WAPO01 Manage The IT Management Framework Audit Assurance Program - Icq - Eng - 0814

APO01 Manage the IT Management Framework
Audit/Assurance Program
ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value
from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking,
and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers
the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT ®, a business framework
that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical
skills and knowledge through the globally respected Certified Information Systems Auditor ® (CISA®), Certified Information Security
Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™
(CRISC™) credentials. The association has more than 200 chapters worldwide.
Disclaimer
ISACA has designed and created APO01 Manage the IT Management Framework Audit/Assurance Program (the ‘Work’) primarily as
an educational resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful
outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, assurance professionals should apply their own professional judgement to the specific
circumstances presented by the particular systems or information technology environment.
Reservation of Rights
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse .
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Align-Plan-and-Organise.aspx

Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ISBN 978-1-60420-567-1
APO01 Manage the IT Management Framework Audit/Assurance Program
© ISACA 2014 All rights reserved. 2

Acknowledgements
ISACA wishes to recognize:
Development Team
Stefanie Grijp, PwC, Belgium
Bart Peeters, CISA, PwC, Belgium
Dirk Steuperaert, CISA, CGEIT, CRISC, IT In Balance BVBA, Belgium
Sven Van Hoorebeeck, PwC, Belgium
Expert Reviewers
Steven De Haes, University of Antwerp - Antwerp Management School, Belgium
John E. Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, ITSMBP, USA
Joanna Karczewska, CISA, Poland
Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina
Abdul Rafeq, CISA, CGEIT, CIA, FCA, Wincer Infotech Limited, India
Claus Rosenquist, CISA, CISSP, Nets Holding, Denmark
Lily Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
David A. Williams, CRISC, PMP, OceanFirst Bank, USA
Nikolaos Zacharopoulos, CISA, CISSP, MerckGroup, Germany
Daniel Zimerman, CISA, CRISC, CISSP, CEPT, CIH, GCIH, IQ Solutions, USA
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT I Enterprise Governance of IT (Pty) Ltd., South Africa
ISACA Board of Directors

Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director
Knowledge Board:
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany
Guidance and Practices Committee

Philip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, Deloitte, USA
James Seaman, CISM, CRISC, A.Inst.IISP, CCP, QSA, RandomStorm Ltd, UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CRISC, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CISSP, MerckGroup, Germany

Table of Contents
Page
Introduction.................................................................................................................................................................. 5
Assurance Engagement Approach Based on COBIT 5...............................................................................................5
Generic Audit/Assurance Program............................................................................................................................... 6
Customization of the Audit/Assurance Program...................................................................................................6
About the Example Audit/Assurance Program: APO01 .............................................................................................6
Assurance Engagement: Manage the IT Management Framework...........................................................................7
Assurance Topic.................................................................................................................................................... 7
Goal of the Review............................................................................................................................................... 7
Scoping................................................................................................................................................................. 7
COBIT 5-based Assurance Engagement Approach.....................................................................................................7
Phase A—Determine Scope of the Assurance Initiative.......................................................................................8
Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment...................13
Phase C—Communicate the Results of the Assessments.................................................................................31

Introduction
This document contains an example audit/assurance program for a COBIT 5 process, based on the generic structure
developed in section 2B of COBIT 5 for Assurance1.
Figure 1—Generic COBIT 5-based Assurance Engagement Approach
Important Note
The engagement approach is based on, but differs slightly from the generic approach described in COBIT 5 for
Assurance:
 The order in which the enablers are discussed is different: the engagement approach described here is a
process audit/assurance program; consequently the Process enabler is discussed first.
 The remaining six enablers are also included in the program, because they are relevant for a process assurance
engagement as well. They have been grouped together to make the program more compact.
Assurance Engagement Approach Based on COBIT 5

The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use Organisational Structures
as well as Information items (inputs [I] and outputs [O]). When developing the audit/assurance program, it will become
clear that when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential
for duplication.
In the development of this audit/assurance program, care has been taken to avoid or minimize duplication, meaning
that:
1
See www.isaca.org/COBIT/Pages/Assurance-product-page.aspx for more information on COBIT 5 for Assurance.

 Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can
also be classified under the Information enabler heading and covered in detail there.
 Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage
human resources.
In practice, assurance professionals will have to use their own professional judgment when developing their own
customized audit/assurance programs, to avoid duplication of work.
In addition, while audit/assurance programs will be available for each process, in practice, a group of processes are
often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to
be selected for conducting assurance.
Generic Audit/Assurance Program

The assurance approach depicted in figure 1 is described in more detail and developed into a generic
audit/assurance program—including guidance on how to proceed during each step—in section 2B of COBIT 5 for
Assurance. This audit/assurance program is:
 Fully aligned with COBIT 5:
It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also
uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the
enablers.
It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement
can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives
to enterprise and IT risk and benefits.
 Comprehensive yet flexible. The generic program is comprehensive because it contains assurance steps
covering all enablers in quite some detail, yet it is also flexible because this detailed structure enables clear and
well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set
of enablers or some enabler instances and, while the decision will reduce the scope and related assurance
engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement
user.
 Easy to understand, follow and apply because of its clear structure:
The table follows the flow described in figure 1, but splits each phase into different steps and substeps.
For each step, a short description is included, as is guidance for the assurance professional on how to
proceed with the step (text in italics).
Additional guidance on how to use other IT assurance-related standards for performing assurance can be found in
section 3 of COBIT 5 for Assurance.
Customization of the Audit/Assurance Program
Customization and completion of the example audit/assurance program in this document is required, and consists of
refining the scope by selecting goals and enabler instances—the lists included in the example are comprehensive, yet
still are examples (i.e., different strategic priorities of the enterprise may dictate a different scope). The lists can also
be considered prohibitive by some, as they can lead to a very broad scope, and therefore a very expensive assurance
engagement; selection and prioritization will be required. The assurance professional will need to consider the
following steps:
 Determine the stakeholders of the assurance initiative and their stake.
 Determine the assurance objectives based on assessment of the internal and external environment/context,
including the strategic objectives, goals (figures 40 and 41 of COBIT 5 for Assurance) and priorities of the
enterprise.
 Determine the enablers in scope and the instance(s) of the enablers in scope.
About the Example Audit/Assurance Program: APO01

In the next section, the assurance topic at hand—process APO01 Manage the IT management framework—is fully
addressed based on the generic audit/assurance program. The detailed program contains the following additional
information:
 In the Guidance column, the shaded text is specific to the example and provides practical guidance, e.g.,
examples of the Organisational Structures to include in scope, setting assessment criteria for the different
enablers and actually assessing the different enablers.

