JP5088125B2 - Control processing system and control processing program - Google Patents

Description

  The present invention relates to a control processing system and a control processing program.

In recent years, financial internal control has been required. With regard to the financial internal control, “Internal Control – Integrated Framework” announced by COSO (Treadway Committee Organizing Committee) in 1992 has become the de facto standard.・ Board of Directors, Management and other organizations intended to provide reasonable assurance to achieve three objectives: efficiency, (2) reliability of financial statements, and (3) compliance with relevant laws and regulations. It is defined as a single process carried out by staff.
In financial internal control, it is necessary to organize the relationship between activities / systems / resources / knowledge information and document business processes. There are four documents for financial internal control: business description, business flow diagram, RCM (risk control matrix), and separation of duties table.

  As a technology related to these, for example, Patent Document 1 discloses a control device having a business flow creation processing function that acquires business conditions, with the object of improving reuse and quality uniformity in each business flow. The business hierarchy corresponding to the acquired business condition is acquired from the business condition management table representing the correspondence between the business condition and the business hierarchy, and the ID for identifying the business flow diagram corresponding to the acquired business hierarchy is assigned to the business hierarchy. And a business flow diagram representing the correspondence relationship between the business flow diagram ID and the business flow diagram identified by the acquired business flow diagram ID is collected from various business flow diagrams provided in advance. , It is disclosed that a business flow of a business flow diagram corresponding to the acquired business condition is created.

  Further, for example, Patent Document 2 has an object to provide a verification method and a verification system suitable for verifying the semantic correctness of business flow data related to a business support system. , Display the description content of the business flow data consisting of multiple business items that make up the business to be supported, the event that causes the execution of each business item, and the execution conditions specified by the combination of the events on the display screen. It is disclosed that the correctness of the description content can be verified by, for example, seeking the approval of a user who is familiar with the flow of business, and verifying the semantic correctness of the business flow data.

  For example, Patent Document 3 describes the format of an RCM form. In other words, management that integrates quality, environment, occupational safety and health, and CSR risks related to companies, protects corporate activities from damage caused by risks, and further enhances corporate social responsibility and aims for sustainable growth. The objective is to provide an integrated assessment and control table to be provided, a column for common items that lists events that should be controlled as risks, a column for multiple risk assessment items that are subject to risk assessment, and a risk reduction for targets to be managed A risk control item column for entering the results of the activities, and multiple risk assessment items consist of at least quality risk assessment, occupational safety and health risk assessment, environmental risk assessment, information security risk assessment, CSR assessment. By utilizing this, companies The risk in movement can more highly controlled, it is possible to protect the survival and the presence of the company.

The J-SOX (Japanese version of the Corporate Reform Act) requires the development of IT (Information Processing System) general controls as controls that support business controls. That is, it is a control for confirming that the IT system is not operating inappropriately. If the IT general control is effective, it is recognized that the operation test of the control automated by the IT system is simplified, and the benefit of the control implementer (for example, the company side) by reducing the burden is great.
On the other hand, since the maintenance of IT general control itself also involves work costs, it is not an IT general control of all IT systems, but an IT system that is effective in reducing the burden of operational control operation tests. It is desirable to develop general controls with priority.
JP 2003-196435 A JP 2003-256633 A JP 2006-110978 A

  The present invention relates to a control processing system that determines the priority of control of the information processing system that reduces the burden on the operation test of the business control when the result of the control operation test on the information processing system is used for the business control operation test. And to provide a control processing program.

The gist of the present invention for achieving the object lies in the inventions of the following items.
[1] The control for the business control related to the information processing system to be controlled and the risk corresponding to the control are acquired from the storage means storing the document describing the relationship between the control related to the business control and the risk. Control risk acquisition means;
Evaluation means for evaluating an index before approval of the business control based on the control and risk acquired by the control / risk acquisition means;
A tally unit that performs tally for weighting the index evaluated by the evaluator and determining the priority of the information processing system in executing control of the information processing system ;
An index indicating the importance of the risk as an index relating to risk, including the nature of the control as an index indicating whether the control is preventive or heuristic as the index regarding the acquired control The evaluation means evaluates the index before the approval of the business control by counting the index of the control and the score of the index of the risk,
The tabulation means is a control in which the nature of the control that is an index of the control is preventive with respect to the control of the information processing system, and the risk evaluation that is an index of the risk corresponding to the control is highly important Is a control processing system characterized in that priority is determined by performing high weighting, totaling the weighted results, and ranking the results .

[2] It further comprises a judging means for judging whether or not the approval in the business control has been performed using the progress data of the business control ,
If the evaluation means determines that the approval has been made by the determination means, based on the key control in the control acquired by the control / risk acquisition means, the score of only the control that is the key control The control processing system according to [1] , wherein the index after the approval of the business control is evaluated by summing up the business control.

