Post on 23-Dec-2021
Need for IT Governance and Assurance
The COBIT® Framework
IT Assurance Approaches
How COBIT Supports IT Assurance Activities
USING COBIT®
The IT Governance Institute®
The IT Governance Institute (ITGI™) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research, electronic resources and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
Disclaimer
ITGI (the ‘Owner’) has designed and created this publication, titled IT Assurance Guide: Using COBIT® (the ‘Work’), primarily as an educational resource for assurance professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, CIOs, senior management, IT management and control professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or IT environment.
Disclosure
© 2007 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI. Reproduction of selections of this publication, for internal and non-commercial or academic use only, is permitted and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@itgi.org
Web site: www.itgi.org
ISBN 1-933284-74-9
IT Assurance Guide: Using COBIT®
Printed in the United States of America
IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE
ACKNOWLEDGEMENTS
IT Governance Institute wishes to recognise:

Project Managers and Thought Leaders
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Workshop Participants and Expert Reviewers
Mark Adler, CISA, CISM, CIA, CISSP, Allstate Insurance Co., USA
Peter Andrews, CISA, CITP, MCMI, PJA Consulting, UK
Georges Ataya, CISA, CISM, CISSP, MSCS, PBA, Solvay Business School, Belgium
Gary Austin, CISA, CIA, CISSP, CGFM, KPMG LLP, USA
Gary S. Baker, CA, Deloitte & Touche, Canada
David H. Barnett, CISM, CISSP, Applera Corp., USA
Christine Bellino, CPA, CITP, Jefferson Wells, USA
John W. Beveridge, CISA, CISM, CFE, CGFM, CQA, Massachusetts Office of the State Auditor, USA
Alan Boardman, CISA, CISM, CA, CISSP, Fox IT, UK
David Bonewell, CISA, CISSP-ISSEP, Accomac Consulting LLC, USA
Dirk Bruyndonckx, CISA, CISM, KPMG Advisory, Belgium
Don Caniglia, CISA, CISM, USA
Luis A. Capua, CISM, Sindicatura General de la Nación, Argentina
Boyd Carter, PMP, Elegantsolutions.ca, Canada
Sean V. Casey, CISA, CPA, Ernst & Young LLP, USA
Sushil Chatterji, Edutech, Singapore
Edward Chavannes, CISA, CISSP, Ernst & Young LLP, USA
Christina Cheng, CISA, CISSP, SSCP, Deloitte & Touche LLP, USA
Dharmesh Choksey, CISA, CPA, CISSP, PMP, KPMG LLP, USA
Jeffrey D. Custer, CISA, CPA, CIA, Ernst & Young LLP, USA
Beverly G. Davis, CISA, Federal Home Loan Bank of San Francisco, USA
Peter De Bruyne, CISA, Banksys, Belgium
Steven De Haes, University of Antwerp Management School, Belgium
Philip De Picker, CISA, MCA, National Bank of Belgium, Belgium
Kimberly de Vries, CISA, PMP, Zurich Financial Services, USA
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA
Zama Dlamini, Deloitte & Touche, South Africa
Troy DuMoulin, Pink Elephant, Canada
Bill A. Durrand, CISA, CISM, CA, Ernst & Young LLP, Canada
Justus Ekeigwe, CISA, MBCS, Deloitte & Touche LLP, USA
Rafael Fabius, CISA, República AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Christopher Fox, ACA, USA
Bob Frelinger, CISA, Sun Microsystems Inc., USA
Zhiwei Fu, Ph.D., Fannie Mae, USA
Monique Garsoux, Dexia Bank, Belgium
Edson Gin, CISA, CFE, SSCP, USA
Sauvik Ghosh, CISA, CIA, CISSP, CPA, Ernst & Young LLP, USA
Guy Groner, CISA, CIA, CISSP, USA
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, KPMG, Austria
Benjamin K. Hsaio, CISA, Federal Deposit Insurance Corp., USA
Tom Hughes, Acumen Alliance, Australia
Monica Jain, CSQA, Covansys Corp., USA
Avinash W. Kadam, CISA, CISM, CBCP, CISSP, MIEL e-Security Pvt. Ltd., India
John A. Kay, CISA, USA
Lisa Kinyon, CISA, Countrywide, USA
Rodney Kocot, Systems Control and Security Inc., USA
Luc Kordel, CISA, CISM, CISSP, CIA, RE, RFA, Dexia Bank, Belgium
Linda Kostic, CISA, CPA, USA
John W. Lainhart IV, CISA, CISM, IBM, USA
Lynn Lawton, CISA, BA, FCA, FIIA, PII, KPMG LLP, UK
Philip Le Grand, Capita Education Services, UK
Elsa K. Lee, CISA, CISM, CSQA, AdvanSoft International Inc., USA
Kenny K. Lee, CISA, CISSP, Countrywide SMART Governance, USA
Debbie Lew, CISA, Ernst & Young LLP, USA
Bjarne Lonberg, CISSP, A.P. Moller-Maersk A/S, Denmark
Donald Lorete, CPA, Deloitte & Touche LLP, USA
Addie C.P. Lui, MCSA, MCSE, First Hawaiian Bank, USA
Charles Mansour, CISA, Charles Mansour Audit & Risk Service, UK
Mario Micallef, CPAA, FIA, National Australia Bank Group, Australia
Niels Thor Mikkelsen, CISA, CIA, Danske Bank, Denmark
John Mitchell, CISA, CFE, CITP, FBCS, FIIA, MIIA, QiCA, LHS Business Control, UK
Anita Montgomery, CISA, CIA, Countrywide, USA
Karl Muise, CISA, City National Bank, USA
Jay S. Munnelly, CISA, CIA, CGFM, Federal Deposit Insurance Corp., USA
Orillo Narduzzo, CISA, CISM, Banca Popolare di Vicenza, Italy
Sang Nguyen, CISA, CISSP, MCSE, Nova Southeastern University, USA
Anthony Noble, CISA, CCP, Viacom Inc., USA
Ed O’Donnell, Ph.D., CPA, University of Kansas, USA
Sue Owen, Department of Veterans Affairs, Australia
Robert G. Parker, CISA, CMC, FCA, Robert G. Parker Consulting, Canada
Bart Peeters, PricewaterhouseCoopers LLP, Belgium
Thomas Phelps IV, CISA, PricewaterhouseCoopers LLP, USA
Vitor Prisca, CISM, Novabase, Portugal
Claus Rosenquist, CISA, TrygVesata, Denmark
Jaco Sadie, Sasol, South Africa
Max Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Craig W. Silverthorne, CISA, CISM, CPA, IBM Business Consulting Services, USA
Chad Smith, Great-West Life, Canada
Gustavo A. Solis, CISA, CISM, Grupo Cynthus, Mexico
Roger Southgate, CISA, CISM, FCCA, CubeIT Management Ltd., UK
Paula Spinner, CSC, USA
Mark Stanley, CISA, Toyota Financial Services, USA
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Robert E. Stroud, CA Inc., USA
Scott L. Summers, Ph.D., Brigham Young University, USA
Lance M. Turcato, CISA, CISM, CPA, City of Phoenix IT Audit Division, USA
Ingvar Van Droogenbroeck, PricewaterhouseCoopers, Belgium
Wim Van Grembergen, Ph.D., University of Antwerp Management School, Belgium
Johan Van Grieken, CISA, Deloitte, Belgium
Greet Volders, Voquals NV, Belgium
Robert M. Walters, CISA, CPA, CGA, Office of the Comptroller General, Canada
Tom Wong, CISA, CIA, CMA, Ernst & Young LLP, Canada
Amanda Xu, CISA, PMP, KPMG LLP, USA
The following professors and students for their work on the COBIT 4.1 control practices and assurance test steps
Scott L. Summers, Ph.D., Brigham Young University, USA
Keith Ballante, Brigham Young University, USA
David Butler, Brigham Young University, USA
Phil Harrison, Brigham Young University, USA
William Lancaster, Brigham Young University, USA
Chase Manderino, Brigham Young University, USA
Paul Schneider, Brigham Young University, USA
Jacob Sperry, Brigham Young University, USA
Brian Updike, Brigham Young University, USA
ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, International President
Georges Ataya, CISA, CISM, CISSP, Solvay Business School, Belgium, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Avinash Kadam, CISA, CISM, CISSP, CBCP, GSEC, GCIH, Miel e-Security Pvt. Ltd., India, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Frank Yam, CISA, FHKIoD, FHKCS, FFA, CIA, CFE, CCP, CFSA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee
IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Tally Solutions Limited, UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Rómulo Lomparte, CISA, Banco de Crédito BCP, Peru
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG LLP, Austria
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada
Assurance Committee
Lynn C. Lawton, CISA, BA, FCA, FIIA, PII, KPMG LLP, UK
Pippa G. Andrews, CISA, ACA, CIA, Amcor, Australia
John Warner Beveridge, CISA, CISM, CFE, CGFM, Office of the Massachusetts State Auditor, USA
Daniel Patrick Casciano, CISA, Ernst & Young LLP, USA
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA
Avinash W. Kadam, CISA, CISM, CBCP, CISSP, MIEL e-Security Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Gustavo A. Solis, Grupo Cynthus S.A. de C.V., Mexico
Paul A. Zonneveld, CISA, CA, Deloitte & Touche, Canada
Corresponding Member: Robert G. Parker, CISA, CA, CMC, FCA, Canada
COBIT Steering Committee
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Dan Casciano, CISA, Ernst & Young LLP, USA
Steven De Haes, University of Antwerp Management School, Belgium
Peter De Koninck, CISA, CFSA, CIA, SWIFT SC, Belgium
Rafael Fabius, CISA, República AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, KPMG LLP, Austria
Debbie Lew, CISA, Ernst & Young LLP, USA
Max Shanahan, FCPA, CISA, Max Shanahan & Associates, Australia
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Robert E. Stroud, CA Inc., USA
ITGI Advisory Panel
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Chair
Roland Bader, F. Hoffmann-La Roche AG, Switzerland
Linda Betz, IBM Corporation, USA
Jean-Pierre Corniou, Renault, France
Rob Clyde, CISM, Symantec, USA
Richard Granger, NHS Connecting for Health, UK
Howard Schmidt, CISM, R&H Security Consulting LLC, USA
Alex Siow Yuen Khong, StarHub Ltd., Singapore
Amit Yoran, Yoran Associates, USA
ITGI Affiliates and Sponsors
ISACA chapters
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance
FIDA Inform
Information Security Forum
The Information Systems Security Association (ISSA)
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants
ISACA
ITGI Japan
Solvay Business School
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
CA
Hewlett-Packard
IBM
ITpreneurs Nederlands BV
LogLogic Inc.
Phoenix Business and Systems Process Inc.
Project Rx Inc.
Symantec Corporation
Wolcott Group LLC
World Pass IT Solutions
TABLE OF CONTENTS
1. Introduction ......................................................................................................................................................9
Objectives of the Guide......................................................................................................................................9
Summary Overview of COBIT ...........................................................................................................................9
Target Audience................................................................................................................................................11
COBIT Guidance for IT Assurance Activities ..................................................................................................12
Components of IT Assurance Guide................................................................................................................12
Relationship With COBIT Control Practices....................................................................................................14
Document Road Map.......................................................................................................................................15
How to Use This Guide....................................................................................................................................15
2. IT Assurance Principles and Context ..........................................................................................................17
Introduction ......................................................................................................................................................17
Assurance Approach and Road Map ...............................................................................................................18
Relevant General Standards and Guidance .....................................................................................................22
Relevance for IT Assurance.............................................................................................................................23
3. Assurance Planning........................................................................................................................................25
Introduction ......................................................................................................................................................25
IT Assurance Universe .....................................................................................................................................25
Risk-based Assurance Planning.......................................................................................................................27
High-level Assessments ...................................................................................................................................29
Define the Scope and Objectives of the Assurance Initiative.........................................................................29
4. IT Resource and Control Scoping................................................................................................................31
Introduction ......................................................................................................................................................31
Steps in Scoping IT Resources and Control Objectives .................................................................................31
IT-related Business Goals and IT Goals ..........................................................................................................33
5. Assurance Initiative Execution .....................................................................................................................35
Introduction ......................................................................................................................................................35
Step 1—Refine Understanding........................................................................................................................35
Step 2—Refine Scope......................................................................................................................................35
Step 3—Test the Control Design .....................................................................................................................36
Step 4—Test the Outcome of the Control Objectives.....................................................................................37
Step 5—Document the Impact of Control Weaknesses..................................................................................37
Step 6—Develop and Report Overall Conclusion and Recommendations....................................................38
6. Assurance Guidance for COBIT Processes and Controls ..........................................................................39
Introduction ......................................................................................................................................................39
Generic Process Controls.................................................................................................................................39
Generic Control Practices ................................................................................................................................39
IT General Controls .........................................................................................................................................40
Application Controls ........................................................................................................................................40
Examples of the Use of Detailed Assurance Steps .........................................................................................41
7. How COBIT Components Support IT Assurance Activities ......................................................................43
Introduction ......................................................................................................................................................43
COBIT Components .........................................................................................................................................43
IT Assurance Activities ....................................................................................................................................44
The Strongest Links .........................................................................................................................................44
Appendix I—Process Control (PC)..................................................................................................................45
Process Assurance Steps ..................................................................................................................................45
Appendix II—Plan and Organise (PO) ...........................................................................................................51
Process Assurance Steps ..................................................................................................................................51
Appendix III—Acquire and Implement (AI) ...............................................................................................115
Process Assurance Steps ................................................................................................................................115
Appendix IV—Deliver and Support (DS) .....................................................................................................153
Process Assurance Steps ................................................................................................................................153
Appendix V—Monitor and Evaluate (ME) ..................................................................................................225
Process Assurance Steps ................................................................................................................................225
Appendix VI—Application Control (AC)......................................................................................................253
Process Assurance Steps ................................................................................................................................253
Appendix VII—Maturity Model for Internal Control ................................................................................263
Appendix VIII—IT Scoping ...........................................................................................................................265
Appendix IX—COBIT and Related Products ...............................................................................................269
1. INTRODUCTION
OBJECTIVES OF THE GUIDE
The objective of IT Assurance Guide is to provide guidance on how to use COBIT to support a variety of IT assurance activities. If the organisation is already using COBIT as a framework for IT governance, it will enable the leverage of COBIT when planning and performing assurance reviews, so that the business, IT and assurance professionals are aligned around a common framework and common objectives.
This guide is designed to enable efficient and effective development of IT assurance initiatives, providing guidance on planning, scoping and executing assurance reviews using a road map based on well-accepted assurance approaches. Guidance is also provided on how the COBIT resources can be used during these stages supported by detailed tests based on COBIT’s processes and control objectives. The guidance and suggested tests, like all the COBIT resources, are not intended to be prescriptive, but should be tailored to suit the specific assurance initiative.
This guide is aimed primarily at assurance professionals, but may be of interest to IT professionals and advisors.
SUMMARY OVERVIEW OF COBIT
Control Objectives for Information and related Technology (COBIT) is a comprehensive set of resources that contains all the information organisations need to adopt an IT governance and control framework. COBIT provides good practices across a domain and process framework in a manageable and logical structure to help optimise IT-enabled investments and ensure that IT is successful in delivering against business requirements.
COBIT contributes to enterprise needs by:
• Making a measurable link between the business requirements and IT goals
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
• Providing tools for management:
  – Goals and metrics to enable IT performance to be measured
  – Maturity models to enable process capability to be benchmarked
  – Responsible, Accountable, Consulted and Informed (RACI) charts to clarify roles and responsibilities
COBIT is focused on what is required to achieve adequate governance, management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed IT frameworks, standards and best practices. COBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements. In this context, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Internal Control Framework and similar compliant frameworks are generally seen as the internal control frameworks for enterprises. COBIT is generally seen as the management and control framework for IT.
The benefits of implementing COBIT as a governance framework over IT include:
• Better alignment of business and IT, based on a business focus
• Shared understanding amongst all stakeholders, based on a common language
• An understandable view of what IT does for business management
• Clear ownership and responsibilities, based on a process orientation
• Widespread acceptance by third parties and regulators
• Fulfilment of the COSO requirements for the IT control environment
The COBIT framework is summarised in figure 1.
The COBIT products have been organised into three levels designed to support:
• Boards of directors and executive management
• Business and IT management
• Governance, assurance, control and security professionals
Figure 2 illustrates the COBIT products within the IT governance body of knowledge aimed at each of these three levels.
Figure 1—COBIT Framework (figure; the process list and axis labels below are what survives of it)

Plan and Organise (PO)
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and Implement (AI)
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and Support (DS)
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate (ME)
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.
IT resources: applications, information, infrastructure, people.
The four domains are driven by business objectives and governance objectives.

Figure 1—COBIT Framework
For more details on each product, see appendix X, COBIT and Related Products. For the most complete and up-to-date information on COBIT and related products, case studies, training opportunities, newsletters and other COBIT-specific information, visit www.isaca.org/cobit.
TARGET AUDIENCE
This IT Assurance Guide provides detailed guidance for assurance and IT professionals on how COBIT can be used to support a variety of assurance activities for each of the 34 IT processes. Assurance steps and advice are provided for:
• Generic controls that apply to all processes (identified within the COBIT framework by a PCn identifier)
• Application controls (identified within the COBIT framework by an ACn identifier)
• Specific process controls (identified within the COBIT framework by domain identification and process number, e.g., PO6.3, AI4.1)
Assurance steps and guidelines are provided to:
• Test the control design of the control objective
• Test the outcome of the control objective (operational effectiveness)
• Document control weaknesses and their impact
It is assumed that users of this guide are familiar with the concepts of COBIT and have a level of knowledge equivalent to at least the COBIT foundation level (which can be tested online to obtain the COBIT® Foundation Certificate). If this is not the case, it is recommended that the reader undertake the COBIT Foundation Course™. Information on these opportunities is available from education@isaca.org and at www.isaca.org/cobitcampus.
The guide also assumes that the readers are familiar with assurance concepts in general.
Figure 2—Major COBIT-based Products (figure; the recoverable labels are summarised below)

Executives and Boards: Board Briefing on IT Governance, 2nd Edition. How does the board exercise its responsibilities?

Business and Technology Management: management guidelines and maturity models. How do we measure performance? How do we compare to others? And how do we improve over time?

Governance, Assurance, Control and Security Professionals: COBIT and Val IT frameworks, control objectives, key management practices, COBIT Control Practices, 2nd Edition, IT Governance Implementation Guide, 2nd Edition, and IT Assurance Guide. What is the IT governance framework? How do we assess the IT governance framework? How do we implement it in the enterprise?

This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT Quickstart for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).

Figure 2—Major COBIT-based Products
COBIT GUIDANCE FOR IT ASSURANCE ACTIVITIES
The COBIT framework, represented in figure 3, provides the basis for two guides:
• IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition, which provides a road map and process guidance on how to implement IT governance using the COBIT resources
• IT Assurance Guide: Using COBIT, which provides professional guidance for the assurance team and offers a structured assurance approach linked to the COBIT framework that business and IT professionals can understand
As seen in figure 3, each guide is fed with different inputs. The IT Governance Implementation Guide leverages COBIT Control Practices, whilst the IT Assurance Guide is based on assurance steps. The two inputs (control practices and assurance steps) are considered mutually exclusive, allowing the guides’ users to focus on either part of the IT governance process (implementation or assurance).
IT Assurance Guide provides assurance advice at different levels. At the process level, process-specific advice is provided on how to test whether control objectives are being achieved and on how to document control weaknesses. At the control objective level, assurance steps are provided to test the control design for each specific control objective based on its control practices. This detailed guidance can be found in appendices I through VI. In chapter 6, Assurance Guidance for COBIT Processes and Controls, some examples can be found on how the detailed guidance can be leveraged for a specific assurance initiative.
At the different levels, generic advice is also provided. Generic advice applies to all processes or control objectives and can be used in addition to, or as an alternative to, the specific advice. These processes are further described in chapter 6.
For the testing steps of the execution stage, this guide provides generic guidance as well as specific, more detailed guidance to assist the IT assurance professional. Generic advice means that it can be applied to any process, control objective or control practice depending on the type of advice. Specific advice refers to advice provided for a specific process, control objective or control practice. An overview of the IT assurance framework that underpins this process is shown in figure 4.
COMPONENTS OF IT ASSURANCE GUIDE
The content of the detailed assurance guidance is organised around the 34 COBIT processes and contains the following components:• Control objectives—Increasingly, organisations are recognising that control of IT is critical for ensuring that IT delivers value to
the organisation, risks are managed, regulatory requirements are met, and investments in IT deliver a reasonable return.
IT control objectives are statements of the desired result or purpose to be achieved by implementing control practices in aparticular IT process and often relate directly to specific activities within the process.
COBIT’s control objectives are high-level requirements to be considered for effective control of each IT process. They are written as short, action-oriented management practices. Wherever possible, they follow a logical life cycle sequence.
Enterprise management has choices relative to control objectives. Members of management should:
– Select applicable control objectives
– Balance the investment required to implement management practices required to achieve each control objective with the risk that arises in not achieving it
– Decide which control practices to implement
– Choose how to implement each control practice
IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE 12
Figure 3—Implementation and Assurance Guides
[Figure 3 placeholder; diagram elements as extracted: Board Briefing*, Executive Baseline for IT Governance (in development), IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition; Board Briefing*, Audit Director Baseline for IT Governance (future development), IT Assurance Guide: Using COBIT; COBIT components: Framework, Control Objectives, Management Guidelines, Maturity Models; Control Objective (WHAT), Value, Risk; COBIT Control Practices, 2nd Edition (HOW); Assurance Steps (HOW).]
* Board Briefing on IT Governance, 2nd Edition
COBIT’s more than 200 control objectives define what needs to be managed in each IT process to address business requirements and manage risk. They help to define clear policies, foster good practices for IT controls and encourage process ownership. They also provide the reference point for linking good practices to business requirements. Constructed by harmonising more than 40 different control guidance sources, COBIT can be integrated with other standards and practices that focus on specific areas, such as the ISO/IEC 27000 series on information security-related standards, ISO/IEC 9001:2000 Quality Management Systems—Requirements, IT Infrastructure Library (ITIL), Capability Maturity Model® Integration (CMMI®), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge® (PMBOK®).
• Value and risk drivers—Value and risk drivers provide valuable inputs to professionals for use in communicating a business justification for achieving particular control objectives and implementing associated control practices. The value drivers provide examples of the business benefits that can result from good control, whilst the risk drivers provide examples of the risks that may need to be avoided or mitigated. They provide to assurance professionals and IT governance implementors the argument for implementing controls and substantiate the impact of not implementing them.
• Assurance testing steps—The assurance testing steps provide guidance at the control objective level for assurance professionals conducting an IT assurance process. The steps are derived from the control practices, which, in turn, are derived from each control objective. The assurance testing steps:
– Evaluate the design of the controls
– Confirm that controls are placed in operation
– Assess the operational effectiveness of the control
These different testing steps are elaborated in more detail in chapter 6, Assurance Guidance for COBIT Processes and Controls. Generic assurance steps cover the existence and design effectiveness of the proposed control design as well as the associated responsibilities. Specific assurance steps test the effective operation of controls and are stated at the control objective level. In addition, assurance steps are provided to test the outcomes of control weakness or failure.
The assurance testing steps are designed to provide the first level of the development of an assurance programme by an internal or external assurance professional. The objective is not to provide a detailed assurance programme that can be used as is and executed. Rather, the intent is for an assurance professional with some experience to use it as the basis for efficiently developing customised assurance programmes that can be used and executed by staff members with less experience. The assurance professional should take the testing steps as a foundation for implementing the assurance initiative. He/she should adjust the testing steps for the reality of the organisation and the objectives of the assurance initiative. The steps are guidance only—they are not a cookbook.
The combination of all assurance components provides a testing method to assist in forming opinions against assurance objectives by combining one or more of the following test types:
• Enquire (via a different source) and confirm.
• Inspect (via walk-through, search, compare and review).
• Observe (i.e., confirmation through observation).
• Reperform or recalculate and analyse (often based on a sample).
• Collect (e.g., sample, trace, extract) and analyse automated evidence.
INTRODUCTION
IT GOVERNANCE INSTITUTE 13
Figure 4—Overview of the IT Assurance Advice Provided
[Figure 4 placeholder; diagram titled ‘Generic ( ) and Specific ( ) Advice in the Assurance Guide’, with the elements IT Processes, Control Objectives, Control Practices, Testing the Control Design of the Control Objectives, Testing the Control Objective Outcome and Documented Control Weaknesses, linked by the labels controlled by, derived from, implemented with, assessed with, derived by, assessed with and improved with.]
RELATIONSHIP WITH COBIT CONTROL PRACTICES
IT Assurance Guide is part of the COBIT family of products. The assurance test steps have been derived from the COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, and are expressed in a form usable by assurance professionals for testing activities.
COBIT Control Practices extends the capabilities of the COBIT framework and provides an additional level of detail. The COBIT IT processes, business requirements and control objectives define what needs to be done to implement an effective control structure. COBIT Control Practices provides the more detailed guidance at the control objective level on how to achieve the objectives. The control practices consist of the following elements for each of the COBIT control objectives:
• Value and risk drivers, providing ‘why do it’ guidance
• Control practices to be considered when assessing IT processes and implementing improvements
For each of the control objectives, a list of specific control practices is defined. In addition, three generic control practices are defined, which are applicable to all control objectives. The complete set of generic and specific control practices provides one control approach, consisting of practices that are necessary for achieving the control objective. They provide high-level generic guidance, at a more detailed level under the control objective, for assessing process maturity, considering potential improvements and implementing the controls. They do not describe specific solutions, and further guidance may need to be obtained from specific, relevant standards and best practices, such as ITIL or PRINCE2. The control practices meet the following design criteria in that they:
• Are relevant to the purpose of the control objective
• Can be executed in a timely fashion
• Are realistic and cost-effective
• Are measurable
• Provide for a definition of the roles involved and segregated roles, where appropriate
• Are action-oriented
• Are life-cycle-based, wherever possible
Control practices help ensure that the solutions put forward are more likely to be completely and successfully implemented, by providing guidance on why controls are needed and what the good practices are for meeting specific control objectives.
The control practices are designed to support two audiences:
• Implementors of IT governance (e.g., management, service providers, end users, control professionals)
• Assurance professionals (e.g., internal and external assurance professionals)
For assurance purposes, all the control practices were used to develop detailed assurance steps. The assurance testing steps are designed to provide the first stage of the development of an assurance programme by an internal or external assurance professional. Therefore, professionals using this assurance guide need to take into account that the assurance steps are derived from the control practices. The control practices themselves are not provided in this guide.
The table in figure 5 provides an overview of the control material that is provided by COBIT and forms the basis for the assurance material in this guide.
Figure 5—Control Objectives and Control Practices
CONTROL: Control Objectives / Control Practices
Generic:
– Control objectives: The COBIT framework provides six process controls that apply to each process. When reviewing a process, these control objectives and the associated practices and assurance steps should be added to the specific control objectives material.
– Control practices: When translating control objectives into practices, the first steps are always the same and cover designing, recording and communicating the approach for achieving the objective, and assigning responsibility and accountability for making it happen.
Specific:
– Control objectives: For each process, a number of specific control objectives are provided in the COBIT framework.
– Control practices: COBIT provides specific practices for each control objective. Together with the generic practices they provide a control design consisting of the necessary and sufficient steps to achieve the control objective.
The table in figure 6 describes the assurance material that is derived from the COBIT control material and provided in this guide.
Finally, additional advice is provided on testing the six application controls (as provided in COBIT), again addressing design, outcome and impact testing.
COBIT, and many of its supporting products, provides detailed support in a wide range of IT assurance activities.
DOCUMENT ROAD MAP
The main sections of this document follow the structure of a suggested IT assurance road map. That road map will be explained in more detail in chapter 2, IT Assurance Principles and Context. The main sections or titles of this road map are:
• Planning
• Scoping
• Execution, including:
– Refining the understanding of the IT assurance subject
– Refining the scope of key control objectives
– Testing the effectiveness of control design
– Testing the outcomes of key control objectives
– Documenting the impact of control weaknesses
– Developing/communicating conclusions and recommendations
Planning is elaborated in chapter 3, Assurance Planning. Scoping is addressed in chapter 4, IT Resource and Control Scoping, and chapter 5, Assurance Initiative Execution, addresses all of the execution steps.
Chapter 6, Assurance Guidelines for COBIT Processes and Controls, explains the structure of the assurance guidance provided for the COBIT processes and control objectives. Chapter 7 explains how COBIT components support IT assurance activities. Appendices I-VI provide the actual assurance tests.
HOW TO USE THIS GUIDE
Even though COBIT has a wide potential audience and can be used by many within an organisation, this guide is particularly intended for internal and external assurance professionals.
Figure 6—Linking General and Specific Advice to Classes of IT Assurance
ASSURANCE: Testing the Control Design / Testing Control Process Outcome / Documenting Control Weaknesses
Generic:
– Testing the control design: The generic control practices are translated into assurance steps based on a standard set of assurance methods.
– Testing control process outcome: In addition or as an alternative to testing the control design, the outcome of a control objective can be tested. Some standard approaches to looking for evidence are provided that apply to any process.
– Documenting control weaknesses: As an alternative or in addition to the specific advice, some standard approaches to documenting and putting control weaknesses in context are provided, largely focused on identifying comparative data (e.g., benchmarks, measurements, cases).
Specific:
– Testing the control design: The specific control practices are also translated into assurance steps. Combined with the generic practices assurance steps, they provide a complete test of the control design of the objective.
– Testing control process outcome: For each process, a number of assurance steps are provided to test the outcome of the control objectives of the process. The generic advice can be used as an alternative or to complement the specific advice.
– Documenting control weaknesses: For each process, specific advice is provided on how to document control weaknesses, relating to the goals, metrics, activities and control objectives of the process.
A major benefit of this guide is that users can rely on the consistency of the COBIT framework and its related products. The COBIT framework is increasingly being used as an IT governance framework, helping align business and IT management and providing a basis for improving IT’s performance. If assurance professionals base their reviews on the same framework as business and IT managers who are improving IT governance and IT performance, everyone involved will be using a common language and it will be easier to agree and implement any necessary control improvements.
This guide can be used by the assurance professional for many different purposes, including:
• Obtaining a view on current good practices on assurance and testing principles
• Learning how using different COBIT components and related concepts can help in planning and scoping assurance initiatives
• Having available a comprehensive reference of all COBIT control objectives and supporting control practices and how they can be tested to obtain assurance that they are effective
2. IT ASSURANCE PRINCIPLES AND CONTEXT
INTRODUCTION
This section describes the overall principles, components and context of IT assurance and explores the IT assurance road map, providing a high-level description of the major steps involved.
The objective of IT Assurance Guide is not to provide detailed assurance guidelines. Instead, the objective is to provide high-level guidance on conducting assurance initiatives, and explain briefly a number of fundamental principles for understanding assurance and some related techniques and contributory activities.
Formal standards such as the International Auditing and Assurance Standards Board’s (IAASB’s) International Framework for Assurance Engagements (IAASB Assurance Framework) may be referenced. However, in this manual, ‘assurance’ is the term used consistently, as it is broader than the term ‘audit’. Assurance also covers evaluation activities not governed by internal and/or external audit standards.
To be called an assurance initiative, five components must be present, as prescribed in the IAASB Assurance Framework and as listed in figure 7.
The objective of an assurance initiative is for an assurance professional to measure or evaluate a subject matter that is the responsibility of another party. For IT assurance initiatives, there is generally also a stakeholder involved who uses the subject matter but who has delegated operation and custodianship of the subject matter to the responsible party. Hence, the stakeholder is the end customer of the evaluation and can approve the criteria of the evaluation with the responsible party and the assurance professional.
The conclusion of the evaluation provides an opinion as to whether the subject matter meets the needs of the stakeholder. Figure 8 summarises the relationships in an assurance initiative.
Figure 7—The Five Components of an Assurance Initiative
1. A three-party relationship involving a responsible party for the subject matter, an assurance professional, and an intended user of the assurance report
2. A subject matter over which the assurance is to be provided (i.e., data, systems, processes)
3. Suitable criteria against which the subject matter will be assessed (i.e., standards, benchmarks, legislation)
4. A process that the assurance professional will undertake
5. A conclusion issued by the assurance professional
Figure 8—Relationships in the Assurance Initiative
[Figure 8 placeholder; diagram with the elements Stakeholder, Responsible Party, Assurance Professional, Subject Matter, Business Process, Assurance Process, Conclusion and Suitable criteria for the assurance initiative, connected by the relationships accepts, manages, uses, relies on, reviews against criteria and reports.]
ASSURANCE APPROACH AND ROAD MAP
IT Assurance Road Map
To provide assurance, it is important to follow a consistent methodology or approach. Whilst the specific approach may be unique to each organisation and type of initiative, for the purposes of this guide a fairly common approach is used. It is based on three stages: planning, scoping and execution, with the final stage broken down into six steps. The stages and steps of the road map are presented in figure 9.
For more significant assurance initiatives, additional information on breaking down the initiative into objectives, actions and deliverables can be found in appendix VIII, IT Scoping. This breakdown provides more detailed guidance that can be applied to IT assurance activity scoping and IT control scoping.
PLANNING
The establishment of the IT assurance universe for the assurance assignment serves as the beginning of every assurance initiative. To create a comprehensive plan, the assurance professional needs to combine an understanding of the IT assurance universe and the selection of an appropriate IT control framework, such as COBIT. The aggregation of these two allows for risk-based planning of the assurance initiative. To set the correct assurance objectives, first a high-level assessment needs to be performed. The end deliverable of this stage is the IT assurance plan (usually annual).
SCOPING
The scoping process can be performed in three different ways:
• The most detailed scoping approach starts from defining business and IT goals for the environment under review and identifying a set of IT processes and resources (i.e., assurance universe) required to support those goals. The goals that are subject to the IT assurance initiative can be scoped down to a lower granularity (i.e., key control objectives customised for the organisation).
• A high-level scoping approach may start from benchmarking research executed by ITGI, providing generic guidelines on the relationship of business goals, IT goals and IT processes, as described in COBIT. This generic cascade of goals and processes can be used as a basis for more detailed scoping, as required for the specific environment being assessed.
• A hybrid scoping approach combines the detailed and high-level methods. This approach starts from the generic cascade of goals and processes, but is adapted and modified to the specific environment before continuing the scoping to more detailed levels.
The end deliverables of this stage are the scope and objectives of the different IT assurance initiatives.
EXECUTION
The third stage of the IT assurance road map is the execution stage. Figure 10 describes an approach that assurance professionals can follow as they execute a particular assurance initiative. These steps cover the core testing activities that the assurance professional executes. Chapter 5, Assurance Initiative Execution, describes each of the steps in more detail. The end deliverable of this stage is the conclusion of the individual IT assurance initiative.
Figure 9—IT Assurance Road Map
[Figure 9 placeholder; the road map shows the stages PLANNING, SCOPING and EXECUTING with their deliverables.]
Planning and scoping activities: establish the IT assurance universe; select an IT control framework; perform risk-based IT assurance planning; perform high-level assessments; scope and define the high-level objectives for the initiative. Deliverable: IT ASSURANCE PLANS.
Scoping cascade: business goals, IT goals, key IT processes and key IT resources, key control objectives, customised key control objectives. Deliverable: DETAILED SCOPE AND OBJECTIVES.
Executing steps:
1. Refine the understanding of the IT assurance subject.
2. Refine scope of key control objectives for the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Alternatively/additionally test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Develop and communicate overall conclusion and recommendations.
Deliverable: ASSURANCE CONCLUSION.
IT Assurance Activities
The approach presented in the previous section, IT Assurance Road Map, describes the stages and steps for providing assurance services and provides the structure for this guide. Some of the typical IT assurance activities that may be performed under each of these assurance approach stages are listed in figure 11.
Figure 11 introduces the typical assurance activities that can be used—and for which advice is provided—in the different stages and steps of the IT assurance road map. Sometimes the step is the activity; sometimes an activity can be leveraged in several steps.
Whilst most of the advice in this guide focuses on the execution stage of the road map in figure 12 and Chapter 7, How COBIT Components Support IT Assurance Activities, additional advice is provided for the assurance activities listed, by identifying the COBIT components that can provide a particular benefit for each of these activities. All IT assurance initiatives include most of these activities; therefore, most of the COBIT components can be leveraged in all types of IT-related assurance initiatives.
Figure 12 demonstrates a linkage between assurance activities and where COBIT components can provide a particular benefit. In addition, chapter 7, How COBIT Components Support IT Assurance Activities, provides suggestions on how the different COBIT components can be leveraged to improve the effectiveness and/or efficiency of different IT assurance activities.
Figure 10—Execution Road Map
1. Refine the understanding of the IT assurance subject.
2. Refine scope of key control objectives for the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Alternatively/additionally test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Develop and communicate overall conclusion and recommendations.
Figure 11—IT Assurance Activities
• Plan:
– Perform a quick risk assessment.
– Assess threat, vulnerability and business impact.
– Diagnose operational and project risk.
– Plan risk-based assurance initiatives.
– Identify critical IT processes based on value drivers.
– Assess process maturity.
• Scope:
– Scope and plan assurance initiatives.
– Select the control objectives for critical processes.
– Customise control objectives.
• Execute:
1. Refine the understanding of the IT assurance subject:
– Identify/confirm critical IT processes.
– Self-assess process maturity.
2. Refine the scope of the key control objectives for the IT assurance subject:
– Update the control objective selection.
– Customise control objectives.
– Build a detailed audit programme.
3. Test the effectiveness of the control design of the key control objectives:
– Test and evaluate controls.
– Update/assess process maturity.
4. Test the outcome of the key control objectives:
– Self-assess controls.
– Test and evaluate controls.
5. Document the impact of control weaknesses:
– Diagnose residual operational and/or project risk.
– Substantiate risk.
6. Develop and communicate overall conclusion and recommendations:
– Report assurance conclusions.
Figure 12—Assurance Activities Linked to COBIT Components
[Figure 12 placeholder; a check-mark matrix of IT assurance activities (rows) against COBIT components (columns). Only the row and column labels are recoverable from the extracted text; the check marks are not reproduced.]
IT Assurance Activities: Perform a quick risk assessment; Assess threat, vulnerability and business impact; Diagnose operational and/or project risk; Plan risk-based assurance initiatives; Identify critical IT processes based on value drivers; Assess process maturity; Scope and plan assurance initiatives; Select the control objectives for critical processes; Customise control objectives; Build a detailed assurance programme; Test and evaluate controls; Substantiate risk; Report assurance conclusions; Self-assess process maturity; Self-assess controls.
COBIT Components: Control Objectives; COBIT Control Practices; Value and Risk Statement; Maturity Model; Maturity Model Attributes; RACI (Key Activities and Responsibilities); Goals and Outcome Measures; Performance Drivers; Management Awareness Tool; Information Criteria; Process List; Board Briefing on IT Governance, 2nd Edition; IT Risk and Control Diagnostics; COBIT Quickstart; COBIT Online—Searching and Browsing; COBIT Online—Benchmarking; IT Control Objectives for Sarbanes-Oxley, 2nd Edition.
Reference to Other Assurance Models
Assurance professionals may be familiar with the standards set by organisations, such as IAASB within the International Federation of Accountants (IFAC). IAASB has defined within its International Standards on Auditing stages of conducting an assurance engagement in the context of the financial statement audit. Whilst these stages are specifically defined for the purposes of financial statement audits, they are consistent with the suggested IT assurance processes in this guide. This is illustrated in figure 13.
Figure 13—Correlation of IT Assurance and Assurance Stages
[Figure 13 placeholder; a matrix of the IAASB assurance stages (columns) against the execution stages in the road map (rows). The extracted text preserves the row labels and the number of check marks in each row, but not the columns in which they fall.]
Assurance Stages (IAASB): Determine the responsible party and intended user of assurance output; Determine the nature of the subject matter; Define and agree on evaluation criteria; Collect evidence; Assess evidence; Make judgement; Report and conclude.
Execution Stages in the Road Map:
Planning ✔ ✔ ✔
Scoping ✔
Refine the understanding of the IT assurance subject. ✔ ✔ ✔
Refine the scope of key control objectives. ✔
Test the effectiveness of the control design. ✔ ✔
Test outcomes of key control objectives. ✔ ✔
Document the impact of control weaknesses. ✔ ✔
Develop and communicate the overall conclusion and recommendations. ✔ ✔
The first two steps of the execution stage refine the analysis of the planning and scoping stages and, therefore, map in the same manner to the IAASB standard. For internal assurance, the planning activity is considered to be the annual plan activity and ‘refining the plan’ refers to planning aspects of individual assignments; whereas, for external audit, these two levels of planning may happen at the same time.
The suggested approach for IT assurance is to make a clear distinction amongst:
• Testing the design of a control objective
• Testing the outcome of a control objective
• Documenting the impact of the weaknesses identified
Each of these three steps deals with collecting and assessing evidence, but in a different manner.
Type of Assurance Advice Provided
For the testing steps of the execution stage, this guide provides generic guidance as well as more specific advice to assist the IT assurance professional, as shown in figure 14. The graphic summarises relationships amongst the key COBIT components (process, control objective and control practice) with the steps in the IT assurance road map.
Generic advice means that it can be applied to any process, control objective or control practice depending on the type of advice. Specific advice refers to advice provided for a specific process, control objective or control practice.
The Historical Context—Statutory Audit (Financial Statement Audit)
It is important to understand that, historically, IT assurance started in support of financial statement audits. This class of assurance is still of great relevance, especially in light of the US Sarbanes-Oxley Act and similar regulations internationally.
The purpose of a financial audit is, typically, to express an opinion on financial statements, notably in respect of the following assertions:
• Existence or occurrence of the assets/liabilities/transactions reflected in the financial statements
• Completeness of all financial information presented
• Rights, obligations and relevant commitments appropriately presented in the financial statements
• Valuation or allocation of the value of financial statement captions on a fair and consistent basis
• Presentation and disclosure of values in the appropriate captions of the financial statements and relevant accounting principles or additional information to help ensure correct interpretation
Together, these assertions, when met, allow the auditor to form and report an opinion on the financial condition of the related entity.
RELEVANT GENERAL STANDARDS AND GUIDANCE
Current recognised guidelines for the external financial statement audit process are embodied in the International Standards on Auditing (ISA).¹
ISA 315 sets out the requirements of the assurance professional to obtain an understanding of internal control relevant to the audit, which includes the following components:
• The control environment
• The entity’s risk assessment process
• The information system, including the related business processes relevant to financial reporting, and communication
• Control activities
• Monitoring of controls
The ISA recognises that, generally speaking, IT provides potential benefits of effectiveness and efficiency for an entity’s internal control, but also that it poses specific risks.
With respect to IT, the financial statement assertions can be translated into the following information processing objectives:
• Completeness
• Accuracy
• Validity
• Restricted access
The minimum requirement for the assurance professional is to understand the information systems underpinning business processes relevant for financial reporting and how the entity has responded to risks arising from IT. Since the use of IT affects the way control activities are implemented in the business and related financial reporting, the assurance professional needs to consider whether the entity has responded adequately to the risks arising from IT by establishing effective general IT controls and application controls.
The ISA define general IT controls as policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls are categorised in the ISA as follows:
• Data centre and network operations
• System software acquisition, change and maintenance
• Access security
• Application system acquisition, development and maintenance
Figure 14—Types of Advice Provided in This Guide
[Figure 14 placeholder; diagram titled ‘Generic ( ) and Specific ( ) Advice in the Assurance Guide’, with the elements IT Processes, Control Objectives, Control Practices, Testing the Control Design of the Control Objectives, Testing the Control Objective Outcome and Documented Control Weaknesses, linked by the labels controlled by, derived from, implemented with, assessed with, derived by, assessed with and improved with.]
¹ International Standards on Auditing (ISA) are professional standards for the performance of financial audit of financial information. These standards are issued by International Federation of Accountants (IFAC) and cover respective responsibilities, audit planning, internal control, audit evidence, using work of other experts, audit conclusions and audit report, and specialised areas.
ISA 330 gives guidance on the nature, timing and extent of audit procedures to be adopted in response to identified risks. Some specific requirements are set out in the ISA in relation to internal controls validation, including the following:
• When the assurance professional’s assessment of risks of material misstatement at the assertion level includes an expectation that controls are operating effectively, the assurance professional should perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit.
• When the assurance professional has determined that it is not possible or practicable to reduce the risks of material misstatement atthe assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the assuranceprofessional should perform tests of relevant controls to obtain audit evidence about their operating effectiveness.
The ISA also specify on the type of procedures to be carried out, stating that, ‘the assurance professional should perform other auditprocedures in combination with inquiry to test the operating effectiveness of controls’.
RELEVANCE FOR IT ASSURANCE
Specifically in relation to IT, the ISA state that the assurance professional considers the need to obtain audit evidence supporting the effective operation of controls directly related to the assertions, as well as other indirect controls on which these controls depend, such as underlying general IT controls. For that purpose, the COBIT framework provides abundant guidance, and this guide provides an assurance approach that is in line with ISA guidance.
Because of the inherent consistency of IT processing, audit evidence about the implementation of an automated application control, when considered in combination with assurance evidence obtained regarding the operating effectiveness of the entity’s general controls (and in particular system development life cycle controls, including change controls), may provide substantial assurance evidence about its operating effectiveness during the relevant period. More guidance on these aspects is provided in chapter 6, Assurance Guidance for COBIT Processes and Controls.
Materiality
When conducting or supporting financial statement audits, assurance professionals ordinarily measure materiality in monetary terms, since what they are auditing is also measured and reported in monetary terms. IT assurance professionals may conduct assurance on non-financial items and, therefore, alternative measures are required. With respect to a specific control objective, a material control is a control or group of controls without which control procedures do not provide reasonable assurance that the control objective will be met.
ISACA IS Auditing Guideline G6 (www.isaca.org/standard/guideline.htm) specifies that where the IT assurance objective relates to systems or operations processing financial transactions, the value of the assets controlled by the system(s) or the value of transactions processed per day/week/month/year should be considered in assessing materiality.
For systems and operations not affecting financial transactions, the following are examples of measures that should be considered to assess materiality:
• Criticality of the business processes supported by the system or operation
• Cost of the system or operation (i.e., hardware, software, staff, third-party services, overheads, a combination of these)
• Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage, etc.)
• Number of accesses/transactions/inquiries processed per period
• Nature, timing and extent of reports prepared and files maintained
• Nature and quantities of materials handled (e.g., where inventory movements are recorded without values)
• Service level agreement (SLA) requirements and cost of potential penalties
• Penalties for failure to comply with legal and contractual requirements
Assurance Risk
Assurance risk is the risk that an incorrect opinion is reported by the assurance professional in the presence of material misstatement of the subject matter. Assurance risk is a function of the risk of material error and the risk that the assurance professional will not detect associated errors or control failures.
The risk of material error has two components:
• Inherent risk—The susceptibility of an assertion by the responsible party to a misstatement that could be material, individually or when aggregated with other misstatements, assuming that there were no related internal controls²
• Control risk—The risk that a misstatement that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal control
Detective risk is the risk that the assurance professional’s procedures will not detect a misstatement that exists in an assertion that could be material, individually or when aggregated with other misstatements. It is important when planning an assurance initiative to assess assurance risk and design an approach to ensure that the assurance objectives are met.
2 These definitions are drawn from the International Accounting and Assurance Standards Board.
3. ASSURANCE PLANNING
INTRODUCTION
The first phase of the IT assurance road map (illustrated in figure 9) is the planning phase. Before beginning an assurance initiative, the work of the IT assurance professional should be planned in a manner appropriate for meeting the assurance objectives. For an internal assurance function, the assurance plan should be developed/updated/reviewed at least annually. The plan should act as a framework for assurance activities and serve to address responsibilities set by the assurance charter. For an external IT assurance initiative, a plan should normally be prepared for each initiative. Each type of assurance plan should clearly document the objectives of the initiative and reflect the intended user’s strategy and priorities.
As part of the planning process, IT assurance professionals should obtain a good understanding of the assurance universe and the organisation’s business goals for IT, IT goals, and how they are planned to be realised through IT processes and IT resources. The extent of the knowledge required is determined by the nature of the organisation, its environment, risks and the objectives of the assurance initiative. To execute the assurance initiative and assurance planning work according to a standardised and structured approach, the IT assurance professional should also identify appropriate control frameworks that could be useful for the assurance initiatives (e.g., COSO, COBIT) or IT management frameworks or standards (e.g., ITIL, ISO/IEC 27000).
IT ASSURANCE UNIVERSE
The IT assurance universe defines the area of responsibility of the IT assurance provider; it is usually based on a high-level structure that classifies and relates IT processes, resources, risks and controls, allowing for a risk-based selection of discrete IT assurance initiatives. The assurance universe needs to be defined at the enterprise level and must be composed of subjects, units, processes, procedures, systems, etc., that are capable of being defined and evaluated. The building blocks of the assurance universe are units under which assurance can be conducted. For the purpose of the IT Assurance Guide, COBIT provides a structure to define the IT assurance universe built around the four types of IT resources and 34 IT processes categorised into four domains. The four domains cover the traditional responsibilities in IT of plan, build, run and monitor.
The IT resources identified in COBIT are defined as follows:
• Applications—The automated user systems and manual procedures that process the information
• Information—The data input, processed and output by the information systems, in whatever form is used by the business
• Infrastructure—The technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, etc., and the environment that houses and supports them) that enable the processing of the applications
• People—The personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
The four domains defined by COBIT are Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. As shown in figure 15, IT processes deliver information to the business, run the applications, and need infrastructure and people. Together, they constitute the enterprise architecture for IT.
Figure 15–Enterprise Architecture for IT (diagram: IT processes, including goals and responsibilities, deliver information, run applications and need infrastructure and people)
The portfolio of assurance activities within the assurance universe needs to be prioritised by risk level, technological complexity, time since the most recent assurance initiative, strategic importance, age in technology, known control weaknesses, etc. By doing so, assurance resources can be assigned to the units carrying the highest risk for the organisation. The prioritisation is driven by business and governance objectives (regarding functionality, agility, return, compliance and comfort), implying specific value and risk drivers, as illustrated in figure 16. This figure also illustrates that it helps to think in terms of IT resources for translating business goals into IT goals (i.e., in terms of the services and information required) and in terms of the infrastructure and people resources required to provide and support the services and information needed. COBIT provides tables of generically applicable enterprise and IT goals that can—after adaptation to the situation at hand—help in determining the subjects in the assurance universe that need the most attention.
The assurance universe resulting from the analysis work described previously results in most cases in a two-dimensional matrix, with one dimension describing the relevant elements from the enterprise architecture for IT and the other dimension indicating the possible control objectives, as shown in the left part of figure 17.
Because the recommended framework is COBIT, with its process structure, a first step in scoping the assurance initiative can consist of selecting the processes, thereby reducing the control objectives in scope on the horizontal dimension. This also allows for simplifying the vertical dimension by concentrating on the IT resources because the processes have been dealt with in the horizontal control objective dimension. This then produces the right side of figure 17. If other control frameworks are used that are not process-oriented, the processes need to be retained in the vertical dimension. But even then, most frameworks can be mapped to COBIT (see www.isaca.org/cobit) so that after mapping the simplified version can be used.
Figure 16–Business and IT Goals as Drivers for Assurance Planning (diagram: business governance objectives of functionality, agility, return, compliance and comfort drive enterprise goals for IT, which drive IT goals, realised through IT processes and the IT resources applications, information, infrastructure and people)
Figure 17–Linking the Enterprise Architecture and Control Objectives (diagram: on the left, a matrix of the enterprise architecture for IT against control objectives; after IT process selection and control objectives selection, on the right, a matrix of IT resources against the selected control objectives)
Other forms of representing the assurance universe are possible. Whatever representation is chosen, balance between completeness, consistency and manageability has to be preserved. Through the proposed technique, all relevant units can be identified and described. Some examples are:
• Applications can either be grouped (in line with the major business processes they support, e.g., sales, logistics, administration, manufacturing, human resources) or listed individually; one can then identify a subset of the IT processes and control objectives to the applications to identify (e.g., an assurance initiative on applications) the development cycle or portfolio management. Projects, which are very often reviewed through project assurance initiatives, can be considered as applications in the making.
• People and the way they are organised (i.e., organisational units) are part of the assurance universe horizontal dimension, allowing, for example, assurance on organisational entities.
• Infrastructure elements (e.g., data centre, networks, IT platforms) are another horizontal dimension, allowing identification of, for example, security reviews of operating systems and networks, or physical reviews of data centres.
• Information includes databases, master files and transaction logs.
Specific topics currently high on the agenda of many IT departments include outsourcing projects and a variety of compliance requirements. Through the process dimension of the assurance universe, the assurance professional can identify the relevant IT processes that manage outsourced IT services, for example, DS1 Define and manage service levels and DS2 Manage third-party services. By doing so, this specific topic can be included in the overall assurance universe.
RISK-BASED ASSURANCE PLANNING
The assurance professional should use an appropriate risk assessment technique or approach in developing the overall plan for the effective allocation of IT assurance resources. Risk assessment is a technique used to examine units in the assurance universe and select those areas for review that have the greatest risk exposure. The risks associated with each IT layer cannot be determined by reviewing the IT-related risks in isolation, but must be considered in conjunction with the organisation’s processes and objectives.
Risk has two major attributes (probability and impact) and has a complex relationship amongst the attributes of the objects involved, which are:
• Asset—Something of value (tangible or intangible) worth protecting
• Threat—Any situation or event that has the potential to harm a system
• Threat agent—Methods and things used to exploit a vulnerability (e.g., determination, capability, motive, resources)
• Threat event—An instance of a threat acting upon a system vulnerability in which the system is adversely affected
• Vulnerability—A weakness that could be exploited by a threat (e.g., an open firewall port, a password that is never changed, a flammable carpet). A missing control is also considered a vulnerability.
• Countermeasure—A synonym for control. The term ‘countermeasure’ can be used to refer to any type of control, but it is most often used when referring to measures that increase resilience, fault tolerance or reliability of an IT service.
• Risk—The potential that a given threat will exploit vulnerabilities of an asset to cause loss or damage to the asset
• Residual risk—The risk associated with an event when the control is in place to reduce the effect or likelihood of that event being taken into account
Figure 18 provides the relationship amongst the different components and the major attributes of each. These attributes are essential to analyse the contribution of each component to the risk analysis process. A suggested approach for this process is provided in figure 19.
The suggested risk analysis approach starts from the valuation of assets, which in the COBIT framework consists of the information that has the required criteria to help achieve the business objectives (including all the resources necessary to produce that information). The next step is the vulnerability analysis, which identifies the vulnerabilities that apply to the assets (e.g., a business process that needs to comply with data privacy, a business product that deals with financial transactions or infrastructure elements) that determine the availability of many information services. The next phase identifies significant threats that may be able to exploit a given vulnerability (e.g., unintentional events such as errors, omissions and accidents; intentional actions such as fraud, hacking or theft). The probability of the threat, the degree of vulnerability and the severity of the impact are combined to develop threat/vulnerability scenarios and assess their risk. This is followed by the selection of countermeasures (controls) and an evaluation of their cost and effectiveness. After considering the impact of implementing selected controls, residual risk can be determined. The conclusion is an action plan after which the cycle can start again.
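The cycle just described, carried through in Python as an added example that is not part of the guide: the asset, vulnerability, threat and countermeasure records follow the components of figure 18, while the scoring rule (probability × degree of vulnerability × asset value), the selection of countermeasures within a budget and all sample data are assumptions.

```python
"""Risk analysis walk-through along the steps of figure 19 (added example,
not from the IT Assurance Guide). All names and numbers are constructed
sample data; the scoring rules are assumptions, not a COBIT formula:
  scenario risk = threat probability x degree of vulnerability x asset value
  a chosen countermeasure scales its threat's probability by (1 - effectiveness)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # step 1: estimated value, 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str            # step 2: asset the weakness applies to
    degree: float         # 0..1, how exposed the asset is through it


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: str         # step 3: vulnerability the threat can exploit
    probability: float    # 0..1, likelihood of a threat event per period


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: str        # step 6: threat whose probability it reduces
    effectiveness: float  # 0..1, reduction of that probability
    cost: int             # step 7: cost in budget units


@dataclass(frozen=True)
class Scenario:
    threat: str
    vulnerability: str
    asset: str
    risk: float


def build_scenarios(assets, vulns, threats):
    """Steps 4-5: one threat/vulnerability scenario per threat that has an
    applicable vulnerability, scored and sorted with the most material first."""
    asset_by_name = {a.name: a for a in assets}
    vuln_by_name = {v.name: v for v in vulns}
    scenarios = []
    for t in threats:
        v = vuln_by_name.get(t.exploits)
        if v is None:
            continue  # no applicable vulnerability recorded: no scenario
        a = asset_by_name[v.asset]
        scenarios.append(Scenario(t.name, v.name, a.name,
                                  round(t.probability * v.degree * a.value, 2)))
    return sorted(scenarios, key=lambda s: s.risk, reverse=True)


def plan_countermeasures(scenarios, countermeasures, budget):
    """Steps 6-9: choose countermeasures by risk reduction per cost unit until
    the budget is spent; return (residual risk, names chosen) as the action plan."""
    risk_by_threat = {}
    for s in scenarios:
        risk_by_threat[s.threat] = risk_by_threat.get(s.threat, 0.0) + s.risk

    def reduction(c):
        return risk_by_threat.get(c.mitigates, 0.0) * c.effectiveness

    chosen, remaining = [], budget
    for c in sorted(countermeasures, key=lambda c: reduction(c) / c.cost, reverse=True):
        if reduction(c) > 0 and c.cost <= remaining:
            chosen.append(c)
            remaining -= c.cost

    residual = 0.0
    for s in scenarios:
        factor = 1.0
        for c in chosen:
            if c.mitigates == s.threat:
                factor *= 1.0 - c.effectiveness   # step 8: residual probability
        residual += s.risk * factor
    return round(residual, 2), [c.name for c in chosen]


# Constructed sample data (not taken from the guide)
ASSETS = [Asset("customer database", 5), Asset("web server", 3)]
VULNS = [Vulnerability("unpatched DBMS", "customer database", 0.8),
         Vulnerability("weak admin password", "web server", 0.6)]
THREATS = [Threat("external intrusion", "unpatched DBMS", 0.5),
           Threat("password guessing", "weak admin password", 0.4),
           Threat("flood", "basement location", 0.1)]  # vulnerability not recorded
COUNTERMEASURES = [Countermeasure("patch management", "external intrusion", 0.9, 30),
                   Countermeasure("password policy", "password guessing", 0.7, 10),
                   Countermeasure("database encryption", "external intrusion", 0.5, 50)]

if __name__ == "__main__":
    scenarios = build_scenarios(ASSETS, VULNS, THREATS)
    print(plan_countermeasures(scenarios, COUNTERMEASURES, budget=40))
```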
Figure 18–Relationship and Attributes of the Risk Analysis Components (diagram relating owners, countermeasures, risks, threat agents, threats, vulnerabilities, assets and threat/vulnerability scenarios; relationship labels: impose, are concerned about, reduce, give rise to, exploit, have, prevent and detect, avoid or mitigate)
Figure 19—A Risk Analysis Approach Leveraging the Risk Components and Their Attributes (cycle: identify critical assets and estimate their value; identify applicable vulnerabilities; identify significant threats; define relevant threat/vulnerability scenarios; assess risk (applicability, probability and materiality of impact); inventory useful countermeasures; evaluate control cost and effectiveness; determine residual risk; develop a risk mitigation action plan)
HIGH-LEVEL ASSESSMENTS
High-level assessment can provide support in assurance planning by identifying processes where the maturity/control gap between as-is and to-be is the most significant. Several assessment techniques exist (covering the evaluation against performance and risk attributes, process maturity attributes, control objectives and maturity attributes) resulting in, for example, process compliance profiles as shown in figure 21.
The results of such high-level assessment can be used to prioritise the IT assurance work. Specific benefits of such high-level assessments are:
• Making members of IT management aware of their accountability for controlling IT and gaining their buy-in
• High-level checking of compliance with established IT control requirements
• Optimising and prioritising IT assurance resources
• Bridging to IT governance
DEFINE THE SCOPE AND OBJECTIVES OF THE ASSURANCE INITIATIVE
IT assurance professionals should also clearly define the scope and objectives of the assurance work and perform a preliminary assessment of internal control/maturity of the function/activities being reviewed to provide reasonable assurance that all material items will be adequately covered during the assurance initiative.
To execute high-level planning assessments, COBIT Quickstart can provide hands-on support (see www.isaca.org/cobit). Figures 20 through 22 also demonstrate other possible templates that can be used for high-level control and maturity assessments. The first template, shown in figure 20, is a management awareness diagnostic that evaluates processes against some performance and risk attributes. Completing this template for specific IT processes provides a quick insight into the risks associated (importance and performance), the responsibility (who does it), the formality (documentation), the assurance history and the accountability.
The next two templates provide examples of how to execute a process maturity assessment, using the maturity description or maturity attributes. The first template in figure 21 starts from the process maturity description, which needs to be broken down into several maturity statements. For each of the statements, a compliance value needs to be defined, which enables the IT assurance professional to calculate a ‘compliance profile’.
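As an added worked example (not from the guide), the following Python computes such a compliance profile from weighted maturity statements using the four compliance values of the figure 21 template; the weighted-average rule, the two thresholds and the AI6 statement wording are assumptions.

```python
"""Compliance profile calculation for a COBIT process maturity assessment,
as an added worked example (not from the IT Assurance Guide).

Assumptions not stated on the page: a level's compliance is the weighted
average of its statements; a level counts as achieved when its compliance
reaches ACHIEVED and every lower level is achieved; the process is 'moving
into' the next level when that level reaches IN_PROGRESS. The AI6 statements
below are constructed sample wording, not COBIT's maturity description.
"""
from dataclasses import dataclass

# The four compliance values of the figure 21 template
COMPLIANCE_VALUES = {"not at all": 0.00, "a little": 0.33,
                     "to some degree": 0.66, "completely": 1.00}
ACHIEVED = 0.66      # assumed threshold for a level to count as achieved
IN_PROGRESS = 0.33   # assumed threshold for 'moving into' the next level


@dataclass(frozen=True)
class Statement:
    level: int          # maturity level (1..5) the statement belongs to
    text: str
    weight: float
    compliance: str     # one of the COMPLIANCE_VALUES keys


def compliance_profile(statements):
    """Return {level: weighted compliance in [0, 1]} for levels 1 to 5."""
    weighted = {lvl: 0.0 for lvl in range(1, 6)}
    weights = {lvl: 0.0 for lvl in range(1, 6)}
    for s in statements:
        if s.compliance not in COMPLIANCE_VALUES:
            raise ValueError(f"unknown compliance value: {s.compliance!r}")
        if s.weight <= 0 or s.level not in weighted:
            raise ValueError(f"bad weight or level in statement: {s.text!r}")
        weighted[s.level] += s.weight * COMPLIANCE_VALUES[s.compliance]
        weights[s.level] += s.weight
    return {lvl: round(weighted[lvl] / weights[lvl], 2) if weights[lvl] else 0.0
            for lvl in weighted}


def maturity_level(profile):
    """Return (achieved level, level being moved into or None)."""
    achieved = 0
    for lvl in range(1, 6):
        if profile.get(lvl, 0.0) < ACHIEVED:
            break
        achieved = lvl
    nxt = achieved + 1
    moving_into = nxt if nxt <= 5 and profile.get(nxt, 0.0) >= IN_PROGRESS else None
    return achieved, moving_into


# Constructed statements for AI6 Manage changes (sample wording only)
AI6_STATEMENTS = [
    Statement(1, "Management recognises the need to control changes.", 1, "completely"),
    Statement(1, "Changes are made when problems occur.", 1, "completely"),
    Statement(2, "Production changes usually go through operations staff.", 1, "completely"),
    Statement(2, "Emergency changes are recorded afterwards.", 1, "completely"),
    Statement(2, "Some change documentation exists.", 1, "to some degree"),
    Statement(3, "A change management procedure is defined and documented.", 2, "completely"),
    Statement(3, "Changes are classified and prioritised.", 1, "to some degree"),
    Statement(3, "Production changes are tested before release.", 1, "to some degree"),
    Statement(4, "Change metrics are collected and reported.", 1, "to some degree"),
    Statement(4, "Tooling enforces the change workflow.", 1, "to some degree"),
    Statement(4, "Unauthorised changes are detected automatically.", 1, "not at all"),
    Statement(5, "Change, release and configuration management are integrated.", 1, "not at all"),
    Statement(5, "Change metrics drive continuous improvement.", 1, "not at all"),
    Statement(5, "External best practices are benchmarked.", 1, "a little"),
]

if __name__ == "__main__":
    profile = compliance_profile(AI6_STATEMENTS)
    print(profile, maturity_level(profile))
```

With the sample statements the profile places AI6 at level 3, moving into level 4, the same reading as the chart in figure 21.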
Another approach in assessing process maturity is to leverage the maturity attributes (COBIT maturity models as explained in the COBIT framework). The maturity of a process can be assessed against six maturity attributes:
• Awareness and communication
• Policies, plans and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement
Figure 20—Management Awareness Diagnostic (template with the columns COBIT Processes; Risk: Importance, Performance; Who Does It?: IT, Other, Outside, Do Not Know; Formality; Audited?; Who Is Accountable?)
Processes listed in the template: PO1 Define a strategic IT plan; PO10 Manage projects; AI6 Manage changes; DS2 Manage third-party services; DS5 Ensure systems security; ME1 Monitor and evaluate IT performance.
Importance = How important for the organisation on a scale from 1 (not at all) to 5 (very)
Performance = How well it is done from 1 (very well) to 5 (do not know or badly)
Formality = Is there a contract, an SLA or a clearly documented procedure (Y, N or ?)
Audited? = Y, N or ?
Accountable = Name or ‘do not know’
Assessment of these attributes on a template, as shown in figure 22, provides the IT assurance professional with a ‘rising star scheme’, indicating significant gaps between as-is and to-be, areas where attention is needed, and potential quick wins.
Figure 21—Assessing the Process Maturity Compliance Profile (template with the columns Process ID, Process Name, No., Statement, Weight, compliance value (Not at all 0.00, A little 0.33, To some degree 0.66, Completely 1.00), Maturity Level and Total Weight Compliance; example chart for AI6—Manage Change showing the compliance profile over Level 1 to Level 5 on a vertical axis from 0 to .50, assessed as maturity level 3, moving into level 4)
Figure 22—Assessing Process Maturity Attributes (table with one column per maturity attribute and one row per maturity level)
Level 5
• Awareness and communication: There is advanced, forward-looking understanding of requirements. Proactive communication of issues based on trends exists, mature communication techniques are applied, and integrated communication tools are in use.
• Policies, plans and procedures: External best practices and standards are applied. Process documentation is evolved to automated workflows. Processes, policies and procedures are standardised and integrated to enable end-to-end management and improvement.
• Tools and automation: Standardised tool sets are used across the enterprise. Tools are fully integrated with other related tools to enable end-to-end support of the processes. Tools are being used to support improvement of the process and automatically detect control exceptions.
• Skills and expertise: The organisation formally encourages continuous improvement of skills, based on clearly defined personal and organisational goals. Training and education support external best practices and use of leading-edge concepts and techniques. Knowledge sharing is an enterprise culture, and knowledge-based systems are being deployed. External experts and industry leaders are used for guidance.
• Responsibility and accountability: Process owners are empowered to make decisions and take action. The acceptance of responsibility has been cascaded down throughout the organisation in a consistent fashion.
• Goal setting and measurement: There is an integrated performance measurement system linking IT performance to business goals by global application of the IT balanced scorecard. Exceptions are globally and consistently noted by management and root cause analysis is applied. Continuous improvement is a way of life.
Level 4
• Awareness and communication: There is understanding of the full requirements. Mature communication techniques are applied and standard communication tools are in use.
• Policies, plans and procedures: The process is sound and complete; internal best practices are applied. All aspects of the process are documented and repeatable. Policies have been approved and signed off on by management. Standards for developing and maintaining the processes and procedures are adopted and followed.
• Tools and automation: Tools are implemented according to a standardised plan, and some have been integrated with other related tools. Tools are being used in main areas to automate management of the process and monitor critical activities and controls.
• Skills and expertise: Skill requirements are routinely updated for all areas, proficiency is ensured for all critical areas, and certification is encouraged. Mature training techniques are applied according to the training plan, and knowledge sharing is encouraged. All internal domain experts are involved, and the effectiveness of the training plan is assessed.
• Responsibility and accountability: Process responsibility and accountability are accepted and working in a way that enables a process owner to fully discharge his/her responsibilities. A reward culture is in place that motivates positive action.
• Goal setting and measurement: Efficiency and effectiveness are measured and communicated and linked to business goals and the IT strategic plan. The IT balanced scorecard is implemented in some areas with exceptions noted by management and root cause analysis is being standardised. Continuous improvement is emerging.
Level 3
• Awareness and communication: There is understanding of the need to act. Management is more formal and structured in its communication.
• Policies, plans and procedures: Usage of good practices emerges. The process, policies and procedures are defined and documented for all key activities.
• Tools and automation: A plan has been defined for use and standardisation of tools to automate the process. Tools are being used for their basic purposes, but may not all be in accordance with the agreed plan, and may not be integrated with one another.
• Skills and expertise: Skill requirements are defined and documented for all areas. A formal training plan has been developed, but formal training is still based on individual initiatives.
• Responsibility and accountability: Process responsibility and accountability are defined and process owners have been identified. The process owner is unlikely to have the full authority to exercise the responsibilities.
• Goal setting and measurement: Some effectiveness goals and measures are set, but are not communicated, and there is a clear link to business goals. Measurement processes emerge, but are not consistently applied. IT balanced scorecard areas are being adopted, as is occasional intuitive application of root cause analysis.
Level 2
• Awareness and communication: There is awareness of the need to act. Management communicates the overall issues.
• Policies, plans and procedures: Similar and common processes emerge, but are largely intuitive because of individual expertise. Some aspects of the process are repeatable because of individual expertise, and some documentation and informal understanding of policy and procedures may exist.
• Tools and automation: Common approaches to use of tools exist but are based on solutions developed by key individuals. Vendor tools may have been acquired, but are probably not applied correctly, and may even be shelfware.
• Skills and expertise: Minimum skill requirements are identified for critical areas. Training is provided in response to needs, rather than on the basis of an agreed plan, and informal training on the job occurs.
• Responsibility and accountability: An individual assumes his/her responsibility and is usually held accountable, even if this is not formally agreed. There is confusion about responsibility when problems occur, and a culture of blame tends to exist.
• Goal setting and measurement: Some goal setting occurs; some financial measures are established but are known only by senior management. There is inconsistent monitoring in isolated areas.
Level 1
• Awareness and communication: Recognition of the need for the process is emerging. There is sporadic communication of the issues.
• Policies, plans and procedures: There are ad hoc approaches to processes and practices. The process and policies are undefined.
• Tools and automation: Some tools may exist; usage is based on standard desktop tools. There is no planned approach to the tool usage.
• Skills and expertise: Skills required for the process are not identified. A training plan does not exist and no formal training occurs.
• Responsibility and accountability: There is no definition of accountability and responsibility. People take ownership of issues based on their own initiative on a reactive basis.
• Goal setting and measurement: Goals are not clear and no measurement takes place.
4. IT RESOURCE AND CONTROL SCOPING
INTRODUCTION
The second stage of the IT assurance framework (illustrated in figure 23) is the scoping stage. This stage determines which IT resources and control objectives are covered within a given IT control framework in the execution stage of the initiative. Scoping consists of linking applicable IT resources (e.g., applications, information, infrastructure, people) to applicable IT control objectives and then assessing the materiality of the impact of not achieving a specific control objective. Figure 23 illustrates the eight-step scoping process.
Setting the scope for the initiative too narrowly may result in material factors not being considered. Setting the scope for the initiative too broadly may result in inefficiencies and incorrect conclusions because of limited resources and time. Appendix VIII, IT Scoping, sets out a generic scoping methodology that can be applied to IT assurance initiatives and a variety of other IT governance programmes.
STEPS IN SCOPING IT RESOURCES AND CONTROL OBJECTIVES
Figure 24 describes the eight steps within the scoping phase of conducting the IT assurance initiative. These steps are described in more detail as follows.
Step 1—Establish Drivers for the Assurance Initiative
In the first step, the drivers for the assurance initiative and the corresponding assurance objective are identified. As noted in chapter 1, there are many possible drivers for assurance, including process improvement and meeting compliance needs in support of the financial statement audit. Verifying the drivers for the assurance initiative can be accomplished by activities such as interviewing key stakeholders or inspecting assurance plans or charters.
Figure 23—IT Scoping Road Map
A. Framework criteria:
• A common language for IT activities and key management practices
• Business focus
• Governance expectations
• IT tasks and activities organised into discrete processes
• Consistent with generally accepted IT good practices and corporate governance standards
B. Deciding what is in: select, weigh, cut off, customise
Steps of the road map:
1 Establish drivers for the assurance initiative (clarify through interviews with stakeholders).
2 Document the enterprise architecture for IT (clarify through interviews with key IT staff members).
3 Choose an IT control framework [A] (verify that it responds to minimum criteria).
4 Select the IT process [B] (document and validate the link amongst business goal, IT goal and IT process).
5 Select IT component [B] (record the important activities and resources for the processes selected).
6 Refine component selection with cause/effect analysis [B] (use the goals and metrics chain: business-IT process-activity).
7 Select initial control objectives [B] (leverage control framework mappings).
8 Refine control objectives selection with risk analysis [B] (linking significant threats to applicable vulnerabilities to material impact).
More specifically, the boundaries of the entity under review need to be unambiguously described, together with the current roles and responsibilities and the resources required by IT to support the defined business needs of the entity under review.
The assurance professional needs to interview appropriate management and staff members to obtain an understanding of:
• Business requirements and associated risks
• Organisation structure
• Roles and responsibilities
• Policies and procedures
• Laws and regulations
• Control measures in place
• Management reporting (status, performance, actions)
• Past issues and corrective actions taken
• Current issues and concerns
• What management hopes to obtain as a result of the assurance initiative
Step 2—Document Enterprise IT Architecture
In the second step, the enterprise IT architecture is documented. The concept and elements of the architecture are set out in chapter 3. The enterprise IT architecture can also be validated by interviews with key IT staff members.
Step 3—Select Control Frameworks
Appropriate control frameworks are selected in the third step. Typically this will be COBIT, but for some initiatives it may be COSO, similar entity-level control frameworks, or more detailed frameworks or standards, such as one of the relevant ISO standards.
Step 4—Identify IT Processes
After the appropriate control framework is chosen, the appropriate IT processes are selected and linked to appropriate IT resources in the next step. IT processes in scope can be identified through analysis of the relationship amongst business goals, IT goals and IT processes.
Step 5—Select IT Components
Step five is described in chapter 2. IT resources are made up of:
• Applications
• Information
• Infrastructure
• People
A number of inputs can be used to determine the IT resources that are relevant to the initiative. The priority here should be on completeness because the subsequent risk analysis determines items that can be excluded from the scope of the initiative. However, efficiency needs to be taken into account as well, to keep the matrix to a reasonable/workable size. The different inputs are:
• Drivers for the initiative—The drivers for the assurance initiative are the most important factors for determining the IT components and the control objectives to review. Typical examples are major service breakdown, organisational change and regulatory compliance.
• Business control requirements—Given the focus of this guide on IT assurance, it is assumed that the analysis of the required and applicable business controls has occurred so that the scoping of IT controls is limited to how IT supports automated business controls.
• Enterprise architecture for IT—The enterprise architecture encompasses the processes involved to deliver the information services, the portfolio of applications and systems in use by the organisation, the technology used to run them, and the people needed to plan, build, operate and support the applications. The relevant IT resources or groups of IT resources can be deduced from the architecture.
Step 6—Refine IT Component Selection
In the initial linking of processes to resources, the assurance professional may derive a rather large portfolio, perhaps broader than can be cost-effectively reviewed within the terms of the assurance initiative. In the sixth step, the assurance professional should refine the selection of IT resources by ensuring that the resources have a direct relationship to the processes relevant to the initiative.
IT ASSURANCE GUIDE: USING COBIT
I T G O V E R N A N C E I N S T I T U T E32
IT RESOURCE AND CONTROL SCOPING
33I T G O V E R N A N C E I N S T I T U T E
Step 7—Select Control Objectives
The assurance professional makes a first selection of the COBIT control objectives that are relevant for the IT processes that are in scope for the assurance initiative. Often the control objectives need to be customised for the realities of the particular enterprise situation. For most initiatives, scoping IT resources does not require substantial analysis, because it starts from a specific enterprise situation. Conversely, scoping the control objectives needs more analysis because it starts from one or more generic frameworks. COBIT provides material that can support the latter step, by describing a ‘risk and value’ statement for each of the control objectives, demonstrating why specific controls are needed. Some mapping is required as well as customisation of the selected control objectives to the enterprise environment and the objective of the assurance initiative.

Step 8—Refine Control Objectives Selection
Finally, in the eighth step, the assurance professional links the refined portfolio of IT resources set out in step six to the first cut of control objectives selected in the seventh step. In an iterative process, the professional refines and often reduces the list of control objectives that are relevant for this particular assurance initiative. The process of linking IT resources to control objectives is illustrated in figure 24.

In this step, the assurance professional should analyse the risk of not achieving the selected control objectives for the selected IT resources, and retain only the IT resources and control objectives that have a material effect if the control objective is not achieved. The assurance professional should:
• Review the horizontal lines of the matrix (figure 24) to determine if there is sufficient risk to keep the IT resource in scope and to identify the resources with high risk that may require more in-depth review and testing
• Review the vertical lines of the matrix (figure 24) to remove the control objectives that are low risk and to identify objectives that require enterprisewide solutions as opposed to point solutions

The critical conclusion of this step, illustrated in figure 24, is to answer the question, ‘Will not achieving this control objective for this class of IT resource be material for this particular assurance initiative?’ Only the cells for which the answer is ‘yes’ should be retained in the final IT control scope.
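The horizontal and vertical review of the scoping matrix in steps 6 to 8 can be carried out mechanically once each cell has been rated. The following is an added example, not material from the guide or from ITGI: it builds the IT resource by control objective matrix of figure 24 and applies the step 8 review. The resource names, the risk scale (0 to 3), the materiality and high-risk thresholds and all cell ratings are constructed assumptions; the control objective labels (AI6.2, AI6.3, PC2, PC4) are the ones named elsewhere in this guide. Treating an objective that is material for every retained resource as a candidate for an enterprisewide solution is this example's interpretation of the vertical review.

```python
"""Risk-based IT resource and control scoping (figure 24, scoping steps 6 to 8).

Added example, not part of the ITGI guide. Resource names, thresholds and
ratings are constructed sample data; objective labels come from the guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Cell = Tuple[str, str]  # (IT resource, control objective)

# Risk rating per cell: 0 = negligible, 1 = low, 2 = medium, 3 = high (assumed scale).
MATERIAL = 2   # assumption: a cell is material when its rating reaches this value
HIGH_RISK = 3  # assumption: a resource with any cell at this level gets in-depth testing

# Constructed portfolio of IT resources after step 6.
RESOURCES: List[str] = [
    "Order entry application",
    "Database server",
    "Payroll application",
    "Help desk workstation image",
]
# Constructed first cut of control objectives after step 7.
OBJECTIVES: List[str] = [
    "AI6.2 Impact assessment",
    "AI6.3 Emergency changes",
    "PC2 Process ownership",
    "PC4 Roles and responsibilities",
]
# Constructed cell ratings answering 'Will not achieving this control objective
# for this IT resource be material?'. Cells missing from the dict count as 0.
RATINGS: Dict[Cell, int] = {
    ("Order entry application", "AI6.2 Impact assessment"): 3,
    ("Order entry application", "AI6.3 Emergency changes"): 3,
    ("Order entry application", "PC2 Process ownership"): 2,
    ("Order entry application", "PC4 Roles and responsibilities"): 1,
    ("Database server", "AI6.2 Impact assessment"): 3,
    ("Database server", "AI6.3 Emergency changes"): 2,
    ("Database server", "PC2 Process ownership"): 2,
    ("Database server", "PC4 Roles and responsibilities"): 1,
    ("Payroll application", "AI6.2 Impact assessment"): 2,
    ("Payroll application", "AI6.3 Emergency changes"): 1,
    ("Payroll application", "PC2 Process ownership"): 2,
    ("Payroll application", "PC4 Roles and responsibilities"): 1,
    ("Help desk workstation image", "AI6.2 Impact assessment"): 1,
    ("Help desk workstation image", "PC2 Process ownership"): 1,
}


@dataclass
class ScopeResult:
    kept_resources: List[str]
    high_risk_resources: List[str]
    kept_objectives: List[str]
    dropped_objectives: List[str]
    enterprisewide_objectives: List[str]
    retained_cells: List[Cell]


def scope_matrix(resources: List[str], objectives: List[str], ratings: Dict[Cell, int],
                 material: int = MATERIAL, high: int = HIGH_RISK) -> ScopeResult:
    def rating(r: str, o: str) -> int:
        return ratings.get((r, o), 0)

    # Horizontal review: keep a resource only if some objective is material for it,
    # and flag resources with a high-risk cell for more in-depth review and testing.
    kept_resources = [r for r in resources if any(rating(r, o) >= material for o in objectives)]
    high_risk = [r for r in kept_resources if any(rating(r, o) >= high for o in objectives)]

    # Vertical review over the retained resources: drop objectives that are low risk
    # everywhere; an objective material for every retained resource is marked as a
    # candidate for an enterprisewide rather than a point solution.
    kept_objectives: List[str] = []
    enterprisewide: List[str] = []
    for o in objectives:
        hits = [r for r in kept_resources if rating(r, o) >= material]
        if hits:
            kept_objectives.append(o)
            if len(hits) == len(kept_resources):
                enterprisewide.append(o)
    dropped = [o for o in objectives if o not in kept_objectives]

    # Final IT control scope: only the cells for which the answer is 'yes'.
    retained = [(r, o) for r in kept_resources for o in kept_objectives if rating(r, o) >= material]
    return ScopeResult(kept_resources, high_risk, kept_objectives, dropped, enterprisewide, retained)


if __name__ == "__main__":
    result = scope_matrix(RESOURCES, OBJECTIVES, RATINGS)
    print("Resources in scope:", result.kept_resources)
    print("High-risk resources:", result.high_risk_resources)
    print("Objectives kept:", result.kept_objectives, "dropped:", result.dropped_objectives)
    print("Enterprisewide candidates:", result.enterprisewide_objectives)
    for cell in result.retained_cells:
        print("  retain", cell)
```

With the constructed ratings, the help desk workstation image falls out on the horizontal review, PC4 falls out on the vertical review, the two high-risk resources are flagged for deeper testing, and eight cells remain in the final scope.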
IT-RELATED BUSINESS GOALS AND IT GOALS
To assist the IT assurance professionals in assurance planning, COBIT provides a detailed cascade from IT-related business goals to IT goals to IT processes. COBIT defines 17 generic business goals, which encompass business drivers and services that directly impact IT. These are translated into supporting IT goals that, in turn, are linked to IT process goals (see appendix 1 in COBIT 4.1). This cascade of business, IT and process goals is particularly useful when analysing the assurance initiative drivers and how they impact the assurance universe.
[Figure 24—Risk-based IT Resource and Control Scoping: three stages are shown, IT process selection, scoping IT resources and scoping control objectives. The inputs are business control requirements, enterprise architecture for IT, assurance initiative drivers and the IT control framework; each cell of the resulting matrix answers the question ‘Will not achieving this control objective for this IT resource be material?’]
This cascade of goals can help guide the assurance planning work. As shown in figure 25, if the assurance work focuses on a specific business function, IT-related business goals and IT goals can be valuable input for the assurance planning work. Assurance work that focuses on a specific organisational component (e.g., a process) can use IT goals and IT process goals as a source of information for assurance planning.
[Figure 25—IT-related Business, IT and IT Process Goals for IT Assurance Planning: a matrix of assurance subjects (business function, major change, organisational component, major application, important infrastructure component) against sources of goal information (business goals, IT goals, IT process goals), with each cell marked P=primary or S=secondary.]
5. ASSURANCE INITIATIVE EXECUTION
INTRODUCTION
The third stage of the IT assurance framework (previously illustrated in figure 10) is the execution stage. Figure 10 describes a road map that assurance professionals can follow as they execute a particular assurance initiative. The remainder of this section will analyse the road map in detail.

STEP 1—REFINE UNDERSTANDING
The assurance steps to be performed document the activities underlying the control objectives and identify the stated control measures/procedures in place.

The first step of the execution stage is refining an understanding of the environment in which the testing is performed. This implies understanding the organisation to select the correct assurance scope and objectives. The assurance scope and objectives need to be communicated to and agreed upon by all stakeholders.

The output from this step consists of documented evidence regarding:
• Who performs the task(s), where the task is performed and when the task is performed
• The inputs required to perform the task and the outputs generated by the task
• The stated procedures for performing the task

The assurance professional can structure this step along the following lines:
• Interview and use activity lists and RACI charts.
• Collect and read process description, policies, input/output, issues, meeting minutes, past assurance reports, past assurance recommendations, business reports, etc.
• Prepare the scoping task (objective of process, goals and metrics of process to be reviewed).
• Build an understanding of enterprise IT architecture.

STEP 2—REFINE SCOPE
The assurance steps to be performed determine the scope of the assurance project.

Based on the current and detailed understanding of the IT environment, any revisions that may have been made to the business and/or assurance objectives, and whilst planning a cost-effective testing plan, it may be appropriate to adjust the scope.

The scoping phase performed earlier may, therefore, need to be refined to determine a finalised subset of the assurance universe (e.g., process, system, application) and a set of controls to be reviewed.

Analyse Business and IT Goals
The assurance objectives and approach to the current business objectives should be realigned, and the understanding of business processes, the business goals, and the relevance of IT to the processes and objectives should be updated. The IT goals may need to be adjusted, bearing in mind the latest assurance requirements and the IT organisation.
[Figure 10—Execution Road Map: refine the understanding of the IT assurance subject; refine scope of key control objectives for the IT assurance subject; test the effectiveness of the control design of the key control objectives; alternatively/additionally test the outcome of the key control objectives; document the impact of control weaknesses; develop and communicate overall conclusion and recommendations.]
Select Processes and Controls
The selection of the in-scope IT processes, IT control objectives and IT resources (i.e., applications, information, infrastructure, people) should be refined to establish the assurance boundaries. The selection of the processes, objectives and related resources is performed by assessing if it is likely that non-achievement of the control objective for the IT component will have a material effect.

Analyse Risks
The scope may need to be further adjusted, based on an assessment of the inherent risk of material control objectives not being met. This risk-adjusted scope determines the amount of assurance review and testing required.

Finalise Scope
The assurance strategy should be set, and the scope and focus of the assurance approach should be finalised based on the latest understanding of objectives, optimum testing approach and assessed risk, as described previously. The IT processes, IT resources and IT control objectives selection should be adjusted as required by the strategy defined. The documentation required and the testing approach should be determined to ensure the most effective and efficient coverage of assurance objectives.

STEP 3—TEST THE CONTROL DESIGN
This section lists the different techniques that will be used in the detailed assurance steps.

Testing is performed, covering the following main test objectives (also to be found in SAS 70³ and SysTrust™⁴ assurance):
• Evaluate the design of the controls.
• Confirm that controls are placed in operation.
• Assess the operational effectiveness of the controls.

In addition, control efficiency may also be tested.

In the testing phase, different types of testing can be applied. Five generic testing methods include:
• Enquire and confirm:
– Search for exceptions/deviations and examine them.
– Investigate unusual or non-routine transactions/events.
– Check/determine whether something has (not) occurred (sample).
– Corroborate management statements from independent sources.
– Interview staff members and assess their knowledge and awareness.
– Reconcile transactions (e.g., reconciling transactions to bank statements).
– Ask management questions and obtain answers to confirm findings.
• Inspect:
– Review plans, policies and procedures.
– Search audit trails, problem logs, etc.
– Trace transactions through the process/system.
– Physically inspect presence (documentation, assets, etc.).
– Walk through installations, plans, etc.
– Perform a design or code walk-through.
– Compare actual with expected findings.
• Observe:
– Observe and describe the processes.
– Observe and describe the procedures.
– Compare actual with expected behaviour.
• Reperform and/or recalculate:
– Independently develop and estimate the expected outcome.
– Attempt what is prevented.
– Reperform what is detected by detective controls.
– Reperform transactions, control procedures, etc.
– Recalculate independently.
– Compare expected value with actual value.
– Compare actual with expected behaviour.
– Trace transactions through the process/system.
3 Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognised auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
4 SysTrust is an assurance service developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA).
• Review automated evidence collection:
– Collect sample data.
– Use embedded audit modules.
– Analyse data using computer-assisted audit techniques (CAATs).
– Extract exceptions or key transactions.

The assurance steps to be performed assess the adequacy of the design of controls. The following three assurance steps should be performed:
• Observe/inspect and review the control approach, and test the design for completeness, relevancy, timeliness and measurability.
• Enquire whether and confirm that the responsibilities for the control practices and overall accountability have been assigned. Test whether accountability and responsibilities are understood and accepted. Verify that the right skills and the necessary resources are available.
• Enquire through interviews with key staff members involved whether the control mechanism, its purpose, and the accountability and responsibilities are understood.

In summary, the assurance professional must determine whether:
• Documented control processes exist
• Appropriate evidence of control processes exists
• Responsibility and accountability are clear and effective
• Compensating controls exist, where necessary

Additionally and specifically in internal audit assignments, the cost-effectiveness of the control design should be verified with the following assurance steps:
• If the design of the control practice set is effective, investigate whether it can be made more efficient by optimising steps, looking for synergies with other control mechanisms and reconsidering the balance of prevention vs. detection and correction. Consider the effort spent in maintaining the control practices.
• If the control practice set is operating effectively, investigate whether it can be made more cost-effective. Consider analysing performance metrics of the activities associated with this control practice set, automation opportunities and/or skill level.

STEP 4—TEST THE OUTCOME OF THE CONTROL OBJECTIVES
The assurance steps to be performed ensure that the control measures established are working as prescribed, consistently and continuously, and conclude on the appropriateness of the control environment.

To test the outcome or effectiveness of the control, the assurance professional needs to look for direct and indirect evidence of the control’s impact on the quality of the process outputs. This implies the direct and indirect substantiation of measurable contribution of the control to the IT, process and activity goals, thereby recording direct and indirect evidence of actually achieving the outcomes as documented in COBIT.

The assurance professional should obtain direct or indirect evidence for selected items/periods to ensure that the control under review is working effectively by applying a selection of testing techniques as presented in step three. The assurance professional should also perform a limited review of the adequacy of the process deliverables and determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
STEP 5—DOCUMENT THE IMPACT OF CONTROL WEAKNESSES
The assurance steps to be performed substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.

When control weaknesses are found, they have to be properly documented, taking into account their often sensitive and confidential nature. In addition, particular care is required to correctly analyse and assess the severity of the observed weaknesses and the potential business impact they may have.

The objective of this step is to conduct the necessary testing to provide management with assurance (or non-assurance) about the achievement of a given business process and its related control objectives. More detailed analysis should occur when:
• No control measures are in place
• Controls are not working as expected
• Controls are not consistently applied

This should result in a thorough understanding of the control weaknesses and the resulting threats and vulnerabilities, and an understanding of the potential impact of the control weaknesses.

The following assurance steps can be performed to document the impact of not achieving the control objective:
• Relate the impact of not achieving the control objective to actual cases in the same industry and leverage industry benchmarks.
• Link known performance indicators to known outcomes and, in their absence, link the cause to its effect (cause/effect analysis).
• Illustrate what the impact would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources).
• Illustrate the impact of control weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
• Clarify vulnerabilities and threats that are more likely with controls not operating effectively.
• Document the impact of actual control weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder requirements, etc.
• Point out the consequence of non-compliance with regulatory requirements and contractual agreements.
• Measure the actual impact of disruptions and outages on business processes and objectives, and on customers (e.g., number, effort, downtime, customer satisfaction, cost).
• Document the cost (i.e., customer and financial impact) of errors that could have been caught by effective controls.
• Measure and document the cost of rework (e.g., ratio of rework to normal work) as an efficiency measure affected by control weaknesses.
• Measure the actual business benefits and illustrate cost savings of effective controls after the fact.
• Use benchmarking and survey results to compare the enterprise performance with others.
• Use extensive graphics to illustrate the issues.

COBIT provides support in the following ways:
• The business, IT and process goals and the information criteria in the process descriptions indicate what business values are at risk if controls are not implemented properly.
• For each control objective, there are value and risk driver statements that indicate the benefits to be gained and the risks to be avoided by improving controls.
• The RACI charts demonstrate which roles might be affected by the risk and, therefore, should be informed of the substantive testing outcome.
• Maturity models can be leveraged to benchmark internally and against other industries or competitors in an easy, accessible and understandable manner, helping to influence management. Benchmarking data are available in COBIT Online.
STEP 6—DEVELOP AND REPORT OVERALL CONCLUSION AND RECOMMENDATIONS
The assurance steps to be performed communicate the substantiated risk of the control weaknesses to the different stakeholders of the assurance initiative.

The assurance professional should document any identified control weaknesses and resulting threats and vulnerabilities, and identify and document the actual and potential impact (e.g., through root cause analysis). In addition, the assurance professional may provide comparative information (e.g., through benchmarks) to establish a reference framework in which the test results ought to be evaluated. As potential guidance to this, a generic maturity model for internal control is provided in chapter 7, Maturity Model for Internal Control, showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimised level.

The objective is to identify items of significance to be able to articulate to the stakeholder the recommended actions and reasons for taking action. This phase includes aggregating the results of the previous phases, developing a conclusion concerning the identified control weaknesses and communicating:
• Recommended actions to mitigate the impact of the control weaknesses
• Performance comparison to standards and best practices for a relative view on the results
• The risk position regarding the process

The formulated conclusion and recommendations should allow the responsible party to take further steps and remedial actions.

When the assurance initiative is performed within an assurance context, the assurance professional needs to be thoughtful of formal assurance communication and compliant with assurance reporting standards and guidelines (available at www.isaca.org).
6. ASSURANCE GUIDANCE FOR COBIT PROCESSES AND CONTROLS
INTRODUCTION
This section describes the structure of the detailed testing guidance based on COBIT, covering six generic controls applicable to all IT processes, IT general controls based on the 34 COBIT IT processes and six application controls.

Guidance is provided for testing control design, testing control outcome and documenting the impact in appendices I through VI, according to the layout in figure 26.

GENERIC PROCESS CONTROLS
Each COBIT process has generic control requirements that are identified by generic process controls within the Process Control (PC) domain (see appendix I). These are applicable for all COBIT processes and should be considered together with the detailed COBIT control objectives to have a complete view of control requirements.

The six generic process controls, detailed in appendix I, Process Control, are:
• PC1 Process goals and objectives
• PC2 Process ownership
• PC3 Process repeatability
• PC4 Roles and responsibilities
• PC5 Policy, plans and procedures
• PC6 Process performance improvement

GENERIC CONTROL PRACTICES
Three generic control practices and, consequently, three generic assurance steps are defined. They are:
• Approach
• Accountability and responsibility
• Communication and understanding

The complete set of generic and specific control practices provides one consistent control approach necessary and sufficient for achieving the stated control objectives. Other control approaches with different sets of practices may exist; hence, there is a need to always verify the appropriateness of the control design at the outset of control implementation or at the outset of assurance activities.

Approach
The generic approach control practice consists of:
• Generic control practice—Designs the control approach for achieving this control objective, and defines and maintains the control practices that implement this design
• Assurance step—Enquires whether and confirms that a set of practices has been defined to achieve the objective; observes/inspects and reviews the control approach, and tests the design for completeness, relevancy, timeliness and measurability
[Figure 26—Structure of the Detailed Assurance Advice in Appendices I to VI: for each control objective, the advice lists value statements and risk statements, assurance steps for testing control design, assurance steps for testing the outcome of the control objectives, and assurance steps for documenting the impact of control weaknesses.]
Accountability and Responsibility
The generic accountability and responsibility control practice consists of:
• Generic control practice—Defines and assigns accountability and responsibility for the control objective as a whole, and responsibility for the different control practices (see RACI charts in COBIT); makes sure personnel have the right skills and necessary resources to execute these responsibilities
• Assurance step—Enquires whether and confirms that responsibilities for the control practices as well as overall accountability have been assigned in a cost-effective and efficient manner; tests whether accountability and responsibilities are understood and accepted; verifies that the right skills and necessary resources are available

Communication and Understanding
The generic communication and understanding control practice consists of:
• Generic control practices—Ensures the control practices, as implemented, address the control objectives and are communicated and understood
• Assurance step—Enquires through interviews with key staff members involved whether the control mechanism, its purpose, and the accountability and responsibilities have been communicated and are understood

IT GENERAL CONTROLS
General controls relate to the environment within which automated application systems are developed, maintained and operated and which are, therefore, applicable to all the applications. They ensure the proper development, implementation and maintenance of all automated applications, and the integrity of program and data files and of computer operations.

Guidance is provided on how to test COBIT’s 34 IT processes, organised into four appendices (see appendices II-V) based on COBIT’s four domains.

APPLICATION CONTROLS
Application controls relate to the transactions and standing data pertaining to each automated application system and are specific to each such application. They ensure the completeness and accuracy of the records and the validity of the entries made in the transactions and standing data resulting from both manual and automated processing. They are defined further in the Application Control (AC) domain in appendix VI.

Relative to IT assurance, a distinction is made between application and general controls. General controls are controls embedded in the IT organisation, its processes and services. Examples include:
• Systems development
• Change management
• Security
• Computer operations

Controls embedded in business process applications, on the other hand, are commonly referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation of duties

Therefore, the objectives of application controls generally involve ensuring that:
• Data prepared for entry are complete, valid and reliable
• Data are converted to an automated form and entered into the application accurately, completely, and on time
• Data are processed by the application completely and on time, and in accordance with established requirements
• Output is protected from unauthorised modification or damage and distributed in accordance with prescribed policies

COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement (AI) domain, based on business requirements defined using COBIT’s information criteria. The operational management and control responsibility for application controls is not with IT, but with the business process owner. IT delivers and supports the applications’ services and the supporting information databases and infrastructures. Therefore, the COBIT IT processes cover general IT controls but not application controls, because these are the responsibility of business process owners and, as described previously, are integrated into business processes.
Business controls are not in the scope of COBIT and IT Assurance Guide. Figure 27 sets the boundaries of IT general controls and application controls, delineating at the same time the extent to which COBIT handles business controls.

For automated services, the business is responsible for defining functional, as well as control, requirements to be included in all business processes supported by applications. Subsequently, IT responsibilities include automation of the business functional and control requirements and establishment of controls to maintain the integrity of the business applications.

Just as for the IT general controls and generic process controls, guidance is provided for testing the design and outcome and documenting impact for each of the six COBIT application controls, detailed in appendix VI, Application Control:
• AC1 Source document preparation and authorisation
• AC2 Source document collection and data entry
• AC3 Accuracy, completeness and authenticity checks
• AC4 Data processing integrity and validity
• AC5 Output review, reconciliation and error handling
• AC6 Transaction authentication and integrity

Application control weaknesses may have an impact on the entity’s ability to process business transactions through the impacted business processes and applications. Application controls are a subcomponent of the entity’s business controls. Weaknesses in application controls may be mitigated by compensating manual business and organisational control activities. The impact of application control weaknesses should be considered in the context of the underlying business process nature and related transactions and the impact of other business process controls and, as such, should be considered in consultation with the business process assurance provider.

EXAMPLES OF THE USE OF DETAILED ASSURANCE STEPS
Some illustrative examples of how the assurance testing steps could be applied follow.

Example 1—Testing of Control Design
SITUATION
General computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Manage changes, control objective AI6.2 Impact assessment, prioritisation and authorisation.

OBSERVATIONS
For the selected systems (e.g., application, platform, network), the assurance professional inventoried the types of changes that can be implemented, the procedures (formal or informal) currently in place, all parties involved in the change management process, tools used, etc. This was done through interviews with involved persons and inquiries for documented procedures. The result of this work was a comprehensive and correct flowchart of the change management process.
[Figure 27—IT General Controls and Application Controls: IT general controls span the Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate domains, with application controls between them and the business controls. The business is responsible for properly defining functional and control requirements and for properly using the automated services; IT is responsible for automating and implementing the business functional and control requirements and for establishing controls to maintain the integrity of application controls.]
The assurance professional reviewed the identified process flow to determine whether there was a step defined in the procedure to assess the impact of a change by a competent person or group of persons. The assurance professional observed that the template for requesting and approving changes included a section on impact assessment. However, the change management procedure did not mention that this information is mandatory, and the absence of this information did not lead to a rejection of the change request. In addition, the procedure did not mention any documentation standards or required verification and approval steps for the impact assessment.

CONCLUSION
The design of this control is flawed because a fundamental component of the control (i.e., impact assessment) is incomplete at best. It is possible that changes have been implemented without proper risk assessment, which can lead to unplanned and difficult-to-contain operational disruptions or malfunctions.

Example 2—Testing for the Effectiveness of the Control
SITUATION
General computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Manage changes, control objective AI6.3 Emergency changes.

OBSERVATIONS
As part of the evaluation of the control design, the assurance professional identified that, for all relevant change management procedures, there is a control defined to help ensure that emergency change requests are reintroduced into the normal change management cycle. In addition, the assurance professional found that there is a procedure that ensures that all emergency changes are appropriately logged in a change management tool.

As part of the control effectiveness testing, a sample of emergency change requests was selected from the change management tool and traced to its reintroduction as normal changes. This tracing included verification of whether the emergency change was actually introduced again as a normal change and whether it was processed following the normal change management procedure.

The assurance professional observed that from the sample of 25 emergency changes selected, three of them were not subsequently reprocessed as normal changes. In addition, the assurance professional found that from the 22 emergency changes that had been duly reintroduced, only 10 were discussed at the change management board—or at least that there was a trace available that indicated that the 10 changes were discussed (trace included information stored in the change management tool).

CONCLUSION
The emergency change procedure is not effective for two reasons:
• Not all emergency changes are reintroduced in the system, leading to a risk of losing emergency changes from sight and not learning from them.
• Emergency changes that have been reintroduced are most likely inadequately discussed and documented, leading to the same risk.
Example 3—Documenting the Impact of Control WeaknessesSITUATIONGeneral computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Managechanges, control objective AI6.3 Emergency changes.
OBSERVATIONSUsing the situation as described, the assurance professional needed to gain additional information and perform further analysis toassess and document the impact of the control weaknesses. For the aforementioned examples, the assurance professional needed toconsider the types and numbers of changes affected by the control weaknesses.
Some of the required information might/should already be gathered at the planning stage. This information should be used toevaluate the materiality of the weaknesses noted. Notably, the changes affected should be mapped back to the relevant infrastructurecomponents and the applications/information they support/process. In addition, SLA penalties might apply. Furthermore, analysis ofproblems noted in the past can help establish the real potential impact of the weaknesses noted.
In this case, it turns out that, after discussion with the responsible change manager and confirmation with other change management boardmembers, the missing emergency changes relate to non-critical systems and the missing documentation was only a documentation issue,whereas the actual change, its cause and consequences had indeed been discussed but were not formally documented.
CONCLUSIONAlthough the control weaknesses remain as they have been observed, further analysis and documentation showed that theweaknesses were of a lesser importance than originally assessed.
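The tracing test of Example 2 and the impact mapping of Example 3 can be mechanised when an export from the change management tool is available. The following is an added example written for this page, not code from the ITGI guide: the change records, the system names and the criticality classification are constructed, and they are shaped to reproduce the counts stated in the text (25 emergency changes sampled, three never reintroduced, 10 of the 22 reintroduced ones with a change management board trace).

```python
# Added example (not from the ITGI guide): trace emergency changes back into the
# normal change cycle (AI6.3) and map the exceptions to system criticality.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    change_type: str                        # "emergency" or "normal"
    system: str                             # constructed system name
    reintroduces: Optional[str] = None      # normal change: emergency id it re-raises
    cab_minutes_ref: Optional[str] = None   # trace that the board discussed it


# Hypothetical criticality classification, used for the impact step (Example 3).
SYSTEM_CRITICALITY = {
    "payments-core": "critical",
    "reporting-batch": "non-critical",
    "intranet-wiki": "non-critical",
}


def build_sample() -> List[ChangeRecord]:
    """Constructed tool export: 25 emergency changes and their follow-up normal changes."""
    records: List[ChangeRecord] = []
    for i in range(1, 26):
        emg_id = f"E{i:03d}"
        system = "payments-core" if i <= 12 else "reporting-batch" if i <= 20 else "intranet-wiki"
        records.append(ChangeRecord(emg_id, "emergency", system))
        if i <= 22:                         # E023-E025 were never reintroduced
            cab = f"CAB-2007-{i:02d}" if i <= 10 else None   # only 10 carry a board trace
            records.append(ChangeRecord(f"N{i:03d}", "normal", system,
                                        reintroduces=emg_id, cab_minutes_ref=cab))
    return records


@dataclass
class Finding:
    emergency_id: str
    system: str
    reintroduced_as: Optional[str]   # id of the normal change, or None
    cab_evidence: Optional[str]      # board trace on that normal change, or None


def trace_emergency_changes(records: List[ChangeRecord]) -> List[Finding]:
    """For each emergency change, find the normal change that reintroduced it
    and whether that normal change carries a change management board trace."""
    follow_ups: Dict[str, ChangeRecord] = {
        r.reintroduces: r for r in records
        if r.change_type == "normal" and r.reintroduces is not None
    }
    findings = []
    for rec in records:
        if rec.change_type != "emergency":
            continue
        follow = follow_ups.get(rec.change_id)
        findings.append(Finding(
            emergency_id=rec.change_id,
            system=rec.system,
            reintroduced_as=follow.change_id if follow else None,
            cab_evidence=follow.cab_minutes_ref if follow else None,
        ))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Counts in the form the observations in the text are stated."""
    reintroduced = [f for f in findings if f.reintroduced_as is not None]
    return {
        "sampled": len(findings),
        "not_reintroduced": len(findings) - len(reintroduced),
        "reintroduced": len(reintroduced),
        "cab_evidenced": sum(1 for f in reintroduced if f.cab_evidence is not None),
    }


def evaluate_control(findings: List[Finding]) -> List[str]:
    """Exceptions that make the control ineffective; an empty list means none found."""
    s = summarise(findings)
    exceptions = []
    if s["not_reintroduced"]:
        exceptions.append(f"{s['not_reintroduced']} of {s['sampled']} emergency changes "
                          "were never reintroduced as normal changes")
    if s["cab_evidenced"] < s["reintroduced"]:
        exceptions.append(f"only {s['cab_evidenced']} of {s['reintroduced']} reintroduced "
                          "changes carry a change management board trace")
    return exceptions


def assess_impact(findings: List[Finding],
                  criticality: Dict[str, str] = SYSTEM_CRITICALITY) -> Dict[str, List[str]]:
    """Example 3 step: map the changes that were never reintroduced back to the
    criticality of the systems they touched. Unknown systems count as critical."""
    impact: Dict[str, List[str]] = {"critical": [], "non-critical": []}
    for f in findings:
        if f.reintroduced_as is None:
            impact[criticality.get(f.system, "critical")].append(f.emergency_id)
    return impact
```

Running trace_emergency_changes over build_sample() and passing the findings to evaluate_control yields the two exceptions listed in the conclusion of Example 2; assess_impact then shows the three unreintroduced changes falling on non-critical systems, which is the additional analysis that lowered the assessed importance in Example 3. The missing board documentation is deliberately not downgraded by the code: as the text describes, that required confirmation through discussion with the change manager and board members, not a tool query.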
IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE
7. HOW COBIT COMPONENTS SUPPORT IT ASSURANCE ACTIVITIES
INTRODUCTION
Figure 28 links the list of typical IT assurance activities to the COBIT components that can be leveraged to make the activities more efficient and effective. It demonstrates how COBIT can support specific assurance-related activities, often performed as stand-alone tasks, in addition to how COBIT has provided support to the suggested IT assurance road map, described in the previous sections.
Links have been indicated only where there is specific and strong support for an IT assurance activity. There are some key components, however, that support all activities. In practice, users of COBIT adapt and tailor the COBIT resources for their specific purposes and discover how COBIT can add value to a particular task. The table is, therefore, only a guide.
Two of the most useful components are the goals and outcome measures and the RACI charts (key activities and responsibilities). They capture the essence of IT, its processes, activities and objectives and, hence, support all aspects of planning, scoping and assurance execution. Another important component for IT assurance activities is COBIT Online—its searching and browsing functions enable easier access to all the main COBIT content as well as useful benchmarking data. Those COBIT components important for assurance activities are shaded in figure 28.
The following sections summarise the most important relationships in figure 28, first from the components point of view and then from the activities point of view. To conclude, the strongest links between activities and components are circled in figure 28.
COBIT COMPONENTS
Control objectives and practices are mostly useful for testing related activities, although since the control objectives are high-level and similar to key management practices, they can be considered during planning activities. Both are also helpful for the selection and customisation of control objectives for an assurance initiative.
Figure 28—Linking IT Assurance Activities and COBIT Components
The figure is a matrix that marks, for each IT assurance activity, the COBIT components that support it.
IT Assurance Activities (rows):
• Perform a quick risk assessment.
• Assess threat, vulnerability and business impact.
• Diagnose operational and project risk.
• Plan risk-based assurance initiatives.
• Identify critical IT processes based on value drivers.
• Assess process maturity.
• Scope and plan assurance initiatives.
• Select the control objectives for critical processes.
• Customise control objectives.
• Build a detailed assurance programme.
• Test and evaluate controls.
• Substantiate risk.
• Report assurance conclusions.
• Self-assess process maturity.
• Self-assess controls.
COBIT Components (columns):
• COBIT Control Practices
• Control Objectives
• Value and Risk Statements
• Maturity Model
• Maturity Model Attributes
• Goals and Outcome Measures
• RACI (Key Activities and Responsibilities)
• Performance Drivers
• Management Awareness Tool
• Information Criteria
• Process List
• IT Risk and Control Diagnostics
• Board Briefing on IT Governance, 2nd Edition
• COBIT Quickstart
• COBIT Online—Searching and Browsing
• COBIT Online—Benchmarking
• IT Control Objectives for Sarbanes-Oxley, 2nd Edition
The list of COBIT processes and the domains provide a responsibility structure for IT and help ensure the completeness of the assurance coverage. The list is useful in the planning phase and also when summarising the conclusions of an assurance initiative. Similarly, information criteria provide a generic and simple high-level structure of the objectives of IT processes and are equally useful for structuring assurance plans and conclusions.
Maturity models are very useful tools for high-level assessments of processes, identification of key processes, planning which processes need most attention in the assurance programme and also when summarising the assurance conclusions. The maturity attributes provide more details for process maturity assessment, and because they are generic for all processes, they are also an alternative to the specific process maturity descriptions provided for each COBIT process. Because maturity models describe how processes are managed, the detailed attributes can be used to further customise control objectives, which usually describe only what needs to be done. Maturity models are increasingly being used by IT management for self-assessment and can, therefore, provide a common approach for both the assurance and IT professionals to understand and agree upon priorities and areas on which to focus attention.
Whereas performance drivers play an important role for assurance activities in the planning and reporting phases of an IT assurance road map, they are also a good source for customising control objectives because they imply that certain actions need to happen or conditions need to exist that will increase the probability of successfully achieving the process’s objectives and goals.
Value and risk statements provide the arguments to justify controls but are also primary inputs when performing high-level or detailed risk assessments. They are also starting points when identifying critical processes and IT components.
The management awareness and diagnostic tools are provided in Supplemental Tools and Materials, available online and on CD-ROM with the IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition. They are tools to perform initial high-level assessments of process importance, significant risks and the state of process controls, typically done in the early stages of the IT assurance initiative.
The assessment form presentation of COBIT Quickstart lends itself easily to quick or high-level assessments as well as to efficient self-assessments.
Benchmarking data and functionality as provided in COBIT Online are useful to portray how the entity compares on process management and controls with other enterprises in the same industry, geography or size segment. The comparison is supported with pie chart and spider diagrams. Such benchmarks lend a lot of credibility to the conclusions of assurance activities but can also be used earlier in the assurance life cycle (e.g., to identify processes that need early or in-depth assurance coverage because of gaps with the rest of the industry).
IT ASSURANCE ACTIVITIES
To gain insight into the entity where the IT assurance activities are to be performed, the COBIT components that provide the best support for the assurance professional are the process structure, maturity models, goals, outcome measures and performance drivers.
Risk-based IT assurance planning has become common practice and is well supported by COBIT’s maturity modelling and COBIT Online’s benchmarking to identify where the highest potential risks are. The risk and value statements of the control objectives provide additional support if more detailed risk assessment is required to drive the assurance plan. Quickstart as well as the awareness and diagnostic tools are aids to perform high-level assessments quickly and efficiently.
Planning and reporting—and scoping to a lesser extent—use most of the COBIT components but usually only as input or reference. On the other hand, detailed planning and scoping, as well as testing, are activities that use fewer of the COBIT components but they tend to use them more intensely. Planning, scoping and testing are also the IT assurance activities that extensively use the material that is at the ‘heart’ of COBIT: the control objectives.
THE STRONGEST LINKS
Some of the strongest links between COBIT components and IT assurance activities (i.e., where activities can benefit the most from the COBIT materials) are as follows:
• Goals and outcome measures with planning risk-based assurance initiatives
• Risk and value statements with risk assessments and risk substantiation
• Key activities and RACI charts with detailed assurance planning
• Control objectives and practices with testing and evaluating controls
• Maturity models and attributes with process maturity and other high-level assessments
The ITGI publication IT Control Objectives for Sarbanes-Oxley, 2nd Edition, also provides strong links between COBIT components and IT assurance activities.
APPENDIX I—PROCESS CONTROL (PC) PROCESS ASSURANCE STEPS

PC1 Process Goals and Objectives

Control Objective
Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.

Value Drivers
• Key processes measured efficiently and effectively
• Processes in line with business objectives

Risk Drivers
• Process effectiveness difficult to measure
• Business objectives not supported by processes

Test the Control Design
• Ensure that a formal process exists for communicating goals and objectives and that, when updated, such communication is repeated.
• Enquire whether and confirm that process goals and objectives have been defined. Verify that process stakeholders understand these goals.
• Enquire whether and confirm that the IT process goals link back to business goals.
• Confirm through interviews with process stakeholders that the IT process goals are SMARRT.
• Enquire whether and confirm that outputs and associated quality targets are defined for each IT process.
• Walk through the process design with selected process stakeholders and verify whether the process is understood and likely to achieve its objectives.

Test the Outcome of the Control Objective
• Analyse process metrics, targets and performance reports to verify that process goals have SMARRT characteristics and are being measured effectively and efficiently.
• Assess the effectiveness of communicating the process goals and objectives through discussions with personnel at various levels and examination of training materials, memos and other documentation.
• Test the appropriateness of the frequency of communication of goals and objectives.
• Ensure that business goals are supported by IT processes by tracing between the two and identifying unsupported business goals.

Document the Impact of Control Weaknesses
• Determine the business impact if process goals and objectives are not linked to the business goals.
• Assess the impact on business processing in the event that process goals are not defined in a SMARRT manner.
PC2 Process Ownership

Control Objective
Assign an owner for each IT process, and clearly define the role and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.

Value Drivers
• Processes operating smoothly and reliably
• Processes interacting with each other effectively
• Process problems and issues identified and resolved
• Processes continually improved

Risk Drivers
• Processes performing unreliably
• Processes not working together effectively
• Gaps in process coverage likely
• Process errors not rectified

Test the Control Design
• Enquire whether and confirm that an owner exists for each IT process.
• Enquire whether and confirm that roles and responsibilities have been defined. Verify that the owners understand and accept these responsibilities.
• Confirm with the process owner and direct supervisor that sufficient authority has been provided to support the role and responsibilities.
• Ensure that processes are in place to assign ownership and accountability for processes and deliverables, including communications.

Test the Outcome of the Control Objective
• Review job descriptions and performance appraisals of the process owner to verify assignment, understanding and acceptance of ownership.
• Review the roles and responsibilities to ensure that they are complete and appropriate.
• Review organisation charts and reporting lines to verify actual authority.
• Verify that processes are interacting with each other effectively.
• Verify that process owners are driving continuous improvement.

Document the Impact of Control Weaknesses
Assess whether the process ownership sufficiently supports achieving business processing services to meet short- and long-range organisational objectives.
PC3 Process Repeatability

Control Objective
Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.

Value Drivers
• Increased efficiency and effectiveness of recurring activities
• Ease of process maintenance
• Ability to demonstrate process effectiveness to auditors and regulators
• Processes supporting the overall IT organisation goals and enhancing IT value delivery

Risk Drivers
• Inconsistent process results and likelihood of process errors
• High reliance on process specialists
• Processes unable to react to problems and new requirements

Test the Control Design
• Enquire whether and confirm that process repeatability is a management objective.
• For important and high-risk processes, review the process steps in detail and ensure that they provide for evidence of management review.
• Confirm which good practices and industry standards were used when defining the IT processes.
• Interview selected process stakeholders and determine adherence to the process.
• Ensure that systems are designed for scalability and flexibility.

Test the Outcome of the Control Objective
• Walk through the process design with the process owner, and verify whether the steps are logical and likely to contribute to the end result.
• Review process documentation to verify the adoption of applicable process standards and degree of customisation.
• Assess the maturity and level of integration of supporting tools used for the process.

Document the Impact of Control Weaknesses
Select data about process results not meeting objectives, and analyse whether the causes relate to process design, ownership, responsibilities or inconsistent application.
PC4 Roles and Responsibilities

Control Objective
Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process’s end deliverables.

Value Drivers
• Increased efficiency and effectiveness of recurring activities
• Staff members knowing what to do and why, improving morale and job satisfaction

Risk Drivers
• Uncontrolled, unreliable processes
• Processes not supporting the business objectives
• Processes not performed as intended
• Problems and errors likely to remain unresolved
• Process performance likely to be variable and unreliable

Test the Control Design
• Ensure that a process is in place to define and maintain information about the key activities and deliverables. Ensure that the process includes the development of supporting policies, procedures and guidance.
• Ensure that processes are designed to capture accomplishments and include them in employee performance information.

Test the Outcome of the Control Objective
• Confirm through interviews and documentation review that key activities and end deliverables for the process have been identified and recorded.
• Review job descriptions, and verify that roles and responsibilities for key activities and process documentation are recorded and communicated.
• Verify through interviews with owners, management and staff members that accountability for the process and its outputs are assigned, communicated, understood and accepted. Corroborate interview findings through analysis of the resolution to significant process incidents and review of a sample of job performance appraisals.
• Enquire whether and confirm that regular job performance appraisal is performed to assess actual performance against process responsibilities, such as:
– Executing roles and responsibilities as defined
– Performing process-related activities in line with goals and objectives
– Contributing to the quality of the process end deliverables
• Review the resolution to significant process incidents, and review a sample of job performance appraisals to verify whether responsibilities and accountabilities are enforced.
• Review roles and responsibilities with various staff members and ascertain their understanding, whether the allocations are appropriate and whether the reporting relationships are effective.
• Assess whether the roles and responsibilities are designed to support compliance with various activities within the roles.

Document the Impact of Control Weaknesses
Assess whether the roles and responsibilities sufficiently support the achievement of business processing services to meet short- and long-range organisational objectives.
PC5 Policy, Plans and Procedures

Control Objective
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.

Value Drivers
• Increased staff awareness of what to do and why
• Decreasing number of incidents from policy violations
• Policies and associated procedures remaining current and effective

Risk Drivers
• Processes not aligned with business objectives
• Staff members not knowing how to perform critical tasks
• Policy violations

Test the Control Design
• Enquire whether and confirm that such rules exist and are communicated, known and applied to how all IT process-related documentation (e.g., policies, plans, procedures, guidelines, instructions, methodologies) that drives an IT process will be developed, documented, reviewed, maintained, approved, stored, used for training and communicated.
• Inspect selected policies, plans and procedures to verify if they were created following the rules and are kept up to date.
• Enquire whether and confirm that responsibilities are defined for developing, maintaining, storing and communicating process-related documentation.
• Enquire whether and confirm that there are documented processes under which policies and procedures are identified, developed, approved, reviewed and maintained to provide consistent guidance.

Test the Outcome of the Control Objective
• Verify that those who perform the activities understand their responsibility.
• Inspect selected documents to verify that they are up to date and understood.
• Review IT process-related documentation and verify if sign-off is done at the appropriate level.
• Review if IT process-related documentation is accessible, correct, understood and up to date.
• Ensure that policies are effectively promulgated through awareness and training.
• Assess, through interviews at all staff levels, whether the policies and procedures are clearly understood and support the business objectives.

Document the Impact of Control Weaknesses
Assess whether all policies, plans and procedures sufficiently support achieving business processing services to meet short- and long-range organisational objectives.
PC6 Process Performance Improvement

Control Objective
Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and the performance drivers that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurement to the target and take action upon deviations, where necessary. Align metrics, targets and methods with IT’s overall performance monitoring approach.

Value Drivers
• Process costs optimised
• Processes nimble and responsive to business needs

Risk Drivers
• Process outcomes and deliverables not in line with overall IT and business objectives
• Processes too costly
• Processes slow to react to business needs

Test the Control Design
• Enquire whether and confirm that a process is in place to establish key metrics designed to provide a high level of insight into the operations with limited effort.
• Verify that the design of the metrics enables measurement of achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.
• Enquire whether and confirm that relationships between outcome and performance metrics have been defined and integrated into the enterprise’s performance management system (e.g., balanced scorecard) where appropriate.
• Enquire whether and confirm that procedures have been designed to identify specific targets for process goals and performance drivers. The procedures should define how the data will be obtained, including mechanisms to facilitate process measurement (e.g., automated and integrated tools, templates).
• Enquire whether and confirm that processes exist to obtain and compare actual results to established internal and external benchmarks and goals. Verify that for key processes, management compares process performance and process outcomes against internal and external benchmarks and considers the result of the analysis for process improvement.

Test the Outcome of the Control Objective
• Enquire whether and confirm that appropriate metrics are defined to assess process performance and achievement of the process goals.
• Analyse some of the key metrics and corroborate, via other means, whether they provide sufficient insight into goals.
• Enquire whether and confirm that targets have been defined for process goals and performance drivers. Review targets and assess whether they align to the goals and enable efficient and appropriate identification of corrective action.
• Review the procedures for collecting data and measurement to ascertain the effectiveness and efficiency of monitoring.
• Interview process owners and stakeholders to assess the appropriateness of the measurement method and mechanisms.
• For significant goals of important processes, reperform data collection and measurement of targets.
• Inspect a sample of process metrics to assess the appropriateness of relationships between metrics (i.e., whether a performance metric provides insight into the likely achievement of the process outcome).
• Obtain and review major deviations against targets and confirm that action was taken. Inspect the list of actions taken as a result of measurement, and verify whether they have led to actual improvements.
• Enquire if internal and external benchmarks are used and, if so, assess their relevance and identify if appropriate action is taken on significant deviations against the benchmarks.

Document the Impact of Control Weaknesses
Determine the business impact if a set of key metrics is not available to measure the achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.
APPENDIX II—PLAN AND ORGANISE (PO) PROCESS ASSURANCE STEPS
PO
1 D
efin
e a
Str
ateg
ic IT
Pla
n
IT s
trat
egic
pla
nnin
g is
req
uire
d to
man
age
and
dire
ct a
ll IT
res
ourc
es in
line
with
the
busi
ness
str
ateg
y an
d pr
iori
ties.
The
IT
fun
ctio
n an
d bu
sine
ss s
take
hold
ers
are
resp
onsi
ble
for
ensu
ring
that
opt
imal
val
ue is
rea
lised
fro
m p
roje
ct a
nd s
ervi
ce p
ortf
olio
s. T
he s
trat
egic
pla
n sh
ould
impr
ove
key
stak
ehol
ders
’und
erst
andi
ng o
f IT
oppo
rtun
ities
and
lim
itatio
ns, a
sses
s cu
rren
t per
form
ance
and
cla
rify
the
leve
l of
inve
stm
ent r
equi
red.
The
bus
ines
s st
rate
gy a
nd p
rior
ities
are
to b
e re
flec
ted
in p
ortf
olio
s an
dex
ecut
ed b
y th
e IT
tact
ical
pla
n(s)
, whi
ch e
stab
lishe
s co
ncis
e ob
ject
ives
, pla
ns a
nd ta
sks
unde
rsto
od a
nd a
ccep
ted
by b
oth
busi
ness
and
IT.
PO1.1 IT Value Management

Control Objective
Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programmes and early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the programmes. IT services should be executed against equitable and enforceable SLAs. Accountability for achieving the benefits and controlling the costs should be clearly assigned and monitored. Establish fair, transparent, repeatable and comparable evaluation of business cases, including financial worth, the risk of not delivering a capability and the risk of not realising the expected benefits.

Value Drivers
• IT investments’ benefit transparent and effective to the enterprise
• An effective decision-making process to ensure that investments in IT deliver tangible business benefit
• IT investments in line with the business objectives
• Shared understanding regarding cost, risk and benefits of IT-enabled business initiatives
• Direct relationship between business goals and use of resources for IT

Risk Drivers
• Ineffective decision making leading to investments in IT that have insufficient return or a negative impact on the organisation
• IT not aligned with the business
• IT value management lacking the support and commitment of senior management
• Undefined or confusing accountability and responsibility
• Costs, benefits and risks of IT-enabled business initiatives unclear or misunderstood
• IT not compliant with governance requirements, potentially impacting management’s and the board’s public responsibility

Test the Control Design
• Enquire whether and confirm that the process for preparing a business case exists (e.g., the process will guide entry/exit criteria for business case development, the review process, measurements, the change management process for the business case).
• Enquire whether and confirm that the monitoring process for the business case is based upon established benchmarks, such as those in organisational SLAs or industry and technical standards.
• Enquire whether and confirm that the successes and failures of IT investment programmes are reviewed and the business case analysis process is enhanced as required (e.g., historical data should be analysed, and improvements, lessons learned and best practices should be referenced).
IT ASSURANCE GUIDE: USING COBIT
PO1.2 Business-IT Alignment

Control Objective
Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.

Value Drivers
• IT aligned with the organisation’s mission and goals
• IT enabling the achievement of the strategic business objectives
• Optimised return on IT investment
• Opportunities for innovation identified and exploited

Risk Drivers
• IT seen as a cost factor
• The enterprise’s mission not being supported by its IT
• IT management decisions not following the business direction
• Lack of common understanding of business and IT priorities, leading to conflicts about allocation of resources and priorities
• Missed opportunities to exploit new IT capabilities

Test the Control Design
• Confirm that the process for communicating business opportunities with IT management is reviewed and the importance of the process is communicated to the business and IT. Consider the update frequency of those processes.
• Enquire whether and confirm through interviews with members of IT management that they helped define enterprise goals. Ask them about their accountability for achieving enterprise goals, determine if they undertook what-if analyses and confirm their commitment to the goals.
• Enquire with business management and IT management to identify business processes that are dependent on IT. Consider whether the business and IT share the same view of systems, including their criticality, usage and reporting.
PO1.3 Assessment of Current Capability and Performance

Control Objective
Assess the current capability and performance of solution and service delivery to establish a baseline against which future requirements can be compared. Define performance in terms of IT’s contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.

Value Drivers
• IT plans contributing transparently to the organisation’s mission and goals
• Clarity of costs, benefits and risks of IT’s current performance
• Technological opportunities identified and capabilities leveraged
• IT capabilities known and operationalised effectively and efficiently to deliver the required solutions and services

Risk Drivers
• IT capabilities not contributing to the organisation’s mission and goals
• Investment decisions taken too late
• Opportunities and capabilities not leveraged
• Ineffective use of existing resources
• Inability to identify baselines for current, and requirements for future, system capability and performance

Test the Control Design
• Confirm that appropriate criteria, standards and performance indicators have been established and used to assess and report performance to management and key stakeholders. An action plan for variations and a deviation process should exist.
• Review the performance indicators established for key systems and processes (e.g., strengths and weaknesses, functionality, degree of business automation, stability, complexity, development requirements, technology alignment and direction, support and maintenance requirements, costs, external parties’ input).
• Confirm that reviews exist with regard to the achievement of agreed-upon targets defined within the previous tactical IT plan.
• Confirm that a comparison against well-understood and reliable industry, technology or other relevant benchmarks is performed to help assess existing systems and capabilities.
PO1.4 IT Strategic Plan

Control Objective
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise’s strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how the objectives will be met, the measurements to be used and the procedures to obtain formal sign-off from the stakeholders. The IT strategic plan should cover investment/operational budget, funding sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements. The strategic plan should be sufficiently detailed to allow for the definition of tactical IT plans.

Value Drivers
• Strategic IT plans consistent with business objectives
• Strategic objectives and associated accountabilities clear and understood by all
• IT strategic options identified and structured, and integrated with the business plans
• Reduced likelihood of unnecessary IT initiatives
• Strategic IT plans complete and usable

Risk Drivers
• Business requirements not understood or addressed by IT management
• No regular and formal consultation between IT management and business and senior management
• IT plans not aligned with business needs
• Unnecessary IT initiatives and investments
• IT plans inconsistent with the organisation’s expectations or requirements
• IT not focused on the right priorities

Test the Control Design
• Enquire whether and confirm that a process was followed to document IT’s goals and objectives necessary to perform its tasks. They should be defined, documented and communicated, including the:
  – Achievement of the benefits and management of the risks of the IT capabilities
  – Establishment of the current and future performance required to respond to business expectations
  – Provision of information on transparency and how IT delivers value to the business
• Enquire whether and confirm that there is a time frame for the development and execution of the strategic and tactical plans. This time frame should include the interrelationships and dependencies of the execution of the tactical plans. The time frame could vary based on scope, funding and prioritisation.
• Enquire whether and confirm that a process to capture outcome measures, represented by metrics (what) and targets (how much), of IT objectives exists and that the measures relate to business-identified benefits and the strategy’s direction.
• Confirm and review the policies and procedures supporting the structured planning approach to determine if they effectively support the process for creating an IT strategic plan.
PO1.5 IT Tactical Plans

Control Objective
Create a portfolio of tactical IT plans that are derived from the IT strategic plan. The tactical plans should address IT-enabled programme investments, IT services and IT assets. The tactical plans should describe required IT initiatives, resource requirements, and how the use of resources and achievement of benefits will be monitored and managed. The tactical plans should be sufficiently detailed to allow the definition of project plans. Actively manage the set of tactical IT plans and initiatives through analysis of project and service portfolios.

Value Drivers
• Long-range strategic IT plans capable of being operationalised by short-range tactical IT plans
• Effective IT resource allocation
• IT plans capable of being continuously monitored and evaluated
• Day-to-day performance and resource usage capable of being monitored against strategic targets
• Focus provided for IT department and staff

Risk Drivers
• IT long-range plans not achieved
• Available IT resources not leveraged for business benefits
• Deviations in IT plans not identified
• IT’s priorities misunderstood and subject to change
• Information to monitor IT’s performance not available

Test the Control Design
• Enquire whether and confirm that tactical IT plans exist and that they have been based on the IT strategic plan.
• Confirm that this is done in a structured manner in accordance with established processes and that there is no undue delay between updates of the strategic plan and the subsequent update of the tactical plans.
• Validate that the contents of the IT tactical plan are adequate and that it contains proper project definitions, planning information, deliverables and quantified estimated benefits.
• Review whether the tactical plan addresses IT-related risk.

PO1.6 IT Portfolio Management

Control Objective
Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by identifying, defining, evaluating, prioritising, selecting, initiating, managing and controlling programmes. This should include clarifying desired business outcomes, ensuring that programme objectives support achievement of the outcomes, understanding the full scope of effort required to achieve the outcomes, assigning clear accountability with supporting measures, defining projects within the programme, allocating resources and funding, delegating authority, and commissioning required projects at programme launch.

Value Drivers
• Efficient IT resource management
• IT initiatives continuously monitored and evaluated
• The right mix of IT initiatives for a positive and risk-adjusted return on investment (ROI)
• Performance and resource requirements of IT initiatives monitored against defined targets

Risk Drivers
• Missed business opportunities due to a too-conservative portfolio
• Low ROI due to a too-aggressive portfolio
• Available IT resources not leveraged
• Deviations in IT plans not identified

Test the Control Design
• Enquire whether and confirm that a process is in place that enables identification and prioritisation (based on business benefits) of IT programmes and projects supporting the IT tactical plan.
• Confirm that this process of portfolio management uses appropriate criteria to define and prioritise the different projects and programmes.
• Verify whether business goals and expected business outcomes are documented and reasonable, and whether sufficient information related to budget and effort is present.
• Confirm that the programme/project outcomes are duly communicated to all stakeholders.
Take the following steps to test the outcome of the control objectives:
• Confirm through interviews with steering committee members and other sources that the steering committee members are appropriately represented by IT and business unit leadership (e.g., awareness of roles, responsibility, decision matrix and their ownership).
• Review the approved steering committee charter and assess for relevance (e.g., roles, responsibility, authority, accountability, scope and objectives are communicated and understood by all members of the committee).
• Inspect business cases to determine that the documentation has appropriate content (e.g., scope, objectives, cost-benefit analysis, high-level road map, measures for success, roles and responsibilities, impact of existing IT investment programmes) and that the business cases were developed and approved in a timely manner. Confirm through interviews whether IT-enabled investment programmes, IT services and IT assets are evaluated against the prioritisation criteria (review the documented prioritisation criteria).
• Confirm through interviews with members of IT management that they are informed of future business directions and goals, long-term and short-term goals, mission, and values.
• Enquire whether and confirm that enterprisewide goals and objectives are incorporated into IT strategic and tactical planning processes and that the strategic planning process includes all business and support activities.
• Confirm by examining documentation, such as meeting minutes or correspondence, that business and IT are both involved in leveraging current technology to create new business opportunities.
• Confirm that a report on current information systems (including feedback on the system, use of the system, improvements or changes done on the system) is maintained on a regular basis.
• Review the achievement of agreed-upon targets defined within the previous tactical IT plan (e.g., outcome of the performance evaluation could include, but may not be restricted to, current requirements, current delivery compared with requirements, barriers to achieving requirements, and the steps and costs required to achieve agreed-upon business goals and performance requirements).
• Enquire whether and confirm that the risk and cost implications of the required IT capabilities have been documented in the IT strategic plan.
• Confirm that the outcome measures that relate to business-identified benefits have been signed off on by the stakeholders and that the feedback from stakeholders has been taken into consideration.
• Enquire whether and confirm that the approved IT strategic plan is communicated and that there is a process to determine that the plan is clearly understood.
• Confirm through interviews, meeting minutes, presentations and correspondence that the IT strategic plan has been approved by the IT steering committee and the board. Enquire whether and confirm that a formal approval process was followed.
• Enquire whether and confirm that tactical plans are aligned to strategic plans and regularly updated. Confirm through interviews that tactical plans are used as the basis for identifying and planning the projects, acquiring and scheduling resources, and implementing monitoring techniques.
• Enquire whether and confirm that the content of the tactical plans includes clearly stated project definitions, project time frames and deliverables, the required resources and the business benefits to be monitored, performance indicator goals, mitigation plan, contingency plan, communication protocol, roles, and responsibilities.
• Confirm that the selected portfolio/project has been translated into the required effort, resources, funding, achievement, etc., and is approved by business (e.g., meeting minutes, senior management review records).
• Confirm that the required authority to launch the approved projects within the selected programmes has been obtained (meeting minutes, formal approval process, communication of approved project) from business and IT.
• Confirm that projects that have been delayed or postponed or that have not proceeded are communicated to business owners and involved IT staff members.
Take the following steps to document the impact of the control weaknesses:
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the improper allocation of IT investment.
• Assess the additional cost due to the return on investment (ROI) not being maximised in terms of business goals.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the IT investments not being properly aligned with the overall business strategy.
• Assess the impact of the business investing in self-contained IT systems to meet its requirements.
• Assess the possibility of business dissatisfaction with IT service delivery.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the inability to execute IT strategic plans.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to projects being started and then failing or incurring unnecessary expenditure.
• Assess the additional cost due to the implementation of a suboptimal solution.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to business outcomes not being understood and, hence, being less effective.
PO2 Define the Information Architecture
The information systems function creates and regularly updates a business information model and defines the appropriate systems to optimise the use of this information. This encompasses the development of a corporate data dictionary with the organisation’s data syntax rules, data classification scheme and security levels. This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalising information systems resources to appropriately match business strategies. This IT process is also needed to increase accountability for the integrity and security of data and to enhance the effectiveness and control of sharing information across applications and entities.
PO2.1 Enterprise Information Architecture Model

Control Objective
Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans as described in PO1. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.

Value Drivers
• Improved decision making based on relevant, reliable and usable information
• Improved IT agility and responsiveness to business requirements
• Support for business functions through accurate, complete and valid data
• Efficient data management and reduced redundancy and duplication
• Improved data integrity
• Meeting fiduciary requirements regarding compliance reporting, security and privacy of data

Risk Drivers
• Inadequate information for business functions
• Inconsistency between information requirements and application developments
• Data inconsistency between the organisation and systems
• High effort required or inability to comply with fiduciary obligations (e.g., compliance reporting, security, privacy)
• Inefficient planning of IT-enabled investment programmes due to lack of information
• Accumulation of data that are not relevant, consistent or usable in an economical manner

Test the Control Design
• Verify whether an enterprise information model exists, based on well-accepted standards, and whether it is known by appropriate business and IT stakeholders.
• Verify whether the model is effectively used and maintained in parallel with the process that translates IT strategy into IT tactical plans and tactical plans into projects.
• Assess whether the model considers flexibility, functionality, cost-effectiveness, security, failure resiliency, compliance, etc.
PO2.2 Enterprise Data Dictionary and Data Syntax Rules

Control Objective
Maintain an enterprise data dictionary that incorporates the organisation’s data syntax rules. This dictionary should enable the sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business users, and prevent incompatible data elements from being created.

Value Drivers
• Common understanding of business data across the enterprise
• Facilitated sharing of data amongst all applications, systems and entities
• Reduced costs for application development and maintenance
• Improved data integrity

Risk Drivers
• Compromised information integrity
• Incompatible and inconsistent data
• Ineffective application controls

Test the Control Design
• Enquire whether and confirm that data syntax guidelines are maintained.
• Enquire whether and confirm that the data dictionary is defined to identify redundancy and incompatibility of data and that the impact of any modifications to the data dictionary and changes made to the data dictionary are effectively communicated.
• Review various application systems and development projects to verify that the data dictionary is used for data definitions.
• Enquire whether and confirm that senior managers agree upon the process for defining data syntax rules, data validation rules and business rules (e.g., consistency, integrity, quality).
• Inspect the data quality programme’s plans, policies and procedures to evaluate its effectiveness.
PO2.3 Data Classification Scheme

Control Objective
Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

Value Drivers
• Ensured availability of information that supports decision making
• The focus of security investments based on criticality
• Defined accountability for information integrity, availability and security
• Data access consistently permitted based on defined security levels

Risk Drivers
• Inappropriate security requirements
• Inadequate or excessive investments in security controls
• Occurrence of privacy, data confidentiality, integrity and availability incidents
• Non-compliance with regulatory or third-party requirements
• Inefficient or inconsistent information for decision making

Test the Control Design
• Review the data classification scheme and verify that all significant components are covered and completed, and that the scheme is reasonable in balancing cost vs. risk. This includes data ownership with business owners and definition of appropriate security measures related to classification levels.
• Verify that security classifications have been challenged and confirmed with the business owners at regular intervals.

PO2.4 Integrity Management

Control Objective
Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

Value Drivers
• Consistency of data integrity across all data stored
• Improved data integrity

Risk Drivers
• Data integrity errors and incidents
• Unreliable data on which to base business decisions
• Non-compliance with regulatory or third-party requirements
• Unreliable external reports

Test the Control Design
• Enquire whether and confirm that integrity and consistency criteria for all information are defined in collaboration with business management.
• Enquire whether and confirm that procedures are implemented to manage and maintain data integrity and consistency throughout the complete data process and life cycle.
• Enquire whether and confirm that a data quality programme is implemented to validate and ensure data integrity and consistency on a regular basis.
Take the following steps to test the outcome of the control objectives:
• Review documentation of the information architecture model to determine whether it addresses all significant applications and their interfaces and relationships.
• Review information architecture documentation to verify that it is consistent with the organisation’s strategy and strategic and tactical IT plans.
• Ensure that changes made to the information architecture model reflect those in the IT strategic and tactical plans and that associated costs and risks are identified.
• Enquire whether and confirm that business management and IT understand relevant parts of the information architecture model (e.g., data ownership, accountability, data governance).
• Enquire whether and confirm that the information architecture model is regularly checked for adequacy, flexibility, integrity and security and that it is subject to frequent user reviews (e.g., impact of information system changes).
• Enquire whether and confirm that data administration controls exist, and co-ordinate the definitions and usage of reliable and relevant data consistent with the enterprise information model.
• Review the data dictionary and verify that all significant data elements are described properly as per the defined process.
• Verify defined data syntax rules, data validation rules and business rules as per the defined process.
• Enquire whether and confirm that metadata in data dictionaries are sufficiently detailed to communicate syntax in an integrated manner across applications and that they include data attributes and security levels for each data item.
• Enquire whether and confirm that data dictionary management is implemented, maintained and reviewed periodically to manage the organisation’s data dictionary and data syntax rules.
• Verify whether the system covers all relevant data elements by comparing a list of data with actual implementation in the tool.
• Enquire whether and confirm that a data quality programme is implemented to increase data integrity, standardisation, consistency, one-time data entry and storage (e.g., use automated evidence collection when possible to test data integrity, standardisation, consistency, one-time data entry and storage from sample data, embedded audit modules, data analysis using audit software or other integration tools). Use automated tools (e.g., computer-assisted audit techniques [CAATs]) to verify data integrity.
• Enquire whether and confirm that a data classification scheme is defined and approved (e.g., security levels, access levels and defaults are appropriate).
• Enquire whether and confirm that data classification levels are defined based on organisation needs for information protection and the business impact of unprotected information.
• Verify that business owners review the actual classification of information and are aware of their roles, responsibilities and accountability for data.
• Enquire whether and confirm that components inherit the classification of the original assets.
• Verify that all deviations from the data classification inheritance policy have been approved by the data owner.
• Enquire whether and confirm that information and data (including hard copies of data) are labelled, handled, protected and otherwise secured in a manner consistent with the data classification categories.
• Inspect evidence that the required integrity and consistency criteria for data are defined and implemented (e.g., data stored in databases and data warehouses are consistent).
• Enquire whether and confirm that a data quality programme is implemented to validate and ensure data integrity and consistency on a regular basis.

Take the following steps to document the impact of the control weaknesses:
• Assess the impact of inconsistency amongst IT plans described in strategic planning and the enterprise information architecture model.
• Assess the impact of ineffective interface between business and IT decision making.
• Assess the vulnerability to disclosure of sensitive information.
PO3 Determine Technological Direction
The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan is regularly updated and encompasses aspects such as systems architecture, technological direction, acquisition plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments, as well as improved interoperability of platforms and applications.
Test
the
Con
trol
Des
ign
• R
evie
w th
e pr
oces
s of
str
engt
hs, w
eakn
esse
s, o
ppor
tuni
ties
and
thre
ats
(SW
OT
) an
alys
is p
erfo
rman
ce to
ens
ure
effe
ctiv
enes
s of
pro
cess
(e.
g., c
heck
for
mea
sure
men
ts o
fth
e pr
oces
s an
d ch
ange
s m
ade
to th
e pr
oces
s as
a r
esul
t of
impr
ovem
ent)
. •
Con
firm
thro
ugh
inte
rvie
ws
with
the
CIO
and
oth
er m
embe
rs o
f se
nior
man
agem
ent t
hat a
n ap
prop
riat
e te
chno
logi
cal r
isk
appe
tite
has
been
est
ablis
hed
base
d on
the
busi
ness
str
ateg
y.
PO
3.1
Tec
hnol
ogic
al D
irec
tion
Pla
nnin
g A
naly
se e
xist
ing
and
emer
ging
tech
nolo
gies
, and
pla
n w
hich
tech
nolo
gica
ldi
rect
ion
is a
ppro
pria
te to
rea
lise
the
IT s
trat
egy
and
the
busi
ness
sys
tem
sar
chite
ctur
e. A
lso
iden
tify
in th
e pl
an w
hich
tech
nolo
gies
hav
e th
e po
tent
ial t
ocr
eate
bus
ines
s op
port
uniti
es. T
he p
lan
shou
ld a
ddre
ss s
yste
ms
arch
itect
ure,
tech
nolo
gica
l dir
ectio
n, m
igra
tion
stra
tegi
es a
nd c
ontin
genc
y as
pect
s of
infr
astr
uctu
re c
ompo
nent
s.
Valu
e D
river
sC
ontr
ol O
bjec
tive
• Im
prov
ed le
vera
ging
of
tech
nolo
gy f
orbu
sine
ss o
ppor
tuni
ties
• Im
prov
ed in
tegr
atio
n of
infr
astr
uctu
rean
d ap
plic
atio
ns v
ia d
efin
ed s
tand
ards
for
tech
nica
l dir
ectio
n•
Impr
oved
use
of
reso
urce
s an
dca
pabi
litie
s•
Red
uced
cos
ts f
or te
chno
logi
cal
acqu
isiti
ons
thro
ugh
redu
ced
plat
form
s an
d in
crem
enta
lly m
anag
edin
vest
men
ts
Ris
k D
river
s
• Te
chno
logi
cal a
cqui
sitio
nsin
cons
iste
nt w
ith s
trat
egic
pla
ns•
IT in
fras
truc
ture
inap
prop
riat
e fo
ror
gani
satio
nal r
equi
rem
ents
• D
evia
tions
fro
m th
e ap
prov
edte
chno
logi
cal d
irec
tion
• In
crea
sed
cost
s du
e to
unc
o-or
dina
ted
and
unst
ruct
ured
acq
uisi
tion
plan
s
PO3 Determine Technological Direction (cont.)

PO3.2 Technology Infrastructure Plan
Control Objective: Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications.
Value Drivers:
• Improved interoperability
• Improved economies of scale for investments and support staffing
• A technology plan with good balance in cost, requirements, agility and risks
• Sufficient, stable and flexible technological infrastructure to respond to information requirements
Risk Drivers:
• Inconsistent system implementations
• Deviations from the approved technological direction
• Increased costs due to unco-ordinated and unstructured acquisition plans
• Organisational failure to maximise the use of emerging technological opportunities to improve business and IT capability
Test the Control Design:
• Confirm with key staff members that a technology infrastructure plan based on the IT strategic and tactical plans is created.
• Review the plan to confirm that it includes factors such as consistent integrated technologies, business systems architecture and contingency aspects of infrastructure components, transitional and other costs, complexity, technical risks, future flexibility value, and product/vendor sustainability and directions for acquisition of IT assets.
• Enquire with key staff members and inspect the technology infrastructure plan to confirm that changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications are identified.

PO3.3 Monitor Future Trends and Regulations
Control Objective: Establish a process to monitor the business sector, industry, technology, infrastructure, legal and regulatory environment trends. Incorporate the consequences of these trends into the development of the IT technology infrastructure plan.
Value Drivers:
• Improved awareness of technological opportunities and improved services
• Improved awareness of technical and regulatory risks
• Improved evaluation of technological changes in line with the business plan
Risk Drivers:
• Non-compliance with regulatory requirements
• High effort required to achieve compliance because of wrong or late decisions
• Technical incompatibilities or maintenance issues within the IT infrastructure
• Organisational failure to maximise the use of emerging technological opportunities to improve business and IT capability
Test the Control Design:
• Determine whether, by whom and how current and future trends and regulations are monitored (e.g., technological developments, competitor activities, infrastructure issues, legal requirements and regulatory environment changes, third-party experts) and whether related risks or related opportunities for value creation are properly assessed.
• Verify whether the result of the monitoring is consistently passed on to the appropriate bodies (e.g., IT steering committee) and to the IT tactical and infrastructure planning processes for action.
APPENDIX II
PO3 Determine Technological Direction (cont.)

PO3.4 Technology Standards
Control Objective: To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum should direct technology standards and practices based on their business relevance, risks and compliance with external requirements.
Value Drivers:
• Increased control over information systems asset acquisitions, changes and disposals
• Standardised acquisitions supporting the technological direction, increasing alignment and reducing risks
• Scalable information systems reducing replacement costs
• Consistency in technology throughout the enterprise, improving efficiency and reducing support, licensing and maintenance costs
Risk Drivers:
• Incompatibilities between technology platforms and applications
• Deviations from the approved technological direction
• Licensing violations
• Increased support, replacement and maintenance costs
• Inability to access historical data on unsupported technology
Test the Control Design:
• Verify that the corporate technology standards are being approved by the IT architecture board. Assess the effectiveness of the process for communication of technical standards to IT staff members (e.g., project managers, information architects). Interview relevant IT personnel to determine their understanding of technical standards.
• Ascertain from IT management that monitoring and benchmarking processes are put in place to confirm compliance with established technology standards and guidelines.
• Evaluate technical feasibility analysis documentation for selected projects to assess compliance with corporate technology standards.

PO3.5 IT Architecture Board
Control Objective: Establish an IT architecture board to provide architecture guidelines and advice on their application, and to verify compliance. This entity should direct IT architecture design, ensuring that it enables the business strategy and considers regulatory compliance and continuity requirements. This is related/linked to PO2 Define the information architecture.
Value Drivers:
• Increased accountability and responsibility for architectural decisions
• Increased alignment between business strategy and technical IT direction
• Consistent understanding of technology architecture throughout the enterprise
Risk Drivers:
• Incompatibilities between technology platforms and applications
• Deviations from the approved technological direction
• Uncontrolled acquisition, use and possible proliferation of information systems assets
Test the Control Design:
• Review the guidelines, plans, processes and meeting minutes of the architecture board. Verify whether they provide architecture guidelines and related advice in line with the business strategy and established information architecture.
• Verify whether the architecture board has considered regulatory compliance and business continuity in its decisions.
• Verify that mechanisms are in place that ensure detection of non-compliance with the standards and guidelines of the architecture board within the project management process.
• Assess the role of the architecture board in following through on required corrections arising from non-compliance with standards in the project management process.
Take the following steps to test the outcome of the control objectives:
• Review the result of the SWOT analysis to verify that business systems architecture, technological direction, migration strategies and contingency aspects are included in the technological direction and infrastructure plans.
• Review appropriate documents to confirm whether market evolutions, legal and regulatory conditions, and emerging technologies (e.g., technological developments, competitor activities, infrastructure issues, legal requirements and regulatory environment changes, third-party experts) are being monitored (e.g., review the output and results of the monitoring activity and verify the action taken based on the analysis).
• Review the IT strategy and IT technological infrastructure plan to ensure that they are aligned with the latest developments in IT that have the potential to impact the success of the business.
• Confirm with the chief architect that ongoing assessments of current status vs. planned infrastructure are taking place. Review the corrective actions identified and executed, and compare these against the approved technology infrastructure plans.
• Inspect the technology infrastructure plan to confirm that changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications are identified.
• Enquire whether the technology research budget is used in an effective and efficient manner (e.g., number of improvements based on research, improvement in services).
• Inspect technology guidelines to determine that they appropriately support the technological solutions, accurately represent the organisation's technological direction and provide sufficient direction for a wide range of problems.
• Enquire whether and confirm that an IT architecture board has been established and roles, responsibility and accountability have been formally defined.
• Confirm with members of the IT architecture board that meetings are held frequently (e.g., on a periodic or event basis).
• Determine that all agreed-upon actions from IT architecture board meetings are appropriately recorded, tracked and implemented.
Take the following steps to document the impact of the control weaknesses:
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that the organisation may not select appropriate technologies that achieve business goals or create new business opportunities (e.g., market leadership).
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that the technology plans may not consider changes in the competitive environment.
• Assess the impact of economies of scale for information systems staffing and investments that are not achieved.
• Assess the opportunity cost of not realising opportunities to integrate platforms and applications.
• Assess the opportunity cost that potential business opportunities may not be realised.
• Assess the opportunity cost that technology trends may not be taken into account in the development of the IT technology infrastructure plan.
• Assess the risk of non-compliance with legal and regulatory requirements.
APPENDIX II
PO4 Define the IT Processes, Organisation and Relationships
An IT organisation is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organisation is embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritisation of IT resources in line with business needs. Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.

PO4.1 IT Process Framework
Control Objective: Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It should provide integration amongst the processes that are specific to IT, enterprise portfolio management, business processes and business change processes. The IT process framework should be integrated into a quality management system (QMS) and the internal control framework.
Value Drivers:
• Consistent approach for the definition of IT processes
• Organisation of key activities into logical, interdependent processes
• Clear definition of ownership of and responsibility for processes and key activities
• Reliable and repeatable execution of key activities
• Flexible and responsive IT processes
Risk Drivers:
• Framework not being accepted by the business and IT processes not being related to business requirements
• Incomplete framework of IT processes
• Conflicts and unclear interdependencies amongst processes
• Overlaps between activities
• Inflexible IT organisation
• Gaps between processes
• Duplication of processes
Test the Control Design:
• Enquire whether and confirm that:
– The IT processes required to realise the IT strategic plan have been identified and communicated
– A framework to enable the definition and follow-up of process goals, measures, controls and maturity has been defined and implemented
– Relationships and touchpoints (e.g., inputs/outputs, and amongst the IT processes, enterprise portfolio management and business processes) have been defined
PO4 Define the IT Processes, Organisation and Relationships (cont.)

PO4.2 IT Strategy Committee
Control Objective: Establish an IT strategy committee at the board level. This committee should ensure that IT governance, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.
Value Drivers:
• Support of the board
• Board insight into IT value and risks
• Faster decisions on important investments
• Clear responsibility and accountability for strategic decisions
• IT governance integrated into corporate governance
• Well-governed IT function
Risk Drivers:
• Lack of representation of IT on the board agenda
• IT-related risks and value unknown at the board level
• Decisions on investments and priorities not based on joint (business and IT) priorities
• IT governance separate from corporate governance
• IT not compliant with governance requirements, potentially impacting management's and the board's public accountability
Test the Control Design:
• Enquire whether and confirm that the:
– Charter, scope, objectives, membership, roles, responsibilities, etc., of the IT strategy committee have been defined in a manner that will ensure compliance with strategic directions of the enterprise
– IT strategy committee is composed of board and non-board members with appropriate expertise on the organisation's dependency on IT and opportunities provided by IT
• Review agendas, papers and minutes of the IT strategy committee to:
– Ensure that the committee meets on a regular basis to address strategic issues, including major investment decisions, raised by the board of directors or the organisation
– Assess that the committee is giving appropriate guidance to the board of directors on IT governance and IT strategic issues
APPENDIX II
PO4 Define the IT Processes, Organisation and Relationships (cont.)

PO4.3 IT Steering Committee
Control Objective: Establish an IT steering committee (or equivalent) composed of executive, business and IT management to:
• Determine prioritisation of IT-enabled investment programmes in line with the enterprise's business strategy and priorities
• Track status of projects and resolve resource conflict
• Monitor service levels and service improvements
Value Drivers:
• IT strategy in line with the organisation's strategy
• IT-enabled investment programmes in line with the organisation's strategy
• Business and IT involvement in the prioritisation process
• Business and IT involvement in conflict resolution
• Business and IT involvement in monitoring performance
Risk Drivers:
• IT strategy not in line with the organisation's strategy
• IT-enabled investment programmes not in support of the organisational goals and objectives
• Insufficient support and involvement of IT and senior organisational management in key decision-making processes
Test the Control Design:
• Enquire whether and confirm that the charter, scope, objectives, memberships, roles, responsibilities, etc., of the IT steering committee result in appropriate implementation of the IT strategic directions of the enterprise.
• Inspect documents such as meeting minutes and the IT steering committee charter to identify the participants involved in the committee, their respective job functions and the reporting relationship of the committee to executive management (e.g., determine prioritisation of IT-enabled investment programmes, track status of projects, and monitor service levels and service improvements).
• Enquire and confirm with business management to ensure that the business takes an active role in the work of the IT steering committee and management is appropriately consulted.
PO4 Define the IT Processes, Organisation and Relationships (cont.)

PO4.4 Organisational Placement of the IT Function
Control Objective: Place the IT function in the overall organisational structure with a business model contingent on the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the chief information officer (CIO) should be commensurate with the importance of IT within the enterprise.
Value Drivers:
• IT resources aligned to the strategic priorities
• Effective management of IT supporting the business objectives
• Senior management commitment in IT decision making at the appropriate level
• Business/IT alignment at the organisational level
Risk Drivers:
• Insufficient commitment from senior organisational management
• IT resources not effectively supporting the business
• IT not given sufficient strategic importance
• IT regarded as separate from the business and vice versa
• Lack of business direction and communication of business initiatives
Test the Control Design:
• Enquire whether and confirm that the IT function is:
– Headed by a CIO or similar function, of which the authority, responsibility, accountability and reporting line are commensurate with the importance of IT within the enterprise
– Defined and funded in such a way that individual user groups/departments cannot exert undue influence over the IT function and undermine the priorities agreed upon by the IT strategy committee and IT steering committee
– Appropriately resourced (e.g., staffing, contingent workers, budget) to enable the implementation and management of appropriate IT solutions and services to support the business and to enable relationships with the business

PO4.5 IT Organisational Structure
Control Objective: Establish an internal and external IT organisational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organisational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.
Value Drivers:
• Effective and efficient support for the business
• Staffing requirements and sourcing strategies that support strategic business goals
• Flexible and responsive IT organisational structure
• Business/IT alignment at the organisational level
Risk Drivers:
• Insufficient business support
• Insufficient staffing requirements
• Inappropriate sourcing strategies
• Inflexibility of IT to changes in business needs
Test the Control Design:
• Enquire whether and confirm that:
– Periodic reviews are performed over the impact of organisational changes as they affect the overall organisation and the structure of the IT function itself
– The IT organisation has flexible resource arrangements, such as the use of external contractors and flexible third-party service arrangements, to support changing business needs
APPENDIX II
PO4 Define the IT Processes, Organisation and Relationships (cont.)

PO4.6 Establishment of Roles and Responsibilities
Control Objective: Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs.
Value Drivers:
• Effective individual performance
• Activities allocated to specific positions
• Efficient recruitment of appropriately skilled and experienced IT staff
• Effective staff performance
Risk Drivers:
• Non-compliance with regulations
• Compromised information
• Recruitment of staff not working as intended
• Fraudulent system usage
• Non-responsive IT organisation
Test the Control Design:
• Enquire whether and confirm that:
– Each IT task has been formalised by reviewing documentation and determining whether IT task descriptions are appropriate and updated as required
– A role has been assigned to IT personnel with corresponding IT tasks. Assess whether personnel understand the role and tasks that have been assigned, and that the tasks are being performed.
– Accountabilities and responsibilities have been assigned to roles. Verify by inspection of job descriptions, charters, etc., that each role has the necessary accountabilities and responsibilities to execute the role.
– IT personnel have been informed of their roles. Assess whether changes are communicated to IT personnel and whether the changes are being implemented.
– Managers periodically confirm the accuracy of the role descriptions. Review role descriptions to determine whether they accurately reflect the roles of team members.
– Role descriptions outline key goals and objectives and include SMARRT measures
– SMARRT measures are used in staff performance evaluations
– All role descriptions in the organisation include responsibilities regarding information systems, internal control and security
– Management trains staff members regularly on their roles. Interview staff members to determine whether a knowledge of the role has been communicated and understood.
• To determine whether employees are provided with enterprisewide and departmental policies and procedures, review the:
– Annual policy acknowledgement
– HR records indicating whether employees were provided with policy documentation during new hire orientation
– Employee training records
PO4 Define the IT Processes, Organisation and Relationships (cont.)

PO4.7 Responsibility for IT Quality Assurance
Control Objective: Assign responsibility for the performance of the quality assurance (QA) function and provide the QA group with appropriate QA systems, controls and communications expertise. Ensure that the organisational placement and the responsibilities and size of the QA group satisfy the requirements of the organisation.
Value Drivers:
• Quality assurance as an integral part of IT's responsibilities
• Processes in line with the organisation's quality expectations
• Proactive identification of improvements to IT functionality and business processes
• Proactive identification of quality issues and business risks
Risk Drivers:
• Reputational damage
• Undetected quality-related risks that impact the overall business
• Increased costs and time delays due to poor quality control
• Quality assurance not applied consistently or effectively
• Inconsistencies in quality across the organisation
• Reduced business performance
Test the Control Design:
• Enquire whether and confirm that the QA function includes:
– A reporting line such that it can operate with adequate independence and report its findings objectively
– Monitoring processes to ensure compliance with the organisation's QA-related policies, standards and procedures (e.g., compliance with the organisation's development methodology)
– Acting as a centre of expertise for the development of QA-related policies (e.g., QA requirements in a systems development life cycle), standards and procedures
– A process adopted and aligned with QA best practices and standards
– Staff levels and skills commensurate with the size of the organisation and the QA function's responsibilities. Assess the skills to verify that they include quality assurance, IT, controls, processes and communication.
– Active support from senior management sponsors
– A defined and documented process for identifying, escalating and resolving issues identified to the QA process
– A process to report periodically on its findings and recommendations
APPENDIX II
PO4 Define the IT Processes, Organisation and Relationships (cont.)

PO4.8 Responsibility for Risk, Security and Compliance
Control Objective: Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the enterprise level to deal with organisationwide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
Value Drivers:
• Improved protection and integrity of information assets
• Risk, security and compliance responsibilities embedded at senior management level
• Senior management support in risk, security and compliance issues
• Security mechanisms as effective and efficient countermeasures for the organisation's threats
• Proactive identification and resolution of risk, security and compliance issues
Risk Drivers:
• Improper protection of information assets
• Loss of confidential information
• Financial losses
• Lack of management commitment for organisationwide security
• Non-compliance risk
• Unclear understanding of the organisation's IT risk appetite
Test the Control Design:
• Enquire whether and confirm that:
– Senior management has established an organisationwide, adequately staffed risk management and information security function with overall accountability for risk management and information security. Verify by interviewing key personnel that the reporting line of the risk management and information security function is such that it can effectively design, implement and, in conjunction with line management, enforce compliance with the organisation's risk management and information security policies, standards and procedures.
– Roles and responsibilities for the risk management and information security function have been formalised and documented
– Responsibilities have been allocated to appropriately skilled and experienced staff members and, in the case of information security, under the direction of an information security officer
– The resource requirements in relation to risk management and information security have been regularly assessed by management to ensure that appropriate resources are provided to meet the needs of the business
– A process is in place to obtain senior management guidance concerning the risk profile and acceptance of significant residual risks. Verify that it functions properly by examining recent situations.
PO4.9 Data and System Ownership

Control Objective
Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.

Value Drivers
• Users controlling their data and systems
• Defined accountability for the maintenance of data and system security measures
• Effective and timely information management processes
• Reduced financial losses caused by theft of assets

Risk Drivers
• Improperly secured business data
• Improper protection of information assets
• Requirements for protecting business data not in line with the business requirements
• Inadequate security measures for data and systems
• Business process owners not taking responsibility for data

Test the Control Design
• Enquire whether and confirm that a policy for data classification and system ownership has been developed and communicated.
• Validate that the policy has been applied to major application systems and enterprise architecture and internal and external data communication.
• Verify that the policy for data classification and system ownership supports the protection of information assets, enables efficient delivery and use of business applications, and facilitates effective security decision making.
• Observe the process to register and maintain system ownership and data classification, and assess whether the process is being consistently applied.

PO4.10 Supervision

Control Objective
Implement adequate supervisory practices in the IT function to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review key performance indicators.

Value Drivers
• Effective and efficient execution of IT’s roles and responsibilities
• Appropriate controls over IT functions
• Prompt identification of resourcing issues
• Prompt identification of performance issues

Risk Drivers
• Organisation’s goals and objectives not met
• Resourcing and performance issues not identified and resolved
• Malfunction of IT and business processes
• Inadequate monitoring of controls and objectives
• Key roles and responsibilities not exercised

Test the Control Design
• Confirm through interviews that supervisory practices have been established, including guidance and training for performance reviews.
• Review records to assess the frequency and extent of supervisory reviews and staff appraisals.
• Assess whether reviews have a sound set of performance expectations and performance criteria.
• Enquire whether and confirm that findings from supervisory reviews and staff appraisals are properly escalated, communicated and followed up.
PO4.11 Segregation of Duties

Control Objective
Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions.

Value Drivers
• Effective and efficient functioning of business-critical systems and processes
• Proper protection of information assets
• Reduced risk of financial loss and reputational damage

Risk Drivers
• Inappropriate subversion of critical processes
• Financial loss and reputational damage
• Malicious or unintentional damages
• Non-compliance with external requirements for segregation of materially significant systems and business processes

Test the Control Design
• Enquire whether and confirm that standards have been established to enforce and ensure appropriate segregation of duties and that these standards are reviewed and changed as needed.
• Assess whether standards have been implemented in assigning roles and responsibilities.
• Enquire whether and confirm that a process exists to identify critical positions and processes that must be subject to segregation of duties.

PO4.12 IT Staffing

Control Objective
Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives.

Value Drivers
• Ability of IT staff to support business needs
• Cost control
• Appropriate size of the IT department
• Appropriate skills in the IT department

Risk Drivers
• IT staff resources unable to meet business needs
• Excessive IT internal and/or external staffing costs
• Under- or overresourced IT department
• Lack of appropriate skills in the IT department

Test the Control Design
• Enquire whether and confirm that available and required IT skills and competencies are regularly reviewed and their impact on IT staffing is analysed, escalated and acted upon, as needed.
• Review major business and operational changes, and assess whether their impact on skills, competencies and staffing requirements are assessed and followed up.
• Assess the sourcing strategies and verify that they support the skill and competency requirements.
PO4.13 Key IT Personnel

Control Objective
Define and identify key IT personnel (e.g., replacements/backup personnel), and minimise reliance on a single individual performing a critical job function.

Value Drivers
• Properly trained key IT personnel
• Reduced dependency on individual key IT personnel
• Knowledge sharing
• Continuity of IT services
• Critical IT roles reliably supported
• Succession planning

Risk Drivers
• Insufficient skills of key IT personnel
• Reliance on single knowledge experts
• Inadequate knowledge sharing or succession planning
• Critical tasks and roles not performed

Test the Control Design
• Enquire whether and confirm that management has formal procedures for considering the staffing coverage for key processes when approving or being notified of absences.
• Assess whether management reviews its dependency on key staff members and has considered contingency actions such as alternative sourcing, documenting key knowledge, training of other staff members, and transferring responsibilities from key staff members to others.

PO4.14 Contracted Staff Policies and Procedures

Control Objective
Ensure that consultants and contract personnel who support the IT function know and comply with the organisation’s policies for the protection of the organisation’s information assets such that they meet agreed-upon contractual requirements.

Value Drivers
• Contracted staff supporting the needs of the business
• Knowledge sharing and retention within the organisation
• Protection of the information assets
• Control over the contracted personnel’s activities

Risk Drivers
• Increased dependence on key (contracted) individuals
• Gaps between expectations and the capability of contracted personnel
• Work performed not aligned with business requirements
• No knowledge capture or skills transfer from contracted personnel
• Inefficient and ineffective use of contracted staff
• Failure of contracted staff to adhere to organisational policies for the protection of information assets
• Litigation costs from disagreements over expectations for responsibility and accountability

Test the Control Design
• Inspect the policies and procedures describing when, how and what type of work can be outsourced, and determine whether they are being implemented.
• Inspect the policies and procedures for information security responsibilities of contractors, and assess through enquiry whether they are being followed (e.g., background checks are conducted, physical and logical access control requirements are followed, personal identification is secure, and contractors are advised that management reserves the right to monitor and inspect all usage of IT resources, including e-mail, voice communications, and all programs and data files).
• Review the policies and procedures for selecting a contractor, and assess whether they are being implemented.
PO4.15 Relationships

Control Objective
Establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.

Value Drivers
• Efficient identification and resolution of issues
• Alignment of goals and approaches with business objectives and methodologies
• Positive involvement of stakeholders
• Clearly defined ownership and accountability for relationship management

Risk Drivers
• Extended gaps between the identification and resolution of issues
• Inadequate identification of improvements
• Gaps between business objectives and IT policies, guidelines and methodologies

Test the Control Design
• Enquire whether and confirm that a process for identifying stakeholders has been defined and that a communications channel and communication plan have been established for each.
• Verify through interviews with key stakeholders their satisfaction with IT’s communications, the effectiveness of IT’s communications and the adequacy with which feedback from stakeholders is being dealt.
Take the following steps to test the outcome of the control objectives:
• Review the IT process framework and determine if it supports the IT strategic plan and integrates with the business process, IT processes and enterprise portfolio management.
• Enquire through interviews whether this framework is being communicated, executed and understood by business and IT.
• Enquire whether and confirm that the IT process framework has been integrated with the quality management system and internal control framework.
• Enquire whether and confirm that the scope, membership, responsibilities, etc., of the IT strategy committee are defined, that the committee is composed of board and non-board members, and that each has appropriate expertise.
• Confirm through interviews, meeting minutes and reports to the board of directors that the IT strategy committee reports to the board on governance and IT strategic issues.
• Enquire whether and confirm that senior IT management understands which processes are used to monitor, measure and report on IT function performance.
• Confirm the existence of an IT steering committee with representation from the executive level, key business operations areas, IT and key business support areas.
• Enquire whether and confirm that formal documentation of the role and authority of the IT steering committee includes key sponsorship at the executive level.
• Inspect documents such as meeting minutes and an IT steering committee charter to identify the participants involved in the committee, their respective job functions and the reporting relationship of the committee to executive management.
• Enquire whether and confirm that IT is headed by a CIO or similar function and the reporting line is commensurate with the importance of IT.
• Confirm through interviews and organisational chart reviews that no individual user groups/departments can exert undue influence over the IT function (e.g., reporting relationship of the IT function and its independence from a single business unit or department, and identifying how projects are funded).
• Confirm through interviews and documentation reviews that the IT function is adequately resourced and funded to support the business function (e.g., review the business case, IT strategy and IT tactical plan for resource requirements).
• Enquire whether and confirm that periodic reviews of the IT organisational structure occur, with the aim of ensuring that they reflect business needs.
• Confirm with the head of IT administration that access to external resources is available as needed.
• Confirm through interviews with IT personnel that a role has been assigned to each with corresponding IT tasks (e.g., assess whether personnel understand the role and tasks that have been assigned and the tasks are being performed).
• Enquire whether and confirm that responsibilities have been assigned to roles (e.g., verify that each role has the necessary responsibilities to execute the role).
• Enquire whether and confirm that role descriptions have been created, and delineate authority and responsibilities.
• Enquire whether and confirm that a QA function exists.
• Determine the role of the QA functions (e.g., monitoring processes to ensure compliance with the organisation’s QA-related policies, standards and procedures; and acting as a centre of expertise for the development of QA-related policies, standards and procedures).
• Enquire whether and confirm that the QA function is adequately staffed with the appropriate skills.
• Enquire whether and confirm that members of senior management have established risk management and information security functions that are accountable for the respective areas.
• Enquire whether and confirm that the reporting line of the risk management and security function allows it to effectively design, implement and, in conjunction with line management, enforce compliance with the organisation’s policies and procedures.
• Enquire whether and confirm that a process is in place to obtain senior management guidance on the acceptable level of risk associated with IT.
• Enquire whether and confirm that roles and responsibilities for the risk management and information security function have been formalised and documented and that responsibilities have been appropriately allocated. Review the documentation and determine whether roles and responsibilities are being fulfilled as outlined.
• Enquire whether and confirm that resource requirements are assessed regularly and are provided as needed. Assess whether the staffing levels are appropriate based on the results of the resource requirement assessments.
• Confirm through interview and documentation reviews that an inventory of information assets has been created, tracked and maintained.
• Confirm through interviews that supervisors have the required skill set to perform supervisory functions (e.g., tracking of critical tasks, key performance indicators, staff performance appraisals and risk assessment).
• Review the escalation procedure and verify that it has been implemented and is being applied consistently (e.g., issues are recorded, tracked and analysed periodically).
• Enquire whether and confirm during periodic employee reviews that supervisory skills are assessed and required actions are taken to ensure competency.
• Enquire whether and confirm that there is a process to identify conflicting functions.
• Enquire whether and confirm that conflicting functions have been remediated.
• Enquire whether and confirm that procedures address how appropriate segregation is maintained during periods when typical personnel are unavailable.
• Enquire whether segregation of duties is reviewed when job roles and responsibilities are created or updated and whether responsibilities are reassigned where necessary. Determine whether the changes are implemented (e.g., job descriptions clearly delineate authority and responsibility).
• Enquire whether and confirm that compensating controls have been designed and implemented as necessary (e.g., confirm with senior IT management or supervisors on the effectiveness of the compensating controls).
• Enquire whether and confirm that management periodically reviews staffing requirements in consideration of business/IT environment and strategy, and identifies skills and resource gaps.
• Enquire whether and confirm that management is evaluating sourcing strategies (e.g., business/IT staff co-location, cross-functional training and job rotation) in conjunction with reviewing staffing requirements.
• Enquire whether and confirm that management periodically identifies key processes, skills required to support the processes and key areas that lack job redundancy (e.g., determine the availability of individuals with relevant skills, experience and knowledge to fulfil the critical roles, and inspect documentation that lists the key processes and the designated individuals who support them).
• Enquire whether and confirm that management has considered outsourcing or other support arrangements to provide job redundancy for key processes (e.g., inspect available contracts with third parties to identify the existence of outsourcing provisions).
• Confirm the existence and maintenance of key contact lists and their availability to the appropriate personnel in a timely manner. Confirm that backup personnel are cross-trained.
• Enquire whether and confirm that the policies, procedures, rules and responsibilities are being communicated to the contractor and that the contractor understands that management reserves the right to monitor and inspect all usage of IT resources.
• Enquire whether and confirm that an appropriate individual has responsibility for reviewing the contractor’s work and approval of payments.
• Enquire whether and confirm that IT management has defined the key stakeholders and relationships and that roles and responsibilities are communicated with stakeholders (e.g., users, suppliers, security officers, risk managers, regulators).
• Confirm with management that appropriately skilled IT personnel are assigned to manage the relationship (e.g., inspect documents that list the IT contact for each key stakeholder).
• Enquire whether and confirm that feedback is obtained from the key stakeholders (e.g., issues, action items, reports), and assess whether the feedback is being properly used to drive continuous improvement.

Take the following steps to document the impact of the control weaknesses:
• Assess the risk (e.g., threats, potential vulnerabilities, security, internal controls) that a road map to achieve the strategic goals will not be established.
• Assess the risk and additional cost due to IT not being organised optimally to achieve strategic goals.
• Assess the risk (e.g., threats, potential vulnerabilities, security, internal controls) that an IT strategic plan may not be effectively executed.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) of overreliance on key IT personnel.
• Assess the additional cost of staffing requirements and sourcing strategies not being adjusted to meet expected business objectives and changing circumstances.
• Assess the additional cost of personnel performing unauthorised duties relevant to their respective jobs and positions.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that uncontrolled activities of external personnel may compromise the organisation’s information assets.
PO5 Manage the IT Investment

A framework is established and maintained to manage IT-enabled investment programmes and that encompasses cost, benefits, prioritisation within budget, a formal budgeting process and management against the budget. Stakeholders are consulted to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and initiate corrective action where needed. The process fosters partnership between IT and business stakeholders; enables the effective and efficient use of IT resources; and provides transparency and accountability into the total cost of ownership, the realisation of business benefits and the ROI of IT-enabled investments.

PO5.1 Financial Management Framework

Control Objective
Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.

Value Drivers
• Insight into the value of IT’s contribution to the business, by using standardised investment criteria
• IT priorities based on IT value contribution
• Clear and agreed-upon budgets
• Improved ability to assign priorities based on business cases

Risk Drivers
• Unclear priorities for IT projects
• Inefficient process for financial management
• IT budget not reflecting business needs
• Weak control over IT budgets
• Failure of senior management to approve the IT budgets
• Lack of senior management support

Test the Control Design
• Verify that a financial management framework exists, including processes and responsibilities, as a basis for cost, benefit and budget management. Enquire whether and confirm that inputs and outputs of the financial framework have been defined and that management makes regular improvements to the framework based on available financial information.
• Verify that a portfolio of investment programmes, services and assets has been created and maintained. Perform a high-level review of the portfolio to check for completeness and alignment with the strategic and tactical IT plans.
• Enquire whether and confirm that a process exists to communicate relevant cost and benefit aspects of the portfolio to the appropriate budget prioritisation (business cases), cost management and benefit management processes.
• Confirm that the communicated cost and benefit inputs are comparable and consistent.
• Verify that the created IT budget includes projects, assets and services.
PO5.2 Prioritisation Within IT Budget

Control Objective
Implement a decision-making process to prioritise the allocation of IT resources for operations, projects and maintenance to maximise IT’s contribution to optimising the return on the enterprise’s portfolio of IT-enabled investment programmes and other IT services and assets.

Value Drivers
• Priorities that reflect IT goals and requirements of the business and are transparent to all stakeholders
• Focused use of resources
• Appropriate decision making, balancing cost, continuous improvement, quality and readiness for the future

Risk Drivers
• Inefficient resource management
• Inability to optimise goals and objectives
• Confusion, demotivation and loss of agility due to unclear priorities
• IT budget not in line with the IT strategy and investment decisions

Test the Control Design
• Enquire whether and confirm that a process and decision-making committee for the prioritisation of IT initiatives and resources has been created. Verify that the committee’s responsibilities have been defined in relation to other committees.
• Enquire whether and confirm that all IT initiatives are prioritised within portfolios based on business cases and strategic and tactical plans.
• Review the allocated budgets and cut-offs for consistency and accuracy.
• Verify through inspection of meeting minutes whether the prioritisation decisions have been communicated, and enquire through interviews whether the decisions are reviewed by the budget stakeholder.
• Enquire whether and confirm that a process exists to identify, communicate and resolve significant budget decisions that impact the business case, portfolio or strategic plans.
• Verify that the IT strategy committee and executive committee have ratified changes to the overall IT budget for items that negatively impact the entity’s strategic or tactical plans and have suggested actions to resolve these impacts.
PO5.3 IT Budgeting

Control Objective
Establish and implement practices to prepare a budget reflecting the priorities established by the enterprise’s portfolio of IT-enabled investment programmes, and including the ongoing costs of operating and maintaining the current infrastructure. The practices should support development of an overall IT budget as well as development of budgets for individual programmes, with specific emphasis on the IT components of those programmes. The practices should allow for ongoing review, refinement and approval of the overall budget and the budgets for individual programmes.

Value Drivers
• An effective decision-making process for budget forecasting and allocation
• Formally defined spectrum of funding options for IT operations
• Identified and classified IT costs
• Clear accountability for spending

Risk Drivers
• Resource conflicts
• Inappropriate allocation of financial resources of IT operations
• Financial resources not aligned with the organisation’s goals
• Lack of empowerment, leading to loss of agility
• Lack of senior management support for the IT budget

Test the Control Design
• Enquire whether and confirm that a methodology has been implemented to establish, change, approve and communicate a formal IT budget.
• Review the IT budget to verify whether relevant elements (e.g., authorised sources of funding, internal resource costs, third-party costs, capital and operational expenses) are taken into account when creating the budget.
• Enquire whether and confirm that budget contingencies have been identified and a rationale for these contingencies has been approved.
• Verify that the effectiveness of the budgeting process is monitored (cost allocation, service cost allocation and budget variance analysis), and review reports to verify that lessons learned are recorded to make future budgeting more accurate and reliable.
• Enquire whether and confirm that the people involved in the budgeting process (e.g., process, service and programme owners, asset managers) are properly instructed.
• Enquire whether and confirm that there is an approved and consistent budget creation process (e.g., review the budget plans, make decisions about budget allocations, and compile and communicate the overall IT budgets, project cost allocation, service cost allocation and budget variance analysis).
PO5.4 Cost Management

Control Objective
Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations on programmes should be assessed. Together with the business sponsor of those programmes, appropriate remedial action should be taken and, if necessary, the programme business case should be updated.

Value Drivers
• Accurate and timely identification of budget variances
• Maximised and cost-efficient utilisation of IT resources
• Consistently priced service delivery
• Transparent IT value contribution
• Business understanding of actual cost and benefit of IT

Risk Drivers
• Misspending of IT investments
• Inappropriate service pricing
• IT value contribution not transparent

Test the Control Design
• Enquire whether and confirm that a framework has been defined to manage IT-related costs and that IT expenditure categories are comprehensive, appropriate and properly classified.
• Confirm that there is appropriate independence between individuals who capture, analyse and report financial information, and the IT budget holders.
• Review established timescales to determine whether they are aligned with budgeting and accounting requirements and, within IT projects, whether they are structured according to the deliverables timetable.
• Enquire whether and confirm that a method has been defined that collects data to identify specified deviations.
• Verify that systems from which data are collected have been identified.
• Determine whether the information provided by the systems is complete, accurate and consistent.
• Determine how cost-related information is consolidated, how it is presented at various levels in the organisation and to stakeholders, and whether it helps enable the timely identification of required corrective actions.
IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE 82
PO5.5 Benefit Management

Control Objective
Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT's contribution to the business, either as a component of IT-enabled investment programmes or as part of regular operational support, should be identified and documented in a business case, agreed to, monitored and reported. Reports should be reviewed and, where there are opportunities to improve IT's contribution, appropriate actions should be defined and taken. Where changes in IT's contribution impact the programme, or where changes to other related projects impact the programme, the programme business case should be updated.

Value Drivers
• Accurate identification of benefit variances during and after implementation
• Accurate information for portfolio decisions, i.e., continue, adjust or retire programmes
• Properly priced service delivery
• Transparency of IT's contribution to the business
• Business understanding of actual cost and benefit of IT

Risk Drivers
• Misspending of IT investments
• Inappropriate service pricing
• IT value contribution not transparent
• Incorrect perception of IT value contribution

Test the Control Design
• Enquire whether and confirm that the cost management process provides sufficient information to identify, quantify and qualify benefits of delivering IT solutions, providing IT services and managing IT assets.
• Enquire whether and confirm that the allocation of benefits across time allows for meaningful analysis of benefits.
• Review the process for developing metrics for measuring benefits (e.g., obtaining guidance from external experts, industry leaders and comparative benchmarking data).
• Enquire whether and confirm that there is a remediation process for identified benefit deviations.
Take the following steps to test the outcome of the control objectives:
• Enquire whether and confirm that a financial management framework, processes and responsibilities have been defined and maintained to enable fair, transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of IT-enabled business programmes.
• Assess whether the financial management framework provides information to enable effective and efficient IT investment and portfolio decisions, enables estimation of IT costs and benefits, and provides input into the maintenance of IT asset and services portfolios. Determine whether the financial management framework and processes provide sufficient financial information to assist in the development of business cases and facilitate the budget process.
• Verify that investments, IT assets and services are being taken into account in preparing IT budgets.
• Enquire whether and confirm that the current IT budget is tracked against actual costs and that variations are analysed.
• Enquire whether and confirm that information provided by the budgeting process is sufficient to track project costs and assist in the allocation of IT resources.
• Enquire whether and confirm that an effective decision-making process is implemented to prioritise all IT initiatives and allocate budgets accordingly.
• Enquire whether and confirm that a methodology has been implemented to establish, maintain and communicate change and approval of a formal IT budget.
• Enquire whether and confirm that process, service and programme owners as well as project and asset managers have been instructed in how to capture budget requirements and plan budgets.
• Confirm that there is a budgeting process and that this process is reviewed/improved on a periodic basis.
• Review the cost management framework and verify that it defines all IT-related costs. Verify that the tools used to monitor costs are effective and used properly (i.e., how costs are allocated across budgets and projects, how costs are captured and analysed, and to whom and how they are reported).
• Enquire whether and confirm that the allocation of the budget across time is aligned with IT projects and support activities to allow for meaningful analysis of budget variances.
• Enquire whether and confirm that IT financial management members have been instructed in how to capture, consolidate and report the cost data.
• Enquire whether and confirm that the appropriate level of management reviews the results of cost analysis and approves corrective actions.
• Enquire whether and confirm that responsibility and accountability for achieving benefits as recorded in the business case have been assigned.
• Enquire whether and confirm that the metrics for monitoring IT's and the business's contribution to the business case are collected, reported and analysed at regular intervals.
• Enquire whether and confirm that the identified budget deviations are approved by business and IT management.

Take the following steps to document the impact of the control weaknesses:
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that:
– Input into business cases may not take into account current IT asset and service portfolios
– New investment and maintenance may not influence the future IT budget
– Cost/benefit aspects of projects may not be communicated to the budget prioritisation, cost management and benefit management processes
– The allocation of IT resources may not be prioritised as a result of IT's contribution to optimising ROI
– Ongoing review, refinement and approval of the overall budget and the budgets for individual programmes may not occur
– Cost deviations may not be identified in a timely manner and the impact of those deviations may not be assessed
– Opportunities to improve IT's contribution to business solutions may not be considered
– Not all benefits may be identified in a cost-benefits analysis, resulting in poor prioritisation of projects, and projects that could have been considered may be rejected
PO6 Communicate Management Aims and Direction

Management develops an enterprise IT control framework and defines and communicates policies. An ongoing communication programme is implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management. The communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives and direction. The process ensures compliance with relevant laws and regulations.
PO6.1 IT Policy and Control Environment

Control Objective
Define the elements of a control environment for IT, aligned with the enterprise's management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accountability and responsibility. The control environment should be based on a culture that supports value delivery whilst managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.

Value Drivers
• Comprehensive IT control environment
• Comprehensive set of IT policies
• Increased awareness of the organisation's mission
• Proper use of applications and IT services

Risk Drivers
• Miscommunications about organisational mission
• Management's philosophy misinterpreted
• Actions not aligned with the organisation's business objectives
• No transparent IT control environment
• Compliance and security issues

Test the Control Design
• Enquire whether and confirm the existence of formal 'tone at the top' communication (e.g., CIO newsletter or intranet page, periodic e-mails, IT vision or guiding principles) designed to define and manage the IT risk and control environment and ensure that it aligns with the organisation's general risk and control environment.
• Determine whether accountability and responsibility have been assigned to individuals for establishing and reinforcing the communications of the control culture.
• Confirm the existence of policies and practices to support the control environment (e.g., acceptable use policies, background checks).
• Inspect for evidence of periodic awareness training on these policies and practices.
• Determine if a process exists to periodically (at least annually) reassess the adequacy of the control environment and risk appetite to ensure that it is aligned with the organisation's changing environment.
• Enquire whether and confirm that HR policies (e.g., background checks on job applicants, awareness training for new hires, signed code of conduct documentation, appropriate consequences for unethical behaviour) support the IT control environment.
PO6.2 Enterprise IT Risk and Control Framework

Control Objective
Develop and maintain a framework that defines the enterprise's overall approach to IT risk and control and that aligns with the IT policy and control environment and the enterprise risk and control framework.

Value Drivers
• Comprehensive IT control and risk framework
• IT risk and control awareness and understanding
• Reduction of negative business impact when planned and unplanned issues occur

Risk Drivers
• Sensitive corporate information disclosed
• Irregularities not identified
• Financial losses
• Compliance and security issues

Test the Control Design
• Enquire whether and confirm that a formal IT risk and control framework exists based on acknowledged industry standards/leading practices (e.g., COSO, COSO-ERM, COBIT).
• Assess whether the IT risk and control framework is aligned with the organisation's enterprise risk and control framework and considers the enterprise risk tolerance level.
• Enquire whether and confirm that the IT risk and control framework specifies its scope and purpose and outlines management's expectations of what needs to be controlled.
• Enquire whether and confirm that the structure of the IT risk and control framework is well defined and responsibilities have been clearly stated and assigned to appropriate individuals.
• Enquire whether and confirm that a process is in place to periodically review (preferably annually) the IT risk and control framework to maintain its adequacy and relevancy.

PO6.3 IT Policies Management

Control Objective
Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly.

Value Drivers
• Appropriate policies and procedures for the organisation
• Quality within the organisation
• Proper use of applications and IT services
• Transparency and understanding of IT costs, benefits, strategy and security levels

Risk Drivers
• Greater number and impact of security breaches
• Unaccepted or unknown policies
• Misunderstanding of management's aims and directions
• Out-of-date or incomplete policies
• Poor organisational security culture
• Lack of transparency

Test the Control Design
• Enquire whether and confirm that a hierarchical set of policies, standards and procedures have been created and align with the IT strategy and control environment.
• Enquire whether and confirm that specific policies exist on relevant key topics, such as quality, security, confidentiality, internal controls, ethics and intellectual property rights.
• Enquire whether and confirm that a policy update process has been defined that requires, at minimum, annual reviews.
• Enquire whether and confirm that procedures are in place to track compliance and define consequences of non-compliance.
• Enquire whether and confirm that accountability has been defined and documented for formulating, developing, documenting, ratifying, disseminating and controlling policies to ensure that all elements of the policy management process have been assigned to accountable individuals.
PO6.4 Policy, Standard and Procedures Rollout

Control Objective
Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.

Value Drivers
• Appropriate protection of the organisation's assets
• Decisions aligned with the organisation's business objectives
• Efficient management of the organisation's assets
• Proper use of IT resources and IT services

Risk Drivers
• Organisation's policies, standards and procedures unknown or not accepted
• Lack of communication of management's aims and directions
• Control culture not aligned with management's aims
• Policies misunderstood or not accepted
• Business risk of policies and procedures not followed

Test the Control Design
• Enquire whether and confirm that a process is in place to translate IT policies and standards into operational procedures.
• Enquire whether and confirm that employment contracts and incentive mechanisms are aligned with policies.
• Enquire whether and confirm that a process is in place to require users to explicitly acknowledge that they received, understand and accept relevant IT policies, standards and procedures. The acknowledgement should be periodically refreshed (e.g., biannually).
• Enquire whether sufficient and skilled resources are available to support policy rollout.

PO6.5 Communication of IT Objectives and Direction

Control Objective
Communicate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise.

Value Drivers
• Clearly communicated management philosophy
• Increased awareness of the organisation's mission
• Awareness and understanding of risks, security, objectives, etc., within the organisation
• Decisions aligned with the organisation's business objectives

Risk Drivers
• IT objectives not achieved
• Poor acceptance or understanding of the organisational policy
• Business threats not identified in a timely manner
• Lack of understanding of management's aims and directions
• Lack of confidence and trust in IT's mission
• Breakdown in control and security culture

Test the Control Design
• Enquire whether and confirm that there are management processes to regularly communicate IT objectives and direction.
• Verify with a representative sample of staff members at different levels that IT objectives have been clearly communicated and understood.
• Review past communications and verify that they cover the mission, service objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, etc.
Take the following steps to test the outcome of the control objectives:
• Assess the frequency, format and content of the communication of the 'tone at the top' messages to determine if it will effectively define and reinforce the control culture, risk appetite, ethical values, code of conduct and requirements of management integrity.
• Inspect for evidence of periodic awareness training on policies and practices that are relevant to support the control environment (e.g., annual code of conduct or ethics training, periodic acknowledgement of acceptable use policies). Assess employees' understanding of IT management's philosophy and risk appetite to determine the extent to which it is aligned with management. Assess through inquiry and observation whether there is a general understanding of key risks and regulatory requirements that affect the IT control environment, or a general understanding of the importance of adhering to IT policies and procedures.
• Determine whether there is an IT risk and control framework that defines the enterprise's overall approach to IT risk and control and that aligns the IT policy and control environment to the enterprise risk and control framework.
• Determine whether the responsibilities associated with implementing and maintaining the IT risk and control framework are being adequately carried out by qualified individuals. Inspect defined risks and controls to determine their adequacy in controlling the confidentiality, integrity and availability of information systems and networks.
• Review IT policies to determine the frequency of updates and whether a re-evaluation has occurred at least annually. Make necessary adjustments and amendments, and determine whether updated IT policies are appropriately communicated across the enterprise.
• Confirm through interviews that resources have been allocated to those who perform appropriate roles and responsibilities for formulating, developing, documenting, ratifying, disseminating and controlling IT policies.
• Verify that sufficient and skilled resources have been allocated to support the rollout process, including monitoring and enforcing compliance. Examine and verify through interviews that operational procedures that support the IT policies and standards have been communicated, understood and accepted by appropriate staff.
• Inspect documentation of acknowledgement and acceptance of IT policies for a sample of employees to determine that it is being consistently administered and periodically refreshed.
• Inspect evidence to ensure that communication takes place to articulate IT objectives and direction and that management support is visible.
• Enquire whether and confirm that the communication process has the necessary resources and skills for effective communication.

Take the following steps to document the impact of the control weaknesses:
• Determine whether lack of appropriate IT policy management has resulted in lack of adequate control over IT resources and lack of achievement of business objectives.
• Determine whether lack of adequate communication, monitoring and enforcement of IT policies and standards has resulted in a lack of compliance with those standards and the associated non-achievement of business goals.
• Determine whether lack of awareness of IT objectives and direction has resulted in the lack of achievement of business goals.
PO7 Manage IT Human Resources

A competent workforce is acquired and maintained for the creation and delivery of IT services to the business. This is achieved by following defined and agreed-upon practices supporting recruiting, training, evaluating performance, promoting and terminating. This process is critical, as people are important assets, and governance and the internal control environment are heavily dependent on the motivation and competence of personnel.
PO7.1 Personnel Recruitment and Retention

Control Objective
Maintain IT personnel recruitment processes in line with the overall organisation's personnel policies and procedures (e.g., hiring, positive work environment, orienting). Implement processes to ensure that the organisation has an appropriately deployed IT workforce with the skills necessary to achieve organisational goals.

Value Drivers
• IT skills optimised and aligned with organisational goals
• Improved recruitment and retention of the right IT skills to support future business requirements

Risk Drivers
• IT services for business-critical processes not supported adequately
• Ineffective IT solutions
• Lack of appropriate IT skills due to IT human resources management not being in line with market conditions

Test the Control Design
• Enquire whether and confirm that an IT HR management plan exists that reflects the definition of skill requirements and preferred professional qualifications to meet tactical and strategic IT needs of the organisation. The plan should be updated at least annually and should include specific recruitment and retention action plans to address current and future requirements. It should also include policies for the enforcement of uninterrupted holiday policy procedures, as applicable.
• Enquire whether and confirm that a documented process for the recruitment and retention of IT personnel is in place and reflects the needs identified in the IT HR plan.
• Confirm that HR professionals regularly review and approve the IT recruitment and retention process to ensure alignment with organisational policies.

PO7.2 Personnel Competencies

Control Objective
Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience. Define core IT competency requirements and verify that they are being maintained, using qualification and certification programmes where appropriate.

Value Drivers
• Appropriately qualified and experienced staff for specific job responsibilities
• Improved personal career development, contribution and job satisfaction
• Continuous development of skills in line with business needs

Risk Drivers
• IT staff not skilled as required for business critical requirements
• IT staff dissatisfied with career progression
• More incidents and errors with greater impact

Test the Control Design
• Inspect a sample of job descriptions for a complete and appropriate description of required skills, competencies and qualifications.
• Verify that processes exist and are conducted on a regular basis to review and refresh job descriptions.
• Enquire whether and confirm that management has identified skill needs, including appropriate education, cross-training and certification requirements to address specific requirements of the organisation.
PO7.3 Staffing of Roles

Control Objective
Define, monitor and supervise roles, responsibilities and compensation frameworks for personnel, including the requirement to adhere to management policies and procedures, the code of ethics, and professional practices. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.

Value Drivers
• Communication of and adherence to organisation policies, practices and ethics
• Clear accountability and responsibility for key functions
• Improved alignment of staff contribution to business goals

Risk Drivers
• Incorrect actions and decisions based on unclear direction setting
• Increased errors and incidents caused by lack of supervision
• Staff dissatisfaction through poor management and oversight

Test the Control Design
• Inspect a sample of role descriptions to ensure inclusion of an adequate definition of responsibilities, competencies, and sensitive security and compliance requirements.
• Inspect a sample of acknowledgements for acceptance of role descriptions and responsibilities for IT personnel.
• Review terms and conditions of employment for existence of non-disclosure, intellectual property rights, responsibility for information security, internal control, applicable laws and requirements. These should align with the organisation's requirements for non-disclosure of confidential information.
• Inspect the sample of job descriptions for high-risk positions to determine whether the span of control and required supervision is appropriate for each role.
PO7.4 Personnel Training

Control Objective
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organisational goals.

Value Drivers
• Enhanced personal contribution and performance toward organisational success
• Effective and efficient delivery of each employee's role
• Support of technical and management development, increasing personnel retention
• Increase in employees' value to the enterprise

Risk Drivers
• Insufficient security awareness, causing errors or incidents
• Knowledge gaps regarding products, services and practices
• Insufficient skills, leading to service degradation and increased errors and incidents

Test the Control Design
• Walk through the training effectiveness measurement process to confirm that the critical training and awareness requirements are included.
• Inspect training programme content for completeness and appropriateness. Inspect delivery mechanisms to determine whether the information is delivered to all users of IT resources, including consultants, contractors, temporary staff members and, where applicable, customers and suppliers.
• Inspect training programme content to determine if all internal control frameworks and security requirements are included based on the organisation's security policies and internal controls (e.g., impact of non-adherence to security requirements, appropriate use of company resources and facilities, incident handling, employee responsibility for information security).
• Enquire whether and confirm that training materials and programmes have been reviewed regularly for adequacy.
• Inspect the policy for determining training requirements. Confirm that the training requirements policy ensures that the organisation's critical requirements are reflected in training and awareness programmes.
PO7.5 Dependence Upon Individuals

Control Objective
Minimise the exposure to critical dependency on key individuals through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.

Value Drivers
• Adequately supported critical IT activities that continually meet objectives
• Contingency in place for non-availability of key personnel
• Reduced risk of incidents by internal IT staff

Risk Drivers
• Increased number and impact of incidents caused by unavailability of essential skills to perform a critical role
• Staff dissatisfaction due to lack of succession planning and job advancement opportunities
• Inability to perform critical IT activities

Test the Control Design
• Inspect documentation on key role personnel for reliance on single individuals for critical processes within the IT organisation.
• Enquire whether training programmes incorporate techniques to mitigate the risk of overdependence on key resources. Programmes should include cross-training, documentation of key tasks, job rotation, knowledge sharing and succession planning for critical roles within the organisation.

PO7.6 Personnel Clearance Procedures

Control Objective
Include background checks in the IT recruitment process. The extent and frequency of periodic reviews of these checks should depend on the sensitivity and/or criticality of the function and should be applied for employees, contractors and vendors.

Value Drivers
• Recruitment of appropriate personnel
• Proactive prevention of information disclosure and confidentiality standards

Risk Drivers
• Increased risk of threats occurring from within the IT organisation
• Disclosure of customer or corporate information and increased exposure of corporate assets

Test the Control Design
• Inspect selection criteria for performance of security clearance background checks.
• Review for appropriate definition of critical roles, for which security clearance checks are required. This should apply to employees, contractors and vendors.
• Enquire whether and confirm that hiring processes include clearance background checks. Inspect hiring documentation for a representative sample of IT staff members to evaluate whether background checks have been completed and evaluated.
IT ASSURANCE GUIDE: USING COBIT
I T G O V E R N A N C E I N S T I T U T E90
91I T G O V E R N A N C E I N S T I T U T E
APPENDIX II
PO7 Manage IT Human Resources (cont.)

PO7.7 Employee Job Performance Evaluation
Control Objective
Require a timely evaluation to be performed on a regular basis against individual objectives derived from the organisation’s goals, established standards and specific job responsibilities. Employees should receive coaching on performance and conduct whenever appropriate.

Value Drivers
• Improved individual and collective performance and contribution to organisational goals
• Improved staff satisfaction
• Improved management performance from staff feedback and review processes
• Effective use of IT staff

Risk Drivers
• Inability to identify inefficient operations
• Ineffective training programme
• Dissatisfied and disgruntled staff, leading to retention problems and possible incidents
• Loss of competent staff members and related corporate knowledge

Test the Control Design
• Inspect a representative sample of employee job performance evaluations to determine whether criteria for goal setting includes SMARRT objectives. These should reflect the core competencies, company values and skills required for each role. Walk through the job performance evaluation process to determine whether policies and procedures for the use and storage of personal information are clear and comply with the applicable legislation.
• Inspect the remuneration/recognition process to determine if it is in line with performance goals and organisational policy.
• Inspect performance improvement plans to determine alignment with organisational policies and consistent application throughout the IT organisation. Performance improvement plans should include specifically defined goals, timelines for completion and an appropriate level of disciplinary action if improvements are not achieved.

PO7.8 Job Change and Termination
Control Objective
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.

Value Drivers
• Efficient and effective continuation of business-critical operations
• Improved staff retention
• A more secure information environment through timely and appropriate restriction of access

Risk Drivers
• Unauthorised access when employees are terminated
• Lack of smooth continuation of business-critical operations

Test the Control Design
• Enquire and inspect whether exit procedures for voluntary termination of employment are documented and contain all required elements, such as necessary knowledge transfer, timely securing of logical and physical access, return of the organisation’s assets, and conducting of exit interviews.
• Enquire whether job change procedures are documented and contain all required elements to minimise disruption of business processes. Examples include the need for job mentoring, job hand-over steps and preparatory formal training. Inspect job change procedures to determine if the procedures are consistently followed.
• Acquire through HR a list of terminated/transferred users (for the past six months to one year).
Take the following steps to test the outcome of the control objectives:
• Inspect the IT human resource plan to verify that the IT needs of the organisation are defined. The IT human resource plan should be based on organisational objectives and include strategic initiatives, applicable regulatory requirements and the associated IT skills required.
• Ensure that current and future needs are assessed against currently available skills and that gaps are translated into action plans.
• Inspect the IT HR management plan and determine whether it addresses retention practices within the IT organisation, including the identification of critical and scarce skills, consideration of personal evaluations, compensation and incentives, development plans, and individual training needs.
• Verify that job descriptions are periodically reviewed and that job descriptions include skill set competencies and qualifications of current personnel. Compare the skill sets of current employees to job description requirements. Inspect professional development plans from a sample of employees to determine the adequacy of career planning. Development plans should include encouragement of competency development, opportunities for personal advancement and measures to reduce dependence on key individuals.
• Review job descriptions to ensure that each is current and relevant. Include the employee handbook/third-party agreements to confirm that the obligations of employees and third-party personnel are clearly stated and appropriate for the given role. Inspect for employee acknowledgement of conditions for employment, including responsibility for information security, internal control, regulatory compliance, protection of intellectual property and non-disclosure of confidential information. Observe whether the amount of supervision applied to high-risk roles is appropriate. Review procedures governing the activities of high-risk roles to determine if supervisory approval is required and has been performed for critical decisions.
• Determine whether appropriate benchmarking of human resource management activities has been performed against similar organisations, appropriate international standards or industry best practices on a periodic basis. Confirm that the level of supervision is appropriate for the sensitivity of the position and responsibilities assigned.
• Inspect automation controls to track changes to privilege user permissions.
• Verify that the personnel training process is being delivered to all new users prior to granting access and is redelivered on an annual basis. Inspect the personnel training programme content for completeness and appropriateness (such as education on the organisation’s requirements for internal control and ethical conduct).
• Inspect delivery mechanisms to determine if information is delivered to all users of IT resources, including consultants, contractors and temporary staff members. Where applicable, it should include customers and suppliers as well.
• Verify that the personnel training programme includes certification and recertification processes for appropriate roles.
• Enquire whether and confirm that training materials and programmes have been reviewed regularly for adequacy and include impact on all necessary skills.
• Confirm that a process exists to measure the completion and effectiveness of critical employee training and awareness programmes and requirements.
• Review documented strategies for the reduction of dependence on single individuals in critical roles. Verify the inclusion of segregation of duties. Inspect the process to identify roles suitable for rotation, and confirm that rotation is occurring. Enquire of employees to determine whether knowledge sharing is occurring.
• Inspect the compiled performance evaluation information to assess whether it was compiled completely and accurately. Validate that the information is used in an appropriate manner. Enquire of employees whether management provides appropriate feedback regarding performance during, and following, the performance evaluation. Determine that performance is evaluated against the individual’s goals and performance criteria established for the position. Determine if the performance evaluation process is applied consistently and is in line with performance goals and organisational policies.
• Inspect exit procedures and processes for evidence of consistent application throughout the organisation.
• Review the appropriateness of access rights (logical and physical access) related to job changes. Determine the effects on segregation of duties and compensating controls if old access permissions are retained during a period of transition.
• Verify that user accounts have been disabled for terminated users and appropriate access has been applied for transferred users.
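One way an assurance reviewer (or the access-management team) can carry out the reconciliation described in the last three steps, as an added example that is not from the COBIT guide: the HR list of terminated/transferred users is compared with a directory or IAM account export, flagging terminated users whose accounts remain enabled, accounts with a logon dated after the termination date, and transferred users who still hold entitlements of their previous role (the segregation-of-duties exposure the steps ask the reviewer to weigh). The record layouts, field names and sample rows below are constructed for illustration and are not the guide’s own.

```python
"""Reconcile an HR leaver/mover list against an account export.

Constructed example for the PO7.8 outcome tests (not from the COBIT guide):
record layouts, field names and sample rows are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR list of terminated/transferred users (assumed layout)."""
    user_id: str
    action: str                                # "terminated" or "transferred"
    effective: date                            # last working day or transfer date
    old_groups: FrozenSet[str] = frozenset()   # entitlements of the previous role (transfers only)


@dataclass(frozen=True)
class Account:
    """One row of a directory or IAM export (assumed layout)."""
    user_id: str
    enabled: bool
    groups: FrozenSet[str]
    last_logon: Optional[date]


def select_window(records: Iterable[HrRecord], as_of: date, days: int = 365) -> List[HrRecord]:
    """Keep only HR events inside the review window (the guide suggests six months to one year)."""
    start = as_of - timedelta(days=days)
    return [r for r in records if start <= r.effective <= as_of]


def reconcile(hr_records: Iterable[HrRecord], accounts: Iterable[Account]) -> Dict[str, List[str]]:
    """Compare HR events with account state and return sorted exception lists.

    still_enabled           terminated user whose account is still enabled
    logon_after_termination terminated user with a logon dated after the termination date
    retained_old_access     transferred user still holding groups of the previous role
    no_account_found        HR record with no matching account in the export
    """
    by_id = {a.user_id: a for a in accounts}
    findings: Dict[str, List[str]] = {
        "still_enabled": [],
        "logon_after_termination": [],
        "retained_old_access": [],
        "no_account_found": [],
    }
    for rec in hr_records:
        acct = by_id.get(rec.user_id)
        if acct is None:
            findings["no_account_found"].append(rec.user_id)
            continue
        if rec.action == "terminated":
            if acct.enabled:
                findings["still_enabled"].append(rec.user_id)
            # A logon after the termination date means the account was used after the
            # person left, whether or not it has since been disabled.
            if acct.last_logon is not None and acct.last_logon > rec.effective:
                findings["logon_after_termination"].append(rec.user_id)
        elif rec.action == "transferred":
            # Old-role entitlements kept after a transfer are the segregation-of-duties
            # exposure the outcome test asks the reviewer to weigh.
            if rec.old_groups & acct.groups:
                findings["retained_old_access"].append(rec.user_id)
    return {key: sorted(ids) for key, ids in findings.items()}


# Constructed sample data: an HR extract and a directory export as of 30 June 2024.
AS_OF = date(2024, 6, 30)
HR_RECORDS = [
    HrRecord("u1001", "terminated", date(2024, 3, 15)),
    HrRecord("u1002", "terminated", date(2024, 4, 2)),
    HrRecord("u1003", "transferred", date(2024, 4, 10), frozenset({"FIN-AP-Approvers"})),
    HrRecord("u1004", "terminated", date(2023, 1, 20)),   # outside a one-year window
    HrRecord("u1005", "terminated", date(2024, 5, 1)),    # no account in the export
]
ACCOUNTS = [
    Account("u1001", False, frozenset({"IT-Ops"}), date(2024, 3, 14)),
    Account("u1002", True, frozenset({"IT-Ops"}), date(2024, 4, 20)),
    Account("u1003", True, frozenset({"FIN-AP-Approvers", "FIN-GL-Users"}), date(2024, 6, 28)),
    Account("u1004", True, frozenset({"HR-Admin"}), None),
    Account("u1006", True, frozenset({"IT-Ops"}), date(2024, 6, 29)),  # not on the HR list
]


def run_review(as_of: date = AS_OF, days: int = 365) -> Dict[str, List[str]]:
    """Apply the review window to the HR list and reconcile it against the export."""
    return reconcile(select_window(HR_RECORDS, as_of, days), ACCOUNTS)


if __name__ == "__main__":
    for category, users in run_review().items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Each exception list maps to one thing the reviewer must follow up: an enabled account for a leaver is a control failure in its own right, a logon after the termination date is evidence of use that needs an incident review even if the account has since been disabled, and retained old-role groups are the transitional access whose effect on segregation of duties the outcome test asks about. Accounts that do not appear on the HR list (such as u1006) are out of scope for this test and are deliberately not reported.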
Take the following steps to document the impact of the control weaknesses:
• Assess the organisation’s dependency on key individuals to ensure that loss of capability and historical knowledge is not realised.
• Assess whether appropriate monitoring and supervision exist to ensure adherence to management policies and procedures, code of ethics, professional practices, terms and conditions of employment, internal controls, information security policy and procedures, and compliance with regulatory requirements.
• Assess the level of awareness for security requirements to ensure compliance with regulatory requirements, protection of intellectual property, organisational reputation and strategic position.
• Determine the adequacy of personnel training programmes to ensure the organisation’s ability to attract and retain qualified personnel.
• Assess dependence on key individuals and the IT organisation’s ability to provide continuous support of business processes in an efficient and effective manner. Determine whether appropriate segregation of duties exist for key roles to ensure that critical controls function as intended.
• Assess the appropriateness of security-checking mechanisms for key employees to ensure that control over threats within the organisation, such as theft, disclosure and compromise of sensitive corporate assets, is appropriately addressed.
• Determine whether a well-defined, timely and consistently applied performance evaluation process exists and results in the efficient and effective use of IT resources.
• Assess the level of appropriateness and consistency applied to job change policies and procedures to ensure that disruptions of business-critical operations and unauthorised access to secure environments and organisational assets do not occur.
PO8 Manage Quality
A quality management system is developed and maintained that includes proven development and acquisition processes and standards. This is enabled by planning, implementing and maintaining the QMS by providing clear quality requirements, procedures and policies. Quality requirements are stated and communicated in quantifiable and achievable indicators. Continuous improvement is achieved by ongoing monitoring, analysis and acting upon deviations, and communicating results to stakeholders. Quality management is essential to ensure that IT is delivering value to the business, continuous improvement and transparency for stakeholders.

PO8.1 Quality Management System
Control Objective
Establish and maintain a QMS that provides a standard, formal and continuous approach regarding quality management that is aligned with business requirements. The QMS should identify quality requirements and criteria; key IT processes and their sequence and interaction; and the policies, criteria and methods for defining, detecting, correcting and preventing non-conformity. The QMS should define the organisational structure for quality management, covering the roles, tasks and responsibilities. All key areas should develop their quality plans in line with criteria and policies and record quality data. Monitor and measure the effectiveness and acceptance of the QMS, and improve it when needed.

Value Drivers
• Alignment with and achievement of business requirements for IT
• Stakeholder satisfaction ensured
• Consistent QA environment understood and followed by all staff members
• Efficient, effective and standardised operation of IT processes

Risk Drivers
• Insufficient quality in services and solutions, resulting in faults, rework and increased costs
• Ad hoc and, therefore, unreliable QA activities
• Misalignment with industry good practices and business objectives
• Ambiguous responsibility for quality, leading to quality reduction

Test the Control Design
• Enquire whether the QMS was developed with input from IT management, other stakeholders and relevant enterprisewide frameworks.
• Enquire whether findings from each quality review are communicated to IT management and other stakeholders in a timely manner to enable remedial action to be taken.
• Determine whether IT quality plans are aligned with enterprise quality management criteria and policies.
PO8 Manage Quality (cont.)

PO8.2 IT Standards and Quality Practices
Control Objective
Identify and maintain standards, procedures and practices for key IT processes to guide the organisation in meeting the intent of the QMS. Use industry good practices for reference when improving and tailoring the organisation’s quality practices.

Value Drivers
• Alignment of the QMS to business requirements and policies
• Consistency and reliability of the general quality plan
• Effective and efficient operation of the QMS
• Increased assurance for enterprisewide management that IT standards, policies, processes, practices and risk management are effective and efficient

Risk Drivers
• Undefined responsibilities within projects and services
• Quality failures in key IT processes
• Non-compliance with defined standards and procedures
• IT policies, standards, processes and practices inconsistent with current good practices
• Failure of IT policies, standards, processes and practices to meet enterprise objectives

Test the Control Design
• Review IT standards and frameworks to determine if they are appropriate for the systems, data and information in the environment.
• Inspect the authorisation of deviations to IT standards to validate adherence to or non-compliance with mandated or adopted standards.
• Inspect major milestones in key projects to verify that the QMS has been applied.
• Confirm the process for applying changes in mandated or adopted standards within the organisation.

PO8.3 Development and Acquisition Standards
Control Objective
Adopt and maintain standards for all development and acquisition that follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria. Consider software coding standards; naming conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; and unit, regression and integration testing.

Value Drivers
• Efficient and effective use of technology to enable timely achievement of business objectives
• Proper identification, documentation and execution of key acquisition and development activities
• Formally defined, standardised and repeatable approach for managing acquisitions and developments

Risk Drivers
• Inaccurate estimations of project timescales and budgets
• Unclear responsibilities within projects
• Development and implementation errors, causing delays, rework and increased costs
• Interoperability and integration problems
• Support and maintenance problems
• Unidentified errors occurring in production

Test the Control Design
• Enquire whether development and acquisition standards for changes to existing IT resources are applied (e.g., secure coding practices; software coding standards; naming conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; unit, regression and integration testing).
• Enquire or inspect whether development and acquisition standards enable an appropriate level of control for changes to existing IT resources.
• Enquire whether development and acquisition guidance is incorporated into IT standards and frameworks.
PO8 Manage Quality (cont.)

PO8.4 Customer Focus
Control Objective
Focus quality management on customers by determining their requirements and aligning them to the IT standards and practices. Define roles and responsibilities concerning conflict resolution between the user/customer and the IT organisation.

Value Drivers
• Improved customer satisfaction
• Quality management aligned with customer expectations
• Clarity of roles and responsibilities

Risk Drivers
• Gaps between expectations and delivery
• Failure to adequately understand customer expectations
• Failure to adequately respond to customer disputes and feedback
• Inappropriate or ineffective customer dispute resolution processes
• Inappropriate priority given to different services provided
• Disputes with deliverables and quality defects

Test the Control Design
• Enquire whether customer views on the quality management process are obtained. Review the process to verify that views are obtained periodically.
• Inspect for effectiveness the questionnaires, surveys, feedback forms, interviews, etc., from customers.
• Inspect the outputs from the follow-up process to determine if the feedback is organised and useful for improving the complaint-handling process.
• Inspect the documentation of roles and responsibilities to determine if they allow for effective conflict resolution of customer complaints.
• Enquire whether and confirm that customer interaction aspects are included in training programmes.

PO8.5 Continuous Improvement
Control Objective
Maintain and regularly communicate an overall quality plan that promotes continuous improvement.

Value Drivers
• Improved quality of services and solutions
• Improved efficiency and effectiveness in delivery
• Improved staff morale and job satisfaction

Risk Drivers
• Uncontrolled and ineffective service delivery
• Service failures
• Development faults

Test the Control Design
• Enquire whether findings from each quality review are communicated to IT management and other stakeholders in a timely manner to enable remedial action to be taken.
• Ensure the staff training programme includes effective continuous improvement methodologies.
• Evaluate whether continuous improvement activities are actively promoted, effectively managed and implemented within the quality standards, policies, practices and procedures.
• Enquire whether and confirm that a quality management plan is defined. Inspect the plan and documentation to validate the appropriateness of the learning and knowledge-sharing process.
PO8 Manage Quality (cont.)

PO8.6 Quality Measurement, Monitoring and Review
Control Objective
Define, plan and implement measurements to monitor continuing compliance to the QMS, as well as the value the QMS provides. Measurement, monitoring and recording of information should be used by the process owner to take appropriate corrective and preventive actions.

Value Drivers
• Staff members aware of quality performance
• Consistent reporting
• Quality reporting integrated into and facilitating the organisation’s QMS
• Measurable and tangible value of the QMS
• Feedback concerning compliance with and usefulness of the QMS

Risk Drivers
• Lack of clear and consistent quality objectives
• Preventive and corrective actions unidentified
• Inconsistent quality reporting
• Reports failing to contribute to the enterprise’s QMS
• Lack of clarified objectives
• Failure of the QMS to enhance the organisation’s objectives
• QMS not taken seriously or complied with by the organisation
• Weaknesses and strengths within the QMS not recognised
• Non-compliance not identified
• Projects at risk to be over time and budget and delivered with poor quality

Test the Control Design
• Review executive-level reporting on quality performance (e.g., dashboard reporting and/or balanced scorecard) to identify trends of strengths and weaknesses.
• Inspect whether the quality metrics incorporate the achievement of business and IT strategy, financial cost, risk ratings and available industry data. Review whether the monitoring process enables corrective and preventive actions to take place.
• Perform a walk-through of the quality management process to verify that it considers relevance, applicability, latest industry data and the value of contribution to continuous improvement programmes within the organisation.
Take the following steps to test the outcome of the control objectives:
• Inspect the QMS to verify that it provides a standard and continuous approach for quality management.
• Verify IT management’s approval of the QMS.
• Review the periodic performance reviews to determine whether the review programme includes all necessary elements.
• Inspect the results of the periodic independent performance reviews of the QMS.
• Inspect whether follow-up reviews in quality assurance plans exist where significant findings have arisen, and inspect the follow-up reviews to verify that corrective action has been effective.
• Inspect QMS benchmark results to determine if appropriate industry guidelines, standards and enterprises were included in the comparison.
• Inspect the authorisation of deviations to IT standards to validate adherence to or non-compliance with stakeholder requirements.
• Inspect major milestones to verify that the QMS is in operation.
• Inspect the customer quality standards and metric requirements for completeness (i.e., questionnaires, surveys, feedback forms, interviews).
• Inspect the outputs from the QMS follow-up process to determine if the feedback is organised and useful for improving the complaint-handling process.
• Inspect the documentation of roles and responsibilities to determine if it allows for effective conflict resolution of customer complaints.
• Inspect the training programme to verify the existence of customer care content.
• Walk through the periodic performance reviews to determine whether the review programme includes necessary QMS elements.
• Inspect whether the quality metrics incorporate the achievement of business and IT strategy, financial cost, risk ratings, and available industry data.
• Review whether the monitoring process enables corrective and preventive actions to take place.
• Perform a walk-through of the QMS process to verify that it considers relevance, applicability, latest industry data and the value of contribution to the continuous improvement programme within the organisation.
• Determine the reliability of quality assurance activities by assessing alignment with industry best practices and gaps between current procedures and business expectations.
Take the following steps to document the impact of the control weaknesses:
• Determine the level of compliance with organisational IT standards and quality practices to assess deviations that may result in incompatible system architecture, leading to increased costs and the project not meeting goals and objectives.
• Determine if development and acquisition standards include processes for accurate estimation of project timescales and budgets to ensure efficient and effective use of IT and business resources and the attainment of strategic goals and objectives.
• Confirm that quality management processes include mechanisms for conflict resolution and the determination of consistency of understanding regarding customer expectations and product/process capability.
• Assess whether customer requirements align with IT standards.
• Determine whether the continuous improvement policy and procedures enable the organisation’s ability to maintain a competitive advantage.
• Assess whether quality measurement processes and reporting mechanisms enable corrective actions to be performed in a timely manner.
PO9 Assess and Manage IT Risks
A risk management framework is created and maintained. The framework documents a common and agreed-upon level of IT risks, mitigation strategies and residual risks. Any potential impact on the goals of the organisation caused by an unplanned event is identified, analysed and assessed. Risk mitigation strategies are adopted to minimise residual risk to an accepted level. The result of the assessment is understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance.

PO9.1 IT Risk Management Framework
Control Objective
Establish an IT risk management framework that is aligned to the organisation’s (enterprise’s) risk management framework.

Value Drivers
• Consistent approach for IT risk management
• Effective management of IT risks
• Continuous evaluation of current IT risks and threats to the organisation
• Broadened IT risk management approach

Risk Drivers
• IT risks and business risks managed independently
• The impact of an IT risk on the business undetected
• Lack of cost control for risk management
• Each risk seen as a single threat rather than in an overall context
• Ineffective support for risk assessment by senior management

Test the Control Design
• Inspect whether the IT risk management framework aligns with the risk management framework for the organisation (enterprise) and includes business-driven components for strategy, programmes, projects and operations. Review the IT risk classifications to verify that they are based on a common set of characteristics from the enterprise risk management framework. Inspect whether IT risk measurements are standardised and prioritised and whether they include impact, acceptance of residual risk and probabilities aligned with the enterprise risk management framework.
• Verify whether IT risks are considered in the development and review of IT strategic plans.

PO9.2 Establishment of Risk Context
Control Objective
Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated.

Value Drivers
• Effective and efficient use of resources for management of risks
• Alignment of risk management priorities to business needs
• A focus on relevant and significant risks
• Prioritisation of risks

Risk Drivers
• Irrelevant risks considered important
• Significant risks not given appropriate attention
• Inappropriate approach to risk assessment

Test the Control Design
• Enquire whether and confirm that an appropriate risk context has been defined in line with enterprise risk management policies and principles and includes processes, such as systems, project management, application software life cycles, management of IT operations and services. Internal and external risk factors should be included.
• Determine whether the IT risk context is communicated and understood.
PO9 Assess and Manage IT Risks (cont.)

PO9.3 Event Identification
Control Objective
Identify events (an important realistic threat that exploits a significant applicable vulnerability) with a potential negative impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact and maintain this information. Record and maintain relevant risks in a risk registry.

Value Drivers
• Consistent approach to risk event identification
• Focus on significant risk events

Risk Drivers
• Irrelevant risk events identified and focused on whilst more important events are missed

Test the Control Design
• Inspect the process used to identify potential events and determine if all IT processes are included in the analysis. The design of the process should cover internal and external events. Identification of potential events may include results of former audits, inspections and identified incidents, using checklists, workshops and process flow analysis. Trace identified impacts to the risk registry to determine if the registry is complete, current and aligned with the enterprise risk management framework terminology.
• Enquire whether appropriate cross-functional teams are involved in the different event and impact identification activities. Review a sample of the risk registry for relevance of threats, significance of vulnerabilities and importance of impact, and analyse the effectiveness of the process to identify, record and judge risks.

PO9.4 Risk Assessment
Control Objective
Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.

Value Drivers
• Improved planning and use of IT risk management skills and resources
• Organisational credibility of IT risk assessment function teams
• Knowledge transfer between risk managers
• Creation of IT asset value awareness

Risk Drivers
• Irrelevant risks considered important
• Each risk seen as a single event rather than in an overall context
• Inability to explain significant risks to management
• Significant risks possibly missed
• Loss of IT assets
• Confidentiality or integrity breach of IT assets

Test the Control Design
• Walk through the risk management process to determine if inherent and residual risks are defined and documented.
• Enquire whether and confirm that the risk management process assesses identified risks qualitatively and/or quantitatively.
• Inspect project and other documentation to assess the appropriateness of qualitative or quantitative risk assessment.
• Walk through the process to determine if the sources of information used in the analysis are reasonable.
• Inspect the use of statistical analysis and probability determinations to measure the likelihood qualitatively or quantitatively.
• Enquire or inspect whether any correlation between risks is identified. Review any correlation to verify that it exposes significantly different likelihood and impact results arising from such relationship(s).

IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE 100
PO9 Assess and Manage IT Risks (cont.)

PO9.5 Risk Response
Control Objective
Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and consider risk tolerance levels.

Value Drivers
• Effective management of risks
• Consistent approach for risk mitigation
• Cost-effective risk response

Risk Drivers
• Risk responses not effective
• Unidentified residual business risks
• Ineffective use of resources to respond to risks
• Overreliance on existing poor controls

Test the Control Design
• Inspect whether risk assessment results were allocated to a mitigating response to avoid, transfer, reduce, share or accept each risk and align with the mechanisms used to manage risk in the organisation.

PO9.6 Maintenance and Monitoring of a Risk Action Plan
Control Objective
Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.

Value Drivers
• Effective management of risks
• Continuous evaluation of current risks and threats for the organisation

Risk Drivers
• Risk mitigation controls that do not operate as intended
• Compensating controls that deviate from the identified risks

Test the Control Design
• Enquire whether accepted risks are formally recognised and recorded in a risk action plan.
• Assess the appropriateness of the elements of the risk management plan.
• Enquire or inspect whether execution, report progress and deviations are monitored.
• Inspect risk responses for appropriate approvals.
• Review actions to verify whether ownership is assigned and documented.
• Inspect whether the risk action plan is effectively maintained and adjusted.
Take the following steps to test the outcome of the control objectives:
• Enquire whether the IT risk management tolerance levels are aligned with enterprise risk tolerance levels. Determine whether organisational risk tolerance is used as input for both business and IT strategy development.
• Enquire whether a process exists to apply enterprise risk tolerance levels to IT risk management decisions. Consider whether benchmarking of the risk assessment framework against similar organisations, appropriate international standards and industry best practices has been performed.
• Test whether risk-related accountability and responsibilities are understood and accepted. Verify that the right skills and necessary resources are available for risk management.
• Enquire through interviews with key staff members involved whether the control mechanism and its purpose, accountability and responsibilities are understood and applied.
• Inspect whether the activities are effectively integrated into IT management processes.
• Inspect whether the identified impacts are relevant and significant for the enterprise and whether they are either over- or under-estimated. Determine whether cross-functional teams contribute to the event analysis process. Verify through interviews and impact reports whether the members of the event identification work group are properly trained on the enterprise risk management framework. Verify whether interdependencies and probabilities are accurately identified during impact assessment. Review any correlation to verify that it exposes significantly different likelihood and impact results arising from such relationships.
• Inspect the risk management process to determine if the sources of information used in the analysis are reasonable.
• Inspect the use of statistical analysis and probability determinations to measure the risk likelihood qualitatively or quantitatively.
• Walk through the process to determine if inherent and residual risks are defined and documented.
• Inspect the risk action plan to determine if it identifies the priorities, responsibilities, schedules, expected outcome, risk mitigation, costs, benefits, performance measures and review process to be established.
• Inspect risk responses for appropriate approvals. Review actions to verify whether ownership is assigned and documented.
• Inspect whether the risk management plan is effectively maintained/adjusted.
• Inspect and review the action plan results to determine if they are performed consistently with the risk framework guidelines and reflect changes to business objectives. Review the plan to verify that it is designed in terms of risk avoidance, reduction and sharing. Inspect whether the risk responses to be included are selected on benefit and cost considerations.

Take the following steps to document the impact of the control weaknesses:
• Assess the IT risk management strategy to determine whether it is aligned with the enterprise risk management strategy and organisational risk appetite. Confirm that the potential for unidentified risks, misapplication of IT resources, non-compliance with regulatory requirements and organisational goals has been addressed.
• Assess the accuracy and completeness of event identification, including undetected risk, inefficient and ineffective cost containment, unmitigated risks, uncontrolled aggregated risk levels, loss of organisational assets, harmed reputation, unmet strategic goals, and non-compliance with regulatory requirements.
• Assess the risk action plan’s effectiveness at mitigating risks across the enterprise, and examine the correlation of risk and mitigation.
• Review the result of the risk action plan to evaluate effectiveness and ascertain whether owners are responsive and timely in mitigation activities.
• Review risk mitigation activities applied to high-risk threats to assess the effectiveness of the prioritisation.

PO10 Manage Projects
A programme and project management framework for the management of all IT projects is established. The framework ensures the correct prioritisation and co-ordination of all projects. The framework includes a master plan, assignment of resources, definition of deliverables, approval by users, a phased approach to delivery, QA, a formal test plan, and testing and post-implementation review after installation to ensure project risk management and value delivery to the business. This approach reduces the risk of unexpected costs and project cancellations, improves communications to and involvement of business and end users, ensures the value and quality of project deliverables, and maximises their contribution to IT-enabled investment programmes.
PO10.1 Programme Management Framework
Control Objective
Maintain the programme of projects, related to the portfolio of IT-enabled investment programmes, by identifying, defining, evaluating, prioritising, selecting, initiating, managing and controlling projects. Ensure that the projects support the programme’s objectives. Co-ordinate the activities and interdependencies of multiple projects, manage the contribution of all the projects within the programme to expected outcomes, and resolve resource requirements and conflicts.

Value Drivers
• An optimised approach for programme management
• A standardised, reliable and efficient approach for programme management across the organisation
• Enhanced ability to focus on key projects within the programme

Risk Drivers
• Inappropriate project prioritisation
• Disorganised and ineffective approach to project programmes
• Misalignment of project and programme objectives

Test the Control Design
• Review the programme management framework to verify:
  – That the framework is adequately designed to assess the aggregated portfolio of IT projects against programme objectives
  – That the programme specifies required resources, including funding, project managers, project teams, IT resources and business resources, where applicable, and that the programme management team assigns accountability for each project, including achieving the benefits, controlling the costs, managing the risks, and co-ordinating the project activities clearly and unambiguously
  – Where accountability is assigned, that such accountability was accepted; there is a clear mandate and scope; and the person accountable has sufficient authority and latitude to act, requisite competence, commensurate resources, clear lines of accountability, an understanding of rights and obligations, and relevant performance measures
• Review plans, policies and procedures to verify that the programme management team:
  – Determines the interdependencies of multiple projects in the programme
  – Develops a schedule for completion that will enable the overall programme schedule to be met
  – Identifies programme stakeholders inside and outside the enterprise
  – Establishes appropriate levels of co-ordination, communication and liaison with programme stakeholders
  – Maintains communication for the duration of the programme with programme stakeholders
• Verify that, on a regular basis, the programme management team:
  – Verifies with business management that the current programme as designed will meet business requirements, and makes adjustments as necessary
  – Reviews progress of individual projects and adjusts the availability of resources, as necessary, to meet schedule milestones
  – Evaluates changes in technology and IT markets to determine if adjustments to the programme should be made to avoid newly occurring risks, takes advantage of newer and more effective technological solutions, or takes advantage of changes in the market that can lower costs
PO10 Manage Projects (cont.)

PO10.2 Project Management Framework
Control Objective
Establish and maintain a project management framework that defines the scope and boundaries of managing projects, as well as the method to be adopted and applied to each project undertaken. The framework and supporting methods should be integrated with the programme management processes.

Value Drivers
• Increased likelihood of project success
• Reduced cost associated with establishing project management activities and disciplines
• Effective communication of project objectives, project management activities and project progress
• Consistent approach, tools and processes

Risk Drivers
• Different project management approaches within the organisation
• Lack of compliance with the organisation’s reporting structure
• Inconsistent tools for project management

Test the Control Design
• Review plans, policies and procedures to verify that the project management framework:
  – Is consistent with, and an integral component of, the organisation’s programme management framework
  – Includes a change control process for recording, evaluating, communicating and authorising changes to the project scope
  – Is subject to periodic assessment to ensure its ongoing appropriateness in light of changing conditions
  – Includes guidance on the role and use of an existing programme or project office, or the creation of such a function for a project
PO10 Manage Projects (cont.)

PO10.3 Project Management Approach
Control Objective
Establish a project management approach commensurate with the size, complexity and regulatory requirements of each project. The project governance structure can include the roles, responsibilities and accountabilities of the programme sponsor, project sponsors, steering committee, project office and project manager, and the mechanisms through which they can meet those responsibilities (such as reporting and stage reviews). Make sure all IT projects have sponsors with sufficient authority to own the execution of the project within the overall strategic programme.

Value Drivers
• Optimised use of resources for project management
• Clear roles and responsibilities ensuring clear accountability and commitment for key decisions and tasks
• Enhanced alignment of project objectives with business objectives
• Timely and nimble ability to react to and deal with project issues

Risk Drivers
• Confusion and uncertainty caused by different project management approaches within the organisation
• Lack of compliance with the organisation’s reporting structure
• Failure to respond to project issues with optimal and approved decisions

Test the Control Design
• Review plans, policies and procedures to verify that:
  – Prior to each project’s initiation, the programme management team establishes a project management governance structure appropriate to the project’s size, complexity and risks (including legal, regulatory and reputational risks). The project management governance structure should assign the responsibility and accountability of the programme sponsor, project manager, and, as necessary, those of a steering committee and a project management office.
  – The programme management team assigns each IT project one or more sponsors with sufficient authority to manage execution of the project within the overall strategic programme. This assignment is made unambiguously, roles and responsibilities are made plain, and the responsibility is accepted by the assignee(s).
• Enquire whether and confirm that effective mechanisms to track the execution of the project (e.g., regular reporting, stage reviews) are put in place. Review plans, policies, procedures and reports to verify that the mechanisms are designed effectively by the programme management team and that they are used to identify and manage deviations in a timely manner.
PO10 Manage Projects (cont.)

PO10.4 Stakeholder Commitment
Control Objective
Obtain commitment and participation from the affected stakeholders in the definition and execution of the project within the context of the overall IT-enabled investment programme.

Value Drivers
• Increased likelihood of the project being driven by, and delivering, business benefits
• Common understanding of the project objectives across the business, end users and IT
• User commitment and buy-in for the project

Risk Drivers
• Unclear responsibilities and accountabilities for ensuring cost control and project success
• Insufficient stakeholder participation in defining requirements and reviewing deliverables
• Reduced understanding and delivery of business benefits

Test the Control Design
• Enquire whether and confirm that:
  – The project management framework provides for commitment and participation by key stakeholders, including management of the affected user department and key end users, in the initiation, definition and authorisation of a project
  – Key stakeholder and end-user participation is sought during project initiation and further refined during the project life cycle
• Review project reporting to verify that ongoing involvement includes project approval, project phase approval, project checkpoint reporting, project board representation, project planning, product testing, user training, user procedures documentation and project communication materials development.
• Interview key stakeholders and end users, and inspect results of post-implementation reviews to verify that involvement was used to improve the quality and acceptance of project deliverables.

PO10.5 Project Scope Statement
Control Objective
Define and document the nature and scope of the project to confirm and develop amongst stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment programme. The definition should be formally approved by the programme and project sponsors before project initiation.

Value Drivers
• Baseline provided against which the progress and, ultimately, the success of the project can be measured
• Accountabilities including those of key business stakeholders assigned and clarified
• Effective use of resources for the projects
• Preparation of a master project plan facilitated

Risk Drivers
• Misunderstanding of project objectives and requirements
• Failure of projects to meet business and user requirements
• Misunderstanding of the impact of this project with other related projects

Test the Control Design
• Review plans, policies and procedures to verify that:
  – The project management framework provides to the stakeholders a clear, written statement defining the objective, scope and business value of every project, before work on the project begins, to create a common understanding of project scope amongst stakeholders
  – Requirements for the project are agreed upon and accepted by key stakeholders and programme and project sponsors within the organisation and IT, including initial consideration of high-level critical success factors and key performance indicators
  – All subsequent changes to the project scope are appropriately documented and approved by stakeholders
PO10 Manage Projects (cont.)

PO10.6 Project Phase Initiation
Control Objective
Approve the initiation of each major project phase and communicate it to all stakeholders. Base the approval of the initial phase on programme governance decisions. Approval of subsequent phases should be based on review and acceptance of the deliverables of the previous phase, and approval of an updated business case at the next major review of the programme. In the event of overlapping project phases, an approval point should be established by programme and project sponsors to authorise project progression.

Value Drivers
• Consistent project goals in line with the organisation’s vision
• Prioritised project execution
• Conformance of project phases with the project definition
• Ability to monitor and communicate the progress of the project

Risk Drivers
• Lack of alignment of projects to the organisation’s vision
• Wrong prioritisation of projects
• Undetected deviations from the overall project plan
• Poor utilisation of resources

Test the Control Design
• Review plans, policies and procedures to verify that the project management framework provides for designated managers and end users of the affected business and IT functions to approve and sign off on the deliverables produced in each project phase (e.g., requirements analysis, design, build, test, go-live) of the systems development life cycle, before work on the next phase begins.
• Enquire whether and confirm that the approval process is based on clearly defined acceptance criteria agreed upon with key stakeholders prior to work commencing on the project phase deliverable and, at a minimum, in advance of the completion of the deliverables for a phase.
• Review plans, policies and procedures to verify that phase initiation and approval includes consideration of actual costs, time and progress for the phase vs. the budgeted values.
• Review plans, policies and procedures to verify that significant variances are assessed against the project’s expected benefits, approved by the appropriate programme governance function and reflected in the programme’s business case.
• Review plans, policies and procedures to verify that, prior to implementation, the readiness of the project to go live is approved through a formally conducted ‘stop/go’ assessment based on predetermined critical success factors aimed at determining system quality and the preparedness of the business and support functions to use and maintain the system.
PO10 Manage Projects (cont.)

PO10.7 Integrated Project Plan
Control Objective
Establish a formal, approved integrated project plan (covering business and information systems resources) to guide project execution and control throughout the life of the project. The activities and interdependencies of multiple projects within a programme should be understood and documented. The project plan should be maintained throughout the life of the project. The project plan, and changes to it, should be approved in line with the programme and project governance framework.

Value Drivers
• Increased probability that project milestones for time, budget or scope are met
• Increased management awareness of potential project slippage, and the ability to react in a timely manner
• A mechanism for sharing project plan and progress details in a consistent manner within, and external to, the project
• Progress of project evidenced and communicated

Risk Drivers
• Undetected errors in project planning and budgeting
• Lack of alignment of projects to the organisation’s objectives and to other interdependent projects
• Undetected deviations from the project plan

Test the Control Design
• Review plans, policies and procedures to verify that the integrated project plan provides information to permit management to control project progress and that the plan includes a statement of scope, details of project products and deliverables, required resources and responsibilities, clear work breakdown structures and work packages, estimates of resources required, milestones, key dependencies, and identification of a critical path.
• Enquire whether and ensure that the integrated project plan and any dependent plans are updated with the agreement of the plan owner to reflect the actual progress and material changes from master project plan checkpoints.
• Enquire whether and confirm that the project plan includes a communication plan that addresses changes and status reporting to key stakeholders.

PO10.8 Project Resources
Control Objective
Define the responsibilities, relationships, authorities and performance criteria of project team members, and specify the basis for acquiring and assigning competent staff members and/or contractors to the project. The procurement of products and services required for each project should be planned and managed to achieve project objectives using the organisation’s procurement practices.

Value Drivers
• Skills and resources efficiently and effectively allocated and assigned within the project
• Timely detection of resource gaps
• Project resource allocation in line with the corporate procurement policy

Risk Drivers
• Gaps in skills and resources jeopardising critical project tasks
• Inefficient use of resources
• Contract disputes with outsourced resources

Test the Control Design
• Enquire whether and confirm that resource needs are identified for the project and appropriate roles and responsibilities are clearly mapped out, with escalation and decision-making authorities agreed to and understood.
• Enquire whether and confirm that roles are identified and staffed with appropriate personnel.
• Enquire whether and confirm that an experienced project management resource and team leader are utilised, with skills appropriate to the size, complexity and risk of the project being undertaken.
• Inspect plans, policies and procedures to verify that the roles and responsibilities of other interested parties are considered and clearly defined (e.g., interested parties include, but are not limited to, internal audit, compliance, finance, legal, procurement and HR).
• Enquire whether and confirm that responsibility for procurement and management of third-party project and system support relationships is clearly defined.
Test
the
Con
trol
Des
ign
• E
nqui
re w
heth
er a
nd c
onfi
rm th
at a
for
mal
pro
ject
ris
k m
anag
emen
t fra
mew
ork
has
been
est
ablis
hed.
•
Rev
iew
pla
ns, p
olic
ies
and
proc
edur
es to
ver
ify
that
res
pons
ibili
ty f
or e
xecu
ting
the
orga
nisa
tion’
s pr
ojec
t ris
k m
anag
emen
t fra
mew
ork
with
in a
pro
ject
is c
lear
ly a
ssig
ned
to a
n ap
prop
riat
ely
skill
ed in
divi
dual
. •
Rev
iew
pla
ns, p
olic
ies
and
proc
edur
es to
ver
ify
that
this
rol
e m
ay b
PO10 Manage Projects (cont.)

PO10.9 Project Risk Management

Control Objective
Eliminate or minimise specific risks associated with individual projects through a systematic process of planning, identifying, analysing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. Risks faced by the project management process and the project deliverable should be established and centrally recorded.

Value Drivers
• Early identification of potential showstoppers when considering project feasibility and approval
• Management able to identify and plan for contingencies and countermeasures to reduce risk impact
• Clearly identifiable risk and issue owners
• Mitigating actions monitored
• Consistent and efficient approach for risk management within projects aligned to the organisation’s risk management framework

Risk Drivers
• Undetected project risks
• Lack of mitigating actions for identified risks
• Undetected project showstoppers

Test the Control Design
• …performed by the project manager or delegated by the project manager to another member of the project team.
• Enquire whether and confirm that a project risk assessment was performed to identify project risks and issues.
• Enquire whether and confirm that project risks are reassessed periodically, including at entry into each major project phase and as part of major change request assessments.
• Inspect documentation to verify that risk and issue owners are identified; actions for risk avoidance, acceptance or mitigation (i.e., contingency plan) are identified for these risks; corrective actions are assigned to owners; cost implications are considered; and actions are managed to agreed-upon action due dates.
• Enquire whether and confirm that a project risk log and a project issues log are maintained and reviewed regularly.
109 IT GOVERNANCE INSTITUTE
APPENDIX II
PO10 Manage Projects (cont.)

PO10.10 Project Quality Plan

Control Objective
Prepare a quality management plan that describes the project quality system and how it will be implemented. The plan should be formally reviewed and agreed to by all parties concerned and then incorporated into the integrated project plan.

Value Drivers
• Alignment of the project quality plan with the corporate quality framework
• Increased likelihood of the implemented system or system modification meeting business and user requirements
• A consistent level of quality assurance activity across the project, including third parties

Risk Drivers
• Project deliverables failing to meet business and user requirements
• Gaps in expected and delivered quality within the projects
• Inefficient and fragmented approach to quality assurance
• Implemented system or changes adversely impact existing systems and infrastructure

Test the Control Design
• Review plans, policies and procedures to verify that the quality plan clearly identifies ownership/responsibilities, processes and metrics to provide quality assurance of the project deliverables that make up the project quality system.
• Review plans, policies and procedures to verify that the quality plan outlines the requirements, where appropriate, for independent validation and verification of the business and technical solution.

PO10.11 Project Change Control

Control Objective
Establish a change control system for each project, so all changes to the project baseline (e.g., cost, schedule, scope, quality) are appropriately reviewed, approved and incorporated into the integrated project plan in line with the programme and project governance framework.

Value Drivers
• Clear priorities for managing resource conflicts
• Ability to track the project scope
• Decisions relating to changes in the project made safely and efficiently

Risk Drivers
• Lack of control over project scope, cost and schedule
• Lost business focus
• Inability to manage resources

Test the Control Design
• Enquire whether and confirm that a change control process exists to manage, assess, justify and approve project changes. Assess the appropriateness of the change request as part of the process.
• Inspect a sample of project change requests to determine whether they are initiated by designated individuals and contain a complete description of the change, associated risks and expected benefits.
• Enquire whether and confirm that the programme and project plan and documentation are updated for approved changes.
IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE 110
PO10 Manage Projects (cont.)

PO10.12 Project Planning of Assurance Methods

Control Objective
Identify assurance tasks required to support the accreditation of new or modified systems during project planning, and include them in the integrated project plan. The tasks should provide assurance that internal controls and security features meet the defined requirements.

Value Drivers
• External requirements for assurance (e.g., external audit) satisfied in a timely and cost-effective manner
• External accreditation of systems or systems modifications facilitated
• Key stakeholders’ increased confidence that the project is under control and on track to realise business benefits

Risk Drivers
• Untrustworthy assurance activities
• Ineffective and/or inefficient assurance activities
• Accreditation and implementation delays

Test the Control Design
• Enquire whether and confirm that project management standards and procedures include steps to consider compliance requirements (e.g., testing internal controls and security requirements).
• Inspect project management standards and procedures to determine if they include steps to consider compliance requirements. Inspect requirements documentation for projects impacting compliance to determine that appropriate compliance stakeholders are involved and requirements are approved.
• Inspect documentation for projects that include systems with accreditation, assurance or validation requirements to determine if appropriate subject matter specialists were involved in requirements testing and approving results.

PO10.13 Project Performance Measurement, Reporting and Monitoring

Control Objective
Measure project performance against key project performance scope, schedule, quality, cost and risk criteria. Identify any deviations from the plan. Assess the impact of deviations on the project and overall programme, and report results to key stakeholders. Recommend, implement and monitor remedial action, when required, in line with the programme and project governance framework.

Value Drivers
• Improved customer satisfaction and focus
• Strong customer bias in the culture of the IT organisation for all IT projects
• Deviations to the plan promptly identified
• Positive results communicated and built upon to boost stakeholder confidence and commitment

Risk Drivers
• Ineffective reporting on project progress and unidentified issues
• Lack of control over project progress
• Loss of focus on customer expectations and business needs

Test the Control Design
• Enquire whether and confirm that the IT programme, project governance and management frameworks consist of the presence of key IT project performance criteria, including scope, schedule, quality, cost and level of risk.
• Review baseline project plans to determine if the IT programme management team recommends, implements and monitors remedial action when required. The plans should be in line with the programme and project governance framework.
PO10 Manage Projects (cont.)

PO10.14 Project Closure

Control Objective
Require that, at the end of each project, the project stakeholders ascertain whether the project delivered the planned results and benefits. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the programme, and identify and document lessons learned for use on future projects and programmes.

Value Drivers
• Increased likelihood that the project will realise expected and agreed-upon business benefits
• Improvements identified in project management and system development for future projects
• Increased focus on executing remaining actions for delivery of promised benefits

Risk Drivers
• Undetected project management weaknesses
• Missed opportunities from lessons learned

Test the Control Design
• Enquire whether and confirm that IT policies and procedures include key steps for project closure, including an effective post-implementation review.
• Inspect documentation of a sample of post-implementation reviews to determine if the reviews are effectively planned and executed.
• Walk through the process used to identify, communicate and track any uncompleted activities required to achieve project programme benefits. Inspect post-implementation documentation to determine if uncompleted activities are identified, communicated and resolved.
• Walk through the process used to collect lessons learned to determine if the process is effective in improving future projects. Assess customer involvement in the review and analysis process.
Take the following steps to test the outcome of the control objectives:
• Inspect documentation of the programme management framework to verify that the programme adequately assesses the aggregated portfolio of IT projects against programme objectives. The programme should specify required resources, including funding, project managers, project teams, IT resources and business resources, where applicable.
• Inspect documentation and trace activities through the process to verify that the programme management team also specifies required resources, including funding, project managers, project teams, IT resources and business resources, where applicable.
• Inspect documentation and trace activities through the process to verify that the programme management team effectively assigns accountability for each project and that, where accountability is assigned, such accountability is accepted and the person accountable has sufficient authority and latitude to act, requisite competence, commensurate resource, clear lines of accountability, an understanding of rights and obligations, and relevant performance measures.
• Inspect schedules and other documentation to determine whether the programme management team effectively discovered the interdependencies of multiple projects in the programme and developed a schedule for their completion that enables the overall programme schedule to be met.
• Inspect communications and other documents to determine that the programme management team effectively determines programme stakeholders inside and outside the enterprise; establishes appropriate levels of co-ordination, communication and liaison with these parties; and maintains communication with them for the duration of the programme.
• Inspect periodic assessments and other documents to verify that the project management framework is used effectively as an integral component of, and is consistent with, the organisation’s programme management approach, and that it is appropriate in light of changing conditions.
• Inspect major milestones to validate that appropriate sign-offs have been achieved before proceeding to the next phase (e.g., a review committee consisting of sponsors and end users to ensure that scope and requirements are appropriate).
• Inspect documentation to verify that the programme management team effectively assigns each IT project one or more sponsors with sufficient authority to manage execution of the project within the overall strategic programme, the assignment is made unambiguously, roles and responsibilities are made clear, and the responsibility is accepted by the assignee(s).
• Inspect documentation such as meeting minutes and sign-off documentation to verify that the project management team effectively provides for commitment and participation by key stakeholders, including management of the affected user department and key users, in the initiation, definition and authorisation of a project.
• Inspect documents such as meeting minutes and sign-off documentation and trace activities through the process to verify that the ongoing key stakeholder commitment and participation for the remainder of the project life cycle is effectively outlined during the project initiation and an effective refining process is used further during the process.
• Verify that the project/programme communication plan is effectively maintained throughout the project.
• Sample change requests to verify that stakeholders provided appropriate sign-off.
• Inspect plans, policies and procedures to verify that the project management framework is designed effectively to provide for designated managers and end users of the affected business and IT functions to approve and sign off on the deliverables produced in each project phase of the system development life cycle, before work on the next phase begins.
• Inspect documentation to verify that the basis of the approval process is effective to clearly define acceptance criteria agreed upon with key stakeholders prior to work commencing on the project phase deliverable and, at a minimum, in advance of the completion of the deliverables for a phase.
• Inspect plans, policies and procedures to verify that phase initiation and approval is designed effectively to consider actual costs, time and progress management, and to assess significant variances against the project’s expected benefits.
• Inspect plans, policies and procedures to verify that the appropriate programme governance function is designed effectively to approve assessments of significant variances and that the significant variances are reflected in the programme’s business case.
• Physically inspect documentation and search audit trails to verify that the integrated project plan permits management to control project progress.
• Inspect documents to evaluate that the integrated project plan and any dependent plans are kept up to date with the agreement plan holder, to reflect actual progress and material changes from the programme management framework.
• Inspect the project manager organisation chart or RACI chart for completeness.
• Review the project risk assessment and related documentation/meeting minutes to verify that risks (internal and external) are managed and discussed at an appropriate level within the project governance structure throughout the project.
• Determine that the risk management plan is integrated with the overall project plan.
• Inspect assessments and reassessments of risk, change request assessments, and other documents to verify that periodic reassessments are effective and responding to changes in risk over the course of the project.
• Verify that any necessary updates are performed to the risk management plan.
• Inspect documents, search audit trails, and trace transactions through the process to verify that project risk management is being performed effectively, including workarounds for unexpected risks.
• Inspect the project risk log, project issues log and other documents to verify that the project risk log and project issues log are maintained along with corrective actions.
• Inspect documentation to verify that the scope that documents project objectives and major project deliverables is included and a quality process is defined.
Take the following steps to document the impact of the control weaknesses:
• Assess the adequacy of the aggregated portfolio of projects to determine whether it adequately meets business objectives.
• Assess whether resource conflicts exist, project interdependencies are not understood and projects successfully provide ROI.
• Assess the organisation’s ability to manage resources effectively and efficiently.
• Assess whether different project management approaches within the organisation utilise resources effectively.
• Assess the organisational reporting structure for appropriate separation of duties.
• Assess project management tools for effective monitoring and reporting.
• Assess compliance with regulatory requirements to determine if resources are utilised effectively to avoid adverse impacts on time, schedule and performance.
• Assess the project sponsor’s review and approval of the project scope statement to ensure that objectives are clearly defined and aligned with the IT-enabled investment programme.
• Assess the approved integrated project plan for interdependencies of multiple projects to ensure that project execution and project control exist throughout the life of the project.
• Assess the changes to the integrated project plan for approval and alignment with the programme and project governance framework to identify impacts to costs, schedule and performance.
• Assess whether the project has defined an appropriate governance body to review and provide acceptance to major project phases.
• Assess the organisation’s procurement practices to determine whether procurement processes are performed in a timely manner for acquiring and assigning competent staff members and/or contractors to manage the project’s cost, schedule and performance.
• Assess the quality management plan to determine consistent levels of quality assurance activity across the project, including third parties.
• Assess whether quality management considerations have been incorporated in a timely manner to ensure cost containment and alignment to the master project plan.
• Assess whether changes are approved or justified and that they meet initial goals and objectives, including any negative impacts to budget, schedules and performance.
• Assess whether assurance tasks provide an appropriate level of system accreditation to provide assurance that internal controls and security features meet the defined requirements.
• Assess whether effective reporting mechanisms exist to monitor project progress.
• Determine management’s ability to effectively and efficiently manage project risks.
• Assess project closure for feedback to support future projects of similar type or scope to determine impacts on costs, schedule and performance (e.g., collection of best practices/lessons learned).
APPENDIX III—ACQUIRE AND IMPLEMENT (AI) PROCESS ASSURANCE STEPS
AI1 Identify Automated Solutions

The need for a new application or function requires analysis before acquisition or creation to ensure that business requirements are satisfied in an effective and efficient approach. This process covers the definition of the needs, consideration of alternative sources, review of technological and economic feasibility, execution of a risk analysis and cost-benefit analysis, and conclusion of a final decision to ‘make’ or ‘buy’. All these steps enable organisations to minimise the cost to acquire and implement solutions whilst ensuring that they enable the business to achieve its objectives.

AI1.1 Definition and Maintenance of Business Functional and Technical Requirements

Control Objective
Identify, prioritise, specify and agree on business functional and technical requirements covering the full scope of all initiatives required to achieve the expected outcomes of the IT-enabled investment programme.

Value Drivers
• All significant functional and technical requirements taken into account when considering potential solutions
• Complete and accurate set of functional and technical requirements available before development or acquisition begins
• Functional and technical requirements defined effectively and efficiently
• Selected solution likely to be implemented more quickly and with less rework

Risk Drivers
• Incorrect solution selected on the basis of an inadequate understanding of requirements
• Significant requirements discovered later, causing costly reworking and implementation delays

Test the Control Design
• Confirm through interviews with key staff members that business functional and technical requirements have been defined and a maintenance process has been agreed upon. Inspect documentation of requirements and maintenance processes, and ensure that the design is appropriate to the size, complexity, objectives and risks of the acquisition and has been approved by the relevant owner/sponsor.
• Confirm through interviews with key staff members that all requirements and acceptance criteria have been considered, captured, prioritised and recorded in a way that is understandable to stakeholders and sponsors.
• Confirm through interviews with key staff members that application and infrastructure technical requirements meet the needs of the organisation’s information architecture standards and strategic technical direction.
• Review plans, policies and procedures to identify exceptions/deviations from the information architecture standards and strategic technical direction.
AI1 Identify Automated Solutions (cont.)

AI1.2 Risk Analysis Report

Control Objective
Identify, document and analyse risks associated with the business requirements and solution design as part of the organisation’s process for the development of requirements.

Value Drivers
• Early identification of acquisition risks enabling the reduction or avoidance of potential impact
• Increased management awareness of potential risks

Risk Drivers
• Potentially significant acquisition risks not identified
• Management unaware of risks and failure to apply appropriate controls
• System security compromised

Test the Control Design
• Confirm through interviews with key staff members, inspection of project documentation, etc., that a holistic approach to the risk analysis of the automated solution is used.
• Confirm through interviews that stakeholders are involved, including representatives from both business and IT.
• Enquire whether and confirm that appropriate risk mitigation mechanisms are considered in the design of the solution and built in from the outset, if justified by the risks the organisation is facing.

AI1.3 Feasibility Study and Formulation of Alternative Courses of Action

Control Objective
Develop a feasibility study that examines the possibility of implementing the requirements. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor.

Value Drivers
• The most effective and efficient solution chosen for the enterprise
• Resources available to implement and operate the selected solution
• Significant requirements verified before commitment to acquire
• Selection decision making based on valid justifications

Risk Drivers
• Solution failing to meet requirements
• Solution failing to perform as expected
• Solution failing to integrate with existing infrastructure

Test the Control Design
• Enquire through interviews with key staff members whether a feasibility study process exists that sets out alternative courses of action that will satisfy the business functional and technical requirements (e.g., functionality meets the needs of business and technical requirements).
• Enquire whether and confirm that management and key staff members have determined resources to be used and are aware of go/no-go control checkpoints.
• Confirm with key staff members that the feasibility study includes the potential cost-benefit analysis of each of the identified alternatives and system functionality.
AI1 Identify Automated Solutions (cont.)

AI1.4 Requirements and Feasibility Decision and Approval

Control Objective
Verify that the process requires the business sponsor to approve and sign off on business functional and technical requirements and feasibility study reports at predetermined key stages. The business sponsor should make the final decision with respect to the choice of solution and acquisition approach.

Value Drivers
• Solution likely to meet business requirements
• Solution having business commitment and involvement during implementation
• Business having a better understanding of the nature of the solution and the impact it will have on the business processes and organisation

Risk Drivers
• Solutions failing to meet business requirements
• Alternative solutions not identified properly
• Business process and organisation aspects of the potential solution inadequately considered

Test the Control Design
• Confirm through interviews with the business sponsor that quality reviews are being performed for business functional and technical requirements and feasibility study reports and that the business sponsor is aware of the original acceptance criteria.
• Evaluate project documentation for a representative sample of projects to ensure that the business sponsor has signed off on the business functional and technical requirements and feasibility reports.
Take the following steps to test the outcome of the control objectives:
• Inspect a selection of correspondence between business sponsors and stakeholders to ensure that key requirements (e.g., definition of user requirements; formulation of alternative courses of action; identification of commercial software packages; performance of technology feasibility, economic feasibility, information architecture and risk analysis studies) have been captured and considered.
• Inspect a selection of requirements documentation to determine whether a proposed new or modified system has been clearly defined, reviewed and approved in writing by the cognisant user before the development, implementation or modification of the project.
• Inspect a selection of application and infrastructure technical requirements documentation to determine if the requirement meets the organisation’s information architecture standards and strategic direction (e.g., business continuity planning, disaster recovery planning, security and legal requirements).
• Inspect a selection of risk analysis documentation, and determine whether business and IT risks are identified, examined, assessed and understood by both the business and IT and whether internal control measures and audit trails are identified as part of the risk analysis (e.g., risks on business continuity planning, disaster recovery planning, security and legal requirements).
• Inspect a selection of risk analysis documentation to determine whether risk analysis documentation was signed off on by the key stakeholders, including representatives from the business and IT.
• Inspect a selection of project, audit or other assessment reports and corroborate through interviews with compliance, audit, risk management and security staff members to determine whether a proper balance between detection and prevention controls is considered in the design of the risk response mechanisms.
• Inspect the feasibility study documentation to confirm that technical and economic feasibility met the needs of business and technical requirements.
• Inspect a selection of the feasibility study documentation to confirm that the plan sufficiently accounts for each stage of the acquisition or development life cycle and includes go/no-go control checkpoints.
• Inspect a selection of the technological and economic feasibility study documentation to confirm that identifiable costs and benefits for each of the identified alternatives and system functionalities have been properly supported and included as part of the required technological and economic feasibility study.
Take the following steps to document the impact of the control weaknesses:
• Assess the impact to the time and cost of the project if requirements do not meet user needs.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that were not identified due to system development efforts not including robust risk analyses.
• Assess the impact to the time and cost of the project if system development efforts do not comply with policies, laws and regulations.
• Assess the additional cost of the key owner/sponsor not considering alternative courses of action, thereby resulting in a more costly solution.
• Identify deficiencies in the organisation’s system development life cycle methodology.
• Identify solutions that do not meet user requirements.
• Identify system development efforts that:
  – Did not consider alternative courses of action, thereby resulting in a more costly solution
  – Did not consider commercial software packages that could have been implemented in less time and at less cost
  – Did not consider the technological feasibility of the alternatives or inappropriately considered the technological feasibility of the chosen solution and, as a result, could not implement the solution as originally designed
  – Made erroneous assumptions in the economic feasibility study and, as a result, chose the wrong course of action
  – Did not consider the information architecture/enterprise data model and, as a result, chose the wrong course of action
  – Did not conduct robust risk analyses and, thus, either did not adequately identify risks (including threats, potential vulnerabilities and impacts) or did not identify appropriate security and internal controls for reducing or eliminating identified risks
• Identify solutions that:
  – Were either overcontrolled or undercontrolled because the cost-effectiveness of control and security was improperly examined
  – Did not have adequate audit trails
  – Did not consider user-friendly design and ergonomic issues, thereby resulting in data input errors that could have been avoided
  – Did not follow the organisation’s established procurement approach and, thus, resulted in additional costs being borne by the organisation
AI2 Acquire and Maintain Application Software

Applications are made available in line with business requirements. This process covers the design of the applications, the proper inclusion of application controls and security requirements, and the development and configuration in line with standards. This allows organisations to properly support business operations with the correct automated applications.

AI2.1 High-level Design

Control Objective
Translate business requirements into a high-level design specification for software acquisition, taking into account the organisation’s technological direction and information architecture. Have the design specifications approved by management to ensure that the high-level design responds to the requirements. Reassess when significant technical or logical discrepancies occur during development or maintenance.

Value Drivers
• Reduced costs
• Consistency between business requirements and high-level design results
• Improved time to delivery

Risk Drivers
• Dependency on knowledge held by key individuals
• Undefined development scope
• Solutions failing to deliver business requirements
• Solutions not aligned with strategic IT plan, information architecture and technology direction
• High costs of fragmented solutions

Test the Control Design
• Confirm with key IT staff members that a high-level design specification is defined that translates the business requirements for the software development.
• Obtain and review a sample of a project design specification to determine whether it addresses all the business requirements.
• Confirm with key IT staff members whether the project design approach conforms with the organisation’s design standard.
• Review high-level design documentation to determine if the organisation’s design standards are being followed.
• Review project documentation, such as the project plan and scoping document, to determine if roles and responsibilities of users in the design process are properly included.
• Corroborate management’s views regarding user involvement with users/stakeholders to confirm that users’/stakeholders’ expertise and knowledge are considered in the design process of new systems.
• Review supporting documents for unambiguous cross-references, including title and date.
• Confirm with stakeholders (IT and business) that they have approved and signed off on the high-level design and that their inputs have been incorporated into the design (e.g., process owners, information owners, security, user representatives).
• Confirm with stakeholders (IT and business) that the high-level design constitutes a solution that the organisation can deliver, operate and maintain (e.g., IT sponsor, business sponsor).
IT ASSURANCE GUIDE: USING COBIT
I T G O V E R N A N C E I N S T I T U T E120
AI2.2 Detailed Design

Control Objective
Prepare detailed design and technical software application requirements. Define the criteria for acceptance of the requirements. Have the requirements approved to ensure that they correspond to the high-level design. Perform reassessment when significant technical or logical discrepancies occur during development or maintenance.

Value Drivers
• Reduced costs
• Efficient application coding and maintenance
• Prioritisation on important features
• Avoidance of data redundancy
• Application meeting usability requirements

Risk Drivers
• Processing of invalid transactions
• Increasing costs for system redesign
• Data in application systems processed incorrectly

Test the Control Design
• Perform code walk-through and examine documentation associated with data inputs and outputs to determine whether proper storage, location and retrieval methods are implemented according to data dictionary standards.
• Examine information architecture and data dictionary documentation to identify deviations from the data dictionary standards in the programme design.
• Enquire of key staff members whether data dictionary standards are being used, and compare actual performance of data inputs/outputs with responses from key staff members.
• Confirm with key staff members that source data collection design is specified that incorporates computed and stored data.
• Perform code walk-through and inspect plans to confirm that data are collected and validated for processing transactions.
• Confirm with key IT staff members that adequate redundancy, failure recovery and backup arrangements are defined and included in the detailed design specification.
• Review the backup plan and procedures to determine that they adequately address the availability requirements of the new system and are cost-effective.
• Enquire of key IT staff members and review relevant project documentation to determine whether file requirements for storage, location and retrieval of data are defined in the detail design specification.
• Review project documentation to determine if best practices, such as availability, control and auditability, security, and network requirements, are considered.
• Enquire of key staff members and inspect relevant project documentation to determine whether processing steps, including transaction types, processing rules including logic transformations or specific calculations are defined and included in the detailed design specification.
• Enquire of key staff members and inspect relevant project documentation to determine whether integration of system (existing or planned subsystems and acquired packaged software) and infrastructure are addressed continuously throughout the process life cycle.
• Confirm with key IT staff members that all identified output data requirements are properly defined.
• Review detail design documentation to determine that pertinent design details, such as different types of recipients, usage, details required, frequency and method of generation, are considered.
• Review detail design requirement documentation to determine if the availability, completeness, integrity and confidentiality of output data as well as the impact of data outputs to other programmes are appropriately addressed.
• Confirm with key staff members that the interface between the user and the system application is defined and included in the detailed design specification.
• Inspect the detailed design specification to confirm that it adequately addresses user interface requirements.
• Enquire about the system design reassessment procedures that address design changes as a result of significant technological and/or logical discrepancies.
• Review documents such as system design analysis reports or system design change requests to confirm that the system design reassessment procedures are followed (e.g., change in system design needs to be approved by business and IT sponsors).
• Review detailed design specification documentation to determine if it was prepared in conformance with organisation- and industry-accepted specification standards and the information architecture.
• Confirm with IT and business stakeholders that a design walk-through takes place before development commences.
• Review the detailed design specification to confirm that a design walk-through is conducted for all stakeholders and that stakeholder sign-off has been initiated before development (e.g., signature and date or e-mail confirmation).
AI2.3 Application Control and Auditability

Control Objective
Implement business controls, where appropriate, into automated application controls such that processing is accurate, complete, timely, authorised and auditable.

Value Drivers
• Consistent application controls established
• Ensured data integrity
• Transaction data history able to be validated and reconstructed, if needed

Risk Drivers
• Costly compensating controls
• Data integrity issues
• Gaps between application controls and actual threats and risks
• Processing results and data repositories failing to meet compliance requirements

Test the Control Design
• Review the requirements documentation for design of controls to determine that automated application controls are defined based on business process control requirements.
• Review the requirements documentation for design of controls, and identify instances where authorisation, input, processing, output and boundary controls are inadequate.
• Review plans for implementing automated control functions in packaged application software, and determine that business process control requirements are adequately addressed.
• Confirm with business process owners and IT technical design authorities that design specifications for all automated application controls in development or purchased applications are approved.
• Review design specification for all automated application controls in developed or purchased/packaged applications to confirm that they are approved.
• Confirm with project personnel that automated controls have been defined within the application that support general control objectives, such as security, data integrity, audit trails, access control and database integrity controls.
• Perform walk-throughs of application controls in developed and purchased packaged software, trace transactions, and review documentation to ensure that general control objectives (e.g., security, data integrity, audit trails, access control, database integrity controls) are addressed adequately.
• Review project documentation to confirm that design specifications have been assessed against the internal audit, control and risk management standards and objectives.
• Review project documentation to determine if the effects of compensating controls outside the application software realm have been considered.
• Review evidence of high-level review conducted to ensure that automated application and general controls objectives are met (e.g., availability, security, accuracy, completeness, timeliness, authorisation, auditability).
AI2.4 Application Security and Availability

Control Objective
Address application security and availability requirements in response to identified risks and in line with the organisation’s data classification, information architecture, information security architecture and risk tolerance.

Value Drivers
• Preventive and detective security controls established as necessary
• Ensured data confidentiality, integrity and availability
• Maintained system availability for business processing

Risk Drivers
• Undetected security violations
• Costly compensating controls
• Gaps between considered security controls and actual threats and risks

Test the Control Design
• Enquire with key staff members to assess knowledge and awareness of how solutions for security and availability in the infrastructure will be integrated with the application.
• Review application acquisition, implementation and testing plans to confirm that application security and availability within the integrated environment have been addressed.
• Enquire whether and confirm that availability design has been approved by technical authorities.
• Inspect documentation sign-off by appropriate stakeholders.
• Interview business sponsors and review walk-through documentation to assess understanding and adequacy of availability design; enquire whether the design is likely to meet the security and availability requirements.

AI2.5 Configuration and Implementation of Acquired Application Software

Control Objective
Configure and implement acquired application software to meet business objectives.

Value Drivers
• Acquired system configured to meet business-defined requirements
• Acquired system compliant with existing architecture

Risk Drivers
• Loss of business focus
• Inability to apply future updates effectively
• Reduced system availability and integrity of information

Test the Control Design
• Enquire of business process owners and key staff members to determine whether their input and guidance have been solicited and reflected in the application customisation and configuration. Identify instances where business process owner input has not been solicited.
• Confirm with key staff members whether the application software is customised and configured utilising best practice as advised by vendors and in conformance with internal architecture standards.
• Inspect best practices supplied by vendors, compare with the implementation strategy, and identify inappropriate configuration and customisation.
• Confirm with key staff members that testing procedures are in place that cover verification of acquired application control objectives (e.g., functionality, interoperability with existing applications and infrastructure, systems performance efficiency, integration, capacity and load stress testing, data integrity).
• Inspect unit and integration test documentation and walk-through testing procedures to verify the adequacy of the tests.
• Confirm with key staff members that all user and operation manuals are complete and/or updated where necessary. Trace a sample of customisations to user and operational manuals to confirm documentation updates.
AI2.6 Major Upgrades to Existing Systems

Control Objective
In the event of major changes to existing systems that result in significant change in current designs and/or functionality, follow a similar development process as that used for the development of new systems.

Value Drivers
• Consistent system availability
• Maintained confidentiality, integrity and availability of the processed data
• Cost and quality control for developments
• Maintained compatibility with technical infrastructure

Risk Drivers
• Reduced system availability
• Compromised confidentiality, integrity and availability of processed data
• Lack of cost control for major developments

Test the Control Design
• Confirm with key staff members and inspect relevant documentation to determine that impact assessment of major upgrades has been made to address the specified objective criteria (such as business requirement), the risk involved (such as impact on existing systems and processes or security), cost-benefit justification and other requirements.
• Inspect relevant documentation to identify deviations from normal development and implementation processes.
• Enquire of business sponsors and other affected stakeholders and inspect relevant documentation to determine whether agreement and approval have been obtained for the development and implementation process.

AI2.7 Development of Application Software

Control Objective
Ensure that automated functionality is developed in accordance with design specifications, development and documentation standards, QA requirements, and approval standards. Ensure that all legal and contractual aspects are identified and addressed for application software developed by third parties.

Value Drivers
• Ensuring that business, customer and user needs are met
• Ability to manage and prioritise resources
• Application software creating capabilities for the business
• Application meeting usability requirements

Risk Drivers
• Waste of resources
• Lost focus on business requirements
• High number of failures
• Inability to maintain applications effectively

Test the Control Design
• Confirm with key staff members that all development activity has been established to ensure adherence to development standards and that developed software is based on agreed-upon specifications to meet business, functional and technical requirements.
• Inspect relevant documentation (such as design, code review and walk-throughs) to identify exceptions to specifications and standards.
• Obtain and review assessment documentation of the developed software to confirm adequacy.
• Confirm with key staff members that technical authorities and operations management applications are ready and suitable for migration to the production environment.
• Perform a walk-through of code and identify problems/exceptions.
• Enquire of key staff members to determine compliance with all obligations and requirements.
• Review contractual obligations and licensing requirements relating to third-party developers.
AI2.8 Software Quality Assurance

Control Objective
Develop, resource and execute a software QA plan to obtain the quality specified in the requirements definition and the organisation’s quality policies and procedures.

Value Drivers
• All-embracing test approach
• Performed tests reflecting the business processes and requirements
• Formally accepted software

Risk Drivers
• Poor software quality
• Retesting of developed software
• Tests failing to reflect current business processes
• Test data misused and compromising corporate security
• Insufficient testing
• Breach of compliance requirements

Test the Control Design
• Confirm with key staff members that the software QA plan has been defined, including specification of quality criteria, validation and verification processes, and definition of how quality will be reviewed.
• Review the plan for the criteria listed above, and ensure that QA reviews are conducted independent of the development team.
• Confirm with key staff members that a process for monitoring software quality has been designed and established.
• Review relevant documentation to confirm that the process is based on project requirements, enterprise policies, quality management procedures and acceptance criteria.
• Confirm with key staff members that all quality exceptions are identified and that corrective actions are taken.
• Inspect relevant documentation of QA reviews, results, exceptions and corrections to determine that QA reviews are repeated when necessary.
AI2.9 Applications Requirements Management

Control Objective
Track the status of individual requirements (including all rejected requirements) during the design, development and implementation, and approve changes to requirements through an established change management process.

Value Drivers
• Formally defined requirements and clarified business expectations
• Compliance with the established change management procedures
• An agreed-upon standardised approach for performing changes to the applications in an effective manner

Risk Drivers
• Unauthorised changes
• Changes not applied to the desired systems
• Gaps between expectations and requirements

Test the Control Design
• Ensure and confirm that changes to individual requirements are monitored, reviewed and approved by the stakeholders involved.
• Inspect relevant documentation to confirm that all changes and status of changes are recorded in the change management system.
• Identify and report changes that are not tracked.
AI2.10 Application Software Maintenance

Control Objective
Develop a strategy and plan for the maintenance of software applications.

Value Drivers
• Compliance with the established change management procedures
• An agreed-upon standardised approach for performing changes to the applications in an effective manner

Risk Drivers
• Unauthorised changes
• Changes not applied to the desired systems
• Gaps between expectations and requirements
• Reduced system availability

Test the Control Design
• Confirm through interviews with key staff members that an effective and efficient process for application software maintenance activities has been designed to ensure uniform application for all changes and can be performed quickly and effectively.
• Review the process documentation to determine that relevant issues (including release planning and control, resource planning, bug fixing and fault correction, minor enhancements, maintenance of documentation, emergency changes, interdependencies with other applications and infrastructure, upgrade strategies, contractual conditions such as support issues and upgrades, periodic review against business needs, risks, and security requirements) are included.
• Confirm with key staff members that all maintenance changes comply with the formal change management process, including impact on existing applications and infrastructure.
• Inspect relevant documentation to confirm that changes are prioritised to identify those that would be better managed as a formal redevelopment. Identify any deviations from the formal change management process.
• Enquire and confirm with key staff whether changes applied without following the formal change management process have been reviewed and approved.
• Review relevant documentation to identify changes that have not been reviewed and approved.
• Enquire and confirm with key staff whether patterns and volume of maintenance activities are assessed periodically for abnormal trends.
• Inspect relevant analytical results documentation to confirm that all underlying quality or performance problems are appropriately analysed and reported.
• Confirm with key staff members that all maintenance activity has been completed successfully and thoroughly.
• Perform a walk-through of maintenance activities to ensure that all tasks and phases have been addressed, including updating user, systems and operational documentation and interdependencies.
• Identify all changes in contractual conditions, business trends or other upgrades that have not been addressed.
Take the following steps to test the outcome of the control objectives:
• Review project design documentation to confirm that the design is consistent with business plans, strategies, applicable regulations and IT plans.
• Obtain and review a sample of project sign-off documentation to determine whether the projects have gone through QA sign-off and have proceeded with proper approval of the high-level design by IT and business stakeholders (project sponsors).
• Corroborate with IT management and review relevant documentation to determine if the sampled project design specification aligns with the organisation’s technological direction and information architecture.
• Review the integration plan and procedures to determine their adequacy.
• Review project documentation to determine if the impact of the new implementation on existing applications and infrastructure has been assessed and appropriate integration approaches have been considered.
• Review end-of-stage documentation to confirm that all development activities have been monitored and that change requests and quality performance and design reviews have been tracked and considered at formal end-of-stage discussions. Also confirm that stakeholders have been fully represented and that the end-of-stage reviews incorporate approval criteria. Inspect problem logs, review documentation and sign-offs to confirm the adequacy of the development activities and identify deviations.
• Review design documentation to confirm that appropriate solutions and approaches to security and availability are designed to adequately meet the defined requirements and build on or extend the existing infrastructure capability.
• Review QA documentation and fault logs to ensure that all significant quality exceptions are identified and corrective actions are taken. Inspect relevant documentation of QA reviews, results, exceptions and corrections to determine that QA reviews are repeated when necessary.
• Obtain and inspect change requests to determine that they are categorised and prioritised. Confirm with key staff members that the impact of all change requests has been assessed.
• Review change control documentation to confirm that changes applied without following the formal change management process have been reviewed and approved and to identify changes that have not been reviewed and approved.
• Inspect the risk analysis documentation, and determine whether business and IT risks are identified, examined, assessed and understood by both the business and IT and that there is evidence that all stakeholders are involved.
• Review the feasibility study documentation to confirm that both technical and economic feasibility have been adequately considered.
• Review quality review documentation, compare with original acceptance criteria, and identify exceptions or deviations from original acceptance criteria.
• Review end-of-stage documentation to confirm that sign-off has been obtained for proposed approaches and/or feedback requiring further feasibility analysis.

Take the following steps to document the impact of the control weaknesses:
• Identify design specifications that do not reflect user requirements.
• Identify data management requirements that are not consistent with the organisation’s data dictionary rules.
• Identify new system development or modification projects that contain inadequately defined file, programme, source data selection, input, user-machine interface, processing, and output and/or controllability requirements.
• Identify designs where security and availability were not adequately considered.
• Identify data integrity design deficiencies.
• Identify test plan requirement deficiencies.
• Identify significant technical and/or logical discrepancies that have occurred during system development or maintenance and did not result in reassessment of the system design and, therefore, went uncorrected or resulted in inefficient, ineffective and uneconomical patches to the system.
AI3 Acquire and Maintain Technology Infrastructure

Organisations have processes for the acquisition, implementation and upgrade of the technology infrastructure. This requires a planned approach to acquisition, maintenance and protection of infrastructure in line with agreed-upon technology strategies and the provision of development and test environments. This ensures that there is ongoing technological support for business applications.

AI3.1 Technological Infrastructure Acquisition Plan

Control Objective
Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organisation’s technology direction.

Value Drivers
• Consistent technological planning
• Enhanced system security
• Balanced hardware and software utilisation
• Alignment with strategic IT plan, information architecture and technology direction
• Enhanced financial planning

Risk Drivers
• No acquisition model
• Inconsistent technological infrastructure
• Technology failing to support business needs
• Information security compromises

Test the Control Design
• Confirm with staff members that a plan for the acquisition, implementation and upgrade of the technology infrastructure has been created that satisfies the business functional and technical requirements.
• Review the plan to confirm that it conforms with the organisation’s established technology direction and that all key aspects are included.
• Enquire whether and confirm that a process has been defined and implemented to create and maintain an infrastructure acquisition plan that is aligned with the organisation’s technology direction.
• Inspect the infrastructure acquisition plan to identify areas where key aspects, such as requirements, risks, transition and migration, have not been addressed.
• Review the financial appraisal for accuracy and overall coverage.
Test the Control Design
• Confirm with key staff members that all infrastructure data and software are backed up prior to installation and/or maintenance tasks. Inspect backup logs to confirm that infrastructure data and software are successfully backed up.
• Confirm with key staff members that all application software is tested prior to installation in an environment separate from, but sufficiently similar to, production. Review test specifications and procedures to confirm that tests include functionality, security, availability and integrity condition, and any other vendor recommendations.
• Inspect the software configuration to confirm that key aspects have been addressed, including the modification of default passwords, initial application parameter settings relative to security and any other vendor defaults.
• Enquire whether and confirm that temporary access granted for installation purposes is monitored and that passwords are changed immediately after installation is completed. Inspect the application security settings to confirm compliance.
• Confirm with key staff members that only appropriately licensed software is tested and installed and that installations are performed in accordance with vendor guidelines. Identify instances where vendor guidelines were not followed, and confirm that vendors were consulted regarding the potential impact.
• Confirm with key staff members that an independent group (e.g., librarian) is granted access for the movement of the programs and data amongst libraries. Where applicable, inspect user access to the library management system.
• Trace all users with access to check-in/check-out programs and data from the libraries to their originating access request forms, and confirm approval by an appropriate senior staff member.
• Enquire with staff members whether acceptance procedures are enforced using objective acceptance criteria and whether acceptance criteria ensure that product performance is consistent with agreed-upon specifications and requirements. Review agreed-upon specifications and/or SLA requirements, and compare with acceptance procedures, identifying areas where procedures are not adequately followed.
• Confirm with key staff members that access to maintenance activities over sensitive infrastructure components is logged and regularly reviewed by a responsible senior staff member.
• Review maintenance logs and confirm that all items have been recorded. Review relevant documentation (e.g., the log review matrix and periodic system security reports) to confirm that logs are reviewed on a regular basis.

AI3.2 Infrastructure Resource Protection and Availability
Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.

Value Drivers
• Consistent technological planning
• Enhanced system security
• Balanced hardware and software utilisation
• Data integrity and confidentiality maintained in all system stages

Risk Drivers
• Disruptions in production processing
• Undetected bypassing of access controls
• Unauthorised access to sensitive software
• Business needs not supported by technology

AI3 Acquire and Maintain Technology Infrastructure (cont.)

APPENDIX III
Test the Control Design
• Confirm with key staff members that maintenance of the installed system software process utilises the same process as application updates, where applicable. Inspect the planned system software maintenance and identify deviations from the normal process for application updates and/or exceptions to vendor procedures and guidelines.
• Confirm with key staff members that documentation of system software is maintained, kept current and updated with vendor documentation for all system maintenance activity.
• Inspect relevant documentation and identify areas where it is incomplete or out of date.
• Enquire of key staff members to confirm the process or method used to obtain timely notification of availability of vendor upgrades and/or patches (e.g., a specific vendor agreement, membership in a product user group, subscriptions to a trade journal).
• Inspect a sample of system software and confirm that upgrades and/or patches have been applied in a timely manner.
• Identify all deviations and/or exceptions.
• Enquire of key staff members whether the amount of maintenance being performed, the vulnerability to unsupported infrastructure, and future risks and security vulnerabilities are reviewed on a regular basis.
• Perform an assessment of these reviews and note areas where risks identified by the assessment have not been discussed by key staff members.
• Inspect maintenance tracking logs and feedback tools to ensure that the results of these reviews are communicated to the IT council or equivalent group for consideration within the infrastructure planning process.

Test the Control Design
• Confirm with key staff members that an approach commensurate with strategic technology plans is designed that will enable the creation of suitable testing and simulation environments to help verify the feasibility of planned acquisitions or developments.

AI3.3 Infrastructure Maintenance
Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation’s change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requirements.

Value Drivers
• Monitored maintenance contracts
• Effective maintenance processes
• Operational change management for replacement of software

Risk Drivers
• Disruptions in production processing
• Unauthorised access to sensitive software
• Technology failing to support business needs
• Violation of licence agreements

AI3.4 Feasibility Test Environment
Establish development and test environments to support effective and efficient feasibility and integration testing of infrastructure components.

Value Drivers
• Effective support for proving replacement of software
• Detection of errors and issues before they impact production processing

Risk Drivers
• Business disruptions
• Malicious damages

AI3 Acquire and Maintain Technology Infrastructure (cont.)
Take the following steps to test the outcome of the control objectives:
• Review acquisition infrastructure plans to confirm that they have been reviewed and approved and that risks, costs and benefits, and technical conformance have been considered. Inspect the plans to confirm sign-off by the IT council or equivalent.
• Confirm with key staff members that all security requirements associated with the application software installation and maintenance processes have been addressed and any new risks have been assessed and actioned.
• Confirm with the training department and key personnel who use sensitive infrastructure components that appropriate training has been provided.
• Confirm with key staff members that a plan and strategy are in place to guide infrastructure maintenance in line with change management procedures. Inspect relevant plan documentation to confirm that all aspects of the infrastructure maintenance requirements (including change requests, patches, upgrades, fixes) are included. Also confirm that the strategy and plan are in line with the organisation’s technology direction, are reviewed in a timely manner and are approved by the responsible management.
• Confirm that the method used to segregate system environments into development and testing is adequate.
• Confirm that a test environment has been created that appropriately considers functionality, hardware and software configuration, integration and performance testing, migration between environments, version control, test data and tools, and security.

Take the following steps to document the impact of the control weaknesses:
• Identify performance problems that have impacted the overall performance of the system.
• Identify preventive maintenance problems that have impacted the overall performance of the system.
• Identify weaknesses in the setup, installation and maintenance of system software (including the selection of inappropriate system software parameters) that have jeopardised the security of the data and programmes being stored on the system.
• Identify weaknesses in the testing of system software that could jeopardise the security of the data and programmes being stored on the system.
• Identify weaknesses in the system software change control process that could jeopardise the security of the data and programmes being stored on the system.

AI4 Enable Operation and Use
Knowledge about new systems is made available. This process requires the production of documentation and manuals for users and IT, and provides training to ensure the proper use and operation of applications and infrastructure.
Test the Control Design
• Confirm with key staff members that operational procedures and user documentation (including online assistance) have been defined and documented prior to implementation of new or upgraded automated systems or infrastructure.
• Inspect relevant documentation to confirm responsibility for the production of management, user and operational procedures in relation to the new or upgraded automated systems or infrastructure.

Test the Control Design
• Confirm through interviews with key staff members management’s awareness and knowledge of the process to enable ownership and operation of the system (e.g., access approval, privilege management, segregation of duties, automated business controls, backup recovery, physical security, source document archival).
• Review training and implementation materials to determine if the defined process includes the required content.
• Confirm through interviews with key staff members that management is aware of and able to use the feedback mechanism to assess adequacy of the support documentation, procedures and related training.
• Interview business management personnel to assess their ability to use the system effectively.
• Walk through key system functions with business management personnel to identify areas where additional training would be helpful.
• Review and assess training materials for areas that are not covered or are unclear.

AI4.1 Planning for Operational Solutions
Develop a plan to identify and document all technical, operational and usage aspects such that all those who will operate, use and maintain the automated solutions can exercise their responsibility.

Value Drivers
• Consistent user and operations manuals
• Support of user training
• Enhanced service quality

Risk Drivers
• Overdue changes
• Gaps between expectations and capability
• Inappropriate priority given to different services provided
• Inadequate budgets and resources to address gaps

AI4.2 Knowledge Transfer to Business Management
Transfer knowledge to business management to allow those individuals to take ownership of the system and data, and exercise responsibility for service delivery and quality, internal control, and application administration.

Value Drivers
• Knowledge transfer within the organisation
• Consistent quality over all affected teams
• Efficient support for business
• User manuals supporting business processes

Risk Drivers
• Increased reliance on key staff members
• Problems in daily operations
• Incidents encountered and repeated
• Help desk overload
Test the Control Design
• Interview key staff members about the user group’s awareness and knowledge of the process to effectively and efficiently use the application system to support business processes (e.g., training and skills development, training materials, user manuals, procedure manuals, online help, service desk support, key user identification, evaluation).
• Review training and implementation materials to determine if the defined process includes the required content.
• Confirm through interviews with key staff members that the user is aware of and able to use the feedback mechanism to assess the adequacy of the support documentation, procedures and related training.

AI4 Enable Operation and Use (cont.)

AI4.3 Knowledge Transfer to End Users
Transfer knowledge and skills to allow end users to effectively and efficiently use the system in support of business processes.

Value Drivers
• Knowledge transfer to stakeholders
• Efficient and effective training
• Optimised operation and system usage

Risk Drivers
• Inconsistent system usage
• Insufficient documentation
• Increased reliance on key staff members
• Problems in daily operations
• Training failing to meet user requirements
• Help desk overload

Test the Control Design
• Interview key staff members about the operation and technical support staff’s awareness and knowledge of the process to effectively and efficiently deliver, support and maintain the application system and associated infrastructure according to service levels (e.g., training and skills development, training materials, user manuals, procedure manuals, online help, service desk scenarios).
• Review training and implementation materials to determine if the defined process includes the required content.
• Confirm through interviews with key staff members that operation and technical support personnel are aware of and able to use the feedback mechanism to assess adequacy of the support documentation, procedures and related training.
• Determine if operations and support staff members are involved in the development and maintenance of operations and support documentation.
• Identify areas where operational support procedures are not integrated with existing operational support procedures.

AI4.4 Knowledge Transfer to Operations and Support Staff
Transfer knowledge and skills to enable operations and technical support staff to effectively and efficiently deliver, support and maintain the system and associated infrastructure.

Value Drivers
• Knowledge transfer to stakeholders
• Efficient and effective training
• Optimised operation and system support
• Formally defined approaches for all stages of application development

Risk Drivers
• Insufficient documentation
• Increased reliance on key staff members
• Problems in daily operations
• Training failing to meet operations or support requirements
• Help desk overload
Take the following steps to test the outcome of the control objectives:
• For a selection of solution delivery projects, inspect documentation to determine that user and operational procedures manuals are in place.
• Assess management’s knowledge to determine if members of management have directed the creation of management procedures for their business areas (e.g., access approval, privilege management, segregation of duties, automated business controls, backup/recovery, physical security, source document archival). Confirm that these procedures are integrated with existing management and control procedures, and investigate to determine if management is aware of discrepancies.
• Walk through new or upgraded applications with business management to identify areas where additional training is needed. Review and assess the training materials used.
• Inspect a selection of feedback documentation to determine if adequate feedback mechanisms have been used for developing support documentation, procedures and related training material.
• Assess users’ involvement in the creation of user procedures for their business areas (e.g., training and skills development, training materials, user manuals, procedure manuals, online help, service desk support, key user identification, evaluation). Confirm that these procedures are integrated with existing user and control procedures (e.g., system inputs/outputs, system integration, error messages), and investigate to determine if users are aware of discrepancies.
• Walk through new or upgraded applications and infrastructure with operations management and technical support staff to identify areas where additional training would be helpful. Review and assess training materials for adequacy.
• Assess operation and technical support staff’s involvement in the creation of operation and technical support staff procedures for their areas (e.g., training and skills development, training materials, user manuals, procedure manuals, online help, service desk scenarios). Confirm that these procedures (e.g., backup, restart/restore, reports/output distribution, emergency fixes, operator command/parameters, problem escalation) are integrated with existing operation and technical support staff members’ procedures. Investigate to determine if operation and technical support staff members are aware of discrepancies.

Take the following steps to document the impact of the control weaknesses:
• Assess the cost and operational inefficiency of inadequate training and/or user and operational procedures.
• Identify deficiencies in users, operations and training manuals.
AI5 Procure IT Resources
IT resources, including people, hardware, software and services, need to be procured. This requires the definition and enforcement of procurement procedures, the selection of vendors, the setup of contractual arrangements, and the acquisition itself. Doing so ensures that the organisation has all required IT resources in a timely and cost-effective manner.

Test the Control Design
• Confirm through interviews with key staff members that the policies and standards are in place for establishing contracts with suppliers. The policies and standards should address supplier-client responsibilities, supplier SLAs, monitoring and reporting against SLAs, transition arrangements, notification and escalation procedures, security standards, records management and control requirements and required supplier QA practices. Contracts should also include legal, financial, organisational, documentary, performance, security, auditability, intellectual property, responsibility and liability aspects.

Test the Control Design
• Confirm through interviews with key staff members that the IT procurement process and acquisition strategy are aligned with the organisation’s procurement policies and procedures (e.g., legislative requirements, compliance with the organisation’s IT acquisition policy, licensing and leasing requirements, technology upgrade clauses, involvement of the business, total cost of ownership, acquisition plan for major acquisitions, recording of assets).
• Inspect project management policies and procedures to evaluate conformance with enterprise procurement policies and procedures.

AI5.1 Procurement Control
Develop and follow a set of procedures and standards that is consistent with the business organisation’s overall procurement process and acquisition strategy to acquire IT-related infrastructure, facilities, hardware, software and services needed by the business.

Value Drivers
• Optimised supplier relations
• High-quality contribution to business and IT processes
• Procurements supporting the achievement of desired business and IT goals

Risk Drivers
• Gaps in fulfilling requirements by suppliers
• Commercial and contractual procurement exposures
• Automated solutions not in line with the organisation’s short- and long-term plans
• Insufficient software quality in procured solutions
• Lack of cost control

AI5.2 Supplier Contract Management
Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organisational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisors.

Value Drivers
• Defined supplier relationship objectives and goals
• Efficiently managed procurement of resources
• High-quality contribution to business and IT processes

Risk Drivers
• Lack of cost management
• Gaps between business expectations and supplier capabilities
• Undefined service costs incurred
• Services failing to reflect business requirements
• Lack of operational support
Test the Control Design
• Confirm through interviews with key staff members that predefined, specified and established criteria (e.g., requirements definition, timetable, decision process) are used for supplier and acquisition selections.
• Inspect requests for information (RFIs) and requests for proposal (RFPs) to determine if the established criteria are defined.
• Enquire whether and confirm that software acquisitions include and enforce the rights and obligations of all parties (e.g., ownership and licensing of intellectual property; maintenance warranties; arbitration procedures; upgrade terms; and fitness for purpose, including security, escrow and access rights). For a selection of software acquisitions, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that acquisitions of development resources include and enforce the rights and obligations of all parties (verify, for example, ownership and licensing of intellectual property; fitness for purpose, including development methodologies; languages; testing; quality management processes, including required performance criteria; performance reviews; basis for payment; warranties; arbitration procedures; human resource management; and compliance with the organisation’s policies).
• Determine if legal advice has been obtained on resource development acquisition agreements regarding ownership and licensing of intellectual property.
• For a selection of acquisitions of development resources, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that acquisitions of infrastructure, facilities and related services include and enforce the rights and obligations of all parties (e.g., service levels, maintenance procedures, access controls, security, performance review, basis for payment, arbitration procedures).
• For a selection of acquisition of infrastructure, facilities and related services, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that RFIs and RFPs are evaluated in accordance with the approved process and criteria.
• Determine if documentary evidence is effectively maintained.

AI5.3 Supplier Selection
Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimised with input from potential suppliers.

Value Drivers
• Contribution to new ideas and practices
• A continuous contribution to the organisation’s objectives beyond supplier SLAs

Risk Drivers
• Inappropriate supplier selection
• Inadequate support for the achievement of the organisation’s objectives
• Gaps between supplier requirements and capabilities

AI5 Procure IT Resources (cont.)
Test the Control Design
• Determine whether all acquisition agreements are verified.
• Review the agreements, compare them to policy documentation and determine whether they comply with company policy.
• Determine whether acquisitions are reviewed and approved by appropriate personnel and whether legal advice has been obtained.
• Inspect documentation of contract review and approval.
• Enquire whether common processes are established and used for acquisition of software, infrastructure and facilities.
• Perform a walk-through of the processes to determine if they operate effectively.
• Enquire whether rights and obligations of all parties to the acquisition are evaluated in the acquisition processes. These rights and obligations could include:
– Approval
– Service levels
– Maintenance procedures
– Access controls
– Security
– Performance review
– Basis for payment
– Arbitration procedures
• For a representative sample of acquisitions, determine if the rights and obligations of all parties are evaluated.
• Enquire whether the acquisition process adequately considers all relevant rights and obligations, which may include:
– Ownership and licensing of intellectual property
– Maintenance
– Warranties and arbitration procedures
– Upgrade terms
– Fitness for purpose, including security
– Escrow and access rights
• Determine if management reporting requirements associated with acquisitions are addressed.
• Enquire whether a quality assessment and acceptance process for all acquisitions has been established and used, and determine whether this process is effectively performed on all acquisitions before payment is made.
• Enquire whether all hardware and software acquisitions are recorded.
• Select a representative sample of acquisitions and verify that they are recorded in asset registers.

AI5.4 IT Resources Acquisition
Protect and enforce the organisation’s interests in all acquisition contractual agreements, including the rights and obligations of all parties in the contractual terms for the acquisition of software, development resources, infrastructure and services.

Value Drivers
• Efficient and effective incident management
• Systems operating as intended and not prone to disruption
• Incidents able to be solved in a timely manner

Risk Drivers
• Software updates not available when needed
• Software unable to support the business processes
• Changes to the application unable to be applied as intended
• System prone to problems and incidents, causing business disruptions

AI5 Procure IT Resources (cont.)
Take the following steps to test the outcome of the control objectives:
• For a selection of recent procurements, determine if the selection approach was responsive to the unique risks of the procurement (e.g., meets business functional and technical requirements, addresses risks identified in the risk analysis report, complies with procurement decisions).
• Inspect evidence of approvals at key decision points for a selection of IT procurements, including evidence of senior management sign-offs on sections that did not follow standard policies.
• For a selection of contracts, determine if only authorised suppliers were used.
• For a selection of supplier and acquisitions contracts, compare RFIs and RFPs with the predefined requirements, and determine if established criteria have been met.
• Enquire whether and confirm that software acquisitions include and enforce the rights and obligations of all parties (e.g., ownership and licensing of intellectual property; maintenance warranties; arbitration procedures; upgrade terms; fitness for purpose, including security; escrow and access rights). For a selection of software acquisitions, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that acquisitions of development resources include and enforce the rights and obligations of all parties (verify, for example, ownership and licensing of intellectual property; fitness for purpose, including development methodologies; languages; testing; quality management processes, including required performance criteria; performance reviews; basis for payment; warranties; arbitration procedures; human resource management; compliance with the organisation’s policies).
• Determine if legal advice has been obtained for resource development acquisition agreements regarding ownership and licensing of intellectual property.
• Enquire whether and confirm that acquisitions of infrastructure, facilities and related services include and enforce the rights and obligations of all parties (e.g., service levels, maintenance procedures, access controls, security, performance review, basis for payment, arbitration procedures). For a selection of acquisition of infrastructure, facilities and related services, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that RFIs and RFPs have been evaluated in accordance with the approved process and criteria. Determine if documentary evidence is effectively maintained.

Take the following steps to document the impact of the control weaknesses:
• Assess the cost and time impact of IT procurement not being aligned with the organisation’s procurement policies.
• Assess the cost and time impact of IT procurement not meeting business, legal and contractual requirements.
• Assess the legal implications of the supplier and acquisition selection process not complying with legal and contractual requirements.
AI6 Manage Changes

All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.
IT ASSURANCE GUIDE: USING COBIT
I T G O V E R N A N C E I N S T I T U T E138
AI6.1 Change Standards and Procedures

Control Objective
Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

Value Drivers
• An agreed-upon and standardised approach for managing changes in an efficient and effective manner
• Changes reviewed and approved in a consistent and co-ordinated way
• Formally defined expectations and performance measurement

Risk Drivers
• Inappropriate resource allocation
• No tracking of changes
• Insufficient control over emergency changes
• Increased likelihood of unauthorised changes being introduced to key business systems
• Failure to comply with compliance requirements
• Unauthorised changes
• Reduced system availability

Test the Control Design
• Enquire whether and confirm that the processes and procedures for handling change requests (including maintenance and patches) apply to applications, procedures, processes, system and service parameters, and the underlying platforms.
• Review the change management framework to determine if the framework includes:
– The definition of roles and responsibilities
– Classification (e.g., between infrastructure and application software) and prioritisation of all changes
– Assessment of impact, authorisation and approval
– Tracking of changes
– Version control mechanism
– Impact on data integrity (e.g., all changes to data files made under system and application control rather than by direct user intervention)
– Management of change from initiation to review and closure
– Definition of rollback procedures
– Use of emergency change processes
– Business continuity planning
– Use of a record management system
– Audit trails
– Segregation of duties
• Enquire whether and confirm that processes and procedures for contracted services providers (e.g., infrastructure, application development, application service providers, shared services) are included in the change management process.
• Determine if the process and procedures include the contractual terms and SLAs.
AI6.2 Impact Assessment, Prioritisation and Authorisation

Control Objective
Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised.

Value Drivers
• An agreed-upon and standardised approach for assessing impacts in an efficient and effective manner
• Formally defined change impact expectations based on business risk and performance measurement
• Consistent change procedure

Risk Drivers
• Unintended side effects
• Adverse effects on capacity and performance of the infrastructure
• Lack of priority management of changes

Test the Control Design
• Enquire whether and confirm that the change management process allows business process owners and IT to request changes to infrastructure, systems or applications.
• Enquire whether and confirm that requested changes are categorised (e.g., between infrastructures, operating systems, networks, application systems, purchased/packaged application software).
• Confirm through interviews with key staff members that requested changes are prioritised based on predefined criteria (e.g., business and technical needs for the change and legal, regulatory and contractual requirements).
• Enquire whether and confirm that change requests are assessed and documented in a structured method that addresses impact analysis on infrastructure, systems and applications.
• Enquire whether and confirm that security, legal, contractual and compliance implications are considered in the assessment process for the requested change and that business owners are involved.
• Enquire whether and confirm that each requested change is formally approved by the business process owners and IT technical stakeholders.
• Inspect a representative sample of change management requests to ensure that they were appropriately assessed, evaluated, prioritised and reviewed.
AI6.3 Emergency Changes

Control Objective
Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process.

Value Drivers
• An agreed-upon and standardised approach for managing changes in an efficient and effective manner
• Formally defined emergency change expectations and performance measurement
• Consistent procedure for emergency changes

Risk Drivers
• Inability to respond effectively to emergency change needs
• Additional access authorisation not terminated properly
• Unauthorised changes applied, resulting in compromised security and unauthorised access to corporate information

Test the Control Design
• Enquire whether and confirm that the overall change management process includes emergency change procedures (e.g., defining, raising, testing, documenting, assessing and authorising emergency changes).
• Inspect the documentation for a representative sample of emergency changes and, by interviewing key staff members, establish whether emergency changes are implemented as specified in the change management process.
• Confirm through interviews with key staff members that emergency access arrangements are authorised, documented and revoked after the change has been applied.
• Enquire whether and confirm that a post-implementation review of emergency changes is conducted.

AI6.4 Change Status Tracking and Reporting

Control Objective
Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.

Value Drivers
• An agreed-upon and standardised approach for managing changes in an efficient and effective manner
• Formally defined expectations and performance measurement
• Consistent change procedure

Risk Drivers
• Insufficient allocation of resources
• Changes not recorded and tracked
• Undetected unauthorised changes to the production environment

Test the Control Design
• Enquire whether and confirm that there is an established process to allow requestors and stakeholders to track the status of requests throughout the various stages of the change management process.
• Enquire whether and confirm that the tracking and reporting system monitors the status of the change requests (e.g., rejected, approved but not initiated, approved, in process).
• Enquire whether and confirm that management reviews and monitors the detailed status of changes and overall state (e.g., aged analysis of change requests).
• Enquire whether and confirm that open and approved changes are closed in a timely manner, depending on priority.
AI6.5 Change Closure and Documentation

Control Objective
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.

Value Drivers
• An agreed-upon and standardised approach for documenting changes
• Formally defined expectations
• Consistent change and documentation procedures

Risk Drivers
• Increased dependence on key individuals
• Configuration documentation failing to reflect the current system configuration
• Lack of documentation of business processes
• Failure of updates for hardware and software changes

Test the Control Design
• Enquire whether and confirm that change documentation (e.g., operational procedures, configuration information, application documentation, help screens, training materials) is up to date.
• Enquire whether and confirm that change documentation (e.g., pre- and post-implementation system and user documentation) is retained.
• Enquire whether and confirm that business process documentation is updated for the changes implemented in hardware or software.
Take the following steps to test the outcome of the control objectives:
• For a sample of changes, confirm that the following have been approved by appropriate stakeholders (business process owners and IT management):
– Request for change
– Specification of change
– Access to source programme
– Programmer completion of change
– Request to move source into test environment
– Completion of acceptance testing
– Request for compilation and move into production
– Determination and acceptance of overall and specific security impact
• Develop a distribution process.
• Review change control documentation for inclusion of:
– Date of requested change
– Person(s) requesting
– Approval of change request
– Approval of change made—IT function
– Approval of change made—users
– Documentation update date
– Move date into production
– QA sign-off of change
– Acceptance by operations
• For a selection of changes, review documentation to determine the existence of a version control mechanism.
• For a selection of changes related to contracted service providers, inspect implemented changes and determine if they follow vendor-provided instructions.
• Inspect a selection of changes and determine if requests have been categorised.
• Inspect a selection of changes and determine if changes have been prioritised based on predefined criteria.
• Inspect a selection of changes and determine if changes have been assessed in a structured method (e.g., security, legal, contractual and compliance implications are considered and business owners are involved).
• Inspect a sample of emergency changes and verify that they have been processed in accordance with the change management framework. Verify that procedures have been followed to authorise, document and revoke access after the change has been applied.
• Inspect a sample of emergency changes and determine if a post-implementation review has been conducted after the changes were applied. Consider implications for further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
• Walk through the tracking and reporting system and verify that documentation is kept for rejected changes, the status of approved and in-process changes, and closed changes, and confirm with users to ensure that the status is current.
• Inspect a selection of change status reports to determine if an audit trail is used to track changes from inception to disposition.
• Inspect a sample of change status reports to determine if performance metrics are used to aid management’s review and monitoring.
• Inspect a sample of changes to determine if change documentation has been retained in accordance with the appropriate retention period.
• Inspect business process manuals to determine if they have been updated with new or improved functionality changes in hardware and software.
• Select a sample of changes and assess the quality of co-ordination with third parties.
• Confirm the process of assessing the performance of the change management process. Assess any potential improvements identified that resulted in recommendations to IT management to improve the change management process.

Take the following steps to document the impact of the control weaknesses:
• Assess the time and cost of lack of formal change management standards and procedures (e.g., improper resource allocation, unclear roles and responsibilities, security breaches, lack of rollback procedures, lack of documentation and audit trails, inadequate training).
• Assess the time and cost of lack of formal impact assessment to prioritise and authorise changes.
• Assess the time and cost of lack of formal emergency change standards and procedures (e.g., compromised security, failure to properly terminate additional access authorisations, unauthorised access to corporate information).
• Assess the impact (e.g., insufficient allocation of resources, lack of priority management, changes not recorded and tracked, unauthorised changes to the productive environment undetected) of lack of tracking and reporting changes.
• Assess the impact (e.g., increased dependence on key individuals, configuration documentation not reflecting the current system configuration, documentation lacking business processes, failure of updates for hardware and software changes) of lack of system and user documentation.
• Assess the impact (e.g., failure of systems to meet end users’ needs, lack of cost and resource control for changes, loss of business focus for changes, failure of return on investments to meet management’s expectations, unavailability of new systems for the business processes) of lack of evaluation of the change process.
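The properties the AI6 test steps above look for in a change register (every request categorised and prioritised, authorisation by someone other than the requester, a status trail from request to closure, aged analysis of open changes, and revocation of the temporary access granted for an emergency change) can be checked mechanically once the register is modelled. The following is an added example written for this page, not code from ITGI or COBIT. The status names come from the AI6.4 text and the categories from the AI6.2 test step; the days-open limit per priority, the people, the dates and the change identifiers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Status values from AI6.4 (rejected, approved but not initiated, approved,
# in process) plus implementation and closure, with the allowed transitions.
TRANSITIONS = {"requested": {"rejected", "approved"},
               "approved": {"in_process"},      # "approved but not initiated"
               "in_process": {"implemented"},
               "implemented": {"closed"}}       # closed after post-implementation review
# Categories from the AI6.2 test step; the days-open limit per priority is an
# assumed policy value, not one the guide specifies.
CATEGORIES = {"infrastructure", "operating_system", "network", "application", "packaged_software"}
MAX_OPEN_DAYS = {"low": 30, "medium": 14, "high": 3, "emergency": 1}


@dataclass
class ChangeRequest:
    cid: str
    requester: str
    category: str
    priority: str
    raised_at: datetime
    status: str = "requested"
    emergency: bool = False
    temp_access: dict = field(default_factory=dict)  # principal -> revoked?
    audit: list = field(default_factory=list)        # (when, actor, event)


class ChangeRegister:
    def __init__(self):
        self.changes = {}

    def _log(self, cr, when, actor, event):
        cr.audit.append((when, actor, event))

    def raise_request(self, cid, requester, category, priority, when, emergency=False):
        if category not in CATEGORIES or priority not in MAX_OPEN_DAYS:
            raise ValueError(f"{cid}: change must be categorised and prioritised")
        cr = self.changes[cid] = ChangeRequest(cid, requester, category, priority, when, emergency=emergency)
        self._log(cr, when, requester, "raised")
        return cr

    def transition(self, cid, new_status, actor, when):
        cr = self.changes[cid]
        if new_status not in TRANSITIONS.get(cr.status, set()):
            raise ValueError(f"{cid}: {cr.status} -> {new_status} is not allowed")
        if new_status == "approved" and actor == cr.requester:   # segregation of duties
            raise PermissionError(f"{cid}: requester cannot approve own change")
        self._log(cr, when, actor, f"{cr.status} -> {new_status}")
        cr.status = new_status

    def set_emergency_access(self, cid, principal, revoked, actor, when):
        cr = self.changes[cid]
        if not cr.emergency:
            raise ValueError(f"{cid}: temporary access is only for emergency changes")
        cr.temp_access[principal] = revoked
        self._log(cr, when, actor, f"{'revoked' if revoked else 'granted'} access: {principal}")

    def aged_analysis(self, now):
        """AI6.4: open changes whose days open exceed the limit for their priority."""
        return {cr.cid: (now - cr.raised_at).days for cr in self.changes.values()
                if cr.status not in ("rejected", "closed")
                and (now - cr.raised_at).days > MAX_OPEN_DAYS[cr.priority]}

    def unrevoked_emergency_access(self):
        """AI6.3: emergency access still live after the change has been applied."""
        return sorted((cr.cid, p) for cr in self.changes.values()
                      if cr.status in ("implemented", "closed")
                      for p, revoked in cr.temp_access.items() if not revoked)


def demo():
    """Constructed walk-through; returns the findings an assurance step would look at."""
    reg, t0 = ChangeRegister(), datetime(2024, 1, 1)
    reg.raise_request("CR-1", "alice", "application", "medium", t0)
    try:
        reg.transition("CR-1", "approved", "alice", t0)   # self-approval is refused
        sod_enforced = False
    except PermissionError:
        sod_enforced = True
    reg.transition("CR-1", "approved", "bob", t0)
    reg.transition("CR-1", "in_process", "carol", t0 + timedelta(days=1))
    reg.transition("CR-1", "implemented", "carol", t0 + timedelta(days=2))
    reg.transition("CR-1", "closed", "bob", t0 + timedelta(days=3))
    t1 = t0 + timedelta(days=10)   # emergency change whose access is never revoked
    reg.raise_request("CR-2", "dave", "network", "emergency", t1, emergency=True)
    reg.set_emergency_access("CR-2", "dave", False, "oncall-manager", t1)
    for status, actor in (("approved", "oncall-manager"), ("in_process", "dave"), ("implemented", "dave")):
        reg.transition("CR-2", status, actor, t1)
    reg.raise_request("CR-3", "erin", "infrastructure", "high", t0 + timedelta(days=5))
    now = t0 + timedelta(days=12)
    return {"sod_enforced": sod_enforced,
            "aged": reg.aged_analysis(now),
            "unrevoked": reg.unrevoked_emergency_access(),
            "cr1_audit_events": len(reg.changes["CR-1"].audit)}
```

Running `demo()` shows two of the outcome tests at once: the aged analysis flags CR-2 and CR-3 as open beyond their priority limit, and the emergency-access report names the access granted for CR-2 that was never revoked, which is exactly the condition the emergency-change test step asks the reviewer to look for.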
AI7 Install and Accredit Solutions and Changes

New systems need to be made operational once development is complete. This requires proper testing in a dedicated environment with relevant test data, definition of rollout and migration instructions, release planning and actual promotion to production, and a post-implementation review. This assures that operational systems are in line with the agreed-upon expectations and outcomes.
AI7.1 Training

Control Objective
Train the staff members of the affected user departments and the operations group of the IT function in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project.

Value Drivers
• Consistent development of new skills
• Enhanced training for effective and efficient job performance
• Familiarisation with new or modified systems

Risk Drivers
• Failure to promptly detect problems with systems or their use
• Gaps in knowledge to perform required duties and activities
• Errors resulting from new projects

Test the Control Design
• Enquire whether and confirm that a training plan is part of the overall project master plan for development projects.
• Enquire whether and confirm (e.g., through interviews with key staff members or inspection of project plan) that the training plan identifies and addresses impacted groups (e.g., business end users, IT operations, support and IT application development training, service providers).
• Enquire whether and confirm that alternative training strategies are considered to ensure that a cost-effective approach is selected and incorporated in the training framework.
• Enquire whether and confirm that there is a process to verify compliance with the training plan.
• Inspect training documentation to determine compliance to the training plan (e.g., list of staff members invited to training, attendees list, evaluation forms for the achievement of learning objectives and other feedback).
• Enquire whether and confirm that there is a process of monitoring training to obtain feedback that could lead to potential improvements in the system.
• Enquire whether and confirm that planned changes are monitored to ensure that training requirements are considered and suitable plans are created.
AI7.2 Test Plan

Control Objective
Establish a test plan based on organisationwide standards that defines roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.

Value Drivers
• Commitment of key stakeholders
• Minimised business interruptions resulting from system processing failure

Risk Drivers
• Insufficient testing by automated test scripts
• Performance problems undetected
• Lack of cost control over testing activities
• Undefined testing roles and responsibilities

Test the Control Design
• Enquire whether and confirm that a test plan is developed and documented in accordance with the project quality plan and relevant organisational standards and that it is communicated to appropriate business owners and IT stakeholders.
• Enquire whether and confirm that the test plan reflects an assessment of the project’s risks and that all functional and technical testing requirements are included.
• Enquire whether and confirm that the test plan identifies resources to execute the tests and evaluate test results.
• Confirm that stakeholders are consulted on resource implications of the test plan.
• Enquire whether and confirm that the test plan considers test preparation, including site preparation; training requirements; installation or update of a defined test environment; planning/performance/documentation/retention of test cases; error and problem handling, correction and escalation; and formal approval.
• For a sample of test plans, inspect documentation to determine if appropriate test phases are performed.
• Enquire whether and confirm that the test plan establishes clear criteria for measuring the success of undertaking each testing phase and that consultations with the business process owners and IT stakeholders are considered in defining the success criteria.
• Determine if the plan establishes remediation procedures when the success criteria are not met (e.g., in case of significant failures in a testing phase, the plan provides guidance on whether to proceed to the next phase, stop testing or postpone implementation).
• Enquire whether and confirm that test plans are approved by stakeholders, including business process owners and IT, as appropriate. Examples of other stakeholders are application development managers, project managers and business process end users.
AI7.3 Implementation Plan

Control Objective
Establish an implementation and fallback/backout plan. Obtain approval from relevant parties.

Value Drivers
• An agreed-upon and standardised approach for implementing changes in an efficient and effective manner
• Formally defined expectations and performance measurement
• Effective recovery in the event of implementation failure

Risk Drivers
• Improper resource allocation to ensure effective implementation of changes
• Security breaches

Test the Control Design
• Confirm for a representative sample of projects that the implementation plan has been reviewed and approved.
• Enquire whether and confirm that an implementation plan has been created that includes the broad implementation strategy, the sequence of implementation steps, resource requirements, interdependencies, criteria for management agreement to the production implementation, installation verification requirements and transition strategy for production support.
• Select a representative sample of projects and validate that the implementation plan is aligned with the business change management plan.
• Enquire whether and confirm that third parties are committed to be involved in each step of the implementation.
• Enquire whether and confirm that fallback and recovery processes are identified and documented in the implementation plan.

AI7.4 Test Environment

Control Objective
Define and establish a secure test environment representative of the planned operations environment relative to security, internal controls, operational practices, data quality and privacy requirements, and workloads.

Value Drivers
• Minimised business interruptions in production

Risk Drivers
• Insufficient testing using automated test scripts
• Performance problems undetected
• System security compromised

Test the Control Design
• Enquire whether and confirm that the test environment is set up to mirror the production environment (factors include workload/stress, operating systems, necessary application software, database management systems, network and computing infrastructure).
• Enquire whether and confirm that the test environment is incapable of interacting with production environments.
• Enquire whether and confirm that a test database exists.
• Evaluate the existence and quality of a data-sanitising process in creating a test database.
• Assess protection measures and the authorisation of access to the test environment.
• Enquire whether and confirm that a process exists and is complied with to manage retention or disposal of test results.
• Enquire whether and confirm that the retention process meets or exceeds regulatory or compliance requirements.
AI7.5 System and Data Conversion

Control Objective
Plan data conversion and infrastructure migration as part of the organisation’s development methods, including audit trails, rollbacks and fallbacks.

Value Drivers
• Improper components detected and removed from production
• New system operating as intended and supporting the business processes

Risk Drivers
• Old systems not available when needed
• Unreliable system and conversion results
• Subsequent processing interruptions
• Data integrity issues

Test the Control Design
• Confirm (e.g., through interviews with key staff members or inspection of policies and procedures) that data conversion and infrastructure mitigation plans exist, and consider the following: hardware, networks, operating systems, software, transaction data, master files, backups and archives, interfaces with other internal and external systems, procedures, system documentation, etc.
• Through interviews with key staff members, enquire about the timing and completeness of conversion cutover.
• Enquire whether and confirm that a backup is taken prior to conversion, audit trails are maintained, and a fallback and recovery plan exists.

AI7.6 Testing of Changes

Control Objective
Test changes independently in accordance with the defined test plan prior to migration to the operational environment. Ensure that the plan considers security and performance.

Value Drivers
• Achieved system performance
• Effective cost control
• Increased customer confidence

Risk Drivers
• Waste of resources
• Degraded overall security
• Changes impacting system performance and availability

Test the Control Design
• Enquire whether and confirm that testing of changes is developed with independence (separation of duties) and conducted only in the test environment.
• Enquire whether and confirm that test scripts exist to validate security and performance requirements.
• Confirm through interviews that fallback or backout plans are prepared and tested prior to changes being promoted into production.
AI7.7 Final Acceptance Test

Control Objective
Ensure that business process owners and IT stakeholders evaluate the outcome of the testing process as determined by the test plan. Remediate significant errors identified in the testing process, having completed the suite of tests identified in the test plan and any necessary regression tests. Following evaluation, approve promotion to production.

Value Drivers
• Minimised business interruptions in production
• Critical data flows protected
• Deviations from expected service quality identified
• Application meeting usability requirements

Risk Drivers
• Performance problems undetected
• Business rejection of delivered capabilities

Test the Control Design
• Confirm that key stakeholders are considered in the final acceptance testing activities.
• Enquire whether and confirm that in the final acceptance stages, success criteria are identified in the testing plan.
• Enquire whether and confirm that appropriate documentation for review and evaluation exists.
• Enquire of key stakeholders whether the documentation and presentation of final acceptance testing results are complete and timely.
AI7.8 Promotion to Production

Control Objective
Following testing, control the handover of the changed system to operations, keeping it in line with the implementation plan. Obtain approval of the key stakeholders, such as users, system owner and operational management. Where appropriate, run the system in parallel with the old system for a while, and compare behaviour and results.

Value Drivers
• An agreed-upon and standardised approach for promoting changes into production in an efficient and effective manner
• Formally defined expectations and performance measurement
• Consistent change procedure

Risk Drivers
• Segregation of duties violations
• Systems exposed to fraud or other malicious acts
• No rollback to previous application system version possible

Test the Control Design
• Review procedures for program transfer to verify that a formal process exists that requires documented approval from user management and system development.
• Confirm that the approval process identifies effective dates for promotion of new systems, applications or infrastructure to production, as well as for the retirement of old systems, applications and infrastructure.
• Enquire whether and confirm that the approval process includes a formal documented sign-off from business process owners, third parties and IT stakeholders as appropriate (e.g., development group, security group, database management, user support and operations group).
• Confirm procedures for updating copies of system documentation and relevant contingency plan.
• Enquire of key staff members concerning procedures for updating all source program libraries and procedures for labelling and retaining prior versions.
• Enquire of key staff members regarding required procedures for obtaining from the acceptance testing function the media used for implementation.
• Enquire of key staff members whether automated software distribution is controlled and whether there are checks in the distribution process that verify that the destination environment is of the correct standard implementation and version.
• Evaluate the effectiveness of the control to verify that distribution occurs only to authorised and correctly identified destinations.
• Enquire of key staff members whether a formal log is kept of what software and configuration items have been distributed, to whom they have been distributed, where they have been implemented, and when each has been updated.
• Enquire of key staff members concerning procedures for promptly updating all program copies and procedures for providing implementation order instructions in advance to all impacted locations.
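The distribution checks in the AI7.8 test steps (controlled automated distribution, verification that the destination is of the correct standard implementation and version, distribution only to authorised and correctly identified destinations, and a formal log of what went where and when) are shown below in working form. This is an added example written for this page, not code from ITGI or COBIT; the baseline table, host names, build content and operator name are constructed, and identifying a distributed item by its content digest is an assumption of the example rather than a requirement stated in the guide.

```python
import hashlib
from datetime import datetime

# Assumed baseline per environment type: the standard implementation and
# version a destination must report before it may receive a release
# (constructed values, not from the guide).
REQUIRED_BASELINE = {
    "app-server": {"platform": "std-app-image", "version": "2.3"},
    "db-server": {"platform": "std-db-image", "version": "1.8"},
}


class DistributionControl:
    """Only authorised, correctly identified destinations on the expected
    baseline receive an item; every attempt goes into the formal log."""

    def __init__(self, authorised_destinations):
        self.authorised = dict(authorised_destinations)  # host -> environment type
        self.log = []   # what, where, requested by, when, outcome

    @staticmethod
    def item_id(name, content):
        """Name plus content digest, so the log records exactly which build went out."""
        return f"{name}@sha256:{hashlib.sha256(content).hexdigest()[:16]}"

    def check_destination(self, host, reported):
        """Return None if the destination may receive the item, else the reason."""
        env_type = self.authorised.get(host)
        if env_type is None:
            return "destination not authorised"
        required = REQUIRED_BASELINE[env_type]
        if reported.get("platform") != required["platform"]:
            return f"wrong standard implementation: {reported.get('platform')}"
        if reported.get("version") != required["version"]:
            return f"baseline version {reported.get('version')} != {required['version']}"
        return None

    def distribute(self, name, content, host, reported, operator, when):
        """Distribute only when the destination check passes; log either way."""
        reason = self.check_destination(host, reported)
        self.log.append({"item": self.item_id(name, content), "destination": host,
                         "requested_by": operator, "when": when.isoformat(),
                         "result": "distributed" if reason is None else f"refused: {reason}"})
        return reason is None

    def implemented_on(self, item):
        """Where an item has actually been implemented, read back from the log."""
        return sorted(e["destination"] for e in self.log
                      if e["item"] == item and e["result"] == "distributed")


def demo():
    """Constructed distribution run; returns what an assurance step would inspect."""
    dc = DistributionControl({"app01": "app-server", "app02": "app-server", "db01": "db-server"})
    build = b"release 4.1 payload (constructed)"
    when = datetime(2024, 3, 1, 9, 0)
    results = [
        dc.distribute("billing-app", build, "app01", {"platform": "std-app-image", "version": "2.3"}, "release-mgr", when),
        dc.distribute("billing-app", build, "app02", {"platform": "std-app-image", "version": "2.2"}, "release-mgr", when),
        dc.distribute("billing-app", build, "db01", {"platform": "std-db-image", "version": "1.8"}, "release-mgr", when),
        dc.distribute("billing-app", build, "rogue-host", {"platform": "std-app-image", "version": "2.3"}, "release-mgr", when),
    ]
    item = DistributionControl.item_id("billing-app", build)
    return {"results": results,
            "implemented_on": dc.implemented_on(item),
            "refusals": [e["result"] for e in dc.log if e["result"] != "distributed"]}
```

The refused attempts stay in the log alongside the successful ones, which is what lets a reviewer answer both AI7.8 questions from one record: which destinations hold the item, and whether the distribution mechanism ever tried to reach a host that was unauthorised or off-baseline.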
AI7.9 Post-implementation Review

Control Objective
Establish procedures in line with the organisational change management standards to require a post-implementation review as set out in the implementation plan.

Value Drivers
• An agreed-upon and standardised approach for post-implementation reviews
• Consistent and transparent review procedure
• Efficient use of organisational resources
• Improved end-user satisfaction

Risk Drivers
• Failure to identify that systems do not meet end users’ needs
• Return on investments failing to meet management’s expectations

Test the Control Design
• Confirm through interviews with key staff members that post-implementation procedures have been established.
• Confirm through interviews with key staff members that business process owners and IT technical management are involved in the selection of metrics for measuring success and achievement of requirements and benefits.
• Confirm through interviews with key staff members that the form of the post-implementation review is in accordance with the organisational change management process and that business process owners and third parties are involved, as appropriate.
• Confirm through interviews with key staff members that requirements for post-implementation review arising from outside business and IT are considered.
• Confirm through interviews with key staff members that an action plan exists to address issues identified in the post-implementation review and that business process owners and IT technical management are involved in the development of the action plan.
IT ASSURANCE GUIDE: USING COBIT
Take the following steps to test the outcome of the control objectives:
• Inspect the training plan to determine if it clearly identifies learning objectives, resources, key milestones, dependencies and critical path tasks. Confirm that the training plan considers alternative training strategies depending on the business needs.
• Inspect training plan documentation to confirm that:
– It identifies the staff members who must be trained
– The training was delivered in a timely manner
– A cost-effective approach is selected and used (e.g., train the trainer, end-user accreditation, intranet-based training)
– Feedback (e.g., evaluation forms, comment sheet) is received and used in identifying areas of potential improvements in the system
– Planned changes are considered training requirements
– It aligns with the project quality plan and relevant organisational standards
– Test plans were communicated to appropriate business owners and IT stakeholders
• Inspect test documentation to determine if testing was performed based on the project's risk assessment. Confirm that all functional and technical testing requirements are covered (e.g., performance, stress, usability, pilot and security testing) and that the test plan addressed any requirement for internal or external accreditation.
• Inspect test documentation to determine if resources were identified for executing the test and evaluating the results (e.g., construction of test environments and staff members for the test group, including potential temporary replacement of test staff members in the production or development environments).
• Review a sample of test scripts to ensure that they adequately address each test criterion.
• For a sample of system development, implementation or modification projects, inspect test documentation to determine if appropriate test phases are performed (e.g., unit test, system test, integration test, user acceptance test, performance test, stress test, data conversion test, security test, operational readiness test).
• For a sample of test plans, inspect documentation to determine if the:
– Criteria for measuring success for each testing phase are considered
– Test plans are approved
– Test database uses only sanitised data and is protected against disclosure
• Inspect conversion plans for adequacy, and confirm with the data owners the results of the conversion for completeness and integrity.
• Inspect and evaluate documentation for fallback/backout plans.
• Verify that error logs include audit trails to facilitate timely bug fixing and remediation.
• Review the final acceptance testing activities to evaluate whether the scope effectively covered all components and effectively addressed the acceptance criteria.
• Review acceptance testing results and evaluate the effectiveness of their interpretation and presentation.
• Inspect results of testing to verify that formal sign-off exists prior to promotion to production.
• Inspect source program libraries to verify that they are updated to the current versions and that prior versions are clearly labelled and retained for a reasonable period of time.
• Evaluate the effectiveness of the control to verify that distribution occurs only to authorised and correctly identified destinations.
• Inspect the log and verify that a procedure has been implemented to ensure its integrity and completeness.
• Physically inspect implementation orders/instructions on file.
• Select a sample of system development, implementation or modification projects and inspect change documentation to determine if management sign-off is performed to ensure that the change is authorised, tested and properly documented before software is released to production.
• Walk through the archive environment, and physically inspect archived versions and documentation.
• Assess the effectiveness of the change handover process in ensuring that only authorised, tested and documented changes are accepted in production.
• Assess the effectiveness of the process in ensuring that software implemented is unchanged from what has been tested.
• Select a sample of build requests and inspect documentation to determine if media preparation is based only on formal build requests.
• Confirm the effectiveness of the backout or reversal procedures.
• Confirm that a distribution audit trail includes the software and configuration items that have been distributed, to whom they have been distributed, where they have been implemented and when each has been updated.
• Confirm that automated software distribution occurs only to authorised and correctly identified destinations.
• Confirm that post-implementation procedures identify, assess and report on the extent to which business requirements have been met; expected benefits have been realised; the system is considered usable; internal and external stakeholders' expectations are met; unexpected impacts on the organisation may have occurred; key risks are mitigated; and the change management, installation and accreditation processes were performed effectively and efficiently.
• Enquire whether and confirm that requirements for post-implementation review arising from outside business and IT are considered.
• For a sample of system development or implementation projects, confirm that outside business and IT requirements (e.g., internal audit, enterprise risk management, regulatory compliance) are included in the post-implementation review.
• Select a sample of system development and implementation projects and confirm that the post-implementation plan includes an action plan to address the issues identified. Confirm that business process owners and IT technical management are involved in the development of action plans.
• Assess the effectiveness of the process for verification of success or failure of changes.
• Assess the configuration inventory to determine if changes are reviewed and accepted.
• Identify:
– Any changes that were made without approval
– Any changes not accounted for
– Current libraries (source and object) not reflecting the most recent changes
– Change control procedure variances
• Assess the impact of failed or erroneous changes.
• Assess the impact of late or delayed changes.

Take the following steps to document the impact of the control weaknesses:
• Assess the cost and operational inefficiency (e.g., failure to detect problems promptly, gaps in knowledge to perform the duties) of lack of training.
• Assess the impact (e.g., insufficient testing by automated test scripts, failure to detect performance problems, lack of cost control, undefined roles and responsibilities) due to the lack of a test plan.
• Assess whether the implementation plan has been reviewed and approved by major stakeholders to ensure that appropriate commitment exists throughout the life of the project.
• Assess the existence of a test environment to mirror production and provide a reliable future state for changes to business operations.
• Assess the data conversion plan for completeness to ensure that it includes audit trail, rollback procedures and fallback procedures.
• Assess whether changes are tested independently in accordance with the defined test plans prior to migration into production.
• Assess whether the test plans include a test to validate security and performance requirements.
• Assess the outcome of the testing process to identify errors requiring timely remediation prior to promotion to production.
• Assess the impact of the lack of a post-implementation plan.
APPENDIX IV—DELIVER AND SUPPORT (DS) PROCESS ASSURANCE STEPS

DS1 Define and Manage Service Levels

Effective communication between IT management and business customers regarding services required is enabled by a documented definition of and agreement on IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.

DS1.1 Service Level Management Framework

Control Objective: Define a framework that provides a formalised service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). The framework should include processes for creating service requirements, service definitions, SLAs, OLAs and funding sources. These attributes should be organised in a service catalogue. The framework should define the organisational structure for service level management, covering the roles, tasks and responsibilities of internal and external service providers and customers.

Value Drivers:
• Clarified IT service responsibilities and IT objectives aligned with business objectives
• Improved communication and understanding between business customers and IT service providers
• Consistency promoted in service levels, service definitions, and service delivery and support

Risk Drivers:
• Gaps between expectations and capabilities, leading to disputes
• Customers and providers not understanding their responsibilities
• Inappropriate priority given to different services provided
• Inefficient and costly operational service

Test the Control Design
• Inspect SLA policies and procedures for the alignment of SLA objectives and performance measures with business objectives and IT strategy.
• Enquire whether and confirm that policies exist for the alignment of SLA objectives and performance measures with business objectives and IT strategy.
• Inspect the service catalogue and verify that it incorporates service requirements, service definitions, SLAs, OLAs and funding sources.
• Enquire of staff members accountable for SLA escalation and resolution to determine whether the procedures or methods established reasonable service levels in responding to issues.
• Inspect a sample of relevant changes and verify that changes were implemented in accordance with the change management process.
• Inspect the design of the service improvement programme for standards to measure performance.
DS1.2 Definition of Services

Control Objective: Base definitions of IT services on service characteristics and business requirements. Ensure that they are organised and stored centrally via the implementation of a service catalogue portfolio approach.

Value Drivers:
• IT service objectives aligned with business objectives
• IT operational service based on correct requirements and priorities
• Incidents linked to the services they impact, enabling incident response to be effectively prioritised

Risk Drivers:
• Inappropriately delivered services
• Incorrect priority for provided services
• Misunderstood impact of incidents, leading to slow response and significant business impact
• Different interpretations and misunderstanding of IT services provided

Test the Control Design
• Enquire whether and confirm that a process exists for developing, reviewing and adjusting the service catalogue or portfolio of services.
• Confirm the existence of a management process to ensure that the service catalogue or portfolio is available, complete and up to date.
• Inspect the service catalogue or portfolio process to verify that it is reviewed on a regular basis.

DS1.3 Service Level Agreements

Control Objective: Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arrangements, if applicable; and roles and responsibilities, including oversight of the SLA. Consider items such as availability, reliability, performance, capacity for growth, levels of support, continuity planning, security and demand constraints.

Value Drivers:
• Service responsibilities and IT objectives aligned with business objectives
• Service quality enhanced due to proper understanding and alignment of service delivery
• Service efficiency increased and costs reduced due to efficient deployment of IT services based on real needs and priorities

Risk Drivers:
• Failure to meet customer service requirements
• Inefficient and ineffective use of service delivery resources
• Failure to identify and respond to critical service incidents

Test the Control Design
• Enquire whether and confirm that stakeholders agree to, record and communicate the SLA, and what is included in the format and contents.
• Inspect the format of the SLA's content to verify that it includes exclusions, commercial arrangements and OLAs.
• Inspect the SLA management process to verify that it measures SLAs (qualitative and quantitative) and monitors the SLA objectives.
• Inspect SLAs for approval and appropriate signatures.
• Observe and review the SLA review process to evaluate its adequacy.
• Verify that the process for improvements or adjustments to SLAs is based on performance feedback and changes to customer and business requirements.
• Enquire of key staff members whether services are being rendered that are not documented in the SLA.
DS1.4 Operating Level Agreements

Control Objective: Define OLAs that explain how the services will be technically delivered to support the SLA(s) in an optimal manner. The OLAs should specify the technical processes in terms meaningful to the provider and may support several SLAs.

Value Drivers:
• Operational services aligned with SLAs and, therefore, to business needs
• Optimisation of operational resources by standardisation and alignment with service requirements
• Cost reduction by optimised use of resources and fewer service incidents

Risk Drivers:
• Failure of the provided services to meet the business requirements
• Gaps in technical understanding of services leading to incidents
• Inefficient and costly use of operational resources

Test the Control Design
• Enquire whether and confirm that a process has been defined to develop, manage, review and adjust OLAs.
• Inspect the SLA(s) and confirm that the OLA supports the technical requirements of the respective SLA(s).
• Obtain a representative sample of OLAs and evaluate whether the OLAs contain operable and optimal definitions of delivery of services.

DS1.5 Monitoring and Reporting of Service Level Achievements

Control Objective: Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.

Value Drivers:
• Users able to monitor service level performance based on reliable information
• The values of IT services communicated within the enterprise
• Consistent communication between relevant parties

Risk Drivers:
• Lack of defined measures important to the organisation
• Unidentified underlying service problems and issues
• Dissatisfied users due to lack of information, irrespective of quality of service

Test the Control Design
• Through interviews with key staff members responsible for monitoring service level performance, determine reporting criteria.
• Obtain samples of SLA performance reporting, and verify distribution.
• Inspect reviews for forecast and trends in service level performance.
DS1.6 Review of Service Level Agreements and Contracts

Control Objective: Regularly review SLAs and underpinning contracts (UCs) with internal and external service providers to ensure that they are effective and up to date and that changes in requirements have been taken into account.

Value Drivers:
• Delivered IT services aligned with changing business needs
• Weaknesses in existing service agreements identified and corrected

Risk Drivers:
• Commercial and legal requirements not met due to out-of-date contracts
• Services not meeting changed requirements
• Financial losses and incidents due to misaligned services

Test the Control Design
• Inspect the SLAs, compare the UCs, and determine effectiveness and currency of changes.
• Obtain a walk-through of SLA documentation requirements.
• Review SLAs and UCs, and confirm that alignment with business objectives is evaluated on a regular basis.
Take the following steps to test the outcome of the control objectives:
• Enquire of senior management, representing the business and IT functions, about their involvement in the design and approval of the SLA framework.
• Enquire of key staff members if performance criteria have been formalised to support and measure achievement of SLA objectives, and if a process is in place to monitor and report the attainment of the objectives.
• Inspect the internal and external performance SLAs, and compare actual results for alignment with the expected SLA requirements.
• Confirm that the IT service objectives align with business objectives, and formally define expectations and performance measurements.
• Inspect service records to ascertain reasons for non-performance, and validate that a performance improvement programme is in place.
• Analyse the historical performance records, and determine that results are tracked against prior service improvement commitments.
• Enquire of key staff members whether stakeholders agree to, record and communicate the SLA and what is included in the format and contents.
• Inspect the format and contents of the SLAs to verify that they include exclusions, commercial arrangements and OLAs.
• For a sample of past and in-process SLAs, determine that content includes:
– Definition of service
– Cost of service
– Quantifiable minimum service level
– Level of support from the IT function
– Availability, reliability and capacity for growth
– Change procedure for any portion of the agreement
– Continuity planning
– Security requirements
– Written and formally approved agreement between the provider and user of the service
– Effective period and new period review/renewal/non-renewal
– Content and frequency of performance reporting and payment for services
– Realistic charges compared to history, industry and best practices
– Calculation for charges
– Service improvement commitment
– Formal approval of the user and provider
• Confirm that appropriate users are aware of and understand SLA processes and procedures.
• Inspect SLAs to verify that the OLAs and UCs support the technical requirements of the SLAs and are delivered in an optimal manner.
• Select a sample of SLAs, and confirm that resolution procedures for inappropriate service delivery, specifically non-performance, are included and being met.
• Inspect the service catalogue and ascertain that all services are defined properly.
• Enquire whether and confirm that distinct IT services to which costs will be allocated have been defined and documented.
• Ascertain whether business process owners have knowledge of those IT services that support their business process.
• Inspect any documentation available that identifies business processes and their supporting infrastructure or IT services, and determine whether the mapping is accurate and complete. This can be accomplished, for example, by comparing the mapping to the organisational chart, lines of business, etc.
• Enquire of business process owners and IT service owners whether they have agreed on a mapping of IT services to business processes.
• Enquire of business process owners and users regarding their degree of satisfaction with IT services provided to identify potential weak areas. Such enquiries may be conducted in person or via an anonymous survey.
• Inspect documentation that relates to the mapping between IT service areas and business processes to determine if the operational aspects of the mapping are in place (e.g., SLAs should be examined for appropriateness).

Take the following steps to document the impact of the control weaknesses:
• Benchmark SLAs against similar organisations or appropriate international standards/recognised industry best practices.
• Determine the existence of gaps between service level expectations and delivered services through inquiry and review of documented disputes and fee discounts.
• Determine if services result in frequent fee surcharges and base fee overruns.
• Determine if service level failures were escalated and resolved in a timely manner.
• Determine if the service catalogue is up to date and aligned with business goals.
• Assess the adequacy of proposed service improvements in comparison with the cost-benefit analysis.
• Determine that gaps in expected services are appropriately prioritised and address control requirements for managing services based on service characteristics and business requirements.
• Assess the adequacy of the provisions describing, co-ordinating and communicating the relationship between the provider and user of information services.
• Assess the adequacy of the provider's ability to meet improvement commitments in the future.
• Enquire of key management staff members whether the service level framework provides assurance that SLAs and contracts are current and aligned with business objectives.
• Determine whether reports on achievement of the specified service performance are appropriately used by management to ensure satisfactory performance.
• Determine whether reports of all problems encountered are appropriately used by management to ensure that corrective actions are taken.
• Assess the services provided to determine whether operational agreements align with SLAs.
• For selected categories of reported SLA information, determine the existence of inconsistency of service delivery.
• Assess users' satisfaction levels with the current service level process and actual agreements.
• Assess the service level measurement criteria, and determine the effectiveness of the communication flow between all relevant parties.
• Review SLAs to determine qualitative and quantitative provisions confirming that obligations are defined and being met.
• Assess management's ongoing review of and corrective action for service level reporting.
• Determine whether financial losses incurred are reflective of insufficient service quality.
• Verify the service catalogues' completeness by reviewing and reconciling change requests, network plans, server documentation, incident records, timesheets and other means of communication.
• Enquire of IT service leaders regarding daily duties and responsibilities to ascertain whether those duties provide sufficient coverage of IT infrastructure.
• Corroborate outcomes of discussions with outputs of data centre tours, asset registries, network diagrams or other infrastructure inventories, and identify infrastructure not linked to an IT leader.
• Inspect asset registries, network diagrams or other infrastructure inventories, and ascertain the percentage of assets that are not assigned to an IT service area.
• Document the criticality of those assets in light of the service provided.
• Inspect documentation identifying IT services and business processes, and ascertain the degree of unallocated IT service areas.
• Document the criticality of those service areas in light of the affected business processes.
DS2 Manage Third-party Services

The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third-party management process. This process is accomplished by clearly defining the roles, responsibilities and expectations in third-party agreements as well as reviewing and monitoring such agreements for effectiveness and compliance. Effective management of third-party services minimises the business risk associated with non-performing suppliers.

DS2.1 Identification of All Supplier Relationships

Control Objective: Identify all supplier services, and categorise them according to supplier type, significance and criticality. Maintain formal documentation of technical and organisational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers.

Value Drivers:
• Centralised service supplier overview to support supplier decision making
• Preferred suppliers identified for future acquisitions
• Supplier management resources focused on critical suppliers

Risk Drivers:
• Unidentified significant and critical suppliers
• Inefficient and ineffective usage of supplier management resources
• Unclear roles and responsibilities leading to miscommunications, poor services and increased costs

Test the Control Design
• Enquire whether and confirm that a register of supplier relationships is maintained.
• Obtain and inspect supplier relationship criteria for reasonableness and completeness of categorisations by supplier type, significance and criticality.
• Determine if the supplier categorisation scheme is sufficiently detailed to categorise all supplier relationships based on the nature of contracted services.
• Verify whether past histories on supplier selection/rejection are kept and used.
• Inspect the register of supplier relationships to ensure that it is up to date, appropriately categorised and sufficiently detailed to ensure that it provides a foundation for monitoring of existing suppliers.
• Inspect a representative sample of supplier contracts, SLAs and other documentation to ensure that they correspond with the supplier register.

DS2.2 Supplier Relationship Management

Control Objective: Formalise the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs).

Value Drivers:
• Relationships promoted that support the overall enterprise objectives (both business and IT)
• Effective and efficient communication and problem resolution
• Clear ownership of responsibilities between customer and supplier

Risk Drivers:
• Supplier not responsive or committed to the relationship
• Problems and issues not resolved
• Inadequate service quality

Test the Control Design
• Inspect service supplier documentation for evidence of formalised roles and responsibilities, and determine if supplier management roles have been documented and communicated within the organisation.
• Determine if policies exist to address the need for formal contracts, definition of content of contracts, and assignment of owner or relationship manager responsibilities for ensuring that contracts are created, maintained, monitored and renegotiated as required.
• Assess if the assignment of supplier management roles is reasonable and based on the level and technical skills required to effectively manage the relationship.
DS2.3 Supplier Risk Management

Control Objective: Identify and mitigate risks relating to suppliers' ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further consider non-disclosure agreements (NDAs), escrow contracts, continued supplier viability, conformance with security requirements, alternative suppliers, penalties and rewards, etc.

Value Drivers:
• Compliance with legal and contractual requirements
• Reduced incidents and potential losses
• Identification of low-risk, well-managed suppliers

Risk Drivers:
• Non-compliance with regulatory and legal obligations
• Security as well as other incidents
• Financial losses and reputational damage because of service interruption

Test the Control Design
• Enquire whether risks associated with the inability to fulfil the supplier contracts are defined.
• Enquire whether remedies were considered when defining the supplier contract.
• Inspect contract documentation for evidence of review.
• Enquire of key staff members whether a risk management process exists to identify and monitor supplier risk.
• Determine if policies exist requiring independence within the vendor sourcing and selection process, and between vendor and management personnel within the organisation.

DS2.4 Supplier Performance Monitoring

Control Objective: Establish a process to monitor service delivery to ensure that the supplier is meeting current business requirements and continuing to adhere to the contract agreements and SLAs, and that performance is competitive with alternative suppliers and market conditions.

Value Drivers:
• Timely detection of service level non-compliance
• Benefits of service contract realised
• Costs controlled
• Costly disputes and possible litigation avoided

Risk Drivers:
• Undetected service degradation
• Inability to challenge costs and service quality
• Inability to optimise choice of suppliers

Test the Control Design
• Select a sample of supplier invoices, determine if they identify charges for contracted services, as specified within service contracts, and assess the reasonableness of charges compared to various internal, external and industry comparable performance.
• Inspect a sample of supplier service reports to determine if the supplier regularly reports on agreed-upon performance criteria and if performance reporting is objective and measurable and in alignment with defined SLAs and the supplier contract.
APPENDIX IV
Take the following steps to test the outcome of the control objectives:
• For a sample of suppliers, assess if supplier records are aligned to the defined categorisation scheme used to identify and categorise all supplier relationships.
• Obtain and validate the list of supplier relationship criteria for completeness, and review suppliers' records against the categorisation scheme used to identify and categorise all supplier relationships. Assess if supplier type, significance and criticality of services provided have been documented.
• Obtain a register of suppliers, and verify the accuracy of data through inspection of a sample of service contracts.
• Obtain a register of suppliers, and verify the accuracy of data. Consideration should be given to organisational changes or recent changes in the IT landscape that would require changes in the supplier relationship criteria.
• Determine if supplier documentation is sufficiently detailed to identify methods of communication, prioritisation of services and escalation procedures, minimum service levels, and operational objectives.
• Ascertain if documentation clearly delineates responsibilities between the service provider and the user organisation.
• Determine if service supplier documentation is centrally managed and maintained and if a process exists for the periodic review and updating of documents.
• Perform a detailed review of each third-party contract to determine the existence of qualitative and quantitative provisions confirming obligations, including provisions for co-ordinating and communicating the relationship between the provider and user of information services.
• Determine if policies exist for management's periodic review of service supplier reporting, and select a sample of supplier reports for evidence of management's review.
• Obtain and inspect service supplier incident reports for existence, and determine if incidents were categorised and escalated according to agreed-upon levels of severity and if they were tracked and communicated within the organisation until resolved. Reported incidents should include communication to supplier management and users of the services.
• Verify that goals and expected service levels are periodically reviewed to ensure that they continue to support current business requirements and that suggested changes are communicated clearly to service suppliers.
• Inspect the supplier register for assignment of a relationship manager, and obtain and inspect evidence of a service supplier communication process.
• Obtain and review contracts for existence of clauses relating to third-party reviews, and determine if management has obtained and reviewed reports from such reviews.
• For a sample of suppliers, inspect available documentation to determine if supplier risk has been considered and if identified risk has been addressed/mitigated.
• For a sample of supplier relationships, determine if the following have been addressed within the supplier contract:
– Security requirements
– Non-disclosure guarantees
– Right to access and right to audit
– Formal management and legal approval
– Legal entity providing services
– Services provided
– SLAs, both qualitative and quantitative
– Cost of services and frequency of payment for services
– Resolution of problem process
– Penalties for non-performance
– Dissolution process
– Modification process
– Reporting of service—content, frequency and distribution
– Roles between contracting parties during the life of the contract
– Continuity assurances that services will be provided by the vendor
– Communications process and frequency between the user of services and provider
– Duration of contract
– Level of access provided to vendor
– Regulatory requirements
• For a sample of suppliers, determine if services have been assessed for criticality to the organisation, and determine if continuity of services has been addressed within the supplier contract, including contingency planning by the supplier, to ensure continuous service to the organisation.
• For a sample of supplier relationships, determine if legal counsel and management approved the supplier contracts.
• Select a sample of supplier invoices, determine if they identify charges for contracted services, as specified within service contracts, and assess the reasonableness of charges compared to various internal, external and industry comparable performance.
• Inspect a sample of supplier service reports to determine if the supplier regularly reports on agreed-upon performance criteria and if performance reporting is objective, measurable and in alignment with defined SLAs and the supplier contract.
Take the following steps to document the impact of the control weaknesses:
• Through inquiry of user and IT management and benchmarking of the organisation to similarly sized organisations and organisations within the same industry, identify any supplier relationships that have been excluded from the supplier register. Consider the following supplier relationships:
– Private branch exchange (PBX) suppliers
– Paper and form suppliers
– Maintenance support suppliers
– Offsite data storage and hot-site services providers
– Service organisations providing data processing (e.g., ASP, co-location)
– External software developers and quality assurance
• Inquire of supplier management to ascertain if they are knowledgeable of the nature of the service supplier relationship and contracted services.
• Inspect a sample of service supplier billings for out-of-scope billings, and determine the involvement of supplier management in reviewing and approving the overage.
• For a sample of service suppliers, obtain the supplier's reported performance metrics, and review for deviations from agreed-upon performance objectives. Determine if supplier management was aware of any deviations and the reasonableness of actions taken for deviation (e.g., establishment of action plan, service fee penalties for non-performance).
• For a sample of supplier relationships, determine if the level of services compares to the stated contractual obligations. For changes in the supplier relationships, determine if the risk assessments have been updated and if the supplier contract has been appropriately modified.
• Inspect a sample of supplier-reported performance metrics, and identify where performance objectives have not consistently been attained.
• Determine if management has identified and assessed the performance failures, and if an assessment has been performed, re-evaluate the relationship or evaluate the need for modifying the relationship.
• For supplier relationships with the greatest impact on the organisation, determine if contingency plans exist for the recovery or secondary sourcing of contracted services.
• Determine the availability of supplier third-party assessments (e.g., SAS No. 70, ISA 402 or attestation reports) or audit reports and whether management has received and reviewed the reports. For reported control deficiencies (i.e., report qualifications, testing exceptions), determine if management has discussed the deficiencies with the supplier and if an action plan has been implemented. Through review of past or subsequent reports, determine if the supplier promptly remediates control deficiencies.
• Determine if key suppliers are included in the annual risk assessment and audit planning process.
• Inspect a sample of supplier-reported performance metrics, and identify where performance objectives have not consistently been attained.
• Determine if management has identified and assessed the performance failures and if corrective action and a process for ongoing monitoring has been implemented.
• For a sample of service suppliers, obtain the supplier's reported performance metrics, and review them for deviations from agreed-upon performance objectives.
• Determine if supplier management is aware of the deviation and the reasonableness of actions taken (e.g., establishment of action plan, service fee penalties for non-performance).
DS3 Manage Performance and Capacity
The need to manage performance and capacity of IT resources requires a process to periodically review current performance and capacity of IT resources. This process includes forecasting future needs based on workload, storage and contingency requirements. This process provides assurance that information resources supporting business requirements are continually available.
Test the Control Design
• Enquire whether and confirm that a process or framework for developing, reviewing and adjusting a performance and capacity plan is defined.
• Enquire through interviews with key staff members involved in the development of the performance and capacity plan whether the appropriate elements (e.g., customer requirements, business requirements, cost, application performance requirements, scalability requirements) have been considered during development of the capacity plan.
• Enquire whether and confirm that the performance and capacity plan has been developed and is maintained.
• Inspect supporting documents to verify stakeholder involvement and to ensure that the plan has been recorded and is up to date.
Control Objective
DS3.1 Performance and Capacity Planning
Establish a planning process for the review of performance and capacity of IT resources to ensure that cost-justifiable capacity and performance are available to process the agreed-upon workloads as determined by the SLAs. Capacity and performance plans should leverage appropriate modelling techniques to produce a model of the current and forecasted performance, capacity and throughput of the IT resources.
Value Drivers
• Efficient resource management by avoiding overhead costs
• Optimised system performance achieved through internal benchmarking
• Prediction of future performance and capacity requirements
• Ability to benchmark capacity amongst areas of the organisation and externally to identify improvements
Risk Drivers
• Unexpected incidents due to lack of capacity
• System availability faults due to a missing proactive resource capacity and performance planning
• Failure to meet business requirements due to outdated performance and capacity plans
Test the Control Design
• Enquire whether and confirm that system monitoring software has been implemented on the appropriate IT resources based on factors such as:
– Business criticality of the IT resource
– Requirements identified in the SLA
– Likelihood or historical tendency of the IT resource to experience performance or capacity issues
– Operational/financial/regulatory impact from performance or capacity issues
• Determine whether thresholds have been established and implemented on IT resources based on business requirements and SLAs. Examples of thresholds include:
– The call centre adding additional trunk capacity on inbound toll free lines when trunks are 80 percent busy
– Servers adding additional disk space when hard drives reach a specific capacity level
• Determine how incidents of inadequate performance are identified and tracked.
• Obtain trouble tickets and trace identified transactions through the system to determine if proper follow-up has occurred.
• Enquire of key staff members responsible for the organisation's delivery with SLAs to determine how they monitor, track and report on IT resource capacity and performance metrics.
• Review operational reports that are provided to key stakeholders.
Control Objective
DS3.2 Current Performance and Capacity
Assess current performance and capacity of IT resources to determine if sufficient capacity and performance exist to deliver against agreed-upon service levels.
Value Drivers
• Efficient and effective IT resource management
• Improved performance and capacity planning
• System performance optimised by proactive performance and capacity planning
Risk Drivers
• Business disruptions
• SLAs not met
• Business requirements not met
• Under- or over-commitments on service delivery due to unknown capacity measures
DS3 Manage Performance and Capacity (cont.)
DS3 Manage Performance and Capacity (cont.)
Test the Control Design
• Confirm (by interviewing key staff members and inspecting process documentation and reports) the use of appropriate tools, techniques and processes to perform the following:
– Measuring actual performance and capacity
– Performing reviews of capacity usage, bandwidth (e.g., network and trunk utilisation reports) and performance reports
– Comparing actual vs. forecasted demand of resources
– Involving management in reviewing forecasting reports and discussing any variances
• Inspect documents that measure actual IT resource performance with expected capacity and performance.
• Determine how variances in actuals vs. baselines/models are used in revising forecasting models, and ensure that an analysis is periodically performed in a timely manner.
• Enquire of key staff members whether they are knowledgeable of the capacity planning process and how they are made aware of new business requirements that may require changes to applications, servers or other IT resources.
• Confirm with key staff members the process for co-ordinating the planning and acquisition of IT resources when dictated by forecasting models.
• Review a representative sample of SLAs and OLAs and the capacity plan for regular adjustments necessitated by the reviews of forecasted performance and capacity usage.
Control Objective
DS3.3 Future Performance and Capacity
Conduct performance and capacity forecasting of IT resources at regular intervals to minimise the risk of service disruptions due to insufficient capacity or performance degradation, and identify excess capacity for possible redeployment. Identify workload trends and determine forecasts to be input to performance and capacity plans.
Value Drivers
• Optimised usage of IT resources
• Forecasted business demands on the IT infrastructure
• Improved performance and capacity planning
Risk Drivers
• Leveraged service levels not provided to the business
• System unavailability due to failing IT resources
• High processing loads not met by the systems
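As an added illustration of the threshold monitoring in the DS3 test steps and the workload-trend forecasting of DS3.3, the following Python script is not part of the ITGI guide: it evaluates constructed utilisation samples against SLA-derived thresholds, attaches the recommended corrective action to each exception (as DS3.5 requires of exception reports), and fits a least-squares trend to estimate how many periods remain before a threshold is reached. The 80 percent trunk figure is the guide's own example; the 85 percent disk level, the resource names and the sample values are assumptions.

```python
"""Capacity threshold monitoring and trend forecasting (illustrative, not from the COBIT guide)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Threshold:
    resource: str   # IT resource being monitored (assumed name)
    limit: float    # utilisation percent at which action is required
    action: str     # corrective action to recommend in the exception report


# Thresholds derived from business requirements/SLAs. The 80 percent trunk
# figure is the guide's example; the 85 percent disk level is an assumed value.
THRESHOLDS: List[Threshold] = [
    Threshold("call-centre-trunks", 80.0, "add inbound trunk capacity"),
    Threshold("file-server-01", 85.0, "add disk space"),
]

# Constructed monitoring samples, one utilisation percent per period
# (hourly busy percent for the trunks, daily used percent for the disk).
SAMPLES: Dict[str, List[float]] = {
    "call-centre-trunks": [62.0, 70.0, 74.0, 83.0, 78.0, 86.0],
    "file-server-01": [70.0, 72.0, 74.0, 76.0, 78.0],
}


def exceptions(samples: Dict[str, List[float]],
               thresholds: List[Threshold]) -> List[dict]:
    """Return one exception record per period in which a threshold was reached.

    Each record carries the recommended corrective action, so an exception
    report built from these records is accompanied by a recommendation.
    """
    found = []
    for th in thresholds:
        for period, value in enumerate(samples.get(th.resource, [])):
            if value >= th.limit:
                found.append({"resource": th.resource, "period": period,
                              "value": value, "limit": th.limit,
                              "action": th.action})
    return found


def least_squares_trend(values: List[float]) -> Optional[Tuple[float, float]]:
    """Fit value = intercept + slope * period; None if fewer than two points."""
    n = len(values)
    if n < 2:
        return None
    mean_x = (n - 1) / 2.0
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def periods_until_breach(values: List[float], limit: float) -> Optional[int]:
    """Project the fitted trend forward and return how many future periods
    remain before utilisation reaches `limit`.

    0 means the trend has already reached the limit; None means the trend is
    flat or falling (or too short to fit), so no breach is forecast.
    """
    fit = least_squares_trend(values)
    if fit is None:
        return None
    intercept, slope = fit
    if slope <= 0:
        return None
    breach_period = math.ceil((limit - intercept) / slope)
    return max(0, breach_period - (len(values) - 1))


def capacity_report(samples: Dict[str, List[float]],
                    thresholds: List[Threshold]) -> Dict[str, dict]:
    """Combine current exceptions with the forecast for each monitored resource."""
    report = {}
    exc = exceptions(samples, thresholds)
    for th in thresholds:
        series = samples.get(th.resource, [])
        report[th.resource] = {
            "breaches": [e["period"] for e in exc if e["resource"] == th.resource],
            "periods_until_breach": periods_until_breach(series, th.limit),
            "action": th.action,
        }
    return report


if __name__ == "__main__":
    for resource, entry in capacity_report(SAMPLES, THRESHOLDS).items():
        print(resource, entry)
```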
Test the Control Design
• Enquire of key staff members about the process to obtain, review and implement vendor requirements, and confirm that the current capacity and performance capabilities have incorporated the vendor requirements.
• Inspect vendor documentation to validate that it specifies vendor requirements and recommendations for minimal and optimal IT resource capacity and performance.
• Enquire of management for known performance and capacity gaps.
• Compare this information with the results of current performance monitoring and forecasted capacity requirements.
• Verify whether there is a prioritised list of activities to be supported by the IT applications.
• Verify that the capacity plan has been updated with corrective actions.
• Verify whether the planning processes (PO2-PO3) have received the updated capacity plan for their input.
• Verify whether corrective actions have been duly processed by the change management process.
• Enquire of key staff members about the process to correct performance and capacity issues.
• Obtain trouble tickets and trace identified transactions (i.e., adding additional systems, shifting processing workloads to alternative servers) through the system to determine if proper corrective action has been performed.
• Inspect the escalation procedures related to IT resource performance issues.
• Enquire of key staff members whether emergency problems have occurred in the recent past, verify compliance to the procedure and determine whether it was effective.
Control Objective
DS3.4 IT Resources Availability
Provide the required capacity and performance, taking into account aspects such as normal workloads, contingencies, storage requirements and IT resource life cycles. Provisions such as prioritising tasks, fault-tolerance mechanisms and resource allocation practices should be made. Management should ensure that contingency plans properly address availability, capacity and performance of individual IT resources.
Value Drivers
• Effective IT resource utilisation
• Service levels meeting the business requirements
• Effective IT resource availability management
Risk Drivers
• System unavailability due to failing IT resources
• Inability to predict availability and serviceability of IT services
• Unexpected outages of IT services
DS3 Manage Performance and Capacity (cont.)
Test the Control Design
• Enquire through interviews with key staff members involved whether a process for gathering data (e.g., IT resource requirements, capacity, availability, utilisation, recommendations on resource allocation, prioritisation) to aid management has been established.
• Enquire through interviews with management whether monitoring and reporting activities are formalised and integrated.
• Trace feedback of monitoring and reporting results to capacity planning and performance activities.
• Enquire whether and confirm that capacity reports are fed into the strategic IT planning and budgeting process.
Control Objective
DS3.5 Monitoring and Reporting
Continuously monitor the performance and capacity of IT resources. Data gathered should serve two purposes:
• To maintain and tune current performance within IT and address such issues as resilience, contingency, current and projected workloads, storage plans, and resource acquisition
• To report delivered service availability to the business, as required by the SLAs
Accompany all exception reports with recommendations for corrective action.
Value Drivers
• Issues identified impacting effective service delivery
• Baselined service levels identifying gaps in expectations
• Increased IT resource utilisation for improved service delivery
Risk Drivers
• Lack of performance monitoring
• Service failing to meet the expected quality
• Deviations not identified in a timely manner, thus impacting the service quality
DS3 Manage Performance and Capacity (cont.)
Take the following steps to test the outcome of the control objectives:
• Inspect IT resource performance and capacity planning documentation to identify if the planning process:
– Requires the inclusion of key metrics to be derived from SLAs
– Factors in business requirements, technical requirements and cost considerations
– Includes models of current and forecasted performance and capacity
– Involves the documentation of approvals from stakeholders
– Involves the continuous monitoring and reporting of IT
• Inspect IT resource uptime and utilisation reports to determine whether current IT capabilities are adequate.
• Enquire whether and confirm that benchmarking studies are performed to identify how competitors in similar industries are addressing performance and capacity forecasting.
• Inspect documentation that provides IT resource availability information on areas such as:
– Storage requirements and current capacity
– Fault tolerance and redundancy
– Reallocation of IT resources to address availability, capacity and performance issues
• Enquire of key staff members on whether monitoring processes exist and are reported on to manage the performance, capacity and allocation of IT resources.
• Inspect performance reporting documents to verify that appropriate information is provided to management on a periodic basis.
• Verify that performance and availability plans are used in budgeting processes and for improvements to the information architecture.
Take the following steps to document the impact of the control weaknesses:
• Inspect incident reports and enquire of key staff members whether any outages are consistently being caused by capacity or performance issues.
• Enquire of key staff members responsible for maintaining IT resources to determine whether they are informed of changes to business requirements and SLAs that impact capacity and performance.
DS4 Ensure Continuous Service
The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilising offsite backup storage and providing periodic continuity plan training. An effective continuous service process minimises the probability and impact of a major IT service interruption on key business functions and processes.
Test the Control Design
• Enquire whether and confirm that an enterprisewide business continuity management process is designed and approved by executive-level management.
• Inspect the current business impact analysis and determine whether continuity planning has resulted in clear positioning of required resources to recover the business operations during a disruption.
• Inspect the business continuity framework to confirm that it includes all the elements required to resume business processing in the event of a business interruption (consider accountability, communication, escalation plan, recovery strategies, IT and business service levels, and emergency procedures).
Control Objective
DS4.1 IT Continuity Framework
Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans. The framework should address the organisational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes that create the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address items such as the identification of critical resources, noting key dependencies, the monitoring and reporting of the availability of critical resources, alternative processing, and the principles of backup and recovery.
Value Drivers
• Continuous service across IT
• Consistent, documented IT continuity plans
• Governed services for business needs
• Achieved short- and long-range objectives supporting the organisation's objectives
Risk Drivers
• Insufficient continuity practices
• IT continuity services not managed properly
• Increased dependency on key individuals
Control Objective
DS4.2 IT Continuity Plans
Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.
Value Drivers
• Continuous service across IT, addressing the requirements for critical IT resources
• Defined and documented guidelines, roles and responsibilities
• Achieved short- and long-range objectives supporting the organisation's objectives
Risk Drivers
• Failure to recover IT systems and services in a timely manner
• Failure of alternative decision-making processes
• Lack of required recovery resources
• Failed communication to internal and external stakeholders
DS4 Ensure Continuous Service (cont.)
Test the Control Design
• Confirm that business continuity plans exist for all key business functions and processes.
• Review an appropriate sample of business continuity plans and confirm that each plan:
– Is designed to establish the resilience, alternative processing and recovery capability in line with service commitments and availability targets
– Defines roles and responsibilities
– Includes communication processes
– Defines the minimum acceptable recovery configuration
• Obtain the overall testing strategy for business continuity plans and evidence that tests are being executed with the agreed-upon frequency.
• Review the outcome of testing, and ensure that resulting actions are followed up.
Test the Control Design
• Obtain a list of business functions with their respective business criticality, and ensure that continuity plans exist for the most critical business functions, supporting processes and resources.
• Review the plans to ensure that they are designed (and tested) to meet business objectives and legal and regulatory requirements.
• Determine how consistency between plans is ensured.
Test the Control Design
• Enquire whether and confirm that all copies of the IT continuity plan are updated with revisions and are stored on- and offsite.
• Enquire whether and confirm that all critical changes to IT resources are communicated to the continuity manager for update of the IT continuity plan.
• Enquire whether and confirm that changes to the continuity plan are made at intervals appropriate for the triggers and follow accepted change control procedures.
Control Objective
DS4.3 Critical IT Resources
Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritised business needs, while ensuring that costs are kept at an acceptable level and complying with regulatory and contractual requirements. Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.
Value Drivers
• Cost management for continuity
• Effective management of critical IT resources
• Prioritised recovery management
Risk Drivers
• Unavailability of critical IT resources
• Increased costs for continuity management
• Prioritisation of services recovery not based on business needs
DS4 Ensure Continuous Service (cont.)
Control Objective
DS4.4 Maintenance of the IT Continuity Plan
Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner.
Value Drivers
• Appropriate IT continuity plans supporting the organisation's objectives
• Change control procedures for IT continuity plans
• Familiarity of IT continuity plans for appropriate individuals
Risk Drivers
• Inappropriate recovery plans
• Plans failing to reflect changes to business needs and technology
• Lack of change control procedures
Test the Control Design
• Enquire whether and confirm that IT continuity tests are scheduled and completed on a regular basis after changes to the IT infrastructure or business and related applications.
• Ensure that new components and updates are included in the schedule.
• Enquire whether and confirm that a detailed test schedule has been created and includes testing details and event chronology to ensure a logical and real sequence of occurring interruptions.
• Enquire whether and confirm that a test task force has been established, and the members are not key personnel defined in the plan and the reporting is appropriate.
• Enquire through interviews with key staff members whether debriefing events occur and, within these events, whether failures are analysed and solutions are developed.
• Enquire through interviews with key staff members whether alternative means are evaluated when testing is not feasible.
• Enquire whether and confirm that success or failure of the test is measured and reported and the consequential change is made to the IT continuity plan.
• Review results and evaluate how the results are reviewed to determine operating effectiveness.
Test the Control Design
• Enquire through interviews with key staff members whether regular training is performed.
• Enquire whether and confirm that training needs and schedules are assessed and updated regularly.
• Review schedules and training material to determine operating effectiveness.
• Enquire through interviews with key staff members whether IT continuity awareness programmes are being performed on all levels.
DS4.5 Testing of the IT Continuity Plan
Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.

Value Drivers:
• Effective recovery of IT systems
• Staff experienced in the recovery processes for IT systems
• Upgraded plans overcoming shortcomings in the restoration of systems

Risk Drivers:
• Shortcomings in recovery plans
• Outdated recovery plans that do not reflect the current architecture
• Inappropriate recovery steps and processes
• Inability to effectively recover should real disaster occur
DS4 Ensure Continuous Service (cont.)

DS4.6 IT Continuity Plan Training
Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests.

Value Drivers:
• Staff experienced in the recovery processes for IT systems
• Staff trained in the recovery processes
• Scheduled training for all responsible staff members
• Training plans updated to reflect the results of the contingency tests

Risk Drivers:
• Outdated training schedules
• Failure to recover as expected due to inadequate or outdated training
IT GOVERNANCE INSTITUTE 173
APPENDIX IV
Test the Control Design
• Enquire whether and confirm that a distribution list for the IT continuity plan is created, defined and maintained. Review whether the need-to-know principles have been maintained during development of the list.
• Obtain the distribution procedure from management.
• Evaluate the procedure and verify compliance.
• Enquire whether and confirm that all digital and physical copies of the plan are protected in an appropriate manner and that the documents are accessible only by authorised personnel.
DS4 Ensure Continuous Service (cont.)

Test the Control Design
• Obtain a copy of the incident handling procedure, and ensure that it includes steps for damage assessment as well as formal decision points and thresholds to activate continuity plans.
• Review IT recovery plans, and confirm that they meet business requirements.
DS4.7 Distribution of the IT Continuity Plan
Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorised interested parties when and where needed. Attention should be paid to making the plans accessible under all disaster scenarios.

Value Drivers:
• Staff experienced in the recovery processes for IT systems
• Staff trained in the recovery processes
• Plans available and accessible to all affected parties

Risk Drivers:
• Confidential information in the plans compromised
• Plans not accessible to all required parties
• Upgrades of the plan not performed in a timely manner due to uncontrolled distribution strategies
DS4.8 IT Services Recovery and Resumption
Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and the necessary technology investments to support business recovery and resumption needs.

Value Drivers:
• Minimised recovery times
• Minimised recovery costs
• Prioritised recovery of business-critical tasks

Risk Drivers:
• Shortcomings in recovery plans
• Inappropriate recovery steps and processes
• Failure to recover business-critical systems and services in a timely manner
DS4 Ensure Continuous Service (cont.)

Test the Control Design
• Enquire whether and confirm that data are protected when they are taken offsite, whilst they are in transport and when they are at the storage location.
• Enquire whether and confirm that the backup facilities are not subject to the same risks as the primary site.
• Enquire whether and confirm that regular testing is performed to ensure the quality of the backups and media.
• Review testing procedures to determine operating effectiveness.
• Verify that the backup media contain all information required by the IT continuity plan, e.g., by comparing the contents of the backups and/or the restored systems with the operational systems.
• Enquire whether and confirm that sufficient recovery instructions and labelling exist.
• Enquire whether and confirm that an inventory of backups and media exists, and verify its correctness.
DS4.9 Offsite Backup Storage
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond to the data classification policy and the enterprise’s media storage practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Ensure compatibility of hardware and software to restore archived data, and periodically test and refresh archived data.

Value Drivers:
• Availability of backup data in the event of physical destruction of hardware
• Offsite data consistently managed throughout the organisation
• Appropriate protection of offsite storage

Risk Drivers:
• Unavailability of backup data and media due to missing documentation in offsite storage
• Loss of data due to disaster
• Accidental destruction of backup data
• Inability to locate backup tapes when needed
Test the Control Design
• Enquire whether and confirm that the shortcomings of the plan have been highlighted and post-recovery meetings discussing opportunities for improvement are performed.
• Review plans, policies and procedures to determine operating effectiveness.
DS4.10 Post-resumption Review
Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.

Value Drivers:
• Updated recovery plans
• Objectives met by the recovery plans
• Adequate resumption plans according to business needs

Risk Drivers:
• Inappropriate recovery plans
• Recovery plans failing to meet business needs
• Objectives not met by the recovery plans
Take the following steps to test the outcome of the control objectives:
• Determine the management level for establishing the continuity framework to support enterprisewide business processing recovery processes.
• Determine the components defined to address the IT continuity accountabilities and responsibilities for supporting the business strategy in response to a business disruption.
• Assess the IT continuity plans for recovery strategies and required service levels to meet the business processing objectives.
• Determine the effectiveness of the communications plan created to ensure the safety of all affected parties and co-ordination with public authorities.
• Assess the guidelines, roles and responsibilities achieving recovery of short- and long-range business processing requirements.
• Assess whether IT continuity planning training is provided on a periodic basis.

Take the following steps to document the impact of the control weaknesses:
• Assess whether the IT continuity services sufficiently support achieving business processing services to meet short- and long-range organisation objectives.
• Assess the framework to determine whether the planning invokes dependencies on key individuals rather than prioritisation of recovery strategies.
• Assess the impact on business processing in the event IT systems are not recovered in a timely manner without an alternative decision-making process.
• Determine the business impact required if recovery resources are not available and there is no ability to communicate with internal and external stakeholders.
• Enquire of management whether IT disruptions were prolonged as a result of untrained staff members who did not follow IT continuity planning procedures.
DS5 Ensure Systems Security
The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents. Effective security management protects all IT assets to minimise the business impact of security vulnerabilities and incidents.
Test the Control Design
• Determine if a security steering committee exists, with representation from key functional areas, including internal audit, HR, operations, IT security and legal.
• Determine if a process exists to prioritise proposed security initiatives, including required levels of policies, standards and procedures.
• Enquire whether and confirm that an information security charter exists.
• Review and analyse the charter to verify that it refers to the organisational risk appetite relative to information security and that the charter clearly includes:
– Scope and objectives of the security management function
– Responsibilities of the security management function
– Compliance and risk drivers
• Enquire whether and confirm that the information security policy covers the responsibilities of board, executive management, line management, staff members and all users of the enterprise IT infrastructure and that it refers to detailed security standards and procedures.
• Enquire whether and confirm that a detailed security policy, standards and procedures exist. Examples of policies, standards and procedures include:
– Security compliance policy
– Management risk acceptance (security non-compliance acknowledgement)
– External communications security policy
– Firewall policy
– E-mail security policy
– An agreement to comply with IS policies
– Laptop/desktop computer security policy
– Internet usage policy
• Enquire whether and confirm that an adequate organisational structure and reporting line for information security exist, and assess if the security management and administration functions have sufficient authority.
• Enquire whether and confirm that a security management reporting mechanism exists that informs the board, business and IT management of the status of information security.
DS5.1 Management of IT Security
Manage IT security at the highest appropriate organisational level, so the management of security actions is in line with business requirements.

Value Drivers:
• Critical IT assets protected
• IT security strategy supporting business needs
• IT security strategy aligned with the overall business plan
• Appropriately implemented and maintained security practices consistent with applicable laws and regulations

Risk Drivers:
• Lack of IT security governance
• Misaligned IT and business objectives
• Unprotected data and information assets
Test the Control Design
• Determine the effectiveness of the collection and integration of information security requirements into an overall IT security plan that is responsive to the changing needs of the organisation.
• Verify that the IT security plan considers IT tactical plans (PO1), data classification (PO2), technology standards (PO3), security and control policies (PO6), risk management (PO9), and external compliance requirements (ME3).
• Determine if a process exists to periodically update the IT security plan, and if the process requires appropriate levels of management review and approval of changes.
• Determine if enterprise information security baselines for all major platforms are commensurate with the overall IT security plan, if the baselines have been recorded in the configuration baseline (DS9) central repository, and if a process exists to periodically update the baselines based on changes in the plan.
• Determine if the IT security plan includes the following:
– A complete set of security policies and standards in line with the established information security policy framework
– Procedures to implement and enforce the policies and standards
– Roles and responsibilities
– Staffing requirements
– Security awareness and training
– Enforcement practices
– Investments in required security resources
• Determine if a process exists to integrate information security requirements and implementation advice from the IT security plan into other processes, including the development of SLAs and OLAs (DS1-DS2), automated solution requirements (AI1), application software (AI2), and IT infrastructure components (AI3).
DS5.2 IT Security Plan
Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

Value Drivers:
• The IT security plan satisfying business requirements and covering all risks to which the business is exposed
• Investments in IT security managed in a consistent manner to enable the security plan
• Security policies and procedures communicated to stakeholders and users
• Users aware of the IT security plan

Risk Drivers:
• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users

DS5 Ensure Systems Security (cont.)
Test the Control Design
• Determine if procedures exist to periodically assess and recertify system and application access and authorities.
• Determine if access control procedures exist to control and manage system and application rights and privileges according to the organisation’s security policies and compliance and regulatory requirements.
• Determine if systems, applications and data have been classified by levels of importance and risk, and if process owners have been identified and assigned.
• Determine if user provisioning policies, standards and procedures extend to all system users and processes, including vendors, service providers and business partners.
Test the Control Design
• Determine if security practices require users and system processes to be uniquely identifiable and systems to be configured to enforce authentication before access is granted.
• If predetermined and preapproved roles are utilised to grant access, determine if the roles clearly delineate responsibilities based on least privileges and ensure that the establishment and modification of roles are approved by process owner management.
• Determine if access provisioning and authentication control mechanisms are utilised for controlling logical access across all users, system processes and IT resources, for in-house and remotely managed users, processes and systems.
DS5.3 Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

Value Drivers:
• Effective implementation of changes
• Proper investigation of improper access activity
• Secure communication ensuring approved business transactions

Risk Drivers:
• Unauthorised changes to hardware and software
• Access management failing business requirements and compromising the security of business-critical systems
• Unspecified security requirements for all systems
• Segregation-of-duty violations
• Compromised system information

DS5 Ensure Systems Security (cont.)
DS5.4 User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.

Value Drivers:
• Consistently managed and administered user accounts
• Rules and regulations for all kinds of users
• Timely discovery of security incidents
• Protection of IT systems and confidential data from unauthorised users

Risk Drivers:
• Security breaches
• Users failing to comply with security policy
• Incidents not solved in a timely manner
• Failure to terminate unused accounts in a timely manner, thus impacting corporate security
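The regular management review that DS5.3 and DS5.4 call for can be run as a script over the account inventory and the HR leaver list. The following is an added example, not part of the guide: it flags active accounts with no owner approval on record, leaver accounts not closed within the allowed window, dormant accounts and accounts whose management review is overdue (a shorter window for privileged users). All account data, names and thresholds are constructed assumptions.

```python
"""Added example (not from the guide): DS5.4-style account review over a
constructed inventory. Thresholds and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    user_id: str
    owner_approval: Optional[str]   # approval/ticket reference, None if none recorded
    privileged: bool                # administrator (privileged user) or not
    last_login: Optional[date]
    last_review: Optional[date]     # last management review of the account
    status: str                     # "active" or "disabled"


@dataclass
class Finding:
    user_id: str
    rule: str
    detail: str


# Assumed policy thresholds (not taken from the guide).
LEAVER_CLOSE_DAYS = 2      # days allowed to close an account after termination
DORMANT_DAYS = 90          # no login for longer than this is "unused"
PRIV_REVIEW_DAYS = 90      # privileged accounts reviewed at least quarterly
STD_REVIEW_DAYS = 365      # standard accounts reviewed at least annually


def review_accounts(accounts: List[Account], leavers: Dict[str, date], as_of: date) -> List[Finding]:
    """Return one Finding per failed check; disabled accounts are skipped.

    leavers maps user_id -> termination date taken from the HR roster."""
    findings: List[Finding] = []
    for a in accounts:
        if a.status != "active":
            continue
        # Leaver whose account is still active past the closure window.
        if a.user_id in leavers and (as_of - leavers[a.user_id]).days > LEAVER_CLOSE_DAYS:
            findings.append(Finding(a.user_id, "leaver-not-closed", f"terminated {leavers[a.user_id]}"))
        # DS5.4: the data/system owner must have approved the access.
        if not a.owner_approval:
            findings.append(Finding(a.user_id, "no-owner-approval", "no approval record"))
        # Unused accounts must be terminated in a timely manner.
        if a.last_login is None or (as_of - a.last_login).days > DORMANT_DAYS:
            findings.append(Finding(a.user_id, "dormant", f"last login {a.last_login}"))
        # Regular management review of all accounts and privileges.
        window = PRIV_REVIEW_DAYS if a.privileged else STD_REVIEW_DAYS
        if a.last_review is None or (as_of - a.last_review).days > window:
            findings.append(Finding(a.user_id, "review-overdue", f"last review {a.last_review}"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for the auditor's summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample inventory (hypothetical users and dates).
AS_OF = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "CHG-101", False, date(2024, 6, 28), date(2024, 1, 15), "active"),  # clean
    Account("bob", None, True, date(2024, 6, 29), date(2024, 5, 1), "active"),           # no approval
    Account("carol", "CHG-204", False, date(2024, 2, 1), date(2024, 1, 15), "active"),   # dormant
    Account("dave", "CHG-305", True, date(2024, 6, 30), date(2024, 1, 2), "active"),     # review overdue
    Account("erin", "CHG-406", False, date(2024, 6, 20), date(2024, 1, 15), "active"),   # leaver
    Account("frank", "CHG-507", False, date(2023, 1, 1), None, "disabled"),              # already closed
]
SAMPLE_LEAVERS = {"erin": date(2024, 6, 10)}

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_LEAVERS, AS_OF):
        print(f"{f.user_id:8} {f.rule:20} {f.detail}")
```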
Test the Control Design
• Enquire whether and confirm that an inventory of all network devices, services and applications exists and that each component has been assigned a security risk rating.
• Determine if security baselines exist for all IT utilised by the organisation.
• Determine if all organisation-critical, higher-risk network assets are routinely monitored for security events.
• Determine if the IT security management function has been integrated within the organisation’s project management initiatives to ensure that security is considered in development, design and testing requirements, to minimise the risk of new or existing systems introducing security vulnerabilities.
DS5.5 Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

Value Drivers:
• Staff experienced in security testing and monitoring of IT systems
• Regularly reviewed security level
• Deviations from business requirements highlighted
• Security breaches detected proactively

Risk Drivers:
• Misuse of users’ accounts, compromising organisational security
• Undetected security breaches
• Unreliable security logs

DS5 Ensure Systems Security (cont.)
Test the Control Design
• Determine if a computer emergency response team (CERT) exists to recognise and effectively manage security emergencies. The following areas should exist as part of an effective CERT process:
– Incident handling—General and specific procedures and other requirements to ensure effective handling of incidents and reported vulnerabilities
– Vendor relations—The role and responsibilities of vendors in incident prevention and follow-up, software flaw correction, and other areas
– Communications—Requirements, implementation and operation of emergency and routine communications channels amongst key members of management
– Legal and criminal investigative issues—Issues driven by legal considerations and the requirements or constraints resulting from the involvement of criminal investigative organisations during an incident
– Constituency relations—Response centre support services and methods of interaction with constituents, including training and awareness, configuration management, and authentication
– Research agenda and interaction—Identification of existing research activities and requirements and rationale for needed research relating to response centre activities
– Model of the threat—Development of a basic model that characterises potential threats and risks to help focus risk reduction activities and progress in those activities
– External issues—Factors that are outside the direct control of the company (e.g., legislation, policy, procedural requirements) but that could affect the operation and effectiveness of the company’s activities
• Determine if the security incident management process appropriately interfaces with key organisation functions, including the help desk, external service providers and network management.
• Evaluate if the security incident management process includes the following key elements:
– Event detection
– Correlation of events and evaluation of threat/incident
– Resolution of threat, or creation and escalation of work order
– Criteria for initiating the organisation’s CERT process
– Verification and required levels of documentation of the resolution
– Post-remediation analysis
– Work order/incident closure
DS5 Ensure Systems Security (cont.)

DS5.6 Security Incident Definition
Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.

Value Drivers:
• Proactive security incident detection
• Reporting of security breaches on a defined and documented level
• Identified ways of communication for security incidents

Risk Drivers:
• Undetected security breaches
• Lack of information for performing counterattacks
• Missing classification of security breaches
Test the Control Design
• Enquire whether and confirm that policies and procedures have been established to address security breach consequences (specifically to address controls to configuration management, application access, data security and physical security requirements).
• Inspect the control records granting and approving access and logging unsuccessful attempts, lockouts, authorised access to sensitive files and/or data, and physical access to facilities.
• Enquire whether and confirm that the security design features facilitate password rules (e.g., maximum length, characters, expiration, reuse).
• Enquire whether and confirm that the control requires annual management reviews of security features for physical and logical access to files and data.
• Verify that access is authorised and appropriately approved.
• Inspect security reports generated from system tools preventing network penetration vulnerability attacks.
DS5.7 Protection of Security Technology
Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.

Value Drivers:
• Corporate security technology protected
• Reliable information secured
• Corporate assets protected

Risk Drivers:
• Exposure of information
• Breach of trust with other organisations
• Violations of legal and regulatory requirements

DS5 Ensure Systems Security (cont.)
Test the Control Design
• Determine if a defined key life cycle management process exists. The process should include:
– Minimum key sizes required for the generation of strong keys
– Use of required key generation algorithms
– Identification of required standards for the generation of keys
– Purposes for which keys should be used and restricted
– Allowable usage periods or active lifetimes for keys
– Acceptable methods of key distribution
– Key backup, archival and destruction
• Assess if controls over private keys exist to enforce their confidentiality and integrity. Consideration should be given to the following:
– Storage of private signing keys within secure cryptographic devices (e.g., FIPS 140-1, ISO 15782-1, ANSI X9.66)
– Private keys not exported from a secure cryptographic module
– Private keys backed up, stored and recovered only by authorised personnel using dual control in a physically secured environment
• Enquire whether and confirm that the organisation has implemented information classification and associated protective controls for information that account for the organisation’s needs for sharing or restricting information and the organisational impacts associated with such needs.
• Determine if procedures are defined to ensure that information labelling and handling is performed in accordance with the organisation’s information classification scheme.
DS5 E
nsur
e Sys
tem
s Sec
urit
y (c
ont.
)
DS5
.8 C
rypt
ogra
phic
Key
Man
agem
ent
Det
erm
ine
that
pol
icie
s an
d pr
oced
ures
are
in p
lace
to o
rgan
ise
the
gene
ratio
n,ch
ange
, rev
ocat
ion,
des
truc
tion,
dis
trib
utio
n, c
ertif
icat
ion,
sto
rage
, ent
ry, u
se a
ndar
chiv
ing
of c
rypt
ogra
phic
key
s to
ens
ure
the
prot
ectio
n of
key
s ag
ains
tm
odif
icat
ion
and
unau
thor
ised
dis
clos
ure.
Valu
e D
river
sC
ontr
ol O
bjec
tive
• D
efin
ed a
nd d
ocum
ente
d ke
ym
anag
emen
t•
Key
s ha
ndle
d in
a s
ecur
e m
anne
r•
Secu
re c
omm
unic
atio
n
Ris
k D
river
s
• K
eys
mis
used
by
unau
thor
ised
par
ties
• R
egis
trat
ion
of n
on-v
erif
ied
user
s,th
us c
ompr
omis
ing
syst
em s
ecur
ity•
Una
utho
rise
d ac
cess
to c
rypt
ogra
phic
keys
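The key life cycle items in the test steps above (minimum key sizes, required algorithms, permitted purposes, active lifetimes, and private keys held in and not exportable from a secure module) can be checked mechanically against a key inventory rather than by reading policy documents alone. The following script is an added example and is not code from the COBIT guide; the policy values, the banned-algorithm list, the inventory records and the audit date are all constructed for the demonstration, and a real review would load the organisation’s own policy and the export from its key management system or HSM.

```python
"""Review a cryptographic key inventory against the key life cycle policy.

Added example; not code from the COBIT guide. POLICY, BANNED_ALGORITHMS,
EXCLUSIVE_PURPOSES, INVENTORY and AUDIT_DATE are constructed for the
demonstration.
"""
from datetime import date

# Constructed policy: per algorithm, the minimum key size, the maximum active
# lifetime (cryptoperiod) in days and the purposes the key may serve.
POLICY = {
    "RSA":   {"min_bits": 2048, "max_days": 730, "purposes": {"sign", "key-transport"}},
    "ECDSA": {"min_bits": 256,  "max_days": 730, "purposes": {"sign"}},
    "AES":   {"min_bits": 128,  "max_days": 365, "purposes": {"encrypt"}},
    "HMAC":  {"min_bits": 256,  "max_days": 365, "purposes": {"mac"}},
}
# Algorithms the constructed policy forbids for key generation.
BANNED_ALGORITHMS = {"DES", "3DES", "RC4"}
# Purpose combinations that must never share one key.
EXCLUSIVE_PURPOSES = [{"sign", "encrypt"}]
# Date of the review (constructed).
AUDIT_DATE = date(2007, 1, 1)

# Constructed inventory, shaped like a key management system export.
# "in_hsm": key resides in a secure cryptographic device; "exportable": the
# device permits the private or secret key material to leave it.
INVENTORY = [
    {"id": "k-001", "alg": "RSA",   "bits": 4096, "purposes": ["sign"],            "created": "2006-01-10", "in_hsm": True,  "exportable": False},
    {"id": "k-002", "alg": "RSA",   "bits": 1024, "purposes": ["sign"],            "created": "2006-06-01", "in_hsm": True,  "exportable": False},
    {"id": "k-003", "alg": "AES",   "bits": 256,  "purposes": ["encrypt"],         "created": "2004-03-15", "in_hsm": False, "exportable": False},
    {"id": "k-004", "alg": "3DES",  "bits": 168,  "purposes": ["encrypt"],         "created": "2006-11-02", "in_hsm": False, "exportable": False},
    {"id": "k-005", "alg": "RSA",   "bits": 2048, "purposes": ["sign", "encrypt"], "created": "2006-09-09", "in_hsm": False, "exportable": True},
    {"id": "k-006", "alg": "ECDSA", "bits": 256,  "purposes": ["sign"],            "created": "2006-12-01", "in_hsm": True,  "exportable": False},
]


def check_key(key, today):
    """Return the policy findings for one key; an empty list means compliant."""
    findings = []
    alg = key["alg"]
    if alg in BANNED_ALGORITHMS:
        return [f"{alg} is not an approved key generation algorithm"]
    rule = POLICY.get(alg)
    if rule is None:
        return [f"{alg} has no entry in the key management policy"]
    if key["bits"] < rule["min_bits"]:
        findings.append(f"{key['bits']}-bit key is below the {rule['min_bits']}-bit minimum for {alg}")
    purposes = set(key["purposes"])
    disallowed = purposes - rule["purposes"]
    if disallowed:
        findings.append(f"purpose(s) {sorted(disallowed)} not permitted for {alg}")
    for group in EXCLUSIVE_PURPOSES:
        if group <= purposes:
            findings.append(f"purposes {sorted(group)} must not share one key")
    age = (today - date.fromisoformat(key["created"])).days
    if age > rule["max_days"]:
        findings.append(f"key is {age} days old, beyond the {rule['max_days']}-day active lifetime")
    if "sign" in purposes and not key["in_hsm"]:
        findings.append("private signing key is not held in a secure cryptographic device")
    if key["exportable"]:
        findings.append("key material is exportable from its cryptographic module")
    return findings


def audit(inventory=INVENTORY, today=AUDIT_DATE):
    """Map each key id to its list of findings."""
    return {k["id"]: check_key(k, today) for k in inventory}


if __name__ == "__main__":
    for key_id, findings in audit().items():
        print(key_id, "compliant" if not findings else "; ".join(findings))
```

Run as-is it reports k-001 and k-006 as compliant, an undersized RSA key, an AES key past its lifetime, a banned algorithm, and a signing key that is also used for encryption, sits outside an HSM and is exportable. The same structure extends to the other life cycle items (distribution method, backup and destruction records) once the inventory export carries those fields.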
APPENDIX IV
DS5 Ensure Systems Security (cont.)

DS5.9 Malicious Software Prevention, Detection and Correction

Control Objective
Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

Value Drivers
• System security ensured by proactive malware protection
• Ensured system integrity
• Timely detection of security threats

Risk Drivers
• Exposure of information
• Violations of legal and regulatory requirements
• Systems and data that are prone to virus attacks
• Ineffective countermeasures

Test the Control Design
• Enquire whether and confirm that a malicious software prevention policy is established, documented and communicated throughout the organisation.
• Ensure that automated controls have been implemented to provide virus protection and that violations are appropriately communicated.
• Enquire of key staff members whether they are aware of the malicious software prevention policy and their responsibility for ensuring compliance.
• From a sample of user workstations, observe whether a virus protection tool has been installed and includes virus definition files and the last time the definitions were updated.
• Enquire whether and confirm that the protection software is centrally distributed (version and patch level) using a centralised configuration and change management process.
• Review the distribution process to determine the operating effectiveness.
• Enquire whether and confirm that information on new potential threats is regularly reviewed and evaluated and, as necessary, manually updated to the virus definition files.
• Review the review and evaluation process to determine operating effectiveness.
• Enquire whether and confirm that incoming e-mail is filtered appropriately against unsolicited information.
• Review the filtering process to determine operating effectiveness, or review the automated process established for filtering purposes.
IT ASSURANCE GUIDE: USING COBIT
DS5 Ensure Systems Security (cont.)

DS5.10 Network Security

Control Objective
Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.

Value Drivers
• Corporate security technology protected
• Reliable information secured
• Corporate assets protected
• Network security managed in a consistent manner

Risk Drivers
• Failure of firewall rules to reflect the organisation’s security policy
• Undetected unauthorised modifications to firewall rules
• Compromised overall security architecture
• Security breaches not detected in a timely manner

Test the Control Design
• Enquire whether and confirm that a network security policy (e.g., provided services, allowed traffic, types of connections permitted) has been established and is maintained.
• Enquire whether and confirm that procedures and guidelines for administering all critical networking components (e.g., core routers, DMZ, VPN switches) are established and updated regularly by the key administration personnel, and changes to the documentation are tracked in the document history.

DS5.11 Exchange of Sensitive Data

Control Objective
Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.

Value Drivers
• Trusted ways of communications
• Reliable information exchange
• System and data integrity safeguarded

Risk Drivers
• Sensitive information exposed
• Inadequate physical security measures
• Unauthorised external connections to remote sites
• Disclosure of corporate assets and sensitive information accessible for unauthorised parties

Test the Control Design
• Enquire whether and confirm that data transmissions outside the organisation require encrypted format prior to transmission.
• Enquire whether and confirm that corporate data are classified according to exposure level and classification scheme (e.g., confidential, sensitive).
• Enquire whether and confirm that sensitive data processing is controlled through application controls that validate the transaction prior to transmission.
• Review that the application logs or halts processing for invalid or incomplete transactions.
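The DS5.10 test steps ask for a network security policy that states the allowed traffic and permitted connection types, and the risk drivers name firewall rules that fail to reflect that policy and rule changes that go undetected. Comparing an exported rule base against the policy is the practical form of that test. The script below is an added example and is not code from the COBIT guide: the zones, the policy table and the rule base are constructed, and the rule representation (action, source, destination, protocol, port, change ticket) is a generic simplification rather than any vendor’s syntax. Besides flows the policy does not allow and rules without a recorded justification, it detects shadowed rules, i.e. rules fully covered by an earlier rule, which can never match and usually indicate that changes were never reviewed.

```python
"""Review a firewall rule base against the network security policy.

Added example; not code from the COBIT guide. ZONES, POLICY and RULES are
constructed; the rule format is a generic simplification.
"""
import ipaddress

# Constructed zones; "internet" is the catch-all for anything not internal.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
# Constructed policy: the only (protocol, port) flows allowed between zones.
POLICY = {
    ("internet", "dmz"):      {("tcp", 443)},
    ("dmz", "internal"):      {("tcp", 5432)},
    ("internal", "dmz"):      {("tcp", 443), ("tcp", 22)},
    ("internal", "internet"): {("tcp", 443), ("tcp", 80)},
}


class Rule:
    def __init__(self, action, src, dst, proto, port, ticket=""):
        self.action, self.proto, self.port, self.ticket = action, proto, port, ticket
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)


# Constructed rule base in evaluation order; first match wins.
RULES = [
    Rule("allow", "0.0.0.0/0",     "192.0.2.10/32", "tcp", 443,  ticket="CHG-1041"),
    Rule("allow", "192.0.2.10/32", "10.20.0.5/32",  "tcp", 5432, ticket="CHG-1042"),
    Rule("allow", "10.0.0.0/8",    "192.0.2.0/24",  "tcp", 22,   ticket="CHG-0990"),
    Rule("allow", "10.0.0.0/8",    "0.0.0.0/0",     "any", "*"),                      # any/any outbound
    Rule("deny",  "0.0.0.0/0",     "0.0.0.0/0",     "any", "*",  ticket="CHG-0001"),  # default deny
    Rule("allow", "10.5.0.0/16",   "192.0.2.0/24",  "tcp", 22,   ticket="CHG-1100"),  # unreachable
]


def zone_of(net):
    """Name of the most specific zone that contains the network."""
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("any", b.proto) and a.port in ("*", b.port))


def review(rules=RULES):
    """Return (rule index, finding) pairs for the rule base."""
    findings = []
    for i, rule in enumerate(rules):
        # A rule fully covered by an earlier one can never match.
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((i, f"shadowed by rule {j}; it can never match"))
                break
        if rule.action != "allow":
            continue
        flow = (zone_of(rule.src), zone_of(rule.dst))
        if (rule.proto, rule.port) not in POLICY.get(flow, set()):
            findings.append((i, f"allows {flow[0]} -> {flow[1]} {rule.proto}/{rule.port}, not in policy"))
        if not rule.ticket:
            findings.append((i, "no change ticket or business justification recorded"))
    return findings


if __name__ == "__main__":
    for index, text in review():
        print(f"rule {index}: {text}")
```

On the constructed rule base the review flags the any/any outbound rule twice (not in policy, no ticket) and reports the last rule as shadowed by rule 2. The ACL review steps later in this appendix (rules segregating trusted and non-trusted segments, documented business purpose and approval for each rule) are the same checks applied to the sampled devices’ real exports.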
Take the following steps to test the outcome of the control objectives:
• Through inquiry and observation, determine if the security management function effectively interacts with key enterprise functions, including areas such as risk management, compliance and audit.
• Review the process for identifying and responding to security incidents, selecting a sample of recorded incidents. Through inquiry and review of supporting documentation, determine whether appropriate management action has been taken to resolve the incident.
• Select a sample of employees and determine if computer usage and confidentiality (non-disclosure) agreements have been signed as part of their initial terms and conditions of employment.
• Review the IT security strategy, plans, policies and procedures to determine their relevance to the organisation’s current IT landscape, and determine when they were last reviewed and updated.
• Review the IT security strategy, plans, policies and procedures, and verify that they reflect the data classification.
• Interview stakeholders and users on their knowledge of the IT security strategy, plans, policies and procedures, and determine if stakeholders and users find them to be relevant to risks and organisational practices.
• Ask executive management about any recent or planned changes to the organisation (e.g., business unit acquisitions/dispositions, new systems, changes in regulatory environment), and determine if the IT security plan is properly aligned.
• Determine if security processes have been implemented to uniquely identify and control the actions of all users and processes through review of system (development, test and production systems) and application accounts, job queues and services, and security software mode settings.
• Through a sample of access control lists (ACLs), determine whether the security provisioning process appropriately considers the following:
– Sensitivity of the information and applications involved (data classification)
– Policies for information protection and dissemination (legal, regulatory and contractual requirements)
– The ‘need-to-have’ of the function
– Standard user access profiles for common job roles in the organisation
– The need for segregation for the access rights involved
– Data owner and management’s authorisation for access
– The documentation of identity and access rights in a central repository
– Creation, communication and change of initial passwords
• Through inquiry and review of sampled ACLs, determine if a process exists for resolving access provisioning requests that are not commensurate with established security authentication practices and roles.
• Determine if a risk assessment process was utilised to identify possible segregation of duties and if an escalation process was utilised to obtain added levels of management authorisation.
• Determine if authentication and authorisation mechanisms exist to enforce access rights according to the sensitivity and criticality of information (e.g., password, token, digital signature).
• Determine if trust relationships enforce comparable security levels and maintain user and process identities.
• Select a sample of user and system accounts and a sample ACL to determine existence of the following:
– Clearly defined requested role and/or privileges
– Business justification for assignment
– Data owner and management authorisation
– Business/risk justification and management approval for non-standard requests
– Access requested commensurate with job function/role and required segregation of duties
– Documentation evidencing adherence to and completion of the provisioning process
• Obtain from HR a sample of employee transfers and terminations and, through review of system account profiles and/or ACLs, determine if access has been appropriately altered and/or revoked in a timely manner.
• Select a sample of critical network devices and system services, and determine if access control mechanisms have been routinely evaluated and tested to confirm their operational effectiveness.
• Select a sample of critical network devices and system services, and determine if they have been routinely monitored for existence of security incidents.
• Sample security baselines and determine if they are appropriately aligned to the organisation’s risk profile and levels of accepted risk and if they take into account common risks and vulnerabilities (i.e., conform to leading practices).
• Select a sample of IT devices and determine their compliance with established security baselines. For deviations from baselines, determine if a risk assessment was performed and if management approved the deviation from the baseline.
• Determine if a security review process has been integrated into the organisation’s acquisition and implementation processes (AI) and delivery and support processes (DS), requiring security management’s involvement and approval of any IT changes that would impact the design or operation of systems security. The review process should consider:
– Overall technology architecture
– Database access and security design
– Protocol, port and socket usage
– Required services
– User remote access and modem requirements
– Server-to-server authentication and encryption
– Scalability, availability and redundancy
– Session management and cookie usage
– Administrative capabilities
– User ID and password management
– Audit trails and logging/reporting
• Determine if security audit trails capture user identification (ID), type of event, date and time, success or failure indication, origination of event, and the identity or the name of the affected object. Logged events should include accesses to sensitive data, actions by administrative and privileged accounts, initialisation of audit logs, and modification of system-level objects.
• Inspect and review documents supporting the recording, analysis and resolution of potential security incidents, and perform the following steps:
– Understand the methods used to categorise incidents and identify actionable threats.
– Identify specific logged security incidents, and inquire as to the nature and disposition of the incident.
• Inspect documentation evidencing the process used to match the organisation’s network device inventory to published vulnerabilities for the purpose of verifying that all devices are at current release and security patch levels.
• Determine if formal management responsibilities and procedures exist throughout the key management life cycle, including changes to encryption equipment, software and operating procedures.
• For a sample of new keys, determine if key pairs have been generated in accordance with industry standards and compliance or regulatory requirements (e.g., ISO 15782-1, FIPS 140-1, ANSI X9.66) and if documentation evidences the existence of split-knowledge and dual-control keys (requiring two or three people, each knowing only his/her part of the key, to reconstruct the whole key).
• For a sample of expired keys, determine if documentation exists evidencing the complete destruction of keys at the end of the key-pair life cycle.
• Review maintenance records evidencing that cryptographic hardware is routinely tested.
• Obtain a list of individuals who have access to cryptographic hardware, software and keys, and determine if access is limited to properly authorised individuals responsible for the creation and injection of keys.
• Determine if key custodians formally acknowledge, understand and accept their key custodian responsibilities.
• Determine if encryption keys are generated, stored and used in a manner such that the keys and their components are known only to authorised custodians.
• For keys received from third-party vendors, determine if they are sent in separate parts by different carriers on different dates, and if each part of the key is stored in a separate safe, for which the combination is known by a separate key officer.
• Assess the system security features to evaluate whether proactive controls have been established to protect from malicious security attacks.
• Assess whether the data/system protection software is centrally distributed throughout the network environment.
• Assess the control features for filtering incoming traffic against unsolicited information.
• Select a sample of critical network devices, and confirm that the devices are properly secured with special mechanisms and tools (e.g., authentication for device management, secure communications, strong authentication mechanisms) and that active monitoring and pattern recognition are in place to protect devices from attack.
• Select a sample of network devices, and determine if the devices have been configured with minimal features enabled (e.g., features that are necessary for functionality and hardened for security applications); all unnecessary services, functionalities and interfaces have been removed; and all relevant security patches and major updates are applied to the system in a timely manner before going to production.
• Select a sample of new network devices or changes to existing network devices and determine that the organisation’s Acquire and Implement (AI) process controls and Deliver and Support (DS) process controls have been followed.
• Select a sample of firewall devices, and review ACLs for the following:
– Access rules effectively segregating trusted and non-trusted network segments
– Documentation evidencing the business purpose and management’s approval of rules
– Configurations following management-approved baselines
– Devices that are current on version and patch release levels
• Determine if encryption is utilised for all non-console administrative access, such as SSH, VPN or SSL/TLS.
• Assess whether automated controls safeguard the data and systems, such that data are transmitted through reliable sources.
• Determine if user management periodically reviews user profiles and access rights to ensure the adequacy of access rights and requirements for segregation of duties.
• Verify that direct access to data is prevented or, where required, controlled and documented accordingly.
• Verify that the quality requirements for passwords are defined and enforced by systems.
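The split-knowledge and dual-control step above (two or three custodians, each knowing only his or her part, all needed to reconstruct the whole key) and the requirement that keys and their components be known only to authorised custodians describe a mechanism an auditor should understand well enough to recognise whether a key ceremony actually delivers it. The following is an added example and not code from the COBIT guide: it implements the XOR component split commonly used for key custodians, in which each of n custodians holds one component of the key’s length and the key is the XOR of all n, so any n-1 components together are statistically independent of the key. The key check value used here is a truncated SHA-256 of the key, an assumption made for the demonstration (HSM ceremonies typically use an AES-based check value), and DEMO_KEY is constructed.

```python
"""Split-knowledge key components under dual control.

Added example; not code from the COBIT guide. DEMO_KEY is constructed and
the hash-based check value is an assumption for the demonstration.
"""
import hashlib
import secrets

DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                         "101112131415161718191a1b1c1d1e1f")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, custodians):
    """Return one component per custodian; the XOR of all of them is the key.

    The first n-1 components are fresh random bytes; the last one is chosen so
    that everything XORs back to the key. Each component on its own is
    uniformly random and says nothing about the key.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)       # last = key XOR c1 XOR ... XOR c(n-1)
    components.append(last)
    return components


def combine_components(components):
    """Reassemble the key; with any component missing the result is random."""
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


def check_value(key):
    """Check value custodians can compare without exposing the key (assumed
    truncated SHA-256 here in place of an AES-based KCV)."""
    return hashlib.sha256(key).hexdigest()[:8]


def key_ceremony(components, expected_kcv, required):
    """Dual control: refuse unless `required` custodians each present a part
    and the reassembled key matches the recorded check value."""
    if len(components) < required:
        raise PermissionError(f"{required} custodians required, {len(components)} present")
    key = combine_components(components)
    if check_value(key) != expected_kcv:
        raise ValueError("check value mismatch: a component is wrong or missing")
    return key


if __name__ == "__main__":
    parts = split_key(DEMO_KEY, 3)
    kcv = check_value(DEMO_KEY)
    for n, part in enumerate(parts, 1):
        print(f"custodian {n}: {part.hex()}")   # each line alone is uniformly random
    print("ceremony with all three parts:", key_ceremony(parts, kcv, required=3) == DEMO_KEY)
    try:
        key_ceremony(parts[:2], kcv, required=3)
    except PermissionError as e:
        print("refused:", e)
```

The check value is what lets a custodian confirm that the right key was formed without anyone seeing it; it is also what an auditor can ask to see in the ceremony record alongside the custodians’ signatures, since it ties the recorded ceremony to the key actually loaded.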
Take the following steps to document the impact of the control weaknesses:
• Determine the level of security consciousness within the organisation by reviewing functional and operational documentation for the existence of security considerations (e.g., involvement of the security management function within the SDLC).
• Benchmark the information security organisation (e.g., size, lines of reporting) against similar organisations, and benchmark formalised policies, standards and procedures to international standards/recognised industry best practices.
• Determine if the security management function is commensurate with the size and complexity of the IT landscape. Consider the following:
– Size, complexity and diversity of the IT landscape
– Use of security administration tools and technology
– Alignment of security management to business lines (e.g., do organisation segments have competing security functions?)
– Skills and training of security management personnel
• Determine if members of executive management communicate the importance and their support of the security management organisation. Consideration should be given to executive management or security steering committee approval of formalised security policies.
• Determine the existence of a management-approved security charter and policies, standards and procedures that address logical security for all relevant aspects of the organisation’s IT landscape.
• Determine if the IT security plan has adequately considered the security profile of the organisation, including any regulatory and compliance requirements.
• Assess the ability of the security management organisation to execute and monitor compliance with the plan. Consideration should be given to the size of the organisation, use of security assessment and administration technology and tools, and required experience levels and ongoing training received by security personnel.
• Select policy, standards and procedural documentation from various financial, operational and compliance areas within the organisation, and determine if key provisions of the IT security plan have been appropriately reflected in the documentation.
• Determine if a security review process has been integrated into the organisation’s AI and DS processes, requiring security management’s involvement and approval of any IT changes that would impact the design or operation of systems security.
• Determine if the organisation’s AI processes and controls are supported by segregated development, test and assurance, and production environments.
• Identify the existence and reasonableness of anonymous and group accounts (e.g., nobody, web user, everybody), remote processes and started tasks. Consideration should be given to the nature and scope of transaction authorities, the risk of possible escalation of privileges, the process origin (e.g., trusted, non-trusted), or if a security design review was performed for system and application-initiated jobs and processes.
• Determine if security software, applications and supporting systems software have been configured to enforce user authentication or propagate user and process identities. Determine if default accounts exist to authenticate anonymous users or processes.
• Determine sources of non-trusted access (e.g., business partners, vendors), and determine how access has been assigned to provide uniquely identifiable account holders and appropriate protection of information.
• Through the use of audit software tools or scripts, identify the existence of inactive or unused accounts and determine the existence of a business justification.
• Identify active vendor or contractor accounts, and determine if access is commensurate with the terms and duration of the contract.
• Determine if vendor-supplied accounts have been appropriately safeguarded (e.g., default passwords changed, accounts revoked).
• Assess the reasonableness of the nature and frequency of verification and vulnerability assessment processes utilised, considering the organisation’s risk profile, size, complexity and diversity.
• Determine if security scripts and tools are utilised to test the existence of common vulnerabilities, the effectiveness of security mechanisms and the effectiveness of user access administration processes (e.g., existence of inactive or never used accounts, terminated user accounts, accounts without passwords or forced password changes).
• Identify and select a sample of organisation-critical network devices (hardware and application systems) and at-risk perimeter network devices. Determine the existence of security sensors or use of host logging to capture incidents, and ensure that security incidents are included in the daily review process.
• Obtain a sample of security-related incident work order tickets, and determine if the issue has been appropriately resolved and closed in a timely manner.
• Determine if security tool deployment appropriately addresses all principal technologies utilised by the organisation and if personnel possess the required skills to appropriately operate the security tools and technologies.
• Determine if security personnel are required to attend annual training and if security tools receive routine updates to threat and vulnerability engines and supporting database/signatures.
• Select a sample of business-critical or sensitive data, and determine if data have been secured in accordance with the organisation’s encryption standards.
• Verify that the cryptographic system used to protect stored data effectively renders data unreadable, and determine if any method can be utilised to access erased data through forensic techniques.
• Determine whether the security controls have been implemented to prevent exposure from malicious attacks and vulnerabilities.
• Determine if portable code (e.g., Java, JavaScript) and downloaded binaries and executables are scanned before being allowed into the network or blocked from entering the network.
• Determine that the organisation’s network documentation accurately reflects the current network environment, including wireless devices, and examine the network design to determine if security barriers are strategically placed at the network’s perimeter, between the organisation’s trusted internal network and non-trusted public (i.e., Internet), vendor (i.e., service organisation) or business partner (i.e., extranet) segments.
• Verify that changes to security-relevant parameters follow the organisation’s change management processes and are authorised and tested accordingly.
• Confirm that sensitive information is not disclosed or exposed to unauthorised parties.
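Two of the steps above call for audit software tools or scripts to find inactive or never-used accounts, terminated users’ accounts, accounts without passwords and accounts without forced password changes. The following is an added example of such a script and is not code from the COBIT guide. Its inputs are constructed: a /etc/shadow extract (name, hash, last change day, minimum and maximum age, and so on, with days counted from 1970-01-01 as shadow does), a last-login report of the kind `lastlog` produces, and an HR leaver list; on a real host these would be collected from the system and from HR. Accounts whose hash begins with `!` or `*` are locked and cannot authenticate, so they are reported clean; everything else is tested against the four conditions the text names.

```python
"""Audit script for inactive, unused, passwordless and terminated accounts.

Added example; not code from the COBIT guide. SHADOW, LASTLOG, TERMINATED
and AUDIT_DAY are constructed inputs.
"""
import datetime as dt

# Constructed /etc/shadow extract: name:hash:lastchg:min:max:warn:inactive:expire:
# (hashes are placeholders, not real password hashes).
SHADOW = """\
root:$6$c0nstructed$root:13500:1:90:7:::
alice:$6$c0nstructed$alice:13480:1:90:7:::
bob:$6$c0nstructed$bob:13100:0:99999:7:::
svc_backup:!!:13000:0:99999:7:::
guest::13400:0:99999:7:::
carol:$6$c0nstructed$carol:13450:1:90:7:::
"""
# Constructed last-login report: user -> day of last login (None = never).
LASTLOG = {"root": 13513, "alice": 13510, "bob": 13300, "guest": 13400, "carol": None}
# Constructed HR leaver list.
TERMINATED = {"carol"}
# Review date as days since 1970-01-01, the unit /etc/shadow uses.
AUDIT_DAY = (dt.date(2007, 1, 1) - dt.date(1970, 1, 1)).days   # 13514
INACTIVE_DAYS = 90


def parse_shadow(text):
    """Return {user: {"hash", "lastchg", "max"}} from shadow-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        accounts[fields[0]] = {
            "hash": fields[1],
            "lastchg": int(fields[2]) if fields[2] else None,
            "max": int(fields[4]) if fields[4] else None,
        }
    return accounts


def audit_accounts(shadow_text=SHADOW, lastlog=LASTLOG, terminated=TERMINATED,
                   audit_day=AUDIT_DAY, inactive_days=INACTIVE_DAYS):
    """Map each account to its findings. Locked accounts (hash starting with
    '!' or '*') cannot authenticate and produce no findings."""
    findings = {}
    for name, acct in parse_shadow(shadow_text).items():
        notes = []
        locked = acct["hash"].startswith(("!", "*"))
        if not locked:
            if acct["hash"] == "":
                notes.append("no password set: anyone can log in as this account")
            if acct["max"] is None or acct["max"] >= 99999:
                notes.append("password change never forced (max age unset)")
            last = lastlog.get(name)
            if last is None:
                notes.append("never logged in: obtain business justification")
            elif audit_day - last > inactive_days:
                notes.append(f"inactive for {audit_day - last} days")
            if name in terminated:
                notes.append("listed as terminated by HR but still enabled")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_accounts().items():
        print(user, "ok" if not notes else "; ".join(notes))
```

On the constructed data `guest` is reported as passwordless, never forced to change its password and inactive; `bob` as inactive with no forced change; and `carol` as a terminated user whose account was never used but remains enabled. The joins that make the script useful are the ones the text implies: shadow data for password state, login records for use, and the HR list for entitlement.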
DS6 Identify and Allocate Costs

The need for a fair and equitable system of allocating IT costs to the business requires accurate measurement of IT costs and agreement with business users on fair allocation. This process includes building and operating a system to capture, allocate and report IT costs to the users of services. A fair system of allocation enables the business to make more informed decisions regarding the use of IT services.

DS6.1 Definition of Services

Control Objective
Identify all IT costs, and map them to IT services to support a transparent cost model. IT services should be linked to business processes such that the business can identify associated service billing levels.

Value Drivers
• Improved management understanding and acceptance of IT costs, thereby facilitating more effective budgeting for IT services
• User management empowered with reliable, transparent information about controllable IT costs to facilitate more efficient control and prioritisation of resources
• Business management able to see the total cost of each business function and, therefore, make better informed decisions

Risk Drivers
• Costs accounted for incorrectly
• Investment decisions based on invalid cost information
• Business users having an incorrect view of IT’s cost and value contribution

Test the Control Design
• Enquire whether and confirm that a policy exists for cost allocations to departments.
• Inspect the documentation that defines the IT services and verify that the distinct IT services to which costs will be allocated have been defined and documented.
• Inspect the mapping of IT services to IT infrastructure, and determine if the mapping is appropriate by, for example, obtaining a copy of the hardware and software inventories and the listing of IT services to ensure that all infrastructure and services have been mapped.
• Confirm the sources of information used to create the mapping to determine whether the sources of information were appropriate for the mapping exercise.
• Inspect the mapping of IT services to the business process to ensure that the mapping has been done completely and appropriately. This can be accomplished by, for example, comparing the mapping to the organisational chart or lines of business.
• Enquire whether and determine if results of the mapping have been confirmed with the business process owners. Enquiries should focus on ascertaining the agreement of the business process owners with the alignment of IT services provided.
• Inspect documentation supporting the communication and agreement on mapping to determine whether agreement was achieved. Such documentation may include meeting minutes, budget documentation and SLAs.
DS6 Identify and Allocate Costs (cont.)

DS6.2 IT Accounting

Control Objective
Capture and allocate actual costs according to the enterprise cost model. Variances between forecasts and actual costs should be analysed and reported on, in compliance with the enterprise’s financial measurement systems.

Value Drivers
• More effective alignment promoted between business objectives and the cost of IT
• Facilitated allocation of IT resources to competing IT projects and processes
• Business units able to fully understand the total IT cost involved for delivering various business processes
• The level of productivity increased and the business view and professionalism of staff within the IT organisation expanded through increased financial accountability

Risk Drivers
• Failure of the current accounting model to support equitable service chargeback
• Costs recorded failing to comply with the enterprise’s financial accounting policies
• The business having an incorrect view of IT costs and value provided

Test the Control Design
• Obtain a copy of the cost elements defined (e.g., in an IT cost allocation model or costing system), compare them to cost elements defined for the overall organisation, and examine where differences exist.
• Identify the elements that are unique to IT, and assess the appropriateness of the cost elements defined.
• Inspect billings’ cost allocation journal entries that record the allocations of IT costs, and assess the appropriateness of those allocations. For example, comparisons across departments or as a percentage of department expenditures may identify misallocations or unallocated costs.
• Obtain a copy of the enterprise cost accounting system setup, and assess the treatment of IT costs through examination of IT expense registers, interdepartment billings, journal entries, etc.
• Obtain and inspect a copy of the documentation that requires budgets and forecasts to be updated on changes in cost structures, and review that documentation with business process owners and IT service leaders to determine whether the process is understood and deployed.
• Inspect documentation of the process for creating IT budgets, forecasts and actual cost reporting.
• Ensure that those processes are in alignment with the overall organisational processes, and determine whether the distribution lists and schedule for reporting on initial budgets, forecasts and actual to date are appropriate. Appropriateness of distribution includes considering all impacted business process owners, senior management, etc. Appropriateness of the schedule for distribution of reporting includes ensuring that IT is aligned with business reporting timelines.
• Assess the definitions of roles for recipients of budgets, forecasts and actual analysis to determine whether all appropriate parties have been assigned as recipients.
DS6 Identify and Allocate Costs (cont.)

DS6.3 Cost Modelling and Charging

Control Objective
Establish and use an IT costing model based on the service definitions that support the calculation of chargeback rates per service. The IT cost model should ensure that charging for services is identifiable, measurable and predictable by users to encourage proper use of resources.

Value Drivers
• IT cost allocation transparent for all affected parties
• Reliable information provided to the organisation about its total IT cost
• Investment decisions relatable to current costs

Risk Drivers
• The cost model not in line with the overall accounting procedures
• Gaps in identified and charged services
• Service usage insufficiently measured and failing to reflect actual business usage

Test the Control Design
• Enquire whether and confirm that all chargeable items and services provided by the IT department are properly categorised and itemised and that the corresponding charges for every service are listed.
• Verify that the material is organised in line with the enterprise accounting framework.
• Confirm through interviews with major users and a review of user department complaints in chargeback invoices that the chargeback model is transparent and fair.
• Confirm through interviews with IT management that the costing and chargeback model allows for efficient resource planning.
• Select a sample resource/service, compare the total cost to income from chargeback, and analyse the gap.

DS6.4 Cost Model Maintenance

Control Objective
Regularly review and benchmark the appropriateness of the cost/recharge model to maintain its relevance and appropriateness to the evolving business and IT activities.

Value Drivers
• IT cost allocations continuously aligned with actual business usage of IT services
• Cost allocations based on the most appropriate approach for the business and IT

Risk Drivers
• The cost model not in line with actual usage
• The method used for cost allocation not appropriate for the needs of the business and IT

Test the Control Design
• Enquire whether and confirm that the cost/charge model is reviewed on a regular basis (e.g., annually or semi-annually), including the current business requirements and changes in the IT services and costs.
• Inspect the reassessed charging model documents to look for management approval and to determine operating effectiveness.
• Inspect the policy or standards requiring IT cost charge models to be performed, and ensure that there is a requirement for regular review against the enterprise model (e.g., annually or semi-annually), or that there is a process for changes to the enterprise model to be reflected in the IT models.
IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE
Take the following steps to test the outcome of the control objectives:
• Enquire whether and confirm that cost allocations to departments are acceptable and/or appropriate for the organisation.
• Enquire whether and confirm that costs are allocated to distinct IT services.
• Enquire whether and confirm that the responsibility for gathering and allocating costs has been assigned appropriately.
• Inspect documentation that defines the cost allocation approach to ascertain whether all costs are allocated reasonably. This can be accomplished by, for example, comparing cost allocations to the budget or actual expenses incurred.
• Obtain the IT budget and departmental budgets, and determine whether IT service costs exist in departmental budgets.
• Consider whether the IT budget appears to be in alignment with the business needs through examination of departmental budgets, applications supported by department, etc.
• Select a sample of costs incurred and trace those costs to ascertain that they have been appropriately allocated to the IT services.
• Extract significant costs (e.g., the top 10 percent, significant department costs), and trace those costs to ascertain that they have been appropriately allocated to the IT services.
• Extract all IT costs and stratify by type for comparison to IT service definitions.
• Confirm with IT service leaders that all infrastructure inventory is accounted for and owned by IT services provided. This can be accomplished by examining the geographic scope of IT service and the nature of applications and business services provided, and discussing those scopes with the IT service leaders or through corroborating the IT service scope discussed with the current network diagrams.
• Select a sample of IT services and inspect the allocations of IT infrastructure for completeness by considering the nature of the IT service provided and known infrastructure required for support.
• Select a sample of IT infrastructure and ensure that it is mapped or assigned to an IT service area.
• Inspect asset registries, network diagrams or other infrastructure inventories, and determine whether allocations to service owners have been made.
• Select a sample of assets from a tour of the data centre and ensure that the assets are appropriately logged in asset registries, network diagrams or other infrastructure inventories.
• Enquire whether and confirm that all defined cost elements (e.g., people, accommodations, transfers, hardware, software) have been captured.
• Inspect billings/cost allocations/journal entries to record the allocations of IT costs and assess the appropriateness of those allocations. For example, comparisons across departments, or a percentage of department expenditures, may identify misallocations or unallocated costs.
• Compare and reconcile costs allocated to departments against IT expenditures to determine whether complete and accurate allocations are occurring.
• Inspect the general ledger accounts for IT expenditures to identify high-risk accounts (e.g., accounts that are not regularly used or that have high volumes of transactions flowing through them), and review for unusual entries.
• Select a sample of invoices from the IT department, and ensure that the accounting treatment is in accordance with the enterprise's cost allocation models.
• Analyse IT cost information obtained from the general ledger accounts to determine whether accounts that are subject to auto-posted or standard journal entries are posted correctly. For example, reperform the calculation of depreciation expense on IT assets to verify that accumulated amortisation on IT is allocated appropriately to the departments based on service usage or percentage allocations.
• Confirm with business process owners that there are processes in place to prevent unauthorised changes to cost allocations and to detect/monitor changes to cost allocations.
• Inspect a sample of cost structure changes, and ensure that budgets and forecasts for the affected departments have been revised and are numerically correct.
• Inspect the change logs to identify significant changes or deployment of new systems, and determine whether those changes have had an impact on cost structures and have resulted in a subsequent change in budgets and forecasts.
• Inspect any analysis of variance amongst budgeted cost, forecasted cost and actual cost and determine whether they have been completed on a timely basis and with sufficient detail. Assess whether the analysis has been performed in alignment with organisational standards.
• Inspect distribution lists to validate whether all relevant senior management and business process owners receive analysis.
• Confirm with the business process owners how they are informed of changes to the IT service costs allocated to their departments.
• Enquire whether and confirm that inquiries due to unclear cost or pricing procedures are followed up on immediately and captured for summary analysis. Trace an inquiry through the system to determine operating effectiveness and ensure immediate follow-up.

Take the following steps to document the impact of the control weaknesses:
• Compare IT expenditure as a percentage of overall corporate expenditures, and determine if IT expenditures appear reasonable by using, for example, trend analysis over years or benchmarking against industry standards.
• Select a statistical sample of expenditures from each of the IT expense accounts and determine through statistical extrapolation the impact of misallocations and the ways in which accounts and/or departments have been affected.
APPENDIX IV
• Compare and reconcile costs allocated to departments against IT expenditures to determine whether complete and accurate allocations are occurring.
• Inspect HR records to determine changes in headcount since the last cost structure change, and quantify the impact of the change on the costing models. Compare payroll registers from the prior year to the current year to assess the consistency of payroll expenditures and whether those changes have been reflected in the costing models.
• Inspect the change logs to identify significant changes or deployment of new systems, determine whether those changes have had an impact on cost structures, and quantify the impact on the costing models.
• Compare the asset registers from the prior year to the current year, identify any significant new assets, and determine whether those assets have had an impact on cost structures in terms of, for example, depreciation and amortisation. Assess whether any significant decommissioned assets have not been removed appropriately.
• Enquire of business process owners whether the lack of budget, forecast and actual cost information from IT has impacted their ability to manage costs. Determine the impact through discussion with those process owners.
• Enquire whether and confirm that all chargeable items and services provided by the IT department are itemised and that the corresponding charges for every service are listed.
• Select a statistical sample of expenditures from each of the IT expense accounts and determine through statistical extrapolation the impact of misallocations and the ways in which accounts and/or departments have been affected.
DS7 Educate and Train Users
Effective education of all users of IT systems, including those within IT, requires identifying the training needs of each user group. In addition to identifying needs, this process includes defining and executing a strategy for effective training and measuring the results. An effective training programme increases effective use of technology by reducing user errors, increasing productivity and increasing compliance with key controls, such as user security measures.
Test the Control Design
• Enquire whether and confirm that a plan for training and professional development of IT staff members exists.
• Obtain and inspect the curriculum for completeness (e.g., depth and breadth of coverage, frequency of classes, class schedule, complexity of class, source of training: vendor, local school or trade institute).
• Obtain and inspect the training calendar.
• Obtain and review the training budget.
• Obtain a copy of test completions, scoring and attendance confirmation (e.g., online training course evidence of exams and attendance).
• Determine management's process for developing and maintaining a skill inventory.
• Obtain and review the skills inventory catalogue to determine whether the skills catalogued map to the systems deployed.
• Determine that the skills database is current and available knowledge is maintained as current.
• Inspect the training strategy to ensure that training needs are to be incorporated into users' individual performance plans.
• Inspect documentation detailing the requirement to analyse root causes, including training, from the service desk outputs.
DS7.1 Identification of Education and Training Needs
Control Objective
Establish and regularly update a curriculum for each target group of employees considering:
• Current and future business needs and strategy
• Value of information as an asset
• Corporate values (ethical values, control and security culture, etc.)
• Implementation of new IT infrastructure and software (i.e., packages, applications)
• Current and future skills, competence profiles, and certification and/or credentialing needs as well as required reaccreditation
• Delivery methods (e.g., classroom, web-based), target group size, accessibility and timing
Value Drivers
• Training needs for personnel identified to fulfil business requirements
• A baseline for the effective use of the organisation's technology by personnel, both immediately and in the future
• Establishment of training and education programmes that are relevant to the risks and opportunities the organisation faces currently and in the future
• Installed application capabilities optimised to satisfy business needs
Risk Drivers
• Staff members inadequately trained to fulfil their job function
• Ineffective training mechanisms
• Training provided not appropriate for training need
• Installed application capabilities underutilised
Test the Control Design
• Review the evaluation forms to verify that they effectively measure the quality and relevance of the contents and the level of the expectations met.
• Determine if feedback is summarised into a format useful for defining the future training curriculum.
• Obtain a list of follow-up actions and obtain evidence that they have been acted upon.
• Ensure that the target audience was reached.

Test the Control Design
• Review the training schedule, and confirm that it meets training needs.
• Ensure that adequate resources are available to deliver training.
• Analyse a sample of the training programmes and verify:
– Contents vs. objectives
– Actual vs. planned attendance
– Attendee satisfaction
– Application of feedback received
DS7 Educate and Train Users (cont.)
DS7.2 Delivery of Training and Education
Control Objective
Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint trainers and organise timely training sessions. Record registration (including prerequisites), attendance and training session performance evaluations.
Value Drivers
• Formalised and communicated management commitment for training
• Effective trainers and training programmes
• Sufficient attendance and involvement in training programmes and sessions
Risk Drivers
• Inappropriate and ineffective training programmes and mechanisms selected
• Outdated training materials used
• Poor attendance and involvement recorded
DS7.3 Evaluation of Training Received
Control Objective
Evaluate education and training content delivery upon completion for relevance, quality, effectiveness, the retention of knowledge, cost and value. The results of this evaluation should serve as input for future curriculum definition and the delivery of training sessions.
Value Drivers
• Effective training programmes based on user feedback
• Relevant training programmes
• Enhanced quality of training programmes
• Training content appropriately designed and structured to help users retain and reuse knowledge
• Effective tracking/monitoring of costs (financial, material, etc.) and value added
Risk Drivers
• Inappropriate and ineffective training programmes selected
• Outdated training material used
• Decreasing quality of end-user training programmes
• Training content design and structure failing to assist knowledge retention and reuse
• Training cost outweighing its benefit and value-add
Take the following steps to test the outcome of the control objectives:
• Review management communications to personnel encouraging additional education and self-study programmes.
• Obtain and review expense reimbursement requests for training.
• Obtain a list of vendor-provided training materials (e.g., manuals, CDs, training packets, syllabi).
• Obtain and review the inventory of educational books in the IT library.
• Speak with individual staff members to determine whether they have set a training plan that is aligned with their department's or the organisation's requirements.
• Inspect incident management records to identify trends in system support and usage that may indicate skill gaps.
• Enquire of management as to which specific competencies are required to support the environment, and ascertain whether there is a plan to build and maintain those skills for the organisation or to acquire those skills through third-party arrangements.
• Inspect a sample of individual performance plans to determine if technology training needs were incorporated.
• Enquire of management regarding results of performance evaluations and any potential skill gaps identified.
• Inspect problem management records to identify trends in system support and usage that may indicate skill gaps.
• Walk through the process for defining effective training programmes to determine if:
– All relevant needs, including timing, are considered
– Training sessions effectively meet training needs identified
– Information on delivery mechanisms is up to date
– Recent evaluations of trainers and programmes are reviewed
• Inspect the record of attendance and completion of training and education programmes for accuracy.
• Inspect the participant and trainer feedback from a sample of completed training sessions.
• Interview users to evaluate their understanding of the training sessions and then review the tests to verify that they effectively measure the quality and relevance of the contents of the sessions and the level of the expectations met.
• Enquire whether and confirm that stakeholders were interviewed and provided feedback on education and training.
• Enquire of management regarding results of performance evaluations and any potential skill gaps identified in areas where training has been delivered.
• Enquire of management and users whether user effectiveness and knowledge improved after the training was delivered.
• Determine whether indicators such as reduced number of service desk calls and productivity of users are assessed to indicate whether training had the intended impact.
• Inspect course evaluations to determine the degree of trainee satisfaction with the training delivered. Specifically consider the satisfaction with the instructors, course content and course location.

Take the following steps to document the impact of the control weaknesses:
• Obtain personnel files/résumés to analyse whether skills are appropriate for the job/position.
• Obtain personnel files/résumés to analyse skills against deployed systems.
• Enquire of management and review reports (e.g., listings of month-end and year-end accounting and reporting corrections) to determine whether corrections of information processed are required. Analyse to determine whether the incorrect information was caused by inadequate knowledge of users.
• Determine aggregate costs associated with downtime in areas where training or skills are undefined, and compare them to service costs for other areas or against peer groups.
• Inspect incident management records to identify trends in system support and usage that may indicate skill gaps.
• Enquire of management regarding results of performance evaluations and any potential skill gaps identified, such as in areas where training has been delivered.
• Assess benchmark indicators such as reduced number of service desk calls and productivity of users to indicate whether training had the intended impact.
DS8 Manage Service Desk and Incidents
Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process. This process includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution. The business benefits include increased productivity through quick resolution of user queries. In addition, the business can address root causes (such as poor user training) through effective reporting.
Test the Control Design
• Enquire whether and confirm that an IT service desk exists.
• Enquire whether and confirm that analysis has been performed to determine the service desk model, staffing, tools and integration with other processes.
• Confirm that the hours of operation and expected response time to a call meet business requirements.
• Enquire whether and confirm that instructions exist for the handling of a query that cannot be immediately resolved by service desk staff. Queries should have priority levels that determine the desired resolution time and escalation procedures.
• Ask relevant personnel about whether tools for the service desk are implemented in accordance with service definitions and SLA requirements.
• Enquire about the existence of standards of service and communication of the standards with customers.
DS8.1 Service Desk
Control Objective
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users' satisfaction with the quality of the service desk and IT services.
Value Drivers
• Increased customer satisfaction
• Defined and measurable service desk performance
• Incidents reported, followed up and solved in a timely manner
Risk Drivers
• Increased downtime
• Decreased customer satisfaction
• Users unaware of the follow-up procedures on reported incidents
• Recurring problems not addressed
Test the Control Design
• Confirm that processes and tools are in place to register customer queries, status and actions toward resolution.
• Assess how completely and accurately this repository is maintained.
• Confirm that the process includes workflow for the handling and escalation of customer queries.
• Review a sample of open and closed customer queries to check compliance with the process and service commitments.

Test the Control Design
• Enquire whether and confirm that the service desk maintains ownership of customer-related requests and incidents.
• Verify that the end-to-end life cycle of requests/incidents is monitored and escalated appropriately by the service desk.
• Confirm with members of management that significant incidents are reported to them.
• Review procedures for reporting significant incidents to management.
• Confirm the existence of a process to ensure that the incident records are updated to show the date and time of and the assignment of IT personnel to each query.
• Enquire whether and confirm that there is a process in place to ensure that IT staff members are involved in dealing with queries and incidents and that the incident/request records are updated throughout the life cycle.
DS8.2 Registration of Customer Queries
Control Objective
Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs. It should work closely with such processes as incident management, problem management, change management, capacity management and availability management. Incidents should be classified according to a business and service priority and routed to the appropriate problem management team, where necessary. Customers should be kept informed of the status of their queries.
Value Drivers
• Efficient solving of incidents in a timely manner
• Added value for end users
• Accountability for incident solving
Risk Drivers
• Not all incidents tracked
• Prioritisation of incidents failing to reflect business needs
• Incidents not solved in a timely manner
DS8 Manage Service Desk and Incidents (cont.)
DS8.3 Incident Escalation
Control Objective
Establish service desk procedures, so incidents that cannot be resolved immediately are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless of which IT group is working on resolution activities.
Value Drivers
• Increased customer satisfaction
• Consistent process for problem solving
• Accountability for resolved incidents
• Clear track on incident resolution progress
Risk Drivers
• Inefficient use of resources
• Unavailability of service desk resources
• Inability to follow up incident resolution
Test the Control Design
• Enquire whether and confirm that a process is in place to manage the resolution of each incident.
• Enquire whether and confirm that all resolved incidents are described in detail, including a detailed log of all steps to resolve the incidents.
• Inspect a sample of incidents and verify that the status of managing the life cycle of the incident, including resolution and closure, is reported.

Test the Control Design
• Enquire whether and confirm that a process is in place to identify, further investigate and report on all queries where the agreed-upon time frames for resolution have been exceeded.
• Enquire whether and confirm that trend analysis is being performed on all queries to identify repeating incidents and patterns, in support of problem identification.
• Verify if problem management is regularly provided with incident and trend analysis data.
• Enquire whether and confirm that the analysis is performed on the feedback received from customers to evaluate the levels of satisfaction with the service provided by the service desk.
• Confirm the existence of customer feedback analysis reports, and verify whether corrective actions have been taken to improve service.
• Confirm that service desk performance is compared to industry standards.
• Verify whether benchmark analysis is used for continuous improvement.
DS8.4 Incident Closure
Control Objective
Establish procedures for the monitoring of timely clearance of customer queries. When the incident has been resolved, ensure that the service desk records the resolution steps, and confirm that the action taken has been agreed to by the customer. Also record and report unresolved incidents (known errors and workarounds) to provide information for proper problem management.
Value Drivers
• Increased customer satisfaction
• Consistent and systematic incident resolution process
• Prevention of problem recurrence
Risk Drivers
• Incorrect information gathering
• Common incidents not solved properly
• Incidents not resolved on a timely basis
DS8 Manage Service Desk and Incidents (cont.)
DS8.5 Reporting and Trend Analysis
Control Objective
Produce reports of service desk activity to enable management to measure service performance and service response times and to identify trends or recurring problems, so service can be continually improved.
Value Drivers
• Decreased service downtime
• Increased customer satisfaction
• Confidence in the offered services
• Help desk performance measured and optimised
Risk Drivers
• Service desk activity failing to support business activities
• Customers not satisfied by the offered services
• Incidents not solved in a timely manner
• Increasing customer downtime
Take the following steps to test the outcome of the control objectives:
• Confirm how customers and users are advised of the service desk standards, and inspect the existence of these methods (postings at the service desk or online, etc.).
• Confirm the existence of user feedback logs.
• Enquire about the effectiveness of the system in terms of monitoring and improving customer satisfaction rates.
• Enquire about the existence of service desk performance reports.
• Inspect a sample of entries in the call log that were not immediately resolved, and determine whether the proper escalation procedures were followed.
• Inspect whether reported metrics address the relevant service desk goals. Enquire as to who uses the reports and for what purpose.
• Monitor several service desk calls to confirm whether existing procedures are being followed. Trace observed calls to the service incident tracking system.
• Enquire whether and confirm that incidents are properly prioritised according to policy.
• Review a sample of incident tickets to verify adherence to policy.
• Select a sample query and verify that incident records are updated to show the date and time of and the assignment of IT personnel to each query.
• Inspect samples of documentation of trouble incidents, and confirm that such incidents conform to priority levels set by policy.
• Enquire whether and confirm that users are informed on the progress of incident resolution.
• Enquire whether and confirm that all request and incident records are monitored through their life cycle and reviewed on a regular basis to guarantee a timely resolution of customer queries.
• Enquire whether and confirm that requests and incidents are closed only after confirmation of the requester.
• Inspect a sample of incidents and verify that there has been a manual or automated follow-up of the resolution.
• Confirm through inspection that incidents are reviewed for update in the knowledge base, including workarounds, known errors and the root cause for similar incidents arising in the future. Physically inspect the knowledge base, and inspect a sample of entries to ensure that the workaround is included, as well as the root cause, if known.
• Inspect a sample of incident records, and verify if they were monitored and fulfilled according to SLAs.
• Select a sample of records and confirm with the requester that they were consulted for closure.
• Identify whether appropriate definitions exist for incident classification (e.g., by impact and urgency).
• Identify whether procedures for functional and hierarchical escalation are defined.
• Enquire whether and confirm that incident management is clearly linked with continuity/contingency plans.

Take the following steps to document the impact of the control weaknesses:
• Observe several service desk calls to confirm undocumented procedures. Undocumented escalation procedures should assign trouble tickets that the service desk cannot resolve to the appropriate IT staff members.
• Verify that all critical service calls are prioritised by the service desk manager or a senior staff member.
• Observe operations of the IT support team, and record undocumented procedures to log and prioritise incidents.
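Several of the DS8 steps above ask the reviewer to take a sample of tickets and check escalation against priority, resolution against the SLA, closure against requester confirmation, and recurrence in support of trend analysis. The script below is an added example of reperforming those sample tests over an extracted ticket log; it is not part of the ITGI guide and is not COBIT tooling. The priority-to-target table `SLA_HOURS`, the escalation rule `ESCALATION_FRACTION`, the ticket field names and the four records in `TICKETS` are constructed assumptions for illustration, not a real service desk extract.

```python
"""Reperform DS8 sample tests over a ticket log extract.

Added example for the DS8 assurance steps; not part of the ITGI guide.
SLA targets, escalation rule, field names and ticket data are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumed SLA: maximum resolution time in hours per priority (hypothetical).
SLA_HOURS = {"P1": 4, "P2": 8, "P3": 24, "P4": 72}
# Assumed escalation rule: a ticket still open after this fraction of its
# target must carry an escalation timestamp (hypothetical threshold).
ESCALATION_FRACTION = 0.5

# Constructed sample extract of a ticket log (not real data).
TICKETS = [
    {"id": "INC-1001", "priority": "P1", "category": "vpn",
     "opened": "2007-03-01 08:00", "escalated": "2007-03-01 09:30",
     "resolved": "2007-03-01 11:00", "closed_by_requester": True},
    {"id": "INC-1002", "priority": "P2", "category": "email",
     "opened": "2007-03-01 09:00", "escalated": None,
     "resolved": "2007-03-02 10:00", "closed_by_requester": True},
    {"id": "INC-1003", "priority": "P3", "category": "vpn",
     "opened": "2007-03-02 14:00", "escalated": None,
     "resolved": "2007-03-02 15:00", "closed_by_requester": False},
    {"id": "INC-1004", "priority": "P1", "category": "vpn",
     "opened": "2007-03-03 07:00", "escalated": None,
     "resolved": None, "closed_by_requester": False},
]

FMT = "%Y-%m-%d %H:%M"


def _parse(value):
    """Parse a timestamp string; None stays None (field not yet populated)."""
    return datetime.strptime(value, FMT) if value else None


def check_ticket(ticket, now):
    """Return the list of exception codes for one ticket (empty = clean)."""
    findings = []
    opened = _parse(ticket["opened"])
    resolved = _parse(ticket["resolved"])
    escalated = _parse(ticket["escalated"])
    target = timedelta(hours=SLA_HOURS[ticket["priority"]])
    # Open tickets are measured up to the review time, so a breach in
    # progress is reported rather than hidden by a missing resolved stamp.
    elapsed = (resolved or now) - opened

    if elapsed > target:
        findings.append("SLA_BREACH")            # agreed time frame exceeded
    if elapsed > target * ESCALATION_FRACTION and escalated is None:
        findings.append("NOT_ESCALATED")         # escalation procedure not followed
    if resolved is not None and not ticket["closed_by_requester"]:
        findings.append("CLOSED_WITHOUT_CONFIRMATION")  # DS8.4 closure rule
    if resolved is None:
        findings.append("OPEN")                  # still in the life cycle
    return findings


def audit(tickets, now_str):
    """Map ticket id -> findings, and count tickets per category for trend analysis."""
    now = _parse(now_str)
    exceptions = {t["id"]: check_ticket(t, now) for t in tickets}
    recurrence = Counter(t["category"] for t in tickets)
    return exceptions, recurrence


def recurring(recurrence, threshold=3):
    """Categories seen at least `threshold` times: candidates for problem management."""
    return sorted(c for c, n in recurrence.items() if n >= threshold)


if __name__ == "__main__":
    exc, rec = audit(TICKETS, "2007-03-03 12:00")
    for tid, found in exc.items():
        print(tid, found or "OK")
    print("recurring categories:", recurring(rec))
```

The review time is passed in explicitly so the same extract yields the same findings on re-run, which matters when the working papers have to be reperformed later; the recurrence threshold is a tunable placeholder rather than a figure from the guide.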
DS9 Manage the Configuration
Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimises production issues and resolves issues more quickly.
Test the Control Design
• Enquire whether and confirm that senior management sets scope and measures for configuration management functions, and assesses performance.
• Enquire whether and confirm that a tool is in place to enable the effective logging of configuration management information in a repository.
• Determine that access to the tool is restricted to appropriate personnel.
• Review a sample of configuration items to ensure that a unique identifier is assigned.
• Enquire whether and confirm that configuration baselines for components are defined and documented.
• Review that baselines enable identification of system configuration at discrete points in time.
• Enquire whether and confirm that there is a documented process to revert to the baseline configuration.
• Test a sample of systems and applications by verifying that they can be reverted to baseline configurations.
• Enquire whether and confirm that mechanisms exist to monitor changes against the defined repository and baseline.
• Verify that management is receiving regular reports and that these reports result in continuous improvement plans.
DS9
.1 C
onfi
gura
tion
Rep
osit
ory
and
Bas
elin
e E
stab
lish
a su
ppor
ting
tool
and
a c
entr
al r
epos
itory
to c
onta
in a
ll re
leva
ntin
form
atio
n on
con
figu
ratio
n ite
ms.
Mon
itor
and
reco
rd a
ll as
sets
and
cha
nges
toas
sets
. Mai
ntai
n a
base
line
of c
onfi
gura
tion
item
s fo
r ev
ery
syst
em a
nd s
ervi
ceas
a c
heck
poin
t to
whi
ch to
ret
urn
afte
r ch
ange
s.
Valu
e D
river
sC
ontr
ol O
bjec
tive
• H
ardw
are
and
soft
war
e pl
anne
def
fect
ivel
y to
mai
ntai
n bu
sine
ss s
ervi
ces
• T
he c
onfi
gura
tion
depl
oyed
cons
iste
ntly
acr
oss
the
ente
rpri
se•
Plan
ning
enh
ance
d so
that
cha
nges
are
in a
ccor
danc
e w
ith th
e ov
eral
lar
chite
ctur
e•
Cos
t sav
ings
thro
ugh
supp
lier
cons
olid
atio
n•
Fast
inci
dent
res
olut
ion
Ris
k D
river
s
• Fa
ilure
of
chan
ges
to c
ompl
y w
ith th
eov
eral
l tec
hnol
ogy
arch
itect
ure
• Ass
ets
not p
rote
cted
pro
perl
y•
Una
utho
rise
d ch
ange
s to
har
dwar
e an
dso
ftw
are
not d
isco
vere
d, w
hich
cou
ldre
sult
in s
ecur
ity b
reac
hes
• D
ocum
ente
d in
form
atio
n fa
iling
tore
flec
t the
cur
rent
arc
hite
ctur
e•
Inab
ility
to f
all b
ack
IT ASSURANCE GUIDE: USING COBIT
DS9 Manage the Configuration (cont.)

Test the Control Design
• Enquire whether and confirm that a policy is in place to ensure that all configuration items and their attributes are identified and maintained.
• Enquire whether and confirm that there is a policy for physical asset tagging.
• Verify that assets are physically tagged according to policy.
• Enquire whether and confirm that a role-based access policy exists.
• Verify that authorised and appropriate personnel have designated access to the configuration repository as per the policy.
• Enquire whether and confirm that a policy is in place to ensure that change and problem management procedures are integrated with the maintenance of the configuration repository.
• Enquire whether and confirm that a process is in place to record new, modified and deleted configuration items, and identify and maintain the relationships amongst configuration items in the configuration repository.
• Inspect relevant documentation, timely execution and data integrity of the process.
• Enquire whether and confirm that a process is in place to ensure that analysis is done to identify critical configuration items.
• Verify that this process supports change management and analysis of future processing demands and technology acquisitions.
• Enquire whether and confirm that procurement procedures provide for the recording of new assets within the configuration management tool.
• Validate that the configuration management data match the procurement records.

Control Objective
DS9.2 Identification and Maintenance of Configuration Items
Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.

Value Drivers
• Effective change and incident management
• Compliance with accounting requirements

Risk Drivers
• Failure to identify business-critical components
• Uncontrolled change management, causing business disruptions
• Inability to assess the impact of a change because of inaccurate information
• Inability to accurately account for assets
DS9 Manage the Configuration (cont.)

Test the Control Design
• Enquire whether and confirm that a process is in place to regularly ensure the integrity of all configuration data.
• Review reports that compare recorded data against the physical environment.
• Verify that deviations are reported and corrected.
• Verify that hardware and software reconciliation is periodically performed against the configuration database.
• If automated tools are being used, perform a manual reconciliation against the automated record.
• Verify that periodic reviews are performed against the policy for software usage to detect personal, unlicensed software or any software instances in excess of current license agreements.

Control Objective
DS9.3 Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.

Value Drivers
• Identification of deviations from the baseline
• Enhanced identification and solving of problems
• Identification of unauthorised software

Risk Drivers
• Failure to identify business-critical components
• Uncontrolled change management, causing business disruptions
• Misused assets
• Increased costs for problem solving
Take the following steps to test the outcome of the control objectives:
• Enquire of management whether any failed configuration changes or security breaches have occurred, and ascertain whether those issues resulted in a loss of corporate assets, disclosure of information or downtime. Determine that access to the logging tool is restricted to appropriate personnel.
• Review a sample of configuration items to ensure that a unique identifier is assigned.
• Verify that baselines enable identification of system configuration at discrete points in time.
• Enquire whether and confirm that there is a documented process to revert to the baseline configuration.
• Inspect the outputs of tools designed to detect changes to the configuration, and assess whether those changes are in alignment with the organisation’s design specifications and security strategy.
• Inspect the tools used for the configuration management database (CMDB), and verify that the quantity and quality of information provided by the CMDB are appropriate for all IT processes.
• Determine whether configuration information is held in redundant information systems.
• Select a sample of desktops and examine the configuration and software deployed against baseline standards to ensure that no unauthorised changes have been made.
• Identify whether the use of unlicensed software is prevented and procedures exist to detect unauthorised software.
• Verify that management is receiving regular reports and that these reports result in continuous improvement plans.
• Test a sample of systems and applications by verifying that they can be reverted to baseline configurations.
• Obtain vulnerability assessment tools for deployed technologies, and run them to determine whether known vulnerabilities have been corrected.
• Determine what should be documented (e.g., configuration items, incident records, change records, change schedules, availability information, service levels) for the review of configuration information and to document the relationship amongst configuration items.
Take the following steps to document the impact of the control weaknesses:
• Enquire of management if any failed configuration changes or security breaches have occurred, and ascertain whether those issues have resulted in a loss of corporate assets, disclosure of information or downtime.
• Inspect copies of internal or external reports on configuration assessments, and determine whether configuration weaknesses have been identified.
• Use vulnerability assessment tools for deployed technologies to determine whether known vulnerabilities have been corrected.
DS10 Manage Problems
Effective problem management requires the identification and classification of problems, root cause analysis and resolution of problems. The problem management process also includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. An effective problem management process maximises system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.

Test the Control Design
• Enquire whether and confirm that adequate processes supported by appropriate tools are in place to identify and classify problems.
• Review established criteria to classify and prioritise problems, ensuring that they result in classifications in line with service commitments and organisational units responsible for resolving or containing the problem.
• Confirm that a process is in place for the accuracy of classification, and identify reasons for misclassification so they can be addressed.
• Take a representative sample from the problem database to ensure that the problems are appropriately classified and categorised.

Control Objective
DS10.1 Identification and Classification of Problems
Implement processes to report and classify problems that have been identified as part of incident management. The steps involved in problem classification are similar to the steps in classifying incidents; they are to determine category, impact, urgency and priority. Categorise problems as appropriate into related groups or domains (e.g., hardware, software, support software). These groups may match the organisational responsibilities of the user and customer base, and should be the basis for allocating problems to support staff.

Value Drivers
• Support tools for service desk performance
• Proactive problem management
• Enhanced end-user training
• Efficient and effective problem and incident handling
• Problems and incidents solved in a timely manner
• Improved quality of IT services

Risk Drivers
• Disruption of IT services
• Increased likelihood of problem recurrence
• Problems and incidents not solved in a timely manner
• Lack of audit trails of problems, incidents and their solutions for proactive problem and incident management
• Recurrence of incidents
DS10 Manage Problems (cont.)

Test the Control Design
• Confirm that processes and tools are in place to register, classify, prioritise and track problems to resolution.
• Confirm that tools include reporting facilities that are used to produce management reports on problems.
• Select a sample of problem reports and verify the adequacy of:
– Problem documentation for analysis of root causes
– Identification of problem ownership and resolution responsibility
– Problem status information

Control Objective
DS10.2 Problem Tracking and Resolution
Ensure that the problem management system provides for adequate audit trail facilities that allow tracking, analysing and determining the root cause of all reported problems considering:
• All associated configuration items
• Outstanding problems and incidents
• Known and suspected errors
• Tracking of problem trends
Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management process. Throughout the resolution process, problem management should obtain regular reports from change management on progress in resolving problems and errors. Problem management should monitor the continuing impact of problems and known errors on user services. In the event that this impact becomes severe, problem management should escalate the problem, perhaps referring it to an appropriate board to increase the priority of the request for change (RFC) or to implement an urgent change as appropriate. Monitor the progress of problem resolution against SLAs.

Value Drivers
• Limited disruption to or reduction of IT service quality
• Efficient and effective handling of problems and incidents
• Minimised elapsed time for problem detection to resolution
• Appropriate problem solving with respect to the agreed-upon service levels
• Improved quality of IT services

Risk Drivers
• Recurrence of problems and incidents
• Loss of information
• Critical incidents not solved properly
• Business disruptions
• Insufficient service quality
DS10 Manage Problems (cont.)

Test the Control Design
• Enquire whether and confirm that problems are closed only after confirmation of resolution by the stakeholders.
• Select a representative sample of problems and verify through interviews with stakeholders that the stakeholders were informed completely and in a timely manner of problem closures.

Control Objective
DS10.3 Problem Closure
Put in place a procedure to close problem records either after confirmation of successful elimination of the known error or after agreement with the business on how to alternatively handle the problem.

Value Drivers
• Queries resolved within the agreed-upon time frames
• Improved customer and user satisfaction
• Efficient and effective problem and incident handling
• Ability to apply lessons learned when addressing future problems similar in nature

Risk Drivers
• Outstanding queries
• Increased service disruption
• Critical incidents not solved properly
• Dissatisfaction with IT services

Test the Control Design
• Review the processes for configuration, incident and problem management, and confirm that they are appropriately integrated.
• Review records to confirm that the responsible managers of the different areas regularly meet and resolve common issues.

Control Objective
DS10.4 Integration of Configuration, Incident and Problem Management
Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements.

Value Drivers
• Improved customer satisfaction
• Efficient and effective problem and incident handling
• Documented problem and incident reporting
• Effective service management

Risk Drivers
• Loss of information
• Critical incidents not solved properly
• Business disruptions
• Increasing number of problems
• Decreased satisfaction with IT services
Take the following steps to test the outcome of the control objectives:
• Compare the incident list to incident reports and error logs to ensure that the incident process is working correctly.
• Verify the existence of problem identification and handling documentation.
• Inspect a sample of reports to ensure that they are being used when appropriate and that they contain the necessary information.
• Verify that known errors, incident analysis tools and root causes are communicated to the incident management processes.
• Verify that the status of the problem handling process is monitored throughout its life cycle, including input from change and configuration management.
• Review schedules and minutes of meetings amongst process owners for configuration, incident and problem management.
• Inspect and review records and reports regarding the total costs of problems.
Take the following step to document the impact of the control weaknesses:
• Enquire whether and confirm that changes resulting from the problem management process are monitored to determine the overall improvement of IT services.
DS11 Manage Data
Effective data management requires identifying data requirements. The data management process also includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media. Effective data management helps ensure the quality, timeliness and availability of business data.

Test the Control Design
• Obtain the inventory of data elements.
• For each data element, confirm that requirements for confidentiality, integrity and availability have been defined and that these requirements have been validated with the data owners.
• Ensure that controls commensurate with requirements have been defined and implemented.

Control Objective
DS11.1 Business Requirements for Data Management
Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support data processing restart and reprocessing needs.

Value Drivers
• Data management in support of business requirements
• Guidance for data handling
• Data transactions authorised
• Safeguarded storage of sources

Risk Drivers
• Data management failing to support business requirements
• Security breaches
• Business, legal and regulatory requirements not met

Test the Control Design
• Review the data model, and ensure that storage techniques satisfy business requirements.
• Review retention periods for data, and ensure that they are in line with contractual, legal and regulatory requirements.

Control Objective
DS11.2 Storage and Retention Arrangements
Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation’s security policy and regulatory requirements.

Value Drivers
• Data management in support of business requirements
• Guidance for data handling
• Safeguarded storage of sources
• Data retrieved in an efficient manner

Risk Drivers
• Data not protected from unauthorised viewing or altering
• Documents not retrieved when needed
• Non-compliance with regulatory and legal obligations
• Unauthorised data access
DS11 Manage Data (cont.)

Test the Control Design
• Obtain the media inventory and, on a sample basis, ensure that media on the inventory list can be identified and items in storage can be traced back to the inventory.
• On a sample basis, confirm that external labels correspond with internal labels, or otherwise validate that external labels are affixed to the correct media.

Control Objective
DS11.3 Media Library Management System
Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.

Value Drivers
• Accounting of all media
• Improved backup management
• Safeguarding of data availability
• Reduced time for data restoration

Risk Drivers
• Media integrity compromised
• Backup media unavailable when needed
• Unauthorised access to data tapes
• Destruction of backups
• Inability to determine location of backup media

Test the Control Design
• Enquire whether and confirm that:
– Responsibility for the development and communication of policies on disposal is clearly defined
– Equipment and media containing sensitive information are sanitised prior to reuse or disposal in such a way that data marked as ‘deleted’ or ‘to be disposed’ cannot be retrieved (e.g., media containing highly sensitive data have been physically destroyed)
– Disposed equipment and media containing sensitive information have been logged to maintain an audit trail
– There is a procedure to remove active media from the media inventory list upon disposal. Check that the current inventory has been updated to reflect recent disposals in the log.
– Unsanitised equipment and media are transported in a secure way throughout the disposal process
– Disposal contractors have the necessary physical security and procedures to store and handle the equipment and media before and during disposal

Control Objective
DS11.4 Disposal
Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.

Value Drivers
• Proper protection of corporate information
• Enhanced backup management
• Safeguarding of data availability

Risk Drivers
• Disclosure of corporate information
• Compromised integrity of sensitive data
• Unauthorised access to data tapes
DS11 Manage Data (cont.)

Test the Control Design
• Enquire whether and confirm that:
– Critical data that affect business operations are periodically identified in alignment with the risk management model and IT service continuity plan
– Adequate policies and procedures for the backup of systems, applications, data and documentation exist and consider factors including:
· Frequency of backup (e.g., disk mirroring for real-time backups vs. DVD-ROM for long-term retention)
· Type of backup (e.g., full vs. incremental)
· Type of media
· Automated online backups
· Data types (e.g., voice, optical)
· Creation of logs
· Critical end-user computing data (e.g., spreadsheets)
· Physical and logical location of data sources
· Security and access rights
· Encryption
– Responsibilities have been assigned for taking and monitoring backups
– A schedule exists for taking and logging backups in accordance with established policies and procedures
– System, application, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. The return of backups from third parties should be required and escrow or deposit arrangements considered.
– Requirements for onsite and offsite storage of backup data have been defined that meet the business requirements, including the access required to backup data
– Sufficient restoration tests have been performed periodically to ensure that all components of backups can be effectively restored
– The time frame required for restoration has been agreed upon and communicated with the business or IT process owner. The priority for data recovery has been based on business requirements and IT service continuity procedures.

Control Objective
DS11.5 Backup and Restoration
Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.

Value Drivers
• Corporate information properly restored
• Enhanced backup management aligned with the business requirements and the backup plan
• Safeguarding of data availability and integrity

Risk Drivers
• Disclosure of corporate information
• Inability to recover backup data when needed
• Recovery procedures failing to meet business requirements
• Inability to restore data in the event of a disaster
• Inappropriate time requirement for performing backups
DS11 Manage Data (cont.)

Test the Control Design
• Enquire whether and confirm that:
– A process is in place that identifies sensitive data and addresses the business need for confidentiality of the data, compliance with applicable laws and regulations has been addressed, and the classification of data has been agreed upon with the business process owners
– A policy has been defined and implemented to protect sensitive data and messages from unauthorised access and incorrect transmission and transport, including, but not limited to, encryption, message authentication codes, hash totals, bonded couriers and tamper-resistant packaging for physical transport
– Requirements have been established for physical and logical access to data output, and confidentiality of output is clearly defined and taken into consideration
– Rules and procedures have been established for end-user access to data and management and backup of sensitive data
– Rules and procedures have been established for end-user applications that may adversely impact data stored on end-user computers or networked applications or data (e.g., consider policies on user rights on networked personal computers)
– Awareness programmes have been instituted to create and maintain awareness of security in the handling and processing of sensitive data
– Sensitive information processing facilities are within secure physical locations protected by defined security perimeters coupled with appropriate surveillance, security barriers and entry controls
– The design of the physical infrastructure prevents losses from fire, interference, external attack or unauthorised access. There are secure output dropoff points for sensitive outputs or transfer of data to third parties.

Control Objective
DS11.6 Security Requirements for Data Management
Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.

Value Drivers
• Sensitive information properly secured and protected
• Ability to view or alter information available to authorised users
• Completeness and accuracy of transmitted data

Risk Drivers
• Sensitive data misused or destroyed
• Unauthorised data access
• Incompleteness and inaccuracy of transmitted data
• Data altered by unauthorised users
Take the following steps to test the outcome of the control objectives:
• Review business requirements documentation to ensure that the documentation mechanism is being used as designed.
• Inspect the data management tools to make sure that they are being used as described.
• Verify that access to media and systems is restricted to authorised personnel.
• Verify if media that are susceptible to degradation, such as tape, are routinely replaced.
• Select a sample of the media disposal list and verify that the disposed media are not on the media inventory list.
• Inspect on- and offsite storage facilities and check for accessibility.
• Review a sample of test results to ensure that restorations are successful and the time required for restoration is reconciled with SLAs and continuity requirements.
• Verify that backup information is stored offsite, as required by continuity processes.
• Verify that procedures to ensure integrity of archived information are in place and followed.
Take the following steps to document the impact of the control weaknesses:
• Enquire whether and confirm that a policy is in place that meets business requirements for disposal or reuse of equipment and media to minimise the risk of exposure of sensitive data to unauthorised persons.
• Enquire whether and confirm that critical data that affect business operations are periodically identified, in alignment with the risk management model and IT service continuity plan.
• Verify that consideration is given to the confidentiality, integrity and availability of the data as well as applicable laws and regulations.
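The DS11.5 tests ask for evidence that periodic restoration tests bring back every component of a backup intact and that the time taken reconciles with the agreed time frame, and DS11.6 lists hash totals among the integrity controls for data. The following added example (not from the guide) checks a constructed restoration-test result against the hash totals recorded in the backup log when the backup was taken and against an assumed four-hour agreed restore window; the components, contents and timestamps are constructed samples.

```python
"""Verify a backup restoration test against recorded hash totals and the agreed time frame.

Added example (not from the guide); all components, contents and times are constructed.
"""
import hashlib
from datetime import datetime, timedelta


def hash_total(data: bytes) -> str:
    """SHA-256 digest used as the hash total recorded for each backup component."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the components written to the backup set, and the hash
# totals the backup log recorded for them when the backup was taken.
BACKED_UP = {
    "system/os-image.img": b"base operating system image (constructed)",
    "application/app.war": b"application archive (constructed)",
    "data/ledger.db": b"ledger database pages (constructed)",
    "documentation/runbook.pdf": b"operations runbook (constructed)",
}
BACKUP_LOG = {name: hash_total(data) for name, data in BACKED_UP.items()}

# Constructed sample: what the periodic restoration test actually brought back.
# The ledger copy came back corrupted and the runbook did not come back at all.
RESTORED = {
    "system/os-image.img": BACKED_UP["system/os-image.img"],
    "application/app.war": BACKED_UP["application/app.war"],
    "data/ledger.db": b"ledger database pages (constructed) + torn write",
}
RESTORE_STARTED = datetime(2007, 6, 1, 2, 0)
RESTORE_FINISHED = datetime(2007, 6, 1, 7, 15)
AGREED_RESTORE_WINDOW = timedelta(hours=4)   # assumed time frame agreed with the process owner


def verify_restoration(backup_log, restored, started, finished, agreed_window):
    """Compare restored components with the recorded hash totals and the agreed time frame."""
    verified, mismatched = [], []
    for name, expected in sorted(backup_log.items()):
        if name not in restored:
            continue                      # reported separately as missing
        (verified if hash_total(restored[name]) == expected else mismatched).append(name)
    missing = sorted(set(backup_log) - set(restored))      # in the log, not restored
    unexpected = sorted(set(restored) - set(backup_log))   # restored, never logged
    elapsed = finished - started
    return {
        "verified": verified,
        "mismatched": mismatched,
        "missing": missing,
        "unexpected": unexpected,
        "elapsed_hours": elapsed.total_seconds() / 3600,
        "within_agreed_window": elapsed <= agreed_window,
        # The test only counts as successful when every component is back intact
        # and the restoration finished inside the agreed time frame.
        "restore_successful": not mismatched and not missing and elapsed <= agreed_window,
    }


def run_sample():
    """Evaluate the constructed restoration test."""
    return verify_restoration(BACKUP_LOG, RESTORED, RESTORE_STARTED, RESTORE_FINISHED,
                              AGREED_RESTORE_WINDOW)


def format_findings(result):
    """Render the result as the evidence line items a reviewer would record."""
    lines = [f"restore successful: {result['restore_successful']}",
             f"elapsed: {result['elapsed_hours']:.2f} h, "
             f"within agreed window: {result['within_agreed_window']}"]
    for kind in ("verified", "mismatched", "missing", "unexpected"):
        lines.append(f"{kind}: {', '.join(result[kind]) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(run_sample()))
```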
DS12 Manage the Physical Environment
Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of managing the physical environment includes defining the physical site requirements, selecting appropriate facilities, and designing effective processes for monitoring environmental factors and managing physical access. Effective management of the physical environment reduces business interruptions from damage to computer equipment and personnel.

Test the Control Design
• Enquire whether and confirm that:
– Physical sites for IT equipment have been selected according to a technology strategy that meets business requirements and a security policy, considering such issues as geographic position, neighbours, infrastructure and risks (e.g., theft, temperature, fire, smoke, water, vibration, terrorism, vandalism, chemicals, explosives)
– A process is defined and implemented that identifies the potential risks and threats to the organisation’s IT sites and assesses the business impact on an ongoing basis, taking into account the risk associated with natural and man-made disasters
– The selection and design of the site take into account relevant laws and regulations, such as building codes; environmental, fire, electrical engineering; and occupational health and safety regulations

Control Objective
DS12.1 Site Selection and Layout
Define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, whilst considering relevant laws and regulations, such as occupational health and safety regulations.

Value Drivers
• Minimised threats to physical security
• Decreased risk of a physical attack on the IT site via reduction of the possibility of the site being identified by unauthorised persons who may initiate such an attack
• Reduction in insurance costs as a result of demonstrating optimal physical security management

Risk Drivers
• Threats to physical security not identified
• Increased vulnerability to security risks, resulting from site location and/or layout
APPENDIX IV
DS12.2 Physical Security Measures
Control Objective
Define and implement physical security measures in line with business requirements to secure the location and the physical assets. Physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals or explosives.
Value Drivers
• Protection of critical IT systems from physical threats
• Effective deployment of physical security measures
• Promotion of awareness amongst staff and management of the organisation's requirements for physical security
Risk Drivers
• Threats to physical security not identified
• Hardware stolen by unauthorised people
• Physical attack on the IT site
• Devices reconfigured without authorisation
• Confidential information being accessed by devices configured to read the radiation emitted by the computers
Test the Control Design
• Enquire whether and confirm that:
– A policy is defined and implemented for the physical security and access control measures to be followed for IT sites. The policy is regularly reviewed to ensure that it remains relevant and up to date.
– Access to information about sensitive IT sites and their design plans is limited
– External signs and other identification of sensitive IT sites are discreet and do not obviously identify the site from outside
– Organisational directories/site maps do not identify the location of the IT site
– The design of physical security measures takes into account the risks associated with the business and operation. Where appropriate, physical security measures include alarm systems, building hardening, armoured cabling protection, secure partitioning, etc.
– Tests of the preventive, detective and corrective physical security measures are performed periodically to verify design, implementation and effectiveness
– The site design takes into account the physical cabling of telecommunication and piping of water, power and sewer
– A process supported by the appropriate authorisation is defined and implemented for the secure removal of IT equipment
– Receiving and shipping areas of IT equipment are safeguarded in the same manner and scope as normal IT sites and operations
– A policy and process are defined to transport and store equipment securely
– A process exists to ensure that storage devices containing sensitive information are physically destroyed or sanitised
– A process exists for recording, monitoring, managing, reporting and resolving physical security incidents, in line with the overall IT incident management process
– Particularly sensitive sites are checked frequently (including weekends and holidays) by security personnel
DS12.3 Physical Access
Control Objective
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
Value Drivers
• Appropriate access to ensure timely resolution of a critical incident
• All visitors identifiable and traceable
• Staff aware of responsibilities in respect to visitors
Risk Drivers
• Visitors gaining unauthorised access to IT equipment or information
• Unauthorised entry to secure areas
Test the Control Design
• Enquire whether and confirm that:
– A process is in place that governs the requesting and granting of access to the computing facilities
– Formal access requests are completed and authorised by management of the IT site, the records are retained, and the forms specifically identify the areas to which the individual is granted access. This is verified by observation or review of approvals.
– Procedures are in place to ensure that access profiles remain current. Verify that access to IT sites (server rooms, buildings, areas or zones) is based on job function and responsibilities.
– There is a process to log and monitor all entry points to IT sites, registering all visitors, including contractors and vendors, to the site
– A policy exists instructing all personnel to display visible identification at all times and prevents the issuance of identity cards or badges without proper authorisation. Observe whether badges are being worn in practice.
– A policy exists requiring visitors to be escorted at all times by a member of the IT operations group whilst onsite, and individuals who are not wearing appropriate identification are pointed out to security personnel
– Access to sensitive IT sites is restricted through perimeter restrictions, such as fences/walls and security devices on interior and exterior doors. Verify that the devices record entry and sound an alarm in the event of unauthorised access. Examples of such devices include badges or key cards, key pads, closed-circuit television and biometric scanners.
– Regular physical security awareness training is conducted. Verify by reviewing training logs.
DS12.4 Protection Against Environmental Factors
Control Objective
Design and implement measures for protection against environmental factors. Install specialised equipment and devices to monitor and control the environment.
Value Drivers
• Identification of all potential environmental threats to the IT facilities
• Prevention or timely detection of environmental threats
• Reduced risk of claims against insurance companies being rejected for non-compliance with the requirements of insurance policies, and minimised insurance premiums
• Appropriate protection against environmental factors
Risk Drivers
• Facilities exposed to environmental impacts
• Inadequate environmental threat detection
• Inadequate measures for environmental threat protection
Test the Control Design
• Enquire whether and confirm that:
– A process is in place to identify natural and man-made disasters that might occur in the area within which the sensitive IT facilities are located. Review reports to verify that the potential impact is assessed according to business continuity planning procedures.
– A policy is in place that outlines how IT equipment, including mobile and offsite equipment, is protected against theft and environmental threats. Review documentation to ensure that the policy, for example, bars eating, drinking and smoking in sensitive areas, and prohibits storage of stationery and other supplies posing a fire hazard within computer rooms.
– IT facilities are situated and constructed in a way to minimise and mitigate susceptibility to environmental threats
– Suitable devices are in place that will detect environmental threats. Inspect continuous monitoring done at these devices.
– Alarms or other notifications are raised in case of an environmental exposure, procedures in response to such occurrences are documented and tested, and personnel are given suitable training
– A process is in place to compare measures and contingency plans against insurance policy requirements. Review the reports and the insurance policy to verify compliance.
– Management takes action to ensure that any points of non-compliance are addressed in a timely manner
– IT sites are built in locations that minimise the impact of environmental risk, such as theft, air, fire, smoke, water, vibration, terrorism and vandalism. Physically inspect the locations of the IT sites to ensure that the design is properly implemented. Review the risk assessment report made prior to the design and construction of the site.
– A policy is in place to ensure ongoing cleaning and clean-up in proximity of IT operations. Check the IT sites and server rooms to make sure that they are kept in a clean, tidy and safe condition at all times (e.g., no mess/litter, paper or cardboard boxes, filled dustbins, flammable chemicals or materials). Enquire whether the sites are always kept clean.
DS12.5 Physical Facilities Management
Control Objective
Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
Value Drivers
• Protection of critical IT systems from the effects of power outages and other facility-related risks
• Effective and efficient use of facility resources
Risk Drivers
• Non-compliance with health and safety regulations
• IT systems failure due to improper protection from power outages and other facility-related risks
• Accidents to staff members
Test the Control Design
• Enquire whether and confirm that:
– A process exists that examines the IT facilities' need for protection against environmental conditions and power fluctuations and outages, in conjunction with other business continuity planning procedures
– Uninterruptible power supplies (UPSs) are acquired and meet availability and business continuity requirements
– A process is in place to regularly test the UPS's operation and to ensure that power can be switched to the supply without any significant effect on business operations
– The tests have been performed and corrective action is taken where needed
– In facilities housing sensitive IT systems, more than one power supply entry is available
– The physical entrance of power is separated
– Cabling external to the IT site is located underground or has suitable alternative protection
– Blueprints and plans exist
– Cabling within the IT site is contained within secured conduits
– Cabling is protected and hardened against environmental risk
– Wiring cabinets are locked with restricted access
– Cabling and physical patching (data and phone) are well structured and organised
– Documentation for cabling and conduits is available for reference
– For facilities housing high-availability systems, analysis is done for redundancy and fail-over cabling requirements (external and internal)
– A process is in place to ensure that IT sites and facilities are in ongoing compliance with relevant health and safety laws, regulations, guidelines, or vendor specifications
– A process is in place to educate personnel on health and safety laws, regulations or guidelines. This also includes education of personnel on fire and rescue drills to ensure knowledge and actions made in case of fire or similar incidents.
– The training programme assesses knowledge of the guidelines and the training programme is documented
– A process is in place to record, monitor, manage and resolve facilities incidents in line with the IT incident management process
– Reports on incidents are made available where disclosure is required in terms of laws and regulations
– A process is in place to ensure that IT sites and equipment are maintained per the supplier's recommended service intervals and specifications
– Maintenance is carried out only by authorised personnel. Review documentation and enquire of personnel to confirm.
– Physical alterations to IT sites or premises are analysed to reassess the environmental risk (e.g., fire, water damage)
– Results of this analysis are reported to business continuity and facilities management
• Walk through the facilities and compare findings with the health and safety guidelines.
• Enquire of personnel about possible breaches of the standards.
• Walk through recently changed sites to ensure that they still meet standards for risks.
Take the following steps to test the outcome of the control objectives:
• Review the risk analysis report to verify that the report has been updated within the last year.
• Review policies to verify that new/updated regulations and laws are reflected in the policies.
• Walk through the areas to ensure that they are secure according to procedures.
• Review the security logs for confirmation of minimum security checks.
• Inspect the logs to verify that they include, at minimum, the visitor's name, the visitor's company, the purpose of the visit, the name of the member of the IT operations group authorising the visit, the date of visit, and the times of entry and exit.
• Select a sample of personnel with badges and verify authorisation.
• Verify whether wiring cabinets are locked and have restricted access.
• Verify that documentation for cabling and conduits is available for reference.
• Walk through the facilities and compare findings with the health and safety guidelines.
• Interview personnel to assess their knowledge of the guidelines.
Take the following steps to document the impact of the control weaknesses:
• Verify that special considerations are taken into account (e.g., geographic position, neighbours, infrastructure). Other risks that need consideration are theft, temperature, fire, smoke, water, vibration, terrorism, vandalism, chemicals and explosives.
• Enquire whether and confirm that a process exists that examines the IT facilities' need for protection against environmental conditions and power fluctuations and outages, in conjunction with other business continuity planning procedures.
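Where the visitor log and badge register are available as exports, the log inspection and badge-sample steps above can be run as a script rather than read row by row. The following Python script is an added example and is not part of the guide; the CSV column names, the IT operations roster, the badge register and the sample rows are all constructed assumptions. It reports entries missing any of the minimum fields, entries authorised by someone outside the IT operations group, exit times that are not after the entry time, and badges issued without an approved access request on file.

```python
"""Audit a physical-access visitor log against the minimum record content
named in the outcome tests (visitor name and company, purpose, authorising
member of the IT operations group, date, entry and exit times) and check
badge holders against the authorisation register. Added example; the log
layout, the IT operations roster and the badge register are constructed."""
import csv
import io
from datetime import datetime

REQUIRED = ("visitor_name", "company", "purpose", "authorised_by",
            "date", "time_in", "time_out")

# Constructed: user ids of the IT operations group, the only valid authorisers.
IT_OPS_GROUP = {"a.khan", "m.rossi"}

# Constructed badge register: badge id -> holder and whether an approved
# access request form is on file for that badge.
BADGE_REGISTER = {
    "B-1001": {"holder": "j.doe", "approved": True},
    "B-1002": {"holder": "s.lee", "approved": False},
    "B-1003": {"holder": "t.nguyen", "approved": True},
}

# Constructed visitor log export; rows 3 to 5 are deliberately defective.
VISITOR_LOG = """\
visitor_name,company,purpose,authorised_by,date,time_in,time_out
Jane Doe,Acme Ltd,UPS maintenance,a.khan,2007-03-12,09:05,11:40
Bob Ray,Vendor Co,,m.rossi,2007-03-12,13:00,13:45
Li Wei,CableCo,Patch panel work,p.unknown,2007-03-13,08:30,10:00
Ann Roe,Acme Ltd,Site walk,a.khan,2007-03-13,14:10,
"""


def audit_visitor_log(log_text, it_ops):
    """Return one finding per defective row; an empty list means every entry
    carries the minimum content and was authorised by IT operations."""
    findings = []
    # The header is line 1 of the export, so the first data row is line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=2):
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            findings.append(f"row {line_no}: missing {', '.join(missing)}")
        authoriser = (row.get("authorised_by") or "").strip()
        if authoriser and authoriser not in it_ops:
            findings.append(f"row {line_no}: authoriser {authoriser} "
                            "is not in the IT operations group")
        time_in, time_out = row.get("time_in"), row.get("time_out")
        if time_in and time_out:
            entered = datetime.strptime(time_in, "%H:%M")
            left = datetime.strptime(time_out, "%H:%M")
            if left <= entered:
                findings.append(f"row {line_no}: exit time not after entry time")
    return findings


def unauthorised_badges(register):
    """Badge ids issued without an approved access request on file."""
    return sorted(b for b, rec in register.items() if not rec["approved"])


if __name__ == "__main__":
    for finding in audit_visitor_log(VISITOR_LOG, IT_OPS_GROUP):
        print(finding)
    print("badges without authorisation:", unauthorised_badges(BADGE_REGISTER))
```

Run against a real export, the findings list is the exception report for the working papers; each finding names the row so the auditor can pull the original paper or badge-system record. Note that the time check compares clock times only, so a visit spanning midnight would need the date folded into the comparison.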
DS13 Manage Operations
Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware. This process includes defining operating policies and procedures for effective management of scheduled processing, protecting sensitive output, monitoring infrastructure performance and ensuring preventive maintenance of hardware. Effective operations management helps maintain data integrity and reduces business delays and IT operating costs.
DS13.1 Operations Procedures and Instructions
Control Objective
Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to support agreed-upon service levels and ensure continuous operations.
Value Drivers
• Demonstration that IT operations are meeting SLAs
• Promotion of continuity of operational support by documenting staff experience and retaining it in a knowledge base
• Structured, standardised and clearly documented IT operations procedures and support staff instructions
• Reduced time to transfer knowledge between skilled operation support staff and new recruits
Risk Drivers
• Errors and rework due to misunderstanding of procedures
• Inefficiencies due to unclear and/or non-standard procedures
• Inability to deal quickly with operational problems, new staff and operational changes
Test the Control Design
• Inspect a copy of the standard IT operational procedures.
• Review operational procedures for completeness. Content may include roles and responsibilities of IT staff members, organisation charts, direct supervisor roles and reports, procedures for abnormal operating system termination, a callout list in the case of emergency, etc.
• Inspect the organisation chart and review job roles.

DS13.2 Job Scheduling
Control Objective
Organise the scheduling of jobs, processes and tasks into the most efficient sequence, maximising throughput and utilisation to meet business requirements.
Value Drivers
• Optimised use of system resources by equalising loads and minimising the impact to online users
• Minimised effect of changes to job schedules to avoid production disruptions
Risk Drivers
• Resource utilisation peaks
• Problems with scheduling of ad hoc jobs
• Reruns or restarts of jobs
Test the Control Design
• Enquire whether and confirm that:
– Batch job execution procedures are complete
– Procedures include an expected daily job schedule, point of contacts in the case of job failures and a running list of job failure codes
– Batch job duties and responsibilities for each computer operator exist
– Computer operator shift schedules exist
– Schedules include start and end shifts and names of the operators
– At least one operator is present during the execution of batch jobs
DS13.3 IT Infrastructure Monitoring
Control Objective
Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
Value Drivers
• Proactive detection of infrastructure problems likely to result in an incident
• Ability to monitor trends and deal with potential infrastructure problems before they occur
• Ability to optimise the deployment and use of resources
Risk Drivers
• Infrastructure problems undetected and occurrence of incidents
• Infrastructure problems causing greater operational and business impact than if they had been prevented or detected earlier
• Poorly utilised and deployed infrastructure resources
Test the Control Design
• Enquire whether and confirm that:
– A planned process for event logging identifies the level of information to be recorded based on a consideration of risk and performance
– Infrastructure assets that need to be monitored are identified based on service criticality and the relationship between configuration items and services that depend on them
– Documentation of the process plan for logging exists. Physically inspect the documents.
– The list of assets properly identifies the assets. Enquire of personnel as to what assets are most important, and trace those assets to the list.
DS13.4 Sensitive Documents and Output Devices
Control Objective
Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special purpose printers or security tokens.
Value Drivers
• Additional protection for special forms and commercially sensitive output data through inventory management
• Prevention of theft, fraud, tampering, destruction or other abuses of sensitive IT assets
• Verification of access authorisations before granting physical access to special forms and output devices, and retention of evidence regarding the integrity of special output devices
Risk Drivers
• Misuse of sensitive IT assets, leading to financial losses and other business impacts
• Inability to account for all sensitive IT assets
Test the Control Design
• Enquire whether and confirm that:
– Procedures exist to govern the receipt, removal and disposal of special forms and output devices into, within and out of the organisation
– At least a semi-annual review exists of access to sensitive assets
– A procedure exists to gain, change and remove access to sensitive assets
– Removal and disposal procedures documentation exists
DS13.5 Preventive Maintenance for Hardware
Control Objective
Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or performance degradation.
Value Drivers
• Optimised system performance and availability
• Preventive incident and problem management
• Protection of warranties
Risk Drivers
• Infrastructure problems that could have been avoided or prevented
• Warranties violated due to non-compliance with maintenance requirements
Test the Control Design
• Enquire whether and confirm that:
– A preventive maintenance plan for all critical hardware is in place and that it is designed considering cost-benefit analysis, vendor recommendations, risk of outage, qualified personnel and other relevant factors
– Activity logs are reviewed for identification of preventive maintenance needs, and the expected impact (e.g., performance restrictions, SLAs) of maintenance activities is communicated to affected customers and users
Take the following steps to test the outcome of the control objectives:
• Enquire whether and confirm that standard IT operational procedures that support agreed-upon service levels are in place. Procedures should include a trouble escalation system to track and monitor downtime.
• Enquire whether and confirm that roles and responsibilities, including those of external service providers, are defined. Review any relevant documentation for existence.
• Enquire whether and confirm that support staff members are aware of and understand the operations procedures and related tasks for which they are responsible. Walk through the support staff work area to confirm that the operations processes are being implemented correctly.
• Enquire whether and confirm that the procedures are consistently maintained and implemented properly by reviewing logs.
• Enquire whether and confirm that handover communications and related responsibilities are defined.
• Enquire whether and confirm that procedures for exception handling exist and are integrated with incident management.
• Confirm job and role descriptions for segregation of duties. For example, computer operators should not have access to the programs, and computer programmers should not have access to production data or write directly to the media (BLP, bypass label processing).
• Verify the existence of documentation of the procedures. Observe and interview staff members to verify adherence to the procedures.
• Inspect access privileges to verify that segregation of duties is appropriate.
• Inspect documentation and interview operational staff members to verify that procedures are followed.
• Observe operational staff members to confirm use of procedures and document performance.
• Enquire whether and confirm that scheduling of batch jobs is controlled by the use of job scheduling software. Ensure that proper security controls are in place to prevent unauthorised jobs from running.
• Enquire whether and confirm that batch jobs are scheduled.
• Evaluate the scheduling process to ensure that the scheduling of batch jobs takes into consideration:
– Business requirements
– Priority of job
– Conflicts between jobs
– Workload balancing (performance and capacity management)
• Enquire whether and confirm that the outcomes of batch jobs are monitored and verified.
• Enquire whether and confirm that automated processes are in place to immediately notify when batch jobs fail. Inspect hardware and software related to the automated processes to verify existence.
• Ensure that control of batch jobs is not limited to technical information (e.g., time required to complete the job) and that business process requirements for the data are controlled (e.g., completeness and correctness of data processed).
• Inspect relevant documentation for existence and to ensure that the formal procedures properly address the scheduling of batch jobs.
• Inspect change documentation to verify accuracy.
• Verify the existence of schedules.
• Inspect documentation and evidence that batch job incidents were raised and solved in a timely manner.
• Enquire whether and confirm that rules are defined covering thresholds and event conditions and are implemented within the system to ensure that real events are triggered when required.
• Enquire whether and confirm that event logs are produced and kept for an appropriate period to assist in future investigations and access control monitoring.
• Enquire whether and confirm that procedures for monitoring event logs are established, the results of the monitoring activities are reviewed regularly and, if appropriate, incidents are escalated to the service desk.
• Enquire whether and confirm that incidents are created for all deviations noted.
• Inspect event logs to ensure that they are not overloaded with minor events and that all major events are recorded.
• Inspect event logs to verify existence and appropriateness.
• Obtain a sample query of event log entries that may trigger a service desk ticket. Trace the event log entry to the service ticket logs.
• Enquire whether and confirm that access to sensitive documents and output devices is assigned appropriately.
• Enquire whether and confirm that a regular reconciliation of sensitive documents and devices is conducted. Perform a reconciliation of a sample of sensitive documents and devices, comparing actual to recorded amounts.
• Enquire whether and confirm that appropriate physical safeguards are established.
• Inspect and test the physical safeguards of sensitive assets.
• Inspect whether appropriate critical equipment is available.
• Enquire whether and confirm that all activity logs are reviewed on a regular basis, to identify critical hardware components that require preventive maintenance.
• Enquire whether and confirm that communication means are effective in informing users of the impact of outages immediately (e.g., e-mail, phone tree).
• Confirm with the business and IT that scheduling was performed in accordance to business requirements. Review the production schedule, and verify that all relevant equipment is considered and scheduling considers service requirements.
• Physically inspect the hardware to confirm that maintenance has been taking place. Inspect the plan to ensure that it is designed effectively considering cost-benefit analysis, vendor recommendations, risk of outage, qualified personnel and other relevant factors.
• Determine if appropriate action is taken in a timely manner for critical maintenance.
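The event log steps above (rules covering thresholds and event conditions, a log that is not overloaded with minor events, and tracing a sample of log entries to service desk tickets) can be carried out on exported logs with a short script. The following Python is an added example and is not from the guide or from any monitoring product; the log lines, the three threshold rules, the ticket register and the 30-minute tracing window are constructed assumptions. It classifies lines as major events by the rules, lists major events for which no ticket naming the host was opened within the window, and reports the share of the log made up of minor events.

```python
"""Trace threshold-crossing events in an operations log to service desk
tickets and measure log noise. Added example; the log lines, the rules,
the ticket register and the tracing window are constructed assumptions."""
import re
from datetime import datetime, timedelta

# Constructed operations log, one event per line: "<ISO time> <host> <message>".
EVENT_LOG = """\
2007-03-12T02:10:05 srv-db01 disk: /data usage 93%
2007-03-12T02:10:06 srv-db01 cron: nightly-backup started
2007-03-12T02:14:31 srv-app02 service: httpd state=down
2007-03-12T02:15:02 srv-app02 disk: /var usage 41%
2007-03-12T03:00:00 srv-db01 temp: intake 31C
2007-03-12T03:05:00 srv-db01 cron: nightly-backup finished
"""

# Constructed service desk register: (ticket id, opened at, subject).
TICKETS = [
    ("INC-4411", "2007-03-12T02:18:00", "srv-db01 /data usage 93%"),
]

# Threshold and event-condition rules: (name, pattern, predicate on the match).
# A line is a major event when a pattern matches and the predicate holds.
RULES = [
    ("disk_usage", re.compile(r"disk: \S+ usage (\d+)%"),
     lambda m: int(m.group(1)) >= 90),
    ("service_down", re.compile(r"service: \S+ state=down"),
     lambda m: True),
    ("temp_high", re.compile(r"temp: intake (\d+)C"),
     lambda m: int(m.group(1)) >= 30),
]


def classify_events(log_text):
    """Return (time, host, rule name, line) for each major event; lines that
    match no rule are minor events and are left out."""
    major = []
    for line in log_text.splitlines():
        stamp, host, message = line.split(" ", 2)
        for name, pattern, holds in RULES:
            match = pattern.search(message)
            if match and holds(match):
                major.append((datetime.fromisoformat(stamp), host, name, line))
                break
    return major


def untraced_events(major, tickets, window_minutes=30):
    """Major events with no ticket naming the host opened within the window
    after the event. These are the exceptions to raise with the service desk."""
    missing = []
    for when, host, name, _line in major:
        deadline = when + timedelta(minutes=window_minutes)
        traced = any(
            host in subject and when <= datetime.fromisoformat(opened) <= deadline
            for _ticket_id, opened, subject in tickets
        )
        if not traced:
            missing.append((host, name))
    return missing


def noise_ratio(log_text):
    """Share of logged lines that are minor events (matched no rule)."""
    lines = log_text.splitlines()
    return round(1 - len(classify_events(log_text)) / len(lines), 2)


if __name__ == "__main__":
    events = classify_events(EVENT_LOG)
    for host, name in untraced_events(events, TICKETS):
        print(f"no ticket within 30 min: {host} {name}")
    print(f"minor-event share of log: {noise_ratio(EVENT_LOG):.0%}")
```

The matching of tickets to events by host name and time window is deliberately loose, since ticket subjects are free text; on a real register the auditor should still read each matched ticket to confirm it refers to the sampled event rather than to an unrelated one on the same host. A high minor-event share is only a prompt to check that the logging level was chosen by the planned risk and performance consideration, not a finding on its own.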
Take the following steps to document the impact of the control weaknesses:
• Enquire whether a lack of documented procedures impacts continuous operations, i.e., computer operators are able to conduct daily operations without an operations manual, and lines of communication are known.
• Enquire whether undocumented IT operations procedures reflect current operations. If not, it may hinder cross-training or training of new hires and lead to improper procedures being followed during a shift turnover.
• Enquire whether and confirm that all batch jobs are completed via reports or other means.
• Observe that computer operators are monitoring and completing batch jobs as scheduled.
• Enquire of IT staff members about the last service outage, and review the event log for existence. Confirm that proper documentation, including reason and resolution, is recorded.
• Inspect event logs for a week-long period to confirm existence and enquire of IT staff members of resolution of event log entries.
• Inspect access to sensitive assets, and confirm whether access to assets is appropriate by tracing access to organisation chart.
• Observe physical safeguards to assets, and determine whether such safeguards are appropriate.
• Physically inspect the hardware to confirm that maintenance has been taking place. Inspect the plan to ensure that it is designed effectively considering cost-benefit analysis, vendor recommendations, risk of outage, qualified personnel and other relevant factors.
APPENDIX V—MONITOR AND EVALUATE (ME) PROCESS ASSURANCE STEPS
ME1 Monitor and Evaluate IT Performance
Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, systematic and timely reporting of performance, and promptly acting upon deviations. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies.

ME1.1 Monitoring Approach
Control Objective
Establish a general monitoring framework and approach to define the scope, methodology and process to be followed for measuring IT’s solution and service delivery, and monitor IT’s contribution to the business. Integrate the framework with the corporate performance management system.
Value Drivers
• A transparent view of IT’s performance, based on reliable information
• Opportunities for improvement identified
• Facilitated achievement of business and governance requirements
• Cost-efficient IT services
• More informed IT investment decisions, improving value delivery
• Consistent use and integrity of performance indicators
Risk Drivers
• Performance reports based on out-of-date, inaccurate or unreliable data
• Performance metrics not aligned with business and governance requirements
• Lack of timely identification of issues related to IT and business alignment
• Customer expectations and business needs not adequately identified
• Monitored data failing to support the analysis of the overall process performance
Test the Control Design
• Obtain and review management’s definition of critical business processes, strategic initiatives and key IT processes to ensure that they support the corporate performance management system.
• Understand management’s method of communicating its critical business processes, strategic initiatives and key IT processes.
• Confirm that there is a metrics-based monitoring approach for IT performance drivers (e.g., inspect corporate policies and other relevant documentation).
• Determine if the monitoring approach provides appropriate goal and performance indicators with efforts to instill ratios that bring important business issues to light.
• Identify whether appropriate systems are used to monitor IT performance.
• Interview members of management to identify their awareness of relationships and dependencies between IT processes when monitoring IT process activities (e.g., expectation gaps, undefined interfaces, ‘things falling between the cracks’, duplication of effort, inefficiencies).
• Understand management’s approach regarding review over the relevance of interdependencies of key IT processes to align with business goals and objectives.
ME1.2 Definition and Collection of Monitoring Data
Control Objective
Work with the business to define a balanced set of performance targets and have them approved by the business and other relevant stakeholders. Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets. Establish processes to collect timely and accurate data to report on progress against targets.
Value Drivers
• Identification and measurement of the most critical and meaningful metrics
• Strong customer bias in the culture of the IT organisation for all IT processes
• Improved customer satisfaction and focus
• Ability of systems to efficiently provide the data required to monitor the processes
• A history of organisational performance to monitor trends and changes in performance
Risk Drivers
• Metrics based on objectives that are not aligned with business objectives
• Metrics based on incorrect or incomplete data
• Ineffective reporting on organisationwide IT process performance indicators
• Customer expectations and business needs not identified
• Monitored data failing to support the analysis of the overall process performance
Test the Control Design
Enquire whether and confirm that:
• Targets have been defined for the IT metrics in line with the coverage and characteristics of the metrics defined in the monitoring framework. Obtain IT and business management approval for the targets.
• Performance data needed by the monitoring approach are collected satisfactorily and in an automated fashion, wherever feasible. Verify that the measured performance is compared to the targets at agreed-to intervals.
• There are procedures for ensuring consistency, completeness and integrity of performance monitoring source data
• There is a process to control all changes to performance monitoring data sources
• Performance targets have been defined and focus on those that provide the largest insight-to-effort ratio
• The integrity of the data collected is assessed by carrying out reconciliation and control checks at agreed-upon intervals
ME1.3 Monitoring Method
Control Objective
Deploy a performance monitoring method (e.g., balanced scorecard) that records targets; captures measurements; provides a succinct, all-around view of IT performance; and fits within the enterprise monitoring system.
Value Drivers
• Monitoring method and approach meeting management’s expectations
• Enhanced decision support for IT
• Alignment with the enterprise decision-making process
• Transparent and reliable performance information
Risk Drivers
• Ineffective reporting on organisationwide IT process performance indicators
• Business expectations and needs not met
• Wrong decisions based on unreliable performance information
Test the Control Design
• Confirm that the IT process performance reports are integrated into the IT monitoring system.
• Ensure that the data in these reports are easy to understand and concise and that they meet management and end-user requirements for effective, timely decision making.
• Inspect performance reports to confirm that they appropriately cover IT objectives and outcome and performance measures and clarify cause-and-effect relationships.

ME1.4 Performance Assessment
Control Objective
Periodically review performance against targets, analyse the cause of any deviations, and initiate remedial action to address the underlying causes. At appropriate times, perform root cause analysis across deviations.
Value Drivers
• Enhanced cost-efficiency of service quality and readiness for future change
• Continuous process improvement
• A greater level of accountability and ownership of performance within the organisation
Risk Drivers
• Process performance weaknesses remaining and repeating themselves
• Lost opportunities for improvement
• Good performance not recognised, demotivating staff
Test the Control Design
• Interview process owners to confirm that target performance levels for key processes are established and validated against the industry and competition.
• Inspect performance reports for timeliness of measurement and effectiveness of comparison to the targets.
• Verify that informal feedback is obtained and used for service delivery and/or reporting improvements.
• Analyse performance reports to verify that results are consistently assessed against targets at agreed-to intervals and that relevant stakeholders receive reporting data.
• Inspect evidence of performance assessment, and determine if the assessment and analysis are complete and effective.
• For an appropriate sample, verify that causes are identified and translated into remedial actions that are assigned to someone with the appropriate authority and resource and followed up appropriately.
• Enquire whether and confirm that root causes are periodically identified across deviations and appropriately acted upon.
ME1.5 Board and Executive Reporting
Control Objective
Develop senior management reports on IT’s contribution to the business, specifically in terms of the performance of the enterprise’s portfolio, IT-enabled investment programmes, and the solution and service deliverable performance of individual programmes. Include in status reports the extent to which planned objectives have been achieved, budgeted resources used, set performance targets met and identified risks mitigated. Anticipate senior management’s review by suggesting remedial actions for major deviations. Provide the report to senior management, and solicit feedback from management’s review.
Value Drivers
• Quality reporting that meets the board’s governance requirements
• Performance information that can be effectively and efficiently used for strategic, managerial and day-to-day operations
• Enhanced decision-making processes in responding to business needs and concerns, and a focus on process improvement opportunities
• Increased satisfaction of management and the board with performance reporting
Risk Drivers
• Decisions failing to support the business needs and concerns
• Senior management dissatisfied with IT performance
• Disconnect between management and IT
• Inability of the board and executive to direct and control key IT activities
Test the Control Design
• Enquire whether and confirm that a board and executive reporting process has been established.
• Verify that the reporting covers IT’s contribution to the business by measuring achievement of IT goals, mitigation of IT risks and the usage of resources and that it is based on the performance monitoring framework (e.g., balanced scorecards, trending analysis, executive dashboards).
• Confirm that board and executive reports are based on consolidated information of IT performance measurement.
• Verify that there is a process in place to manage report versions and iterations.
ME1.6 Remedial Actions
Control Objective
Identify and initiate remedial actions based on performance monitoring, assessment and reporting. This includes follow-up of all monitoring, reporting and assessments through:
• Review, negotiation and establishment of management responses
• Assignment of responsibility for remediation
• Tracking of the results of actions committed
Value Drivers
• Management’s proactive commitment to remedial action
• Underlying performance problems resolved effectively and in a timely manner
• Process performance taken seriously, and a culture of continuous improvement encouraged
Risk Drivers
• Incidents due to unresolved problems
• Poor performance not acted upon, leading to further degradation
• Performance measurement not taken seriously
Test the Control Design
• Enquire whether processes, policies and procedures exist to initiate, prioritise and allocate responsibility and tracking for all remedial actions. Confirm by inspecting the documentation of the approach and observing the process, where possible.
• For a sample, test whether remedial action tasks are accurately responding to the performance issue detected and that progress reviews are conducted periodically.
• Analyse historic performance reports, and verify that substandard performance trends are routinely identified and consistently escalated to senior management, including deviations from agreed-upon implementation of corrective actions.
• Search activity logs/reports for satisfactory completion of remedial action tasks determined by pre-specified outcomes, and confirm that these remedial action tasks were signed off as appropriately addressing the cause.
• Enquire whether and confirm that performance measurement training is performed.
Take the following steps to test the outcome of the control objectives:
• Interview stakeholders and assess their knowledge and awareness of key IT processes and how they are measured and monitored to ensure that the monitoring system supports the corporate performance management system.
• Review plans, policies and procedures for monitoring the performance of key IT processes to ensure that they support critical business processes.
• Determine if the IT monitoring system supports the current business strategy and facilitates effective monitoring.
• Corroborate with independent sources (stakeholders and systems-related source) that management is measuring the appropriate performance indicators.
• Review plans, policies and procedures for monitoring the performance of key IT processes for integration with the enterprise’s performance management system.
• Review the documentation and communication of relationships and dependencies between key IT processes, particularly flowcharts, systems overview diagrams and dataflow diagrams.
• Review documented performance metrics with management to ensure appropriate coverage as follows:
– Business contribution including, but not limited to, financials
– Performance against the strategic business and IT plan
– Risk and compliance with relevant legislation and regulations
– Internal and external user satisfaction with service levels
– Key IT processes, including solution and service delivery
– Future-oriented activities, e.g., forecasting of implications related to emerging technology, reusable infrastructure, and business and IT personnel skill sets
• Review documented performance metrics to confirm that they:
– Represent business and IT goals and objectives
– Are based on accepted good practices
– Focus on the most important ones
– Are useful for internal and external comparison
– Reflect business expectations
– Are meaningful to IT’s customers and sponsors
• Confirm that IT performance requirements are established in conjunction with business management and aligned with enterprise management’s key performance metrics.
• Review appropriate approval by senior and business management of IT performance measurements and plans for communication to all process stakeholders.
• Review minutes, action lists, policies, plans and procedures related to performance measurement for evidence of regular review and update of the performance measurement approach.
• Review whether collection of performance data is covered adequately in the business requirements documentation.
• Review the data collection process and confirm that automation is considered.
• Assess the consistency, completeness and integrity of source data.
• Confirm that targets have been defined and properly signed off on by IT, senior and business management.
• Review plans, policies and procedures for organisational training to ensure skills in measurement, data collection and analysis and that the staff members adopt and promote the performance measurement culture.
• Determine if the data collected are reconciled to the source data at agreed-upon intervals.
• Inspect the measurement reports (e.g., balanced scorecard, pie charts, KPI matrices) of the enterprise and IT measurement systems, and determine if the method is integrated in the enterprise monitoring system.
• Confirm through interviews with key staff members whether the monitoring and reporting method/system is suitable and relevant for the objectives of performance measurement.
• Enquire whether and confirm that quality and completeness of output are verified (e.g., compare actual output with expected findings and confirm results with management).
• Review the performance measurement system to determine if targets and measurement data are correct and complete.
• Enquire whether and confirm that management regularly reviews the integrity of the data quality measurements.
• Inspect performance reports for timeliness of measurement and effectiveness of comparison to the targets.
• Inspect performance reports to verify that performance results are consistently and completely assessed against targets at agreed-to intervals and that relevant stakeholders receive reporting data.
• Ensure that causes are identified and translated into remedial actions that are assigned to someone with the appropriate authority and resource and are followed up appropriately.
• Enquire whether and confirm that root causes are periodically identified across deviations and appropriately acted upon.
• Through independent sources, verify that root cause analysis does occur and results in reaction.
• Inspect that documentation exists and verify that those responsible for the underlying causes are aware of the issues.
• Confirm that senior management reports highlight key issues (positive and negative) generally relating to IT’s contribution to the business and specifically to IT solution and service delivery capability and performance.
• Enquire whether and confirm that IT performance measurement is clearly linked to business outcomes and how IT supports business strategy.
• Verify that IT performance measurement is translated into business performance impacts and incorporated into standard periodic reports to the board.
• Trace results from the source to consolidated reports to assess the accuracy, completeness and reasonableness of consolidated performance reports.
• Review management reports to verify that deviations from expected performance are identified and management has committed to addressing issues (e.g., action items, management comments to recommendations, estimated resolution time frame).
• Review project documentation to confirm that remediation actions identified in senior management reports follow the organisation’s change management process (e.g., AI6 Manage change) and that it covers elements of change management, such as project plan, appropriate approvals, progress reporting, project changes/deviation tracking, completion and sign-off.
• Inspect project documentation for remedial action tasks, and compare to the agreed-upon resolution to ensure that all monitoring deficiencies have been properly mitigated.
• Determine whether progress reviews are conducted periodically.
Take the following steps to document the impact of the control weaknesses:
• Independently benchmark the performance measurement and monitoring approach against similar organisations or appropriate international standards/recognised industry best practices.
• Corroborate performance metrics used by the enterprise with independent sources (e.g., good practice, internal and industry benchmarks).
• Benchmark the performance targets and monitoring data collection approach against similar organisations or appropriate international standards/recognised industry best practices.
• Compare actual to planned performance in all IT areas.
• Compare actual to anticipated user satisfaction with all IT areas.
• Corroborate with enterprise, IT and business management to determine if IT performance reports are useful and understandable.
• Benchmark the performance targets and monitoring data collection approach against similar organisations or appropriate international standards/recognised industry best practices.
• Assess whether senior management is satisfied with reporting on performance monitoring.
ME2 Monitor and Evaluate Internal Control
Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.

ME2.1 Monitoring of Internal Control Framework
Control Objective
Continuously monitor, benchmark and improve the IT control environment and control framework to meet organisational objectives.
Value Drivers
• IT meeting its objectives for the business
• Reduced impact of control failure or deficiency on the business processes
• Continuous improvement of process controls with respect to industry practices
• Proactive detection and resolution of control deviations
• Compliance with laws and regulations
Risk Drivers
• Increased adverse impact on the organisation’s operations or reputation
• Control weaknesses hampering effective business process execution
• Undetected malfunctioning of internal control components
Test the Control Design
• Assess whether there is executive-level support for organisational governance standards for internal control and risk management (e.g., minutes, corporate policies, interview with CEO). Verify that policies and procedures include governance for internal standards and risk management (e.g., adoption of COSO Internal Control—Integrated Framework, COSO Enterprise Risk Management—Integrated Framework, COBIT).
• Assess whether there is a continuous improvement approach to internal control monitoring (i.e., balanced scorecard, self-assessment).

ME2.2 Supervisory Review
Control Objective
Monitor and evaluate the efficiency and effectiveness of internal IT managerial review controls.
Value Drivers
• Confirmation that IT processes supporting the achievement of business goals are under effective and efficient control
• Contribution of reviewed results to the overall decision-making process
Risk Drivers
• Control deficiencies hampering the business processes
• Inaccurate or incomplete control deficiency data, resulting in erroneous management decisions
Test the Control Design
• Confirm that the internal controls that require supervisory oversight and review are identified and consider the criticality and risk of the related IT process activities (e.g., existence of risk ranking of key processes/controls).
• Confirm that an escalation process for issues identified by supervisory reviews has been defined.
• Understand the automation of control monitoring and reporting.
ME2.3 Control Exceptions
Control Objective
Identify control exceptions, and analyse and identify their underlying root causes. Escalate control exceptions and report to stakeholders appropriately. Institute necessary corrective action.
Value Drivers
• Ability to implement preventive measures for recurring exceptions
• Ability to apply corrective measures in a timely manner
• Enhanced reporting to all affected parties to comply with the defined service levels
• Minimised potential for compliance failures
Risk Drivers
• Control deficiencies identified not in a timely manner
• Management not informed about control deficiencies
• Extended time required to resolve the identified issues, thus decreasing the process performance
Test the Control Design
• Confirm that policies include establishing thresholds for acceptable levels of control exceptions and control breakdowns.
• Confirm that the escalation procedures for control exceptions have been communicated and reported to business and IT stakeholders (e.g., via the intranet, hard copy procedures). The escalation procedures should include criteria or thresholds for escalations (e.g., control exceptions less than a specific amount of impact do not need to be escalated, control exceptions greater than a specific amount of impact need immediate reporting to CIO, and control exceptions greater than a specific amount of impact require immediate reporting to the board of directors). Interview management to assess knowledge and awareness of the escalation procedures, as well as root cause analysis and reporting.
• Confirm that individuals have been assigned accountability for root cause analysis and reporting as well as exception resolution.
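The tiered escalation thresholds described in the ME2.3 test steps, together with the target comparison and data-integrity reconciliation that ME1.2 calls for, can be expressed as a small monitoring check. The following is an added example written for this page, not code from the guide or from ITGI; the metric names, targets, reconciliation tolerance and threshold percentages are constructed assumptions chosen for illustration.

```python
"""Performance monitoring check: reconcile collected data against the source of
record, compare to approved targets, and assign an escalation tier.

Added example for this page; all targets, thresholds and sample readings below
are constructed assumptions, not values from the COBIT guide.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Escalation(Enum):
    """Escalation tiers mirroring the three thresholds ME2.3 uses as its example."""
    NONE = "no escalation required"
    CIO = "immediate reporting to CIO"
    BOARD = "immediate reporting to board of directors"


@dataclass(frozen=True)
class Target:
    name: str
    value: float            # agreed target, approved by IT and business management
    higher_is_better: bool  # availability-style metric vs. resolution-time-style metric


# Constructed sample targets (hypothetical figures).
TARGETS: Dict[str, Target] = {
    "availability_pct": Target("availability_pct", 99.5, True),
    "incident_resolution_hours": Target("incident_resolution_hours", 8.0, False),
    "change_success_pct": Target("change_success_pct", 95.0, True),
    "backup_success_pct": Target("backup_success_pct", 99.0, True),
}

# Constructed escalation thresholds: shortfall relative to target, as a fraction.
CIO_THRESHOLD = 0.02
BOARD_THRESHOLD = 0.10


def shortfall(target: Target, measured: float) -> float:
    """Relative shortfall against target: positive means worse than target, <= 0 means met."""
    if target.higher_is_better:
        return (target.value - measured) / target.value
    return (measured - target.value) / target.value


def classify(rel_shortfall: float) -> Escalation:
    """Map a relative shortfall onto the escalation tiers using the constructed thresholds."""
    if rel_shortfall >= BOARD_THRESHOLD:
        return Escalation.BOARD
    if rel_shortfall >= CIO_THRESHOLD:
        return Escalation.CIO
    return Escalation.NONE


def reconcile(collected: Dict[str, float], source: Dict[str, float],
              tolerance: float = 1e-6) -> List[str]:
    """Integrity check (ME1.2): names of metrics whose collected value does not match
    the source of record, or which are missing on either side."""
    problems = []
    for name in sorted(set(collected) | set(source)):
        if name not in collected or name not in source:
            problems.append(name)
        elif abs(collected[name] - source[name]) > tolerance:
            problems.append(name)
    return problems


def assess(collected: Dict[str, float], source: Dict[str, float]) -> Dict[str, dict]:
    """Per-target assessment. Metrics that fail reconciliation are flagged and not
    classified: a tier derived from unreliable data is itself one of the ME1.1 risk drivers."""
    unreconciled = set(reconcile(collected, source))
    result: Dict[str, dict] = {}
    for name, target in TARGETS.items():
        if name in unreconciled or name not in collected:
            result[name] = {"reconciled": False, "escalation": None}
            continue
        s = shortfall(target, collected[name])
        result[name] = {"reconciled": True, "measured": collected[name],
                        "shortfall": round(s, 4), "escalation": classify(s)}
    return result


# Constructed sample inputs: the monitoring collector vs. the system of record.
COLLECTED = {"availability_pct": 97.2, "incident_resolution_hours": 8.5,
             "change_success_pct": 84.0, "backup_success_pct": 99.4}
SOURCE = {"availability_pct": 97.2, "incident_resolution_hours": 9.1,
          "change_success_pct": 84.0, "backup_success_pct": 99.4}

if __name__ == "__main__":
    for metric, outcome in assess(COLLECTED, SOURCE).items():
        print(metric, outcome)
```

Running the block reports the availability shortfall at the CIO tier, the change success shortfall at the board tier, backup success as within target, and the incident resolution figure as unreconciled, so it is not scored at all until the discrepancy between collector and source is explained.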
ME2.4 Control Self-assessment
Control Objective
Evaluate the completeness and effectiveness of management’s control over IT processes, policies and contracts through a continuing programme of self-assessment.
Value Drivers
• Ability to implement preventive measures for recurring exceptions
• Ability to apply corrective measures in a timely manner
• Enhanced reporting to all affected parties to comply with the defined service levels
• Control deficiencies identified before adverse impact occurs
• Proactive approach to improving service quality
• Minimised potential for compliance failures
Risk Drivers
• Control deficiencies not identified in a timely manner
• Management not informed about control deficiencies
• Extended time required to resolve the identified issues, thus decreasing the process performance
Test the Control Design
• Review control self-assessment procedures to ensure the inclusion of relevant information such as scope, self-assessment approach, evaluation criteria, frequency of self-assessment, roles and responsibilities, and results reporting to executive business and IT stakeholders (e.g., reference internal audit standards or accepted practices in the design of self-assessments).
• Corroborate with management to determine if independent reviews of control self-assessment are performed against industry standards and best practices to ensure objectivity and to enable the sharing of internal control good practices (e.g., benchmarking against maturity model levels across similar organisations and the relevant industry).
ME2.5 Assurance of Internal Control
Control Objective
Obtain, as needed, further assurance of the completeness and effectiveness of internal controls through third-party reviews.
Value Drivers
• Identification of process control improvement opportunities, resulting in improved service to the business
• Establishment and maintenance of effective internal control framework
• Control skills and knowledge communicated within the organisation to increase the awareness of internal control principles and practice
Risk Drivers
• Processes not effectively controlled and failing to meet the business requirements
• Objective recommendations not obtained, resulting in IT control arrangements not being optimised
• Control gaps not identified
• Compliance with regulatory, contractual and legal requirements not achieved
Test the Control Design
• Verify that independent control reviews, certifications or accreditations are performed periodically according to risk and business objectives along with required external skill sets (e.g., conduct an annual risk assessment and define risk areas for review).
• Verify that the review results have been reported to an appropriate management level (e.g., audit committee) and remedial action has been initiated.
ME2.6 Internal Control at Third Parties
Control Objective
Assess the status of external service providers’ internal controls. Confirm that external service providers comply with legal and regulatory requirements and contractual obligations.
Value Drivers
• Identification of service improvement opportunities for third parties
• Confirmation of an effective internal control framework over third-party service providers
• Assurance provided over the service provider’s performance and compliance with internal controls
Risk Drivers
• Insufficient assurance over the service provider’s control framework and control performance
• Failures of mission-critical systems during operation
• IT services failing to meet the service specifications
• Failures and degradations of service from the provider not identified in a timely manner
• Reputational damage caused by provider service performance degradation
Test the Control Design
• Confirm that internal control requirements are addressed in the policies and procedures for contracts and agreements with third parties and that appropriate provisions for rights to audit are included.
• Confirm that there is a process in place to ensure that reviews are periodically performed to assess the internal controls of all third parties and that non-compliance issues are communicated.
• Confirm that policies and procedures are in place to confirm receipt of any required legal or regulatory internal control assertions from affected third-party service providers.
• Confirm that policies and procedures are in place to investigate exceptions, and obtain assurance that appropriate remedial actions have been implemented.
APPENDIX V
ME2 Monitor and Evaluate Internal Control (cont.)

Control Objective
ME2.7 Remedial Actions
Identify, initiate, track and implement remedial actions arising from control assessments and reporting.

Value Drivers
• Assurance that identified control gaps are remediated as necessary
• Safeguarding of continued functioning of business-critical applications
• Support of the organisation’s overall risk management process
• Maintenance of agreed-upon service levels

Risk Drivers
• Previously identified control gaps continuing to cause problems
• Malfunctioning of business-critical applications
• Reputational damage caused by failure to correct service provider control deficiencies

Test the Control Design
• Confirm that procedures are established to initiate, prioritise and assign responsibility for all remedial actions, with appropriate tracking of actions.
• Confirm that there is a mechanism to detect substandard performance of the remediation and that corrective actions are identified and reviewed by management (e.g., project milestones). Confirm that continued substandard performance of the remediation is escalated to senior management for further action (e.g., project status reporting, IT steering committee minutes).
• Confirm that established procedures require remedial action tasks to be approved upon satisfactory completion against prespecified outcomes.
IT ASSURANCE GUIDE: USING COBIT
Take the following steps to test the outcome of the control objectives:
• Review internal control monitoring policies and procedures to ensure that they adhere to organisational governance standards, industry-accepted frameworks and industry best practices.
• Determine whether independent assessments of IT controls are required and reports on IT internal control systems are generated for management review.
• Review the independent evaluation reports (e.g., outsourced development or production activities) of the IT internal control system to determine if the proper boundaries are considered and approved by executive management.
• Review and confirm the establishment of processes and procedures to ensure that control exceptions are promptly reported, followed up and analysed.
• Confirm that corrective actions are chosen and implemented to address the control exceptions.
• Review activity logs or pertinent documentation for control exceptions, and confirm that exceptions are promptly reported, followed up, analysed, tracked and corrected.
• Confirm that periodic review is performed to ensure that the IT internal control system is current to recent business changes and the associated business and IT risks.
• Confirm that any gaps between the framework and business processes have been identified and evaluated along with appropriate recommendations. For example, ensure that business systems for operations are not maintained by IT, so established controls policies and procedures used by IT are not applied.
• Confirm that the performance of the IT control framework is regularly reviewed, evaluated, and compared to industry standards and best practices.
• Review the last control exceptions resolution progress status report to confirm that control exceptions monitoring is timely and effective.
• Review control self-assessment schedules, and select a sample of control self-assessment plans and reports to determine if control self-assessment procedures are followed for effective ongoing monitoring.
• Review a sample of the control self-assessment reports for independent review, benchmarking and remedial actions for control exceptions noted (consider ranking the significance of the control exceptions and prioritise remedial actions accordingly).
• Confirm that control self-assessment outcomes and exceptions are reported and there is a process to track control exceptions and remedial actions.
• Assess the competence of external specialists or staff members performing independent reviews for relevant IT audit experience, relevant industry knowledge and appropriate certifications/training.
• Confirm that the personnel performing the reviews are independent (e.g., review the signed confidentiality agreement).
• Review existing contracts for third-party services on IT controls, and validate that the terms and conditions cover clear scope, assignment of liability and confidentiality.
• Confirm that any significant internal control deficiencies identified are reported for immediate management attention.
• Corroborate with members of management to determine if they review the results of third-party compliance review to ensure that third parties comply with required legal, regulatory and contractual obligations.
• Select a sample of the third-party contracts and examine for specification of internal control requirements and establishment of rights to audit provision(s) as appropriate.
• Corroborate to determine if any of the following is performed: certification/accreditation review, appropriate audit engagement (e.g., SAS 70 Type II engagement) or direct audit of the service provider by IT management.
• For a sample of third parties, obtain and review internal control compliance testing reports to ensure that the third-party service providers comply with applicable laws, regulations and contractual commitments.
• Review evidence to ensure that non-compliance issues are communicated and there are remedial action plans (including time frame) in place to address the issues.
• Review the method used to prioritise remediation of control deficiencies for reasonableness.
• Review the list of remediation issues and determine whether those issues are properly prioritised (e.g., critical, high, medium and low).
• Review project scheduling tools and compare to remediation actions to confirm that the areas identified as high risk are adequately prioritised.
• Inspect the sign-offs and determine whether they occurred in a timely manner.

Take the following steps to document the impact of the control weaknesses:
• Calculate the impact on the organisation for each actual key control failure.
• Quantify the risk and likelihood to the impact on the organisation for each potential key control failure.
ME3 Ensure Compliance With External Requirements

Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimising and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT’s compliance reporting with the rest of the business.

Control Objective
ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements
Identify, on a continuous basis, local and international laws, regulations, and other external requirements that must be complied with for incorporation into the organisation’s IT policies, standards, procedures and methodologies.

Value Drivers
• Identification of good practices for dealing with laws and regulations
• Improved personnel awareness for regulatory requirements
• Increasing process performance and compliance with laws and regulations
• Improved corporate performance

Risk Drivers
• Relevant laws or regulations overlooked, leading to non-compliance
• Potential areas of financial losses and penalties not identified
• Decreased customer and business partner satisfaction
• Increased likelihood of disputes with customers and regulators
• Increased risk to business continuity from sanctions imposed by regulators
• Poor corporate operational and financial performance

Test the Control Design
• Confirm that procedures are in place to ensure that legal, regulatory and contractual obligations impacting IT are reviewed. These regulatory compliance procedures should:
– Identify and assess the impact of the applicable legal or regulatory requirements relevant to the IT organisation
– Update the associated IT policies and procedures affected by the legal and regulatory requirements
– Include areas such as laws and regulations for electronic commerce, data flow, privacy, internal controls, financial reporting, industry-specific regulations, intellectual property copyright, and health and safety
– Include the frequency of legal or regulatory requirements review (e.g., annually or when there is a new or updated legal, regulatory and contractual requirement)
• Confirm that a log of all applicable legal, regulatory and contractual requirements; their impact; and required actions are maintained and up to date.
ME3 Ensure Compliance With External Requirements (cont.)

Control Objective
ME3.2 Optimisation of Response to External Requirements
Review and adjust IT policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated.

Value Drivers
• Support of the enterprise’s compliance with applicable laws and regulations through the use of standards and methodologies
• Policies regularly reviewed and aligned with the organisation’s objectives
• Improved personnel awareness of legal and regulatory compliance requirements
• Increasing process performance in relation to compliance with laws and regulations

Risk Drivers
• Non-compliance areas not identified
• Outdated compliance requirements remaining in effect
• Policies failing to meet the enterprise’s compliance needs
• Personnel unaware of procedures and practices to comply with legal and regulatory requirements

Test the Control Design
• Confirm that there are procedures and practices to ensure compliance with legal, regulatory and contractual requirements.
• Confirm that appropriate functions are included (e.g., legal department, production, accounting, HR).
Control Objective
ME3.3 Evaluation of Compliance With External Requirements
Confirm compliance of IT policies, standards, procedures and methodologies with legal and regulatory requirements.

Value Drivers
• Good practices for dealing with laws and regulations incorporated effectively into enterprise arrangements
• Increasing process performance and compliance with laws and regulations
• Deviations identified to support timely corrective action

Risk Drivers
• Financial losses and penalties
• Decreased customer and business partner satisfaction
• Non-compliance incidents not identified, adversely impacting the enterprise’s performance and reputation
• Increased likelihood of disputes

Test the Control Design
• Review the IT organisation policies, standards and procedures and confirm their regular and timely update to address any non-compliance (legal and regulatory) gaps identified.
ME3 Ensure Compliance With External Requirements (cont.)

Control Objective
ME3.4 Positive Assurance of Compliance
Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.

Value Drivers
• Confirmation of the enterprise’s compliance with applicable laws and regulations through the use of standards and methodologies
• Good practices identified for dealing with laws and regulations effectively incorporated into enterprise arrangements
• Increasing process performance in relation to compliance with applicable laws and regulations
• Confirmation that deviations from compliance requirements are identified and corrected in a timely manner

Risk Drivers
• Failure to report non-compliance incidents, adversely impacting the enterprise’s performance and reputation
• Increased likelihood of disputes
• Areas of non-compliance not identified and reported
• Corrective actions not initiated in a timely manner, adversely impacting the overall performance of the organisation

Test the Control Design
• Review from process owners evidence of regular confirmation of compliance with applicable laws, regulations and contractual commitments (i.e., final report and letter from regulators acknowledging the completion of their review).
• Review that processes are in place to track and execute internal and external reviews to ensure that there is adequate planning and resource allocation to assist/complete reviews (e.g., inventory of regulatory requirements, scheduling of internal compliance reviews, scheduling of resources required to assist reviews).
• Enquire whether procedures are in place to regularly assess levels of compliance with legal and regulatory requirements by independent parties.
• Review policies and procedures to ensure that contracts with third-party service providers require regular confirmation of compliance (e.g., receipt of assertions) with applicable laws, regulations and contractual commitments.
• Confirm that a process to monitor and report on incidents of non-compliance is implemented that includes, where necessary, further investigation of the root cause of incidents taking place.
ME3 Ensure Compliance With External Requirements (cont.)

Control Objective
ME3.5 Integrated Reporting
Integrate IT reporting on legal, regulatory and contractual requirements with similar output from other business functions.

Value Drivers
• Facilitated corporate reporting on compliance issues
• Enabling of timely detection of control gaps where they are interfering with other business functions
• Support of the organisation’s standards and methodologies in establishing effective compliance arrangements
• Reduced overall compliance risk facing the enterprise

Risk Drivers
• Increased enterprise non-compliance exposure
• Other business functions unaware of compliance requirements and status related to IT processes
• Failure to integrate IT-related compliance issues into overall reporting, resulting in erroneous strategic decision making by enterprise management

Test the Control Design
• Enquire whether and confirm that:
– Requirements are co-ordinated for corporate reporting on legal and regulatory compliance, including the requirement to retain any historical information
– IT compliance reporting conforms with corporate reporting requirements, such as distribution, frequency, scope, content and format, to ensure reporting consistency and completeness
Take the following steps to test the outcome of the control objectives:
• Trace specific compliance requirements from recognition and documentation through the procedures to prevent and detect non-compliance. Interview and assess relevant staff members to confirm that they are aware of legal, regulatory and contractual requirements that have been identified.
• Review evidence or a log of applicable laws, regulations and standards and the company’s compliance status from internal and independent counsel’s input. For non-compliance areas, identify management remedial actions to address the requirements.
• Confirm that coverage, procedures and practices for compliance are regularly reviewed by internal and external experts (e.g., security audits, SAS 70s).
• Confirm that advice from appropriate third parties is obtained as required.
• Review IT processes documentation for evidence of periodic legal and regulatory compliance review, and ensure that the documents are updated where appropriate.
• Enquire if recurring patterns of compliance failures are looked for and their cause evaluated on a regular basis (e.g., determine if changes to policies, standards, procedures, processes and activities are implemented as a result of the evaluations).
• Review compliance assessment reports on legal and regulatory requirements performed by independent internal or external parties to ensure that regular reviews take place.
• Review a sample of third-party contracts to determine if there are provisions to require regular confirmation of compliance with applicable laws, regulations and contractual commitments.
• Select a sample of third-party service providers and obtain evidence of their assertions of compliance to determine if they comply with the contractual requirement of regular confirmation of compliance.
• Review findings from third-party compliance reporting as well as from non-compliance investigation and resolution to determine if operating effectiveness deficiencies are addressed.
• Confirm that standards for IT compliance reporting conform with the agreed-upon format, including scope, content and format, required to ensure consistency and completeness (e.g., review agreement procedures).
• Review compliance reports to ensure that the IT compliance assessment results were incorporated and presented consistently with similar reports from other business functions.

Take the following steps to document the impact of the control weaknesses:
• Identify and quantify the cost of fines and other penalties levied against the enterprise as a result of non-compliance.
• Quantify the risk and likelihood of non-compliance with regulatory requirements (e.g., “Statement of the Securities and Exchange Commission Concerning Financial Penalties,” US Securities and Exchange Commission [SEC], 2006), to assist in the understanding of the impact on the enterprise.
ME4 Provide IT Governance

Establishing an effective governance framework includes defining organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.
Control Objective
ME4.1 Establishment of an IT Governance Framework
Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confirm that the IT governance framework ensures compliance with laws and regulations and is aligned with, and confirms delivery of, the enterprise’s strategies and objectives. Report IT governance status and issues.

Value Drivers
• IT decisions in line with the enterprise’s strategies and objectives
• A consistent approach for a governance framework achieved and aligned with the enterprise approach
• Processes overseen effectively and transparently
• Compliance with legal and regulatory requirements confirmed
• Board requirements for governance likely to be met

Risk Drivers
• Ineffective responsibilities and accountabilities established for IT processes
• The IT portfolio failing to support the enterprise’s objectives and strategies
• Remedial actions to maintain and improve IT process effectiveness and efficiency not identified or implemented
• Controls not operating as expected

Test the Control Design
• Enquire whether and confirm that:
– An agreed-upon process exists to align the IT governance framework with the overall enterprise governance and control environment
– The framework is based on a comprehensive IT process and control model and defines leadership, unambiguous accountability, roles and responsibilities, information requirements, organisational structures, and practices to avoid breakdown in internal control and oversight
– Appropriate management governance structures exist, such as the IT strategy committee, IT steering committee, technology council, IT architecture review board and IT audit committee. Verify that terms of reference exist for each of these.
– The IT governance framework focuses on strategic alignment, value delivery, resource management, risk management and performance measurement
– A process exists to measure and evaluate delivery of IT’s strategies and objectives, and to aggregate all IT governance issues and remedial actions into a consolidated management repository or tracking mechanism
– Unambiguous responsibilities for IT risk management have been established
– IT governance status and issues are reported to the corporate governance oversight body
ME4 Provide IT Governance (cont.)

Control Objective
ME4.2 Strategic Alignment
Enable board and executive understanding of strategic IT issues, such as the role of IT, technology insights and capabilities. Ensure that there is a shared understanding between the business and IT regarding the potential contribution of IT to the business strategy. Work with the board and the established governance bodies, such as an IT strategy committee, to provide strategic direction to management relative to IT, ensuring that the strategy and objectives are cascaded into business units and IT functions, and that confidence and trust are developed between the business and IT. Enable the alignment of IT to the business in strategy and operations, encouraging co-responsibility between the business and IT for making strategic decisions and obtaining benefits from IT-enabled investments.

Value Drivers
• IT more responsive to the enterprise’s objectives
• IT resources helping to facilitate the business goals in an efficient and effective manner
• IT capabilities enabling opportunities for the business strategy
• Efficient allocation and management of IT investments

Risk Drivers
• Ineffective allocation and management of IT investments
• IT failing to support the enterprise’s objectives
• Strategic IT planning not aligned with the overall corporate strategy
• IT directions not defined and not supporting business goals

Test the Control Design
• Inspect IT strategy documentation and assess whether it supports the direction provided by the board/senior management. It should reflect business strategies and IT’s appropriate alignment with business operations.
• Determine whether the IT strategic planning process includes involvement from business operations and demonstrates alignment with business strategies and objectives.
• Review the IT strategy documents and assess whether they include the role of IT, IT guiding principles from business maxims, how IT monitors the business impact of the IT infrastructure and applications portfolio, and the potential contribution of IT to the overall business strategy (e.g., evaluating, post-implementation, benefits delivered by IT projects).
ME4 Provide IT Governance (cont.)

Control Objective
ME4.3 Value Delivery
Manage IT-enabled investment programmes and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise’s strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achieve those outcomes are understood; that comprehensive and consistent business cases are created and approved by stakeholders; that assets and investments are managed throughout their economic life cycle; and that there is active management of the realisation of benefits, such as contribution to new services, efficiency gains and improved responsiveness to customer demands. Enforce a disciplined approach to portfolio, programme and project management, insisting that the business takes ownership of all IT-enabled investments and IT ensures optimisation of the costs of delivering IT capabilities and services.

Value Drivers
• Cost-efficient delivery of solutions and services
• Optimised use of IT resources
• Business needs supported efficiently
• Increasing support for use of IT by enterprise stakeholders
• Increased value contribution of IT to business objectives
• Reliable and accurate picture of costs and likely benefits

Risk Drivers
• Misdirected IT investments
• Value not obtained from the IT assets and services
• Decreasing customer satisfaction
• Increasing costs for IT investments and operations
• Lack of alignment between the business objectives and the IT architecture
• Expected benefits not realised

Test the Control Design
• Confirm that there is co-responsibility between the business and IT for all IT investments.
• Inspect documentation that identifies how IT delivers against the strategy. It should include delivering on time and within budget, with appropriate functionality and the intended benefits.
• Determine whether there is a process to regularly identify and evaluate ways to increase IT value contribution whilst managing business and executive expectations with respect to emerging technology (i.e., steering committee meetings).
• Determine whether there is a partnership between the business and the IT providers, with shared responsibility for sourcing decisions.
• Determine whether IT is aware of (or has documented) business expectations for IT value (i.e., time-to-market, cost and time management, partnering success) and that IT perceives the value of IT consistently.
• Determine whether there is an effective process to ensure that IT and business architectures are designed to drive maximum value.
• Determine whether there is an effective process in place to adjust IT investments based on a balance of risk, cost and benefit with budgets that are acceptable and take into account return and competitive aspects of IT investments.
• Inspect IT documentation to assess whether the business has set expectations for the content of IT deliverables, including meeting business requirements; flexibility to adopt future requirements; throughput and response times; ease of use; security; and the integrity, accuracy and currency of information.
• Determine whether there is an effective IT portfolio management process that is being evaluated on a regular basis to optimise value in relation to costs and that results in (for the business) competitive advantage, elapsed time for order/service fulfilment, customer satisfaction, employee productivity and profitability.
• Review the results of management’s monitoring of the IT budget and investment planning to ensure that it remains realistic and integrated into the overall financial plan (this may include compliance with regulatory requirements).
• Determine that the IT asset portfolio management process effectively manages and reports on the actual costs and the ROI.
ME4 Provide IT Governance (cont.)

Control Objective
ME4.4 Resource Management
Oversee the investment, use and allocation of IT resources through regular assessments of IT initiatives and operations to ensure appropriate resourcing and alignment with current and future strategic objectives and business imperatives.

Value Drivers
• Efficient and effective prioritisation and utilisation of IT resources
• IT costs optimised
• Increased likelihood of benefit realisation
• IT planning supported and optimised
• Readiness for future change

Risk Drivers
• Fragmented, inefficient infrastructures
• Insufficient capabilities, skills and resources to achieve desired goals
• Strategic objectives not