 Two additional columns are included, in which the assurance professional can identify and cross-reference issues
and record comments.
Assurance Engagement: Manage the IT Management Framework
Assurance Topic
The topic covered by this document is process APO01 Manage the IT management framework.
Goal of the Review
The goal of the review is to provide assurance over the APO012 process that ensures:
 A consistent management approach that enables the enterprises governance requirements to be met is provided,
covering management processes, organisational structures, roles and responsibilities, reliable and repeatable
activities, and skills and competencies.
Scoping
The scope of the assurance engagement is expressed as a function of the seven COBIT 5 enablers, with a focus on
the Process enabler. The process content is taken directly from the detailed process descriptions in COBIT 5:
Enabling Processes, i.e., these are standard COBIT 5 processes. Other enablers are also directly based on the same
process descriptions, e.g., the Organisational Structures and Information items.
Other enablers are described in a more generic way and may require customization before the audit/assurance
program can be applied.
COBIT 5-based Assurance Engagement Approach

The audit/assurance program is divided into three sections:
 Phase A—Determine Scope of the Assurance Initiative—In phase A of the assurance workflow, the auditor
scopes the assurance engagement. This process defines the scope in the COBIT 5 terms of enterprise goals, IT-
related goals and enablers.
 Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment—In phase
B of the assurance workflow, the auditor:
– Builds an understanding of the subject matter over which assurance needs to be provided. The subject
matter is expressed in terms of COBIT 5 enablers.
– Obtains agreement over the assessment criteria that will be used during the assurance engagement.
– Assesses the design and outcomes of the enablers.
 Phase C—Communicate the Results of the Assessments—In phase C of the assurance workflow, the auditor
communicates the observations to the initiative stakeholders. This includes carefully documenting all weaknesses
or exceptions found and communicating them to stakeholders effectively and efficiently, with a view to initiating
the appropriate response.
2
Additional related guidance for APO01 can be found in COBIT 5: Enabling Processes, p. 56.

Phase A—Determine Scope of the Assurance Initiative

Issue Cross-
Ref. Assurance Step Guidance Comment
reference
Determine the stakeholders of the
A-1
assurance initiative and their stake.
A-1.1 Identify the intended user(s) of the Intended user(s) of Describe the users of the assurance report and their stakes.
assurance report and their stake in the the assurance report
assurance engagement. This is the
assurance objective.
A-1.2 Identify the interested parties, Accountable and Describe the accountable and responsible parties for the
accountable and responsible for the responsible parties subject matter over which assurance is to be provided; COBIT
subject matter over which assurance for the subject matter 5 includes a summary description of a comprehensive set of
needs to be provided. roles that can be used as starting point for this audit step
(COBIT 5 framework, appendix 6, p. 76); COBIT 5 for
Assurance also provides a summary description of a
comprehensive set of assurance roles; see section 2A,
chapter 4, p.37.
Determine the assurance objectives Assurance objectives are essentially a more detailed and tangible expression of those
based on assessment of the internal and enterprise objectives relevant to the subject of the assurance engagement.
external environment/context and of the
relevant risk and related opportunities Enterprise objectives can be formulated in terms of the generic enterprise goals (COBIT 5
A-2 (i.e., not achieving the enterprise goals). framework) or they can be expressed more specifically.
Objectives of the assurance engagement can be expressed using the COBIT 5

enterprise goals, the IT-related goals (which relate more to technology),
information goals or any other set of specific goals.
Understand the enterprise strategy and Inquire with executive management or through available documentation (corporate
A-2.1 priorities. strategy, annual report, etc.) about the enterprise strategy and priorities for the coming
period, and document them to the extent the process under review is relevant.
A-2.2 Understand the internal context of the Identify all internal environmental factors that could influence the performance of the
enterprise. process under review.
A-2.3 Understand the external context of the Identify all external environmental factors that could influence the performance of the
enterprise. process under review.
A-2.4 Given the overall assurance objective, The following goals can be retained as key goals to be supported, in reflection of
translate the identified strategic priorities enterprise strategy and priorities.3
Key goals Enterprise goals:


Issue Cross-
reference
into concrete objectives for the  EG02 Portfolio of competitive products and services
assurance engagement.  EG08 Agile responses to a changing business environment
IT-related goals:
 ITG01 Alignment of IT and business strategy
A-2.4  ITG02 IT compliance and support for business compliance with
Cont. external laws and regulations
 ITG09 IT Agility
 ITG11 Optimisation of IT assets, resources and capabilities
 ITG15 IT compliance with internal policies
 ITG16 Competent and motivated business and IT personnel
 ITG17 Knowledge, expertise and initiatives for business
innovation
Additional goals Enterprise goals:
 EG01 Stakeholder value of business investments
 EG03 Managed business risks (safeguarding of assets)
 EG04 Compliance with external laws and regulations
 EG06 Customer-oriented service culture
 EG09 Information-based strategic decision making
 EG10 Optimisation of service delivery costs
 EG11 Optimisation of business process functionality
 EG12 Optimisation of business process costs
 EG13 Managed business change programmes
 EG14 Operational and staff productivity
 EG15 Compliance with internal policies
 EG16 Skilled and motivated people
 EG17 Product and business innovation culture
IT-related goals:
 ITG03 Commitment of executive management for making IT-
related decisions
 ITG04 Managed IT-related business risk
 ITG07 Delivery of IT services in line with business requirements
 ITG10 Security of information, processing infrastructure and
applications
 ITG12 Enablement and support of business processes by
integrating applications and technology into business
processes
 ITG13 Delivery of programmes delivering benefits on time, on
budget, and meeting requirements and quality standards
 ITG14 Availability of reliable and useful information for decision
making
A-2.5 Define the organizational boundaries of Describe the organizational boundaries of the assurance engagement, i.e., to which
the assurance initiative. organizational entities the review is limited. All other aspects of scope limitation are
identified during phase A-3.
A-3 Determine the enablers in scope and The scope of this assurance engagement is a process. Nevertheless, as per the COBIT 5


Issue Cross-
reference
enabler model, all related enablers will have to be considered for inclusion in the scope
the instance(s) of the enablers in scope.
as well.
A-3.1 Define the Process in scope of the The following process as defined in COBIT 5: Enabling Processes is in scope of this
review. assurance engagement: APO01 Manage the IT management framework.
A-3.2 Define the related enablers. Principles, Policies and Frameworks: In the context of this process review, and taking
into account the goals identified in A-2.4, the following Principles, Policies and
Frameworks could be considered in scope of the review4:
Related enablers include:
 Enterprise governance guiding principles
 Principles, Policies and
 IT-related policies
Frameworks
 Policy and objectives for business continuity
 Organisational Structures
 Security policies for end point devices
 Culture, Ethics and Behaviour
 Environmental policies
 Information
 Principles for safeguarding resources (including malicious software prevention
 Services, Infrastructure and
policy, connectivity security policy, and security policies for end point devices)
Applications
 Other relevant Principles, Policies and Frameworks
 Peoples, Skills and Competencies
Organisational Structures: Based on the process under review, the following
Organisational Structures and functions are considered to be in scope of this assurance
engagement, and available resources will determine which ones will be reviewed in
detail:5
 Chief executive officer (CEO)
 Chief financial officer (CFO)
 Chief operating officer (COO)
 Business executives
 Business process owners
 Strategy executive committee
 Project management office
 Chief risk officer (CRO)
 Chief information security officer (CISO)
 Architecture board
 Head of human resources
 Chief information officer (CIO)
 Head architect
 Head of development
 Head IT operations
 Head IT administration
3
The suggested set of enterprise goals can and should vary with enterprise strategy and priorities. However, in this generic program the following logic was applied: first the mapping table between
IT processes and IT-related goals (COBIT 5: Enabling Processes, appendix B, p. 227-229) was used. The mappings between the process at hand and the IT goals listed as ‘P’ are retained as key
IT-related goals. The mappings listed as ‘S’ are retained as additional IT-related goals. Next, the mapping table between enterprise goals and IT-related goals (COBIT 5: Enabling Processes,
appendix B, p. 226) is used. The previously selected key IT-related goals are looked up, and those enterprise goals that support half or more of the IT-related goals as ‘P’ are retained as key
enterprise goals. The remaining enterprise goals listed as ‘P’ are retained as additional enterprise goals. Again, after application of the logic described here, the resulting set of goals should
be reviewed and tailored if necessary.
4
The logic applied here is the following: if there are any Policies or Frameworks identified as inputs or outputs of any of the process practices of the process under review, they will be included
here.
5
Only those roles that have an ‘A’ or ‘R’ in the RACI chart of the process are included here. Roles are taken from the RACI charts in COBIT 5: Enabling Processes; some more specific roles may
be taken from COBIT 5 for Assurance, COBIT 5 for Risk or COBIT 5 for Information Security.