[ 3 ] Connect the computer
Control risk for acquiring control over the business control related to the information processing system that is the subject of control and the risk corresponding to the control from the storage means storing the document describing the relationship between the control related to the business control and the risk Acquisition means;
Evaluation means for evaluating an index before approval of the business control based on the control and risk acquired by the control / risk acquisition means;
The index evaluated by the evaluation means is weighted to function as an aggregation means for performing aggregation for determining the priority order of the information processing system in executing the control of the information processing system ,
An index indicating the importance of the risk as an index relating to risk, including the nature of the control as an index indicating whether the control is preventive or heuristic as the index regarding the acquired control The evaluation means evaluates the index before the approval of the business control by counting the index of the control and the score of the index of the risk,
The tabulation means is a control in which the nature of the control that is an index of the control is preventive with respect to the control of the information processing system, and the risk evaluation that is an index of the risk corresponding to the control is highly important Is a control processing program characterized in that priority is determined by performing high weighting, totaling the weighted results, and ranking the results .

According to the control processing system of claim 1, when the result of the control operation test for the information processing system is used for the operation control operation test, the control of the information processing system that reduces the burden in the operation control operation test. It becomes possible to determine the priority order. Priorities can be determined based on control and risk indicators. Priorities can be determined including indicators that are likely to be reflected after approval as indicators related to control and risk before approval.

  According to the control processing system of the second aspect, after the approval of the business control, the priority order of the control of the information processing system can be determined using the key control related to the business control. .

According to the control processing program of claim 3, when the result of the control operation test for the information processing system is used for the operation control operation test, the control of the information processing system that reduces the burden in the operation control operation test. It becomes possible to determine the priority order. Priorities can be determined based on control and risk indicators. Priorities can be determined including indicators that are likely to be reflected after approval as indicators related to control and risk before approval.

First, “Basic 4 Documents” of internal control will be described.
The four basic documents are basic documents created for each business process subject to financial internal control. Specifically, a business description, a business flow diagram, an RCM (risk control matrix), a job There is a separation table.
The business description is also called narrative. This is a documented flow of a series of operations from the start of the transaction to the final entry to the general ledger and reporting. Regulatory documents such as personnel regulations and accounting business regulations are higher-level documents of the business description, and the revision affects the business description. The business manual is a sub-document of the business description and is affected by the revision.
The business flow diagram is a visual flowchart of a series of business flows from the start of a transaction to the final entry to the general ledger and reporting. Risk and control are also placed on this flow.
The RCM (Risk Control Matrix) is a summary of internal control activities related to business processes, a summary of the control points to be achieved (assertion), assumed risks, and corresponding internal control activities. It is.
The segregation of duties table is used to check whether there is a duplication of processing by the same person in charge in the flow of business processes, which causes a problem in financial control.
Assertion is a precondition for financial information to be considered as reliable information. Specifically, reality, completeness, attribution of rights and obligations, validity of evaluation, period allocation The six items of adequacy and validity of display are generally used, but it is desirable that they can be customized because there are some changes by each company or audit corporation. In addition, financial risks need to be covered from the viewpoint of assertion, and it can be said that a risk corresponding to one of these six assertions is highly important.
Risk refers to an impediment to assertions assumed in business processes.
Control refers to internal control activities against risks. Control types include preventive and detective.
In addition, in financial internal control, a maintenance evaluation (hereinafter also referred to as a walk-through, also abbreviated as WT) that checks the legitimacy and accuracy of a document that analyzes financial-related work and summarizes the results. There are two types of evaluations: operational evaluations that test whether they are operating as documented.

In order to effectively balance the reduction of operational test burden on business control and the increase in maintenance cost burden on IT general control, the following three procedures are required.
(1) Identification of (automated) control using IT system in business control.
(2) Select important controls from the controls in (1) above.
(3) Identify IT systems on which the control in (2) depends. In other words, the target of IT general control is determined.
However, since the person in charge of the business control and the IT general control are different from each other, and the timing of the control maintenance is also different, when the IT system target selection in the IT general control is selected, the above-mentioned feedback ((1 ) Is necessary) in many cases, it has been a subjective choice. This embodiment is used in such a situation.

Hereinafter, an example of a preferred embodiment for realizing the present invention will be described with reference to the drawings.
FIG. 1 is a configuration diagram showing a configuration example of the entire system for realizing the present embodiment.
The entire system includes a business control support server 101, an IT general control support server 102, a business control manager terminal 103, an IT general control manager terminal 104, a business control documentation operator terminal 105, and an IT general control documentation worker terminal. 106 are connected via a LAN / WAN 199 which is a communication line.
The business control support server 101 performs processing related to business control in accordance with an instruction based on the operation of the business control administrator terminal 103 or the business control documentation operator terminal 105 in cooperation with the IT general control support server 102. More specifically, it will be described later with reference to FIGS.
The IT general control support server 102 is used in business in accordance with an instruction based on the operation of the operator of the IT general control manager terminal 104 or the IT general control documentation operator terminal 106 in cooperation with the business control support server 101. Performs processing related to existing IT systems. More specifically, it will be described later with reference to FIGS.

The business control manager terminal 103 is used by the business control manager and instructs the business control support server 101 or the business control documentation operator terminal 105 to perform processing related to business control.
The IT general control manager terminal 104 is used by the IT general control manager, and instructs the IT general control support server 102 or the IT general control documentation operator terminal 106 to perform processing related to the IT general control.
The business control documentation worker terminal 105 is used by the business control documentation worker, and creates a business control document based on an instruction from the business control support server 101 or the business control manager terminal 103. Then, the document is stored in the business control support server 101.
The IT general control documentation worker terminal 106 is used by the IT general control documentation worker, and generates a document for IT general control based on an instruction from the IT general control support server 102 or the IT general control manager terminal 104. create. Then, the document is stored in the IT general control support server 102.

