变更应当严格遵照管理流程进行操作。信息系统操作人员不得擅自进行系统软件的删除、修改等操作；不得擅自升级、改变系统软件版本；不得擅自改变软件系统环境配置。

 Article 11  An enterprise shall classify the level of security of its information systems based on business nature, the degree of importance and the confidentiality status, establish the system of access to, and use of information of different levels, and adopt corresponding technical means to ensure the safe and orderly operation of information systems.

The enterprise shall establish a system to ensure the security and confidentiality of information systems and a system to hold accountable the parties responsible for information divulgence. Where a professional agency is to be entrusted with the management of system operation and maintenance, the enterprise shall review the qualifications of the agency, and sign a service contract and a confidentiality agreement with the agency.

The enterprise shall install security software or take other measures to prevent viruses and other malicious software from infecting and destructing the information systems.

   第十一条 企业应当根据业务性质、重要性程度、涉密情况等确定信息系统的安全等级，建立不同等级信息的授权使用制度，采用相应技术手段保证信息系统运行安全有序。

  企业应当建立信息系统安全保密和泄密责任追究制度。委托专业机构进行系统运行与维护管理的，应当审查该机构的资质，并与其签订服务合同和保密协议。

  企业应当采取安装安全软件等措施防范信息系统受到病毒等恶意软件的感染和破坏。

 Article 12  An enterprise shall establish a user management system, strengthen the access management over critical business systems, and review system accounts on a regular basis, to avoid inappropriate authorization or unauthorized accounts, and prohibit cross operation by user accounts representing incompatible duties.

   第十二条 企业应当建立用户管理制度，加强对重要业务系统的访问权限管理，定期审阅系统账号，避免授权不当或存在非授权账号，禁止不相容职务用户账号的交叉操作。

 Article 13  An enterprise shall make comprehensive utilization of firewalls, routers and other network devices, take advantage of vulnerability scanning, intrusion detection and other software technologies, and adopt remote access security policy and other means to enhance network safety, and guard against network-based attacks and illegal intrusion.

The enterprise shall encrypt confidential or critical data transmitted via the network to ensure the confidentiality, accuracy and integrity of information transmission.

   第十三条 企业应当综合利用防火墙、路由器等网络设备，漏洞扫描、入侵检测等软件技术以及远程访问安全策略等手段，加强网络安全，防范来自网络的攻击和非法侵入。

  企业对于通过网络传输的涉密或关键数据，应当采取加密措施，确保信息传递的保密性、准确性和完整性。

 Article 14  An enterprise shall establish rules of regular system data backup, and specify the back-up scope, frequency and methods, the persons responsible, the servers for saving the back-up data, the effectiveness inspection, etc.

   第十四条 企业应当建立系统数据定期备份制度，明确备份范围、频度、方法、责任人、存放地点、有效性检查等内容。

 Article 15  An enterprise shall strengthen the management of critical information equipment such as the servers, establish a favorable physical environment, designate personnel to be responsible for inspection, and deal with unusual circumstances in a timely manner. Unauthorized access to critical information equipment is prohibited.

   第十五条 企业应当加强服务器等关键信息设备的管理，建立良好的物理环境，指定专人负责检查，及时处理异常情况。未经授权，任何人不得接触关键信息设备。