Issue Cross-
reference
 Service manager
 Information security manager
 Business continuity manager
CuIture, Ethics and Behaviour: In the context of this process review, the following
enterprisewide Behaviours are in scope:
A-3.2  <list here the most relevant Behaviour elements>
Cont.
Information items: Based on the process under review, the following Information items
are considered to be in scope of this assurance engagement, and available resources will
determine which ones will be reviewed in detail.6
APO01.01:
 Decision-making model (I)
 Enterprise governance guiding principles (I)
 Definition of Organisational Structure and functions (O)
 Process architecture model (I)
 Organisational operational guidelines (O)
 Communication ground rules (O)
APO01.02:
 Authority levels (I)
 Definition of IT-related roles and responsibilities (O)
 Assigned responsibilities for resource management (I)
 Definition of supervisory practices (O)
 Skill development plans (I)
 Skill and competencies matrix (I)
 Quality management system (QMS) roles, responsibilities and decision rights (I)
 Information security management system (ISMS) scope statement (I)
 Allocated levels of authority (I)
 Allocated roles and responsibilities (I)
APO01.03:
 Enterprise governance guiding principles (I)
 IT-related policies (O)
 Strategic road map (I)
 Emerging risk issues and factors (I)
 Risk analysis results (I)
APO01.04:
 Enterprise governance communication (I)
 Communication on IT objectives (O)
 Principles of safeguarding resources (I)
 Risk impact communication (I)
6
Leverage the inputs and outputs (also referred to as work products) described for each process practice in COBIT 5: Enabling Processes to identify the most relevant or important information
items. All inputs and outputs are listed here, with those work products written in italic font to be dealt with (in more detail) as part of the Information enabler.

Issue Cross-
reference
 Communication on value of knowledge (I)
 Policy and objectives for business continuity (I)
 Malicious software prevention policy (I)
 Connectivity security policy (I)
 Security policies for end point devices (I)
A-3.2
Cont. APO01.05:
 Enterprise operating model (I)
 Evaluation of options for IT organisation (O)
 Enterprise strategy (I)
 Defined operational placement of IT function (O)
APO01.06:
 Data classification guidelines (O)
 Data security and control guidelines (O)
 Data integrity procedures (O)
APO01.07:
 Feedback on governance effectiveness and performance (I)
 Process capability assessments (O)
 Updated policies, principles, procedures and standards (I)
 Process improvement opportunities (O)
 Performance goals and metrics for process improvement tracking (O)
APO01.08:
 Environmental policies (I)
 Non-compliance remedial actions (O)
Services, Infrastructure and Applications: In the context of this process review, and
taking into account the goals identified in A-2.4, the following Services and related
Infrastructure or Applications could be considered in scope of the review:
 Inventory of information (systems and data) that includes a listing of owners,
custodians and classifications
 Other relevant Services, Infrastructure and Applications
People, Skills and Competencies: In the context of this process review, taking into
account key processes and key roles, the following Skill sets are included in scope:
 Knowledge of IT policy formulation
 Other relevant Skill sets required


Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Issue Cross-
Ref. Assurance Steps and Guidance Comment
reference
B-1 Agree on metrics and criteria for enterprise goals and IT-related goals.
Assess enterprise goals and IT-related goals.
B-1.1 Obtain (and agree on) metrics for enterprise goals and expected values of the metrics and assess whether enterprise goals in scope
are achieved.
Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customized metrics
for the enterprise goals, taking care that the suggested metrics are driven by the performance of the topic of this assurance
initiative.
Next, agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
The following metrics and expected values are agreed on for the key enterprise goals defined in step A-2.4.
Enterprise Goal Metric Expected Outcome (Ex) Assessment Step
EG02 Portfolio of  Percent of products and services that Agree on the expected In this step, the related
competitive products meet or exceed targets in revenues values for these metrics, metrics for each goal will
and services and/or market share i.e., the values against be reviewed and an
 Ratio of products and services per life which the assessment will assessment will be made
cycle phase take place. whether the defined
 Percent of products and services that criteria are achieved.
meet or exceed customer satisfaction
targets
 Percent of products and services that
provide competitive advantage
EG08 Agile responses to  Level of board satisfaction with Agree on the expected In this step, the related
a changing business enterprise responsiveness to new values for these metrics, metrics for each goal will
environment requirements i.e., the values against be reviewed and an
 Number of critical products and which the assessment will assessment will be made
services supported by up-to-date take place. whether the defined
business processes criteria are achieved.
 Average time to turn strategic
enterprise objectives into an agreed
on and approved initiative
B-1.2 Obtain (and agree on) metrics for IT-related goals and expected values of the metrics and assess whether IT-related goals in scope
are achieved.
The following metrics and expected values are agreed on for the key IT-related goals defined in Step A-2.4.
IT-related Goal Metric Expected Outcome (Ex) Assessment Step
ITG01 Alignment of IT  Percent of enterprise strategic goals Agree on the expected In this step, the related
and business strategy and requirements supported by IT values for the IT-related metrics for each goal will
strategic goals goal metrics, i.e., the be reviewed and an
 Level of stakeholder satisfaction with values against which the assessment will be made
scope of the planned portfolio of assessment will take place. whether the defined
programmes and services criteria are achieved.
 Percent of IT value drivers mapped to
business value drivers

Issue Cross-
reference
ITG02 IT compliance  Cost of IT non-compliance, including Agree on the expected In this step, the related
and support for business settlements and fines, and the impact values for the IT-related metrics for each goal will
compliance with external of reputational loss goal metrics, i.e., the be reviewed and an
laws and regulations  Number of IT-related non-compliance values against which the assessment will be made
B-1.2 issues reported to the board or assessment will take place. whether the defined
Cont. causing public comment or criteria are achieved.
embarrassment
 Number of non-compliance issues
relating to contractual agreements
with IT service providers
 Coverage of compliance assessments
ITG09 IT agility  Level of satisfaction of business Agree on the expected In this step, the related
executives with IT's responsiveness values for the IT-related metrics for each goal will
to new requirements goal metrics, i.e., the be reviewed and an
 Number of critical business processes values against which the assessment will be made
supported by up-to-date infrastructure assessment will take place. whether the defined
and applications criteria are achieved.
 Average time to turn strategic IT
objectives into an agreed-on and
approved initiative
ITG11 Optimisation of IT  Frequency of capability maturity and Agree on the expected In this step, the related
assets, resources and cost optimisation assessments values for the IT-related metrics for each goal will
capabilities  Trend of assessment results goal metrics, i.e., the be reviewed and an
 Satisfaction levels of business and IT values against which the assessment will be made
executives with IT-related costs and assessment will take place. whether the defined
capabilities criteria are achieved.
ITG15 IT compliance  Number of incidents related to non- Agree on the expected In this step, the related
with internal policies compliance to policy values for the IT-related metrics for each goal will
 Percent of stakeholders who goal metrics, i.e., the be reviewed and an
understand policies values against which the assessment will be made
 Percent of policies supported by assessment will take place. whether the defined
effective standards and working criteria are achieved.
practices
 Frequency of policies review and
update
ITG16 Competent and  Percent of staff whose IT-related skills Agree on the expected In this step, the related
motivated business and are sufficient for the competency values for the IT-related metrics for each goal will
IT personnel required for their role goal metrics, i.e., the be reviewed and an
 Percent of staff satisfied with their IT- values against which the assessment will be made
related roles assessment will take place. whether the defined
 Number of learning/training hours per criteria are achieved.
staff member