FIG. 2 is a conceptual block diagram illustrating a configuration example of the present embodiment.
Each component generally refers to components such as software (computer program) and hardware that can be logically separated. Therefore, the component in the present embodiment indicates not only a module in a computer program but also a module in a hardware configuration. Therefore, the present embodiment also serves as an explanation of a computer program, a system, and a method. However, for the sake of explanation, the words “store”, “store”, and equivalents thereof are used. However, when the embodiment is a computer program, these words are stored in a storage device or stored in memory. It is the control to be stored in the device. In addition, each component corresponds to the function almost one-to-one. However, in implementation, one component may be configured by one program, or a plurality of components may be configured by one program. In addition, one component may be composed of a plurality of programs. Further, the plurality of components may be executed by one computer, or one component may be executed by a plurality of computers in a distributed or parallel environment. One component may include other components. In the following, “connection” includes not only physical connection but also logical connection (data exchange, instruction, reference relationship between data, etc.). For example, data being connected to each other means that a part of the data is the same data, that one is pointing to the other by a pointer or a link.
In addition, the system or device is configured by connecting a plurality of computers, hardware, devices, and the like by a communication means such as a network (including one-to-one correspondence communication connection), and the like. The case where it implement | achieves by etc. is also included.
The operator is also referred to as a creator, a verifier, a user, or the like depending on the context.
The term “input” refers to accepting data by an operator's operation on the business control manager terminal 103, the IT general control manager terminal 104, the business control documentation operator terminal 105, and the IT general control documentation worker terminal 106; This is used when the component receives data from other components.

The configuration example of the present embodiment illustrated in FIG. 2 includes an IT general control support system 210 and a business control support system 260.
The IT general control support system 210 includes a priority evaluation unit 220, an evaluation condition storage unit 230, an evaluation condition input unit 240, and a priority display unit 250, and constitutes a part of the IT general control support server 102. Yes. This is a system that supports control of the IT system, and a part or all of the IT system that is the subject of control is also a target of control in the business control supported by the business control support system 260. The IT general control support system 210 calculates the importance of the IT system using the information accumulated in the control documentation process as a parameter, and prioritizes (ranks) the candidate systems for the IT general control target. In addition, the type of parameter used for ranking calculation is selected according to the phase (whether or not it is approved), and the ranking is presented even during the maintenance of the business control.

The business control support system 260 includes IT system data 261, business control progress data 262, and business control document data 263, and constitutes a part of the business control support server 101. An IT system is included in a part of a system that supports business control and is subject to control. The IT system is also subject to control by the IT general control support system 210. That is, common IT systems are included in the IT systems that are the targets of control (or part of the targets of control) of the IT general control support system 210 and the business control support system 260.
The IT system data 261, the business control progress data 262, and the business control document data 263 are referred to from the business control information acquisition unit 221 of the priority order evaluation unit 220, respectively. The IT system data 261 stores information related to the IT system that is the subject of control. The business control progress data 262 stores business control progress data. The business control document data 263 stores four basic documents in business control.

The evaluation condition input unit 240 is connected to the evaluation condition storage unit 230 and causes the evaluation condition storage unit 230 to store the evaluation condition. Received and received an instruction from the IT general control manager who is the operator of the IT general control manager terminal 104 (evaluation conditions for determining priorities in executing the IT system control operation test). Is stored in the evaluation condition storage unit 230.
The evaluation condition storage unit 230 is referred to by the priority order evaluation unit 220 and is connected to the evaluation condition input unit 240. The evaluation condition received by the evaluation condition input unit 240 is stored. The evaluation condition is referred to by the priority evaluation unit 220.

  The priority evaluation unit 220 includes a business control information acquisition unit 221, a control evaluation unit 222, and an IT system order totaling unit 223. Refer to the data and evaluation condition storage unit 230 stored in the business control support system 260. To do. The priority order evaluation unit 220 is an IT system that preferentially develops general controls from an IT system that is effective in reducing the burden in the operational control operation test supported by the business control support system 260. This is to evaluate the control and calculate the priority.

The business control information acquisition unit 221 is connected to the control evaluation unit 222, and refers to the IT system data 261, business control progress data 262, and business control document data 263 of the business control support system 260. The business control information acquisition unit 221 acquires control for business control related to the IT system that is the target of control and the risk corresponding to the control. More specifically, the business control information acquisition unit 221 refers to the IT system data 261 to acquire information related to the IT system that is the subject of control, and refers to the business control progress data 262 to determine the IT Acquires the progress data of business control including the system as a control target, and further refers to the basic four documents (at least including RCM) related to the IT system in the business control document data 263. Control and the risk associated with that control. The acquired data is passed to the control evaluation unit 222.
The control includes key control. Key control is the main control, which must be performed during operational control operational testing.