Issue Cross-
reference
ITG17 Knowledge,  Level of business executive Agree on the expected In this step, the related
expertise and initiatives awareness and understanding of IT values for the IT-related metrics for each goal will
for business innovation innovation possibilities goal metrics, i.e., the be reviewed and an
 Level of stakeholder satisfaction with values against which the assessment will be made
levels of IT innovation expertise and assessment will take place. whether the defined
ideas criteria are achieved.
 Number of approved initiatives
resulting from innovative IT ideas
Obtain understanding of the Process in scope and set suitable assessment criteria.
B-2
Assess the Process. 7
B-2.1 Understand the Process purpose.
The purpose of process APO01 is as per the standard COBIT 5 process statement: ‘Provide a consistent management approach to
enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and
responsibilities, reliable and repeatable activities, and skills and competencies’.
B-2.2 Understand the Process goals and related metrics and define expected values (criteria), and assess whether the Process goals
(outcomes) are achieved, i.e., assess the effectiveness of the Process.
The process APO01 Manage the IT management framework has two standard defined process
goals, as described in COBIT 5: Enabling Processes, chapter 5, p. 51. Based on these goals and
their related metrics, the subset of following goals and associated metrics are defined for this process.
Process Goal Related Metric Criteria/Expected Value Assessment Step
An effective set of  Percent of active policies, standards Agree on the expected In this step, the related
policies is defined and and other enablers documented and values for the Process goal metrics for each goal will
maintained. up to date metrics, i.e., the values be reviewed and an
 Date of last updates to the framework against which the assessment will be made
and enablers assessment will take place. whether the defined
 Number of risk exposures due to criteria are achieved.
inadequacies in the design of the
control environment
Everyone is aware of the  Number of staff who attended training Agree on the expected In this step, the related
policies and how they or awareness sessions values for the Process goal metrics for each goal will
should be implemented.  Percent of third-party suppliers who metrics, i.e., the values be reviewed and an
have contracts defining control against which the assessment will be made
requirements assessment will take place. whether the defined
criteria are achieved.
The process APO01 Manage the IT management framework is Each practice is typically implemented through a number
described in COBIT 5: Enabling Processes. of activities, and a well-designed process will implement
The Process requires a number of management practices to be all these practices and activities.
implemented, as described in the process description in the same
guide. These are:
 A sound process design
 The reference against which the process will be assessed in
phase C, with the criteria as mentioned, i.e., all management
practices are expected to be fully implemented.
7
Because this is a process audit/assurance program, several of the assurance steps from COBIT 5 for Assurance have been combined or removed.
Issue Cross-
reference
Reference Assessment Step
Process Practice
APO01.01 Define the Assess by applying appropriate audit techniques (interview, observation, testing) whether the
organisational structure. management practice is effectively implemented through the following typical (control) activities:
1. Define the scope, internal and external functions, internal and external roles, and capabilities and
decision rights required, including those IT activities performed by third parties.
2. Identify decisions required for the achievement of enterprise outcomes and the IT strategy, and for
the management and execution of IT services.
B-2.2 3. Establish the involvement of stakeholders who are critical to decision making (accountable,
Cont. responsible, consulted or informed).
4. Align the IT-related organisation with enterprise architecture organisational models.
5. Define the focus, roles and responsibilities of each function within the IT-related organisational
structure.
6. Define the management structures and relationships to support the functions and roles of
management and execution, in alignment with the governance direction set.
7. Establish an IT strategy committee (or equivalent) at the board level. This committee should ensure
that governance of IT, as part of enterprise governance, is adequately addressed; advise on
strategic direction; and review major investments on behalf of the full board.
8. Establish an IT steering committee (or equivalent) composed of executive, business and IT
management to determine prioritisation of IT-enabled investments programmes in line with the
enterprise’s business strategy and priorities; track status of projects and resolve resource conflicts;
and monitor service levels and service improvements.
9. Provide guidelines for each management structure (including mandate, objectives, meeting
attendees, timing, tracking, supervision and oversight) as well as required inputs for and expected
outcomes of meetings.
10. Define ground rules for communication by identifying communication needs, and implementing
plans based on those needs, considering top-down, bottom-up and horizontal communication.
11. Establish and maintain an optimal co-ordination, communication and liaison structure between the
business and IT functions within the enterprise and with entities outside the enterprise.
12. Regularly verify the adequacy and effectiveness of the organisational structure.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with
the actual accountability and responsibility for this practice and assess whether:
 Accountability and responsibility are assigned and assumed.
 Accountability and responsibility are assigned at the appropriate level in the organisation.

Issue Cross-
reference
APO01.02 Establish Assess by applying appropriate audit techniques (interview, observation, testing) whether the
roles and management practice is effectively implemented through the following typical (control) activities:
responsibilities.
1. Establish, agree on and communicate IT-related roles and responsibilities for all personnel in the
enterprise, in alignment with business needs and objectives. Clearly delineate responsibilities and
accountabilities, especially for decision making and approvals.
2. Consider requirements from enterprise and IT service continuity when defining roles, including staff
back-up and cross-training requirements.
3. Provide input to the IT service continuity process by maintaining up-to-date contact information and
role descriptions in the enterprise.
4. Include in role and responsibility descriptions adherence to management policies and procedures,
the code of ethics, and professional practices.
5. Implement adequate supervisory practices to ensure that roles and responsibilities are properly
exercised, to assess whether all personnel have sufficient authority and resources to execute their
roles and responsibilities, and to generally review performance. The level of supervision should be
in line with the sensitivity of the position and extent of responsibilities assigned.
6. Ensure that accountability is defined through roles and responsibilities.
7. Structure roles and responsibilities to reduce the possibility for a single role to compromise a
critical process.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the
actual accountability and responsibility for this practice and assess whether:
B-2.2  Accountability and responsibility are assigned and assumed.
Cont.  Accountability and responsibility are assigned at the appropriate level in the organisation.

Issue Cross-
reference
APO01.03 Maintain the Assess by applying appropriate audit techniques (interview, observation, testing) whether the
enablers of the management practice is effectively implemented through the following typical (control) activities:
management system.
1. Obtain an understanding of the enterprise vision, direction and strategy
2. Consider the enterprise’s internal environment, including management culture and philosophy, risk
tolerance, security, ethical values, code of conduct, accountability, and requirements for
management integrity.
3. Derive and integrate IT principles with business principles.
4. Align the IT control environment with the overall IT policy environment, IT governance and IT
process frameworks, and existing enterprise-level risk and control frameworks. Assess industry-
specific good practices or requirements (e.g., industry-specific regulations) and integrate them
where appropriate.
5. Align with any applicable national and international governance and management standards and
codes of practice, and evaluate available good practices such as COSO’s Internal Control—
Integrated Framework and COSO’s Enterprise Risk Management—Integrated Framework.
6. Create a set of policies to drive the IT control expectations on relevant key topics such as quality,
security, confidentiality, internal controls, usage of IT assets, ethics and intellectual property rights.
7. Evaluate and update the policies at least yearly to accommodate changing operating or business
environments.
8. Roll out and enforce IT policies to all relevant staff, so they are built into, and are an integral part
of, enterprise operations.
9. Ensure that procedures are in place to track compliance with policies and define the consequences
of non-compliance.
AP001.04 Communicate Assess by applying appropriate audit techniques (interview, observation, testing) whether the
management objectives management practice is effectively implemented through the following typical (control) activities:
and direction.
1. Continuously communicate IT objectives and direction. Ensure that communications are supported
by executive management in action and words, using all available channels.
2. Ensure that the information communicated encompasses a clearly articulated mission, service
objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, roles
and responsibilities, etc. Communicate the information at the appropriate level of detail for the
respective audiences within the enterprise.
3. Provide sufficient and skilled resources to support the communication process.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with
the actual accountability and responsibility for this practice and assess whether:

Issue Cross-
reference
AP001.05 Optimise the Assess by applying appropriate audit techniques (interview, observation, testing) whether the
placement of the IT management practice is effectively implemented through the following typical (control) activities:
function.
B-2.2 1. Understand the context for the placement of the IT function, including an assessment of the
Cont. enterprise strategy and operating model (centralised, federated, decentralised, hybrid), importance
of IT, and sourcing situation and options.
2. Identify, evaluate and prioritise options for organisational placement, sourcing and operating
models.
3. Define placement of the IT function and obtain agreement.
AP001.06 Define Assess by applying appropriate audit techniques (interview, observation, testing) whether the
information (data) and management practice is effectively implemented through the following typical (control) activities:
system ownership.
1. Provide policies and guidelines to ensure appropriate and consistent enterprisewide classification
of information (data).
2. Define, maintain and provide appropriate tools, techniques and guidelines to provide effective
security and controls over information and information systems in collaboration with the owner.
3. Create and maintain an inventory of information (systems and data) that includes a listing of
owners, custodians and classifications. Include systems that are outsourced and those for which
ownership should stay within the enterprise.
4. Define and implement procedures to ensure the integrity and consistency of all information stored
in electronic form such as databases, data warehouses and data archives.

Issue Cross-
reference
AP001.07 Manage Assess by applying appropriate audit techniques (interview, observation, testing) whether the
continual improvement management practice is effectively implemented through the following typical (control) activities:
of processes.
1. Identify business-critical processes based on performance and conformance drivers and related
risk. Assess process capability and identify improvement targets. Analyse gaps in process
capability and control. Identify options for improvement and redesign of the process. Prioritise
initiatives for process improvement based on potential benefits and costs.
2. Implement agreed-on improvements, operate as normal business practice, and set performance
goals and metrics to enable monitoring of process improvements.
3. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation,
standardisation and automation of the process).
4. Apply quality management practices to update the process.
5. Retire outdated processes, process components or enablers.
AP001.08 Maintain Assess by applying appropriate audit techniques (interview, observation, testing) whether the
compliance with policies management practice is effectively implemented through the following typical (control) activities:
and procedures.
B-2.2 1. Track compliance with policies and procedures.
Cont. 2. Analyse non-compliance and take appropriate action (this could include changing requirements).
3. Integrate performance and compliance into individual staff members’ performance objectives.
4. Regularly assess the performance of the framework’s enablers and take appropriate action.
5. Analyse trends in performance and compliance and take appropriate action.
B-2.3 Agree on the Process work products (inputs and outputs as defined in the process practices description) that are expected to be
present (process design).
Assess the extent to which the process work products are available.
The Process APO01 identifies a set of inputs and outputs for the different management practices. The Criteria: All listed work
most relevant of these work products (and those not assessed as Information items in scope in products should
section A-3.2) are identified as follows, as well as the criteria against which they will be assessed, i.e., demonstrably exist and be
existence and usage. used.
Process Practice Work Product8 Assessment Step
APO01.01  Decision-making model (I) Apply appropriate auditing
 Enterprise governance guiding principles (I) techniques to determine
 Process architecture model (I) for each work product:
8
Only the work products not already dealt with (in more detail) as part of the Information enabler are listed here.
Issue Cross-
reference
APO01.02  Authority levels (I)
 Assigned responsibilities for resource management (I)
 Definition of supervisory practices (O)
 Skill development plans (I)
 Skill and competencies matrix (I)
 Quality management system (QMS) roles, responsibilities and
decision rights (I)
 Information security management system (ISMS) scope statement
(I)
 Allocated levels of authority (I)
 Allocated roles and responsibilities (I)
APO01.03  Enterprise governance guiding principles (I)
 Strategic road map (I)
 Emerging risk issues and factors (I)
 Risk analysis results (I)
APO01.04  Enterprise governance communication (I)
 Principles of safeguarding resources (I)  Existence of the work
 Risk impact communication (I) product
 Communication on value of knowledge (I)  Appropriate use of
 Policy and objectives for business continuity (I) the work product
 Malicious software prevention policy (I)
 Connectivity security policy (I)
B-2.3  Security policies for end point devices (I)
Cont.  Communication on IT objectives (O)
APO01.05  Enterprise operating model (I)
 Enterprise strategy (I)
 Evaluation of options for IT organisation (O)
APO01.06  Data classification guidelines (O)
 Data security and control guidelines (O)
 Data integrity procedures (O)
APO01.07  Feedback on governance effectiveness and performance (I)
 Process capability assessments (O)
APO01.08  Environmental policies (I)
 Non-compliance remedial actions (O)
B-2.4 Agree on the Process capability level to be achieved by the process.
Process APO01 is—given the strategic priorities—important, and will require the following Process capability level and attributes,
which is equivalent to achieving a Process capability level _____.9
B-3 Obtain understanding of the Principles, Policies and Frameworks in scope.
Assess Principles, Policies and Frameworks.
Repeat steps B-3.1 through B-3.5 for all Principles, Policies and Frameworks in scope.
9
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which
no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept capability level does not apply.
Issue Cross-
reference
B-3.1 Understand the Principles, Policies and Frameworks context.
Obtain understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.
B-3.2 Understand the stakeholders of the Principles, Policies and Frameworks
Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need
to be in compliance with the policies.
B-3.3 Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values.
Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the
Principles, Policies and Frameworks.
Goal Criteria Assessment Step
Comprehensiveness The set of policies is comprehensive in its Verify that the set of policies is comprehensive in its
coverage. coverage.
Currency The set of policies is up to date. This at Verify that the set of policies is up to date. This at least
least requires: requires:
 A regular validation of all policies  A regular validation of all policies whether they are
whether they are still up to date still up to date
 An indication of the policies’ expiration  An indication of the policies’ expiration date or date
date or date of last update of last update
Flexibility The set of policies is flexible. It is Verify the flexibility of the set of policies, i.e., that it is
structured in such a way that it is easy to structured in such a way that it is easy to add or update
add or update policies as circumstances policies as circumstances require.
require.
Availability  Policies are available to all stakeholders.  Verify that policies are available to all stakeholders.
 Policies are easy to navigate and have a  Verify that policies are easy to navigate and have a
logical and hierarchical structure. logical and hierarchical structure.
B-3.4 Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what
extent the Principles, Policies and Frameworks life cycle is managed.
The life cycle of the IT-related policies is managed by the Process APO01. Therefore, in the context of this process, the review of
this life cycle is already covered by definition.
B-3.5 Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies
and Frameworks design, i.e., assess the extent to which expected good practices are applied.
The assurance professional will, by using appropriate auditing techniques assess the following aspects.
Good Practice Criteria Assessment Step
Scope and validity The scope is described and the validity Verify that the scope of the framework is described and
date is indicated. the validity date is indicated.
Exception and  The exception and escalation  Verify that the exception and escalation procedure is
escalation procedure is explained and commonly described, explained and commonly known.
known.  Through observation of a representative sample,
 The exception and escalation verify that the exception and escalation procedure
procedure has not become de facto has not become de facto standard procedure.
standard procedure.
Compliance The compliance checking mechanism and Verify that the compliance checking mechanism and non-
non-compliance consequences are clearly compliance consequences are clearly described and
described and enforced. enforced.
B-4 Obtain understanding of the Organisational Structures in scope.
Assess the Organisational Structures.
Repeat steps B-4.1 through B-4.5 for each Organisational Structure in scope, as determined in step A-3.2.