The control evaluation unit 222 is connected to the business control information acquisition unit 221 and the IT system rank totaling unit 223. The control evaluation unit 222 evaluates an index before approval of business control based on the control and risk acquired by the business control information acquisition unit 221. More specifically, the control evaluation unit 222 uses the business control progress data acquired by the business control information acquisition unit 221 to determine whether the approval of control documentation in the business control maintenance has been performed. To do. If it is determined that the approval has been made, the IT system index after the approval of the business control is evaluated based on the key control in the control acquired by the business control information acquisition unit 221. If it is determined that the approval has not yet been made, the IT system index before the approval of the business control is evaluated based on the control and risk acquired by the business control information acquisition unit 221. Then, the evaluation result is passed to the IT system rank totaling unit 223.
The control-related indicators evaluated by the control evaluation unit 222 include one or more of the control frequency, the nature of the control, and the number of trails. The risk-related indicators include risk evaluation, risk classification, important account items, assertions. Any one or more of the above.

The IT system order totaling unit 223 is connected to the control evaluation unit 222 and the priority order display unit 250. The index evaluated by the control evaluation unit 222 is weighted, and totalization is performed to determine priorities for executing control of the IT system. Then, the counting result is passed to the priority display unit 250.
The priority display unit 250 is connected to the IT system rank totaling unit 223 of the priority evaluation unit 220. The totaling result by the IT system rank totaling unit 223 is transmitted to the IT general control manager terminal 104. The IT general control manager terminal 104 receives the tabulation result, displays it on the output unit (for example, a liquid crystal display) of the IT general control manager terminal 104, and presents it to the operator.

FIG. 3 is a flowchart showing an example of processing according to this embodiment.
In step S302, the evaluation condition input unit 240 acquires the IT system selected by the operator of the IT general control manager terminal 104 and the evaluation conditions for the control of the IT system.
In step S <b> 304, the business control information acquisition unit 221 acquires process progress data in business control maintenance from the business control progress data 262.
In step S306, the priority evaluation unit 220 determines whether the progress data acquired in step S304 has been approved for the documenting process. If the documenting process has been approved, the process proceeds to step S318. If the documenting process has not been approved, the process proceeds to step S308.

In step S <b> 308, the business control information acquisition unit 221 acquires the control related to the target business control IT system from the business control document data 263.
In step S310, the business control information acquisition unit 221 acquires the risk corresponding to the control acquired in step S308 from the business control document data 263. To obtain the risk associated with the control, determine with reference to the RCM.
In step S312, the control evaluation unit 222 evaluates the index before approval.

In step S314, the control evaluation unit 222 calculates points (evaluation points) for each IT system based on the evaluation result in step S312.
In step S318, the business control information acquisition unit 221 acquires from the business control document data 263 key control in the control related to the target business control IT system.
In step S320, the control evaluation unit 222 calculates points for each IT system based on the key control acquired in step S318.

In step S316, the IT system ranking totaling unit 223 performs totaling of points for each IT system based on the points calculated in step S314 or step S320 (summing (including weighted summing)).
In step S322, the priority evaluation unit 220 determines whether all processes have been evaluated. If there is a process that has not been evaluated yet, the process returns to step S304, and if all processes have been evaluated, the process proceeds to step S324.
In step S324, the IT system ranking totaling unit 223 sorts by IT system points, and the priority ranking display unit 250 displays the priority order of the IT system to be targeted based on the sorting result.

FIG. 4 is an explanatory diagram showing an example of the relationship between the IT general control support system 410 and the business control support system 420.
The IT general control support system 410 includes an IT platform 411 and an IT system 412, and the IT platform 411 and the IT system 412 are connected. There may be a plurality of IT systems 412, and each IT system 412 is connected to the IT infrastructure 411. The IT platform 411 includes an IT system 412 and is a subject of general IT control.

The business control support system 420 includes an IT system 421, a control control unit 422, a risk control unit 423, and a risk control matrix control unit 424.
The IT system 421 is connected to the control control unit 422. The IT system 421 is the same as the IT system 412. The IT general control support system 410 constitutes the IT base 411. In the business control support system 420, the control control unit 422 controls the control target. It is what is done. In other words, the IT system 412 (421) is a system on which control of business control depends, and is a system that is subject to maintenance of general IT control.
The control control unit 422 is connected to the IT system 421 and the risk control matrix control unit 424, the risk control unit 423 is connected to the risk control matrix control unit 424, and the risk control matrix control unit 424 includes the control control unit 422, A risk control unit 423 is connected.
The risk control matrix control unit 424 specifies a control corresponding to the risk controlled by the risk control unit 423 based on the RCM, and manages control by the control control unit 422 for the control.

FIG. 5 is an explanatory diagram illustrating an example of an index. In other words, the index here is used to preferentially select an IT system that is effective in reducing the burden in the operational control operational test, and includes an index related to the control 510 and an index related to the risk 550. .
As indices relating to the control 510, there are a control type (automatic) 520, a control frequency 531, a control property (prevention / discovery) 532, the number of trails 533, and a key control 540.
The control type (automatic) 520 is an indispensable index in the present embodiment. That is, if the control is not the control type (automatic) 520, it is not adopted as an index. The types of controls are: (1) Manual (controls are checked manually only), (2) IT-dependent manuals (controls are checked by the IT system, but are finally checked manually) (3) IT system (one that automatically checks control only with the IT system). In FIG. 5, only the control type (automatic) 520 is used as an index, but “control type (IT dependent manual)” may be included.