Issue Cross-
reference
B-4.1 Understand the Organisational Structure context.
Identify and document all elements that can help to understand the context in which the Organisational Structure/role has to
operate, including:
 The overall organisation
 Management/process framework
 History of the role/structure
 Contribution of the Organisational Structure to achievement of goals
B-4.2 Understand all stakeholders of the Organisational Structure/function.
Determine through documentation review (policies, management communications, etc.) the key stakeholders of the role, i.e.:
 Incumbent of the role and/or members of the Organisational Structure
 Other key stakeholders affected by the decisions of the Organisational Structure/role
B-4.3 Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these
goals contribute to the achievement of the enterprise goals and IT-related goals.
Organisational Structure Goal Assessment Step
Determine through interviews with key stakeholders and This step only applies if specific goals are defined. In that
documentation review the goals of the Organisational Structures, i.e., case, the assurance professional will use appropriate
the decisions for which they are accountable10,11. auditing techniques to:
Note: Very often, the goals of an Organisational Structure—making  Identify the decisions made by the Organisational
decisions—are already described by some of the process practices Structure.
and/or process activities in COBIT 5: Enabling Processes. Therefore,  Assess whether decisions are appropriately
they will be part of the process review and should not be repeated documented and communicated.
here. Only when very specific decisions would be required is there a  Evaluate the decisions by, assessing whether:
need to list them explicitly in this step. They have contributed to the achievement of
the IT-related and enterprise goals as
anticipated.
Decisions are duly executed on a timely basis.
B-4.4 Agree on the expected good practices for the Organisational Structure against which it will be assessed.
Assess the Organisational Structure design, i.e., assess the extent to which expected good practices are applied.
Operating principles  Operating principles are documented.  Verify whether operating principles are
 Regular meetings take place as defined in appropriately documented.
operating principles.  Verify that regular meetings take place as
 Meeting reports/minutes are available and are defined in the operating principles.
meaningful.  Verify that meeting reports/minutes are
available and are meaningful.
Composition The organisational structure’s composition is Assess whether the Organisational Structure’s
balanced and complete, i.e., all required composition is balanced and complete, i.e., all
stakeholders are sufficiently represented. required stakeholders are sufficiently
represented.
10
The RACI charts in COBIT 5: Enabling Processes can be leveraged as a starting point for the expected goals of a role or Organisational Structure.
11
The Organisational Structure/role as described may not exist under the same name in the enterprise; in that case, the closest Organisational Structure assuming the same responsibilities and
accountability should be considered.
Issue Cross-
reference
Span of control  The span of control of The Organisational  Verify whether the span of control of the
Structure is defined. Organisational Structure is defined.
 The span of control is adequate, i.e., the  Assess whether the span of control is
Organisational Structure has the right to make adequate, i.e., the Organisational Structure
all decisions it should. has the right to make all decisions it should.
 The span of control is in line with the overall  Verify and assess whether the span of
enterprise governance arrangements. control is in line with the overall enterprise
governance arrangements.
Level of authority/  Decision rights of the Organisation Structure  Verify that decision rights of the
B-4.4 decision rights are defined and documented. Organisation Structure are defined and
Cont.  Decision rights of the Organisational Structure documented.
are respected and complied with (also a  Verify whether decision rights of the
culture/behaviour issue). Organisational Structure are complied with
and respected.
Delegation of authority Delegation of authority is implemented in a Verify whether delegation of authority is
meaningful way. implemented in a meaningful way.
Escalation procedures Escalation procedures are defined and applied. Verify the existence and application of escalation
procedures.
B-4.5 Understand the life cycle and agree on expected values.
Assess the extent to which the Organisational Structure life cycle is managed.
Life Cycle Element Criteria Assessment Steps
Mandate  The Organisational Structure is  Verify through interviews and observations that the
formally established. Organisational Structure is formally established.
 The Organisational Structure has a  Verify through interviews and observations that the
clear, documented and well- Organisational Structure has a clear, documented
understood mandate. and well-understood mandate.
Monitoring  The performance of the  Verify whether the performance of the
Organisational Structure and its Organisational Structure and its members is
members should be regularly regularly monitored and evaluated by competent
monitored and evaluated by and independent assessors.
competent and independent  Verify whether the regular evaluations have resulted
assessors. in improvements to the Organisational Structure, in
 The regular evaluations should result its composition, mandate or any other parameter.
in the required continuous
improvements to the Organisational
Structure, either in its composition,
mandate or any other parameter.
B-5 Obtain understanding of the Culture, Ethics and Behaviour in scope.
Assess Culture, Ethics and Behaviour.
Repeat steps B-5.1 through B-5.5 for each Culture, Ethics, and Behaviour aspect in scope.
B-5.1 Understand the Culture, Ethics and Behaviour context.
Understand the context of the Culture/Ethics/Behaviour, i.e.:
 What the overall corporate Culture is like
 Understand the interconnection with other enablers in scope:
Identify roles and structures that could be affected by the Culture.
Identify processes that could be affected by Culture, Ethics and Behaviour, including any processes in scope of the review.

Issue Cross-
reference
B-5.2 Understand the major stakeholders of the Culture, Ethics and Behaviour.
Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to
demonstrate the correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.
B-5.3 Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree on expected values.
Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture,
Ethics and Behaviour.
Define what constitutes desired and undesirable Behaviours and why Culture and especially Behaviours are associated to
they are so classified, i.e., relate Behaviours to the organisational individuals and the Organisational Structures of which
ethics and values by which the enterprise wants to live in support of they are a part, therefore, by using appropriate auditing
enterprise goals. techniques, the assurance professional will:
 Identify individuals who must comply with the
Behaviours under review.
 Identify the Organisational Structures involved.
 Assess whether desired Behaviours can be
observed.
 Assess whether undesirable Behaviours are absent.
Desired Behaviour (Culture, Ethics and Behaviour Goal) Assessment Step
B-5.4 Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria.
Assess the extent to which the Culture, Ethics and Behaviour life cycle is managed.
(This aspect is already covered by the assessment of the good practices, so no additional assurance steps are defined here.)
B-5.5 Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria.
Assess the Culture, Ethics and Behaviour design, i.e., assess to what extent expected good practices are applied.
Communication, Existence and quality of the Apply appropriate auditing techniques to assess whether
enforcement and rules communication the good practice is adequately applied, i.e., assessment
Incentives and rewards Existence and application of appropriate criteria are met.
rewards and incentives
Awareness Awareness of desired Behaviours