  The key control 540 is an index after approval of the documentation process. It should be noted that the business control manager determines whether key control is performed. Further, the control evaluation unit 222 evaluates the control frequency 531, the nature of the control (prevention / discovery) 532, and the number of trails 533 as a whole (for example, the control frequency 531 for each control, the nature of the control (prevention / discovery) ) 532 and the number of trails 533 are counted)) may be determined.

The control frequency 531 is an index indicating how often the control is executed. For example, weekly, monthly, yearly, etc. as needed. The higher the frequency, the higher the importance of the control.
The nature of control (prevention / discovery) 532 is an index indicating the nature of the control, that is, whether the control is preventive or heuristic.
The number of trails 533 is an index indicating the number of trails (for example, documents such as bills) to be checked in the control. The greater the number, the more important the control.

As indices relating to the risk 550, there are a risk evaluation 534, a risk classification (finance / others) 535, an important account item 536, and an assertion 537.
The risk evaluation 534 is an index indicating the importance of the risk. For example, (the frequency of the risk) × (the degree of influence of the risk).
The risk classification (finance / others) 535 is an index indicating which field the risk is related to. For example, J-SOX needs to be a financial risk.
The important account item 536 is an account item that is regarded as important in the business (business) of a person (including a company) receiving control.
As described above, assertion 537 specifically measures financial risk in terms of six items: existence, completeness, attribution of rights and obligations, validity of evaluation, appropriateness of period allocation, and appropriateness of labeling. It is an index that indicates whether it is covered.
The pre-approval index 530 includes a control frequency 531, the nature of the control (prevention / discovery) 532, the number of trails 533, a risk assessment 534, a risk classification (finance / others) 535, an important account item 536, and an assertion 537. .

FIG. 6 is an explanatory diagram showing a ranking example before approval.
As shown in FIG. 6A, each system (Sys1, Sys2, Sys3) has two controls (C1 and C2 for Sys1, C3 and C4 for Sys2, C5 and C6 for Sys3), Since the controls C1, C3, C4, and C6 are 1 point, and the controls C2 and C5 are 0 points, when summed up by system, Sys1 is 1 point, Sys2 is 2 points, and Sys3 is 1 point. Before approval in business control is performed (that is, before key control is determined), each control point is determined from the evaluation of the index, that is, the control type (automatic) 520 and the pre-approval index 530. Each system is an IT system that depends on control. In addition, the control that is one point here has a high risk index corresponding to the control and is a preventive control.
When this is displayed as a ranking, as shown in FIG. 6B, the IT system that should be the subject of the control operation test is Sys2, the second is Sys1, and Sys3. This is displayed on the business control manager terminal 103 by the priority display unit 250.

FIG. 7 is an explanatory diagram showing an example of ranking in the approved state.
As shown in FIG. 7A, each system (Sys1, Sys2, and Sys3) has two controls (C1 and C2 for Sys1, C3 and C4 for Sys2, C5 and C6 for Sys3), Since the controls C1, C3, C4, C5, and C6 are 1 point and the control C2 is 0 points, if this is totaled by system, Sys1 is 1 point, Sys2 is 2 points, and Sys3 is 2 points. The control that is one point here is a key control. In other words, after approval, points are counted only by whether or not the key control.
When this is displayed as a ranking, as shown in FIG. 7B, the IT system that should be the target of the operation test for the control is Sys2, Sys3, and the second is Sys1. This is displayed on the business control manager terminal 103 by the priority display unit 250.
6 shows the ranking before approval, while FIG. 7 shows the ranking after approval for the same system. In other words, after approval, the ranking can be determined depending on how many key controls are included. However, since the key control is unknown before approval, the indicators (control type (automatic) 520, pre-approval indicator 530) can be substituted. Etc.). In other words, the index is such that it is close to the ranking after approval even before approval.

Next, an example of calculation of control points is shown. For example, an example will be described in which two indicators, risk evaluation 534 and control properties (prevention / discovery) 532, are selected as evaluation targets. Note that the selection of the index is accepted by the evaluation condition input unit 240.
First, the first calculation example will be described. 1 point is given when the control property (prevention / discovery) 532 that is an index of the target control is preventive and the risk assessment 534 is highly important, and 0 points otherwise.
A second calculation example will be described. There are two types of risk assessment 534: “High”, “Medium”, and “Low”, and the nature of control (prevention / discovery) 532: “Preventive” and “Heuristic”. A point determination table 800 (see FIG. 8) for determining points is created in advance. Then, the control evaluation unit 222 uses the point determination table 800 to extract the corresponding points of control.

An example of ranking timing will be described with reference to FIGS.
FIG. 15 is an explanatory diagram showing an example of control timing in the prior art. The business control operation test 1502 needs to be completed by the end of the fiscal year 1599.
The business control maintenance 1501 starts at the business control maintenance start time 1591 and ends at the business control maintenance end time 1593. Similarly, the business control operation test 1502 starts at the business control operation test start time 1596 and ends at the business control operation test end time 1597. In parallel with these, another person in charge (IT general control manager) starts the IT general control 1520 of the A system at the IT general control maintenance start timing 1594 and ends at the IT general control operation test end timing 1598. To do. Also, the IT general control 1510 of the B system starts at the IT general control maintenance start timing 1592 and ends at the IT general control operation test end timing 1595. The A system IT general control 1520 includes an IT general control maintenance 1521 and an IT general operation test 1522, and the B system IT general control 1510 includes an IT general control maintenance 1511 and an IT general operation test 1512.

  In such a case, the IT general control maintenance start time 1592 of the IT general control 1510 of the B system is in the middle of the business control maintenance 1501 (that is, the state before the approval of control documentation at the business control maintenance end time 1593). Yes, since the IT general control maintenance 1511 must be performed, the IT general control administrator of the B system IT general control 1510 must subjectively select the system without receiving feedback from the business control maintenance 1501. (The B system was selected in FIG. 15). Since the IT general control operation test end time 1595 is before the business control operation test start time 1596, it can contribute to reducing the load of the business control operation test 1502 (that is, the result of the IT general control 1510 of the B system It can be applied to the control operation test 1502), but there is a high possibility that the IT general control 1510 of the B system is wasted. That is, there is a possibility that a system with a low ranking (Sys1 in the example of FIG. 7) is selected at the IT general control maintenance start timing 1592.

Since the IT general control maintenance start time 1594 of the IT general control 1520 of the A system is after the business control maintenance end time 1593, the target is based on the key control determined after the control documentation is completed. A system can be selected (A system was selected in FIG. 15). That is, the waste of system selection is reduced.
However, the end of the IT general control maintenance 1521 is not in time for the business control operation test start timing 1596 of the business control operation test 1502. That is, a system with a low ranking is not selected, but the load on the business control operation test 1502 cannot be reduced.

FIG. 9 is an explanatory diagram showing an example of ranking timing when the present embodiment is used. The business control operation test 902 needs to be completed by the end of the fiscal year 999.
The business control maintenance 901 starts at the business control maintenance start timing 991 and ends at the business control maintenance end timing 994. Similarly, the business control operation test 902 starts at the business control operation test start time 997 and ends at the business control operation test end time 998. In parallel with these, another person in charge (IT general control manager) starts the IT general control 910 of the system at the IT general control maintenance start timing 992 and ends at the IT general control operation test end timing 996. . The system IT general control 910 includes an IT general control maintenance 911 and an IT general control operation test 912.

In such a case, the IT system selection according to the present embodiment is performed at the IT system selection timing 993 in the initial stage of the IT general control maintenance 911. In the present embodiment, as shown in FIG. 6B, the ranking displays Sys2 921 in the first place, Sys1 922, and Sys3 923 in the first place. Here, the IT general control administrator selects Sys2 921 in the first place and instructs to perform IT general control 910 of the system.
Then, an interim review 930 according to the present embodiment is performed at an interim review period 995 after the business control maintenance 901 is completed (that is, after the key control is confirmed). At this time, as shown in FIG. 7B, the ranking is Sys2 931, Sys3 932 in the first place, and Sys1 933 in the second place. At this point, the IT general control manager may add the first-ranked Sys3 932 as a target of the IT general control maintenance 911.

  Since the IT general control operation test end time 996 of the IT general control 910 of the system is before the business control operation test start time 997 of the business control operation test 902, the IT general control in the business control operation test 902 The result of the operation test 912 can be used. That is, when only the Sys2 921 which is the first place in the IT system selection 920 is selected, the controls C3 and C4 can be simplified as shown in FIG. Further, when Sys3 932 is added by the interim review 930, the controls C3, C4, C5, and C6 can be simplified as shown in FIG. That is, when the IT system is selected, any one of the top two systems, that is, the combination of Sys2 and Sys1 or the combination of Sys2 and Sys3 is selected, and the control review C1, C3, C4, or Any one of C1, C5, and C6 can only be simplified, but if the period is reviewed according to the ranking, further simplification becomes possible.

FIG. 11 is an explanatory diagram illustrating a display example of the ranking screen 1100. The priority display unit 250 is displayed on the output unit of the IT general control manager terminal 104. The IT general control manager who is the operator of the IT general control manager terminal 104 selects the one with the highest ranking as the target of control.
The ranking screen 1100 includes a ranking table 1110, an unapproved process exclusion check field 1120, an update button 1130, and a download button 1140. The ranking table 1110 includes a rank column 1111, a system name column 1112, an approval / process column 1113, a Key / Ctrl number column 1114, and an IT general control target column 1115.
The ranking column 1111 and the system name column 1112 display the priority order of the corresponding IT system according to the points tabulated by the IT system ranking tabulating unit 223.