Issue Cross-
reference
B-6 Obtain understanding of the Information items in scope.
Assess Information items.
Repeat steps B-6.1 through B-6.5 for each Information item defined in scope in A-3.2.
B-6.1 Understand the Information item context:
 Where and when is it used?
 For what purpose is it used?
 Understand the connection with other enablers in scope, e.g.:
Used by which processes?
Which Organisational Structures are involved (see also B-4.2)?
Which services/applications are involved?
B-6.2 Understand the major stakeholders of the Information item.
Understand the stakeholders for the Information item, i.e., identify the:
 Information producer
 Information custodian
 Information consumer
Stakeholders should be at the appropriate organisational level.
B-6.3 Understand the major quality criteria for the Information item, the related metrics and agree on expected values.
Assess whether the Information item quality criteria (outcomes) are achieved, i.e., assess the effectiveness of the Information
item.
Leverage the COBIT 5 Information enabler model12 focussing on the quality goals description The assurance professional will,
to select the most relevant Information quality criteria for the Information item at hand. by using appropriate auditing
Document expectations regarding information criteria. The COBIT 5 Information enabler techniques, verify all quality
model identifies 15 different quality criteria—although all of them are relevant, it is nonetheless criteria in scope and assess
possible and recommended to focus on a subset of the most important criteria for the whether the criteria are met.
Information item at hand.
Mark the quality dimensions with a ‘’ that are deemed most important (key criteria), and by
consequence will be assessed against the described criteria.
Quality Dimension Key Criteria Description Assessment Step
Accuracy
Objectivity
Believability
Reputation
Relevancy
Completeness
Currency
Amount of information
Concise representation
Consistent
representation
Interpretability
B-6.3 Understandability

Issue Cross-
reference
Manipulation
Availability
Cont.
Restricted access
B-6.4 Understand the life cycle stages of the Information item, and agree on the relevant criteria.
Assess to what extent the Information item life cycle is managed.
The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review
already includes a review of (IT-related) processes so this aspect does not need to be duplicated here.
 When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently.
 When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle
aspects need to be assessed.
Mark the life cycle stages with a ‘’ that are deemed most important (key criteria), and by consequence will be assessed against
the described criteria.
Life Cycle Stage Key Criteria Description Assessment Step
Plan
Design
Build/acquire
Use/operate
Evaluate/monitor
Update/dispose
B-6.5 Understand important attributes of the Information item and expected values.
Assess the Information item design, i.e., assess the extent to which expected good practices are applied.
Good practices for Information items are defined as a series of attributes for the Information item 13. The assurance professional
will, by using appropriate audit techniques, verify all attributes in scope and assess whether the attributes are adequately defined.
Mark the attributes with a ‘’ that are deemed most important (key criteria), and by consequence will be assessed against the
described criteria.
Attribute Key Criteria Description Assessment Step
Physical
Empirical
Syntactic
Semantic
Pragmatic
Social
12
COBIT 5 framework, appendix G, p.81-84
13
COBIT 5 framework, appendix G, p. 81-84
Issue Cross-
reference
B-7 Obtain understanding of the Services, Infrastructure and Applications in scope.
Assess the Services, Infrastructure and Applications.
Repeat steps B-7.1 through B-7.5 for each Service, Infrastructure and Applications element in scope.
B-7.1 Understand the Services, Infrastructure and Applications context.
Understand the organisational and technological context of this service. Refer to step A-2.2 and A-2.3 and re-use that information
to understand the significance of this Service, Infrastructure and Application.
B-7.2 Understand the major stakeholders of the Services, Infrastructure and Applications.
Understand who will be the major stakeholders of the service, i.e., the sponsor, provider and users. Stakeholders will include a
number of organisational roles but could also link to Processes.
B-7.3 Understand the major goals for the Services, Infrastructure and Applications, the related metrics and agree on expected values.
Assess whether the Services, Infrastructure and Applications goals (outcomes) are achieved, i.e., assess the effectiveness of the
Services, Infrastructure and Applications.
Service description  The Service is clearly described.  Verify that the Service exists and is clearly
 The Service is available to all described.
potential stakeholders  Assess the quality of the Service description and of
the Service offered.
 Verify the accessibility of the Service to all potential
stakeholders.
Service level definition Service levels are defined for:  Verify that the following aspects are dealt with in the
 Quality of the service deliverables Service level definitions:
 Cost Quality of the Service deliverables
 Timeliness Cost
Timeliness
 Verify to what extent Service levels are achieved.
Contribution to related The Service contributes to the Assess to what extent the Service contributes to the
enabler, IT-related and achievement of related enabler and IT- achievement of the related enabler goals and to the
enterprise goals related and enterprise goals. overall IT-related and enterprise goals.
B-7.4 Understand the life cycle stages of the Services, Infrastructure and Applications, and agree on the relevant criteria.
Assess the extent to which the Services, Infrastructure and Applications life cycle is managed.14
B-7.5 Understand good practice related to the Services, Infrastructure and Applications and expected values.
Assess the Services, Infrastructure and Applications design, i.e., assess to what extent expected good practices are applied.
Leverage the description of Services, Infrastructure and Applications in the COBIT 5 framework 15 to identify good practices
related to Services, Infrastructure And Applications. In general the following practices need to be implemented:
 Buy/build decision needs to be taken.
 Use of the Service needs to be clear.
14
The life cycle of a service will be governed and managed by numerous of the COBIT 5 processes. As a consequence, a subset of the BAI and APO processes may have to be added to the scope
of the assurance engagement should it be required.
15
COBIT 5 framework, appendix G, p.85-86
Issue Cross-
reference
Sourcing (buy/build) A formal decision—based on a business  Verify that a formal decision—based on a business
case—needs to be taken regarding the case—was taken regarding the sourcing of the
sourcing of the Service. Service.
 Verify the validity and quality of the business case.
 Verify that the sourcing decision has been duly
executed.
Use The use of the Service needs to be  Verify that the use of the Service is clear, i.e., it is
clear: known when and by whom the service needs to be
 When it needs to be used and by used.
whom  Verify that actual use is in line with requirement
 The required compliance levels above.
with the Service’s output  Verify that the actual Service output is adequately
B-7.5 used.
Cont.  Verify that Service levels are monitored and
achieved.

Issue Cross-
reference
B-8 Obtain understanding of the People, Skills and Competencies in scope.
Assess People, Skills and Competencies.
Repeat steps B-8.1 through B-8.5 for each People, Skill and Competency aspect in scope.
B-8.1 Understand the People, Skills and Competencies context.
Understand the context of the Skill/Competency, i.e.:
 Where and when is it used?
 For what purpose is it used?
 Understand the connection with other enablers in scope, e.g.:
In which roles and structures is the Skill/Competency used? (See also B-4.1.)
Which behaviours are associated with the Skill/Competency?
B-8.2 Understand the major stakeholders for People, Skills and Competencies.
Identify to whom in the organisation the skill requirement applies.
B-8.3 Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values.
Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the
People, Skills and Competencies.
For the People, Skills and Competencies at hand, the following goals and associated criteria can be addressed.
Experience Apply appropriate auditing techniques to assess whether
Education the People, Skills and Competencies goals are
Qualification adequately achieved, i.e., that assessment criteria are
met.
Knowledge
Technical skills
Behavioural skills
Number of people with
appropriate skill level
B-8.4 Understand the life cycle stages of the People, Skills and Competencies, and agree on the relevant criteria.
Assess to what extent the People, Skills and Competencies life cycle is managed.
For the People, Skills and Competencies at hand, the life cycle phases and For the People, Skills and Competencies at
associated criteria can be expressed in function of the process APO07. hand the assurance professional will
perform the following assessment steps.
Life Cycle Element Criteria Assessment Step
Plan Practice APO07.03, activity 1 (Define the required and Assess whether practice APO07.03 activity
currently available skills and competencies of internal 1 is implemented in relation to this skill.
and external resources to achieve enterprise, IT and
process goals.) is implemented in relation to this skill.

Issue Cross-
reference
Design
Practice APO07.03 activity 2 (Provide formal career Assess whether practice APO07.03 activity
planning and professional development to encourage 2 is implemented in relation to this skill.
competency development, opportunities for personal
advancement and reduced dependence on key
individuals.) is implemented in relation to this skill.
Assess whether practice APO07.03 activity
Practice APO07.03 activity 3 (Provide access to 3 is implemented in relation to this skill.
knowledge repositories to support the development of
skills and competencies.) is implemented in relation to
this skill.
Build Practice APO07.03 activity 4 (Identify gaps between Assess whether practice APO07.03 activity
required and available skills and develop action plans 4 is implemented in relation to this skill.
to address them on an individual and collective basis,
such as training [technical and behavioural skills],
recruitment, redeployment and changed sourcing
strategies.) is implemented in relation to this skill.
Operate Practice APO07.03 activity 5 (Develop and deliver Assess whether practice APO07.03 activity
training programmes based on organisational and 5 is implemented in relation to this skill.
process requirements, including requirements for
enterprise knowledge, internal control, ethical conduct
and security.) is implemented in relation to this skill.
Evaluate Practice APO07.03 activity 6 (Conduct regular reviews Assess whether practice APO07.03 activity
to assess the evolution of the skills and competencies 6 is implemented in relation to this skill.
B-8.4 of the internal and external resources. Review
Cont. succession planning.) is implemented in relation to this
skill.
Update/dispose Practice APO07.03 activity 7 (Review training Assess whether practice APO07.03 activity
materials and programmes on a regular basis to 7 is implemented in relation to this skill.
ensure adequacy with respect to changing enterprise
requirements and their impact on necessary
knowledge, skills and abilities.) is implemented in
relation to this skill.
B-8.5 Understand good practice related to the People, Skills and Competencies and expected values.
Assess the People, Skills and Competencies design, i.e., assess to what extent expected good practices are applied.
Good Practice Assessment Step
Skill set and Competencies are defined.  Determine that an inventory of Skills and Competencies is
maintained by organisational unit, job function and individual.
 Evaluate the relevance and the contribution of the Skills and
Competencies to the achievement of the goals of the
Organisational Structure, and by consequence, IT-related
goals and enterprise goals.
 Evaluate the gap analysis between necessary portfolio of Skills
and Competencies and current inventory of skills and
capabilities.

Issue Cross-
reference
Skill levels are defined.  Assess the flexibility and performance of meeting Skills
development to address identified gaps between necessary
and current Skill levels.
 Assess the process for 360-degree performance evaluations.

Phase C—Communicate the Results of the Assessment

Ref. Assurance Step Guidance
C-1 Document exceptions and gaps.
C-1.1 Understand and document weaknesses and their impact on the • Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors,
achievement of process goals. inefficiencies and misuse.
• Clarify vulnerabilities, threats and missed opportunities that are likely to occur if enablers do not perform
effectively.
C-1.2 Understand and document weaknesses and their impact on enterprise • Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture
goals. elements, capabilities, resources). Relate the impact of not achieving the enabler goals to actual cases
in the same industry and leverage industry benchmarks.
• Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial
reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and
shareholder requirements, etc.
• Point out the consequence of non-compliance with regulatory requirements and contractual agreements.
• Measure the actual impact of disruptions and outages on business processes and objectives, and on
customers (e.g., number, effort, downtime, customer satisfaction, cost).
C-2 Communicate the work performed and findings.
C-2.1 Communicate the work performed.  Communicate regularly to the stakeholders identified in A-1 on progress of the work performed.
C-2.2 Communicate preliminary findings to the assurance engagement • Document the impact (i.e., customer and financial impact) of errors that could have been caught by
stakeholders defined in A-1. effective enablers.
• Measure and document the impact of rework (e.g., ratio of rework to normal work) as an efficiency
measure affected by enabler weaknesses.
• Measure the actual business benefits and illustrate cost savings of effective enablers after the fact.
• Use benchmarking and survey results to compare the enterprise’s performance with others.
• Use extensive graphics to illustrate the issues.
• Inform the person responsible for the assurance activity about the preliminary findings and verify his/her
correct understanding of those findings.
C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed-
on reporting standards) that supports the results of the initiative and
enables a clear focus on key issues and important actions.

WAPO01 Manage The IT Management Framework Audit Assurance Program - Icq - Eng - 0814

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

WAPO01 Manage The IT Management Framework Audit Assurance Program - Icq - Eng - 0814

Загружено:

Авторское право:

Доступные форматы

APO01 Manage the IT Management Framework

Provide feedback: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Align-Plan-and-Organise.aspx

© ISACA 2014 All rights reserved. 2

ISACA Board of Directors

Guidance and Practices Committee

© ISACA 2014 All rights reserved. 3

© ISACA 2014 All rights reserved. 4

Figure 1—Generic COBIT 5-based Assurance Engagement Approach

Assurance Engagement Approach Based on COBIT 5

© ISACA 2014 All rights reserved. 5

Generic Audit/Assurance Program

Customization of the Audit/Assurance Program

About the Example Audit/Assurance Program: APO01

© ISACA 2014 All rights reserved. 6

Assurance Engagement: Manage the IT Management Framework

Goal of the Review

COBIT 5-based Assurance Engagement Approach

© ISACA 2014 All rights reserved. 7

Phase A—Determine Scope of the Assurance Initiative

Objectives of the assurance engagement can be expressed using the COBIT 5

© ISACA 2014 All rights reserved. 8

Phase A—Determine Scope of the Assurance Initiative

© ISACA 2014 All rights reserved. 9

Phase A—Determine Scope of the Assurance Initiative

Phase A—Determine Scope of the Assurance Initiative

Phase A—Determine Scope of the Assurance Initiative

© ISACA 2014 All rights reserved. 12

© ISACA 2014 All rights reserved. 13

© ISACA 2014 All rights reserved. 14

© ISACA 2014 All rights reserved. 15

© ISACA 2014 All rights reserved. 17

© ISACA 2014 All rights reserved. 18

© ISACA 2014 All rights reserved. 19

© ISACA 2014 All rights reserved. 20

© ISACA 2014 All rights reserved. 23

© ISACA 2014 All rights reserved. 25

© ISACA 2014 All rights reserved. 26

© ISACA 2014 All rights reserved. 27

© ISACA 2014 All rights reserved. 30

© ISACA 2014 All rights reserved. 31

© ISACA 2014 All rights reserved. 32

© ISACA 2014 All rights reserved. 33

Phase C—Communicate the Results of the Assessment

© ISACA 2014 All rights reserved. 34

Вам также может понравиться