The approval / process column 1113 displays the ratio between the number of approved items and the number of all processes in which the IT system is involved.
The Key / Ctrl number column 1114 displays the ratio of the key control to the control in the control in which the IT system is involved.
The IT general control target column 1115 is a column from which an operator should select a target of IT general control.
When the unapproved process exclusion check column 1120 is selected by the operation of the operator, the unapproved process is excluded and the approval / process column 1113, the Key / Ctrl number column 1114, and the IT general control target column 1115 are displayed.
When the update button 1130 is selected by the operation of the operator, the current ranking is displayed again.
When the download button 1140 is selected by the operation of the operator, the contents of the ranking table 1110 are downloaded to the IT general control manager terminal 104 in the form of a form (see FIG. 12).
Data to be displayed in the approval / process column 1113, the Key / Ctrl number column 1114, and the IT general control target column 1115 are displayed by the priority display unit 250 from the business control information acquisition unit 221, the control evaluation unit 222, and the IT system rank totaling unit 223. receive.

FIG. 12 is an explanatory diagram illustrating an example of a form 1200. FIG. 12 shows the contents of a form 1200 that is downloaded when the download button 1140 shown in FIG. 11 is selected.
The form 1200 includes a rank column 1201, a system name column 1202, an approval column 1203, a process name column 1204, a key column 1205, and a control 1206.
The ranking column 1201 and the system name column 1202 are the same as the ranking column 1111 and the system name column 1112 of the ranking table 1110 shown in FIG.
The approval column 1203 displays whether or not each process displayed in the process name column 1204 is approved.
The process name column 1204 displays processes in the IT system.
The Key column 1205 displays whether or not the control is a key control for each control displayed on the control 1206.
The control 1206 displays the contents of the control.

FIG. 13 is an explanatory diagram illustrating a display example of the setting screen 1300. The evaluation condition input unit 240 is displayed on the output unit of the IT general control manager terminal 104. The IT general control manager who is an operator of the IT general control manager terminal 104 inputs an index as an evaluation condition for selecting a control target.
The setting screen 1300 includes a setting item table 1310, an OK button 1320, and a cancel button 1330.
The setting item table 1310 has an item column 1311 and a setting value column 1312.

The item column 1311 displays an index. The set value column 1312 displays a set value corresponding to the index.
In the example shown in FIG. 13, items displayed in the item column 1311 are “control type (IT-dependent manual)”, “control index before process approval”, “risk index before process approval”, “key control before approval”. There are four. In addition to “control type (IT dependent manual)”, as described above, “control type (IT system)” (see control type (automatic) 520 in FIG. 5) may be included. The “control index before process approval” displays the control frequency 531, the nature of control (prevention / discovery) 532, and the number of trails 533 shown in FIG. 5 in the set value column 1312 and is selected by the operator. The “risk index before process approval” displays the risk evaluation 534, the risk classification (finance / others) 535, the important account item 536, and the assertion 537 shown in FIG. 5 in the set value column 1312 and is selected by the operator. “Pre-approval key control” displays “include” or “not include” in the setting value column 1312 and is selected by the operator.

  When the OK button 1320 is selected by the operator, the evaluation condition input unit 240 stores the state of the setting item table 1310 in the evaluation condition storage unit 230. When the cancel button 1330 is selected in the same manner, the state of the setting item table 1310 is initialized.

  Note that the hardware configuration of a computer on which the program according to the present embodiment is executed is a general computer as illustrated in FIG. 14, specifically, a personal computer, a computer that can be a server, or the like. A CPU 1401 that executes programs such as a business control information acquisition unit 221, a control evaluation unit 222, and an IT system rank totaling unit 223, a RAM 1402 that stores the programs and data, a program for starting the computer, and the like are stored. ROM 1403, an auxiliary storage device HD 1404 (for example, a hard disk can be used), an input device 1406 for inputting data such as a keyboard and a mouse, an output device 1405 such as a CRT and a liquid crystal display, and a communication network A communication line interface 1407 (for example, a network interface card can be used), and a bus 1408 for connecting them to exchange data. A plurality of these computers may be connected to each other via a network.

Among the above-described embodiments, the computer program is a computer program that reads the computer program, which is software, in the hardware configuration system, and the software and hardware resources cooperate with each other. Is realized.
Note that the hardware configuration shown in FIG. 14 shows one configuration example, and the present embodiment is not limited to the configuration shown in FIG. 14, and the configuration that can execute the configuration units described in the present embodiment. If it is. For example, some components may be configured with dedicated hardware (eg, ASIC), some components may be in an external system and connected via a communication line, and A plurality of systems shown in FIG. 14 may be connected to each other via a communication line so as to cooperate with each other. In particular, in addition to personal computers, information appliances, copiers, fax machines, scanners, printers, and multifunction machines (image processing apparatuses having two or more functions of scanners, printers, copiers, fax machines, etc.) Etc. may be incorporated.

  In the above-described embodiment, the initial selection time in the control of the IT system and the review time during the period are shown as the use time of the present embodiment, but the maintenance plan time in the next year may be used. Further, the business control information acquisition unit 221 acquires information on the progress of business control from the business control progress data 262 of the business control support system 260, and controls the control according to the acquired progress and the implementation timing of this embodiment. The evaluation unit 222 may be evaluated with different indexes. That is, the priority order of the IT system to be controlled may be determined according to the progress status of the general control and the implementation timing of the IT system control.

The program described above may be provided by being stored in a recording medium, or the program may be provided by communication means. In that case, for example, the above-described program may be regarded as an invention of a “computer-readable recording medium recording the program”.
The “computer-readable recording medium on which a program is recorded” refers to a computer-readable recording medium on which a program is recorded, which is used for program installation, execution, program distribution, and the like.
The recording medium is, for example, a digital versatile disc (DVD), which is a standard established by the DVD Forum, such as “DVD-R, DVD-RW, DVD-RAM,” and DVD + RW. Standards such as “DVD + R, DVD + RW, etc.”, compact discs (CDs), read-only memory (CD-ROM), CD recordable (CD-R), CD rewritable (CD-RW), etc. MO), flexible disk (FD), magnetic tape, hard disk, read only memory (ROM), electrically erasable and rewritable read only memory (EEPROM), flash memory, random access memory (RAM), etc. It is.
The program or a part of the program may be recorded on the recording medium for storage or distribution. Also, by communication, for example, a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a wired network used for the Internet, an intranet, an extranet, etc., or wireless communication It may be transmitted using a transmission medium such as a network or a combination of these, or may be carried on a carrier wave.
Furthermore, the program may be a part of another program, or may be recorded on a recording medium together with a separate program. Moreover, it may be divided and recorded on a plurality of recording media. Further, it may be recorded in any manner as long as it can be restored, such as compression or encryption.

It is a block diagram which shows the structural example of the whole system in implement | achieving this Embodiment. It is a conceptual block block diagram about the structural example of this Embodiment. It is a flowchart which shows the process example by this Embodiment. It is explanatory drawing which shows the example of a relationship between IT general control support system and business control support system. It is explanatory drawing which shows the example of an parameter | index. It is explanatory drawing which shows the example of ranking before approval. It is explanatory drawing which shows the example of ranking in approved. It is explanatory drawing which shows the example of a point determination table. It is explanatory drawing which shows the example of a timing of ranking. It is explanatory drawing which shows the example of a ranking. It is explanatory drawing which shows the example of a display of a ranking screen. It is explanatory drawing which shows the example of a form. It is explanatory drawing which shows the example of a display of a setting screen. It is a block diagram which shows the hardware structural example of the computer which implement | achieves this Embodiment. It is explanatory drawing which shows the example of the timing of control in a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 ... Business control support server 102 ... IT general control support server 103 ... Business control manager terminal 104 ... IT general control manager terminal 105 ... Business control documentation worker terminal 106 ... IT general control documentation worker terminal 199 ... LAN / WAN
210 ... IT general control support system 220 ... Priority order evaluation unit 221 ... Business control information acquisition unit 222 ... Control evaluation unit 223 ... IT system rank totaling unit 230 ... Evaluation condition storage unit 240 ... Evaluation condition input unit 250 ... Priority order display unit 260 ... Business control support system 261 ... IT system data 262 ... Business control progress data 263 ... Business control document data 410 ... IT general control support system 411 ... IT base 412 ... IT system 420 ... Business control support system 421 ... IT system 422 ... Control control unit 423 ... Risk control unit 424 ... Risk control matrix control unit

Claims (3)

Control risk for acquiring control over the business control related to the information processing system that is the subject of control and the risk corresponding to the control from the storage means storing the document describing the relationship between the control related to the business control and the risk Acquisition means;
Evaluation means for evaluating an index before approval of the business control based on the control and risk acquired by the control / risk acquisition means;
A tally unit that performs tally for weighting the index evaluated by the evaluator and determining the priority of the information processing system in executing control of the information processing system ;
An index indicating the importance of the risk as an index relating to risk, including the nature of the control as an index indicating whether the control is preventive or heuristic as the index regarding the acquired control The evaluation means evaluates the index before the approval of the business control by counting the index of the control and the score of the index of the risk,
The tabulation means is a control in which the nature of the control that is an index of the control is preventive with respect to the control of the information processing system, and the risk evaluation that is an index of the risk corresponding to the control is highly important Is a control processing system characterized in that priority is determined by performing high weighting, totaling the weighted results, and ranking the results . A judgment means for judging whether approval in the business control has been performed or not using progress data of the business control ;
If the evaluation means determines that the approval has been made by the determination means, based on the key control in the control acquired by the control / risk acquisition means, the score of only the control that is the key control 2. The control processing system according to claim 1 , wherein the index after the approval of the business control is evaluated by summing up . Computer
Control risk for acquiring control over the business control related to the information processing system that is the subject of control and the risk corresponding to the control from the storage means storing the document describing the relationship between the control related to the business control and the risk Acquisition means;
Evaluation means for evaluating an index before approval of the business control based on the control and risk acquired by the control / risk acquisition means;
The index evaluated by the evaluation means is weighted to function as an aggregation means for performing aggregation for determining the priority order of the information processing system in executing the control of the information processing system ,
An index indicating the importance of the risk as an index relating to risk, including the nature of the control as an index indicating whether the control is preventive or heuristic as the index regarding the acquired control The evaluation means evaluates the index before the approval of the business control by counting the index of the control and the score of the index of the risk,
The tabulation means is a control in which the nature of the control that is an index of the control is preventive with respect to the control of the information processing system, and the risk evaluation that is an index of the risk corresponding to the control is highly important Is a control processing program characterized in that priority is determined by performing high weighting, totaling the weighted results, and ranking the results .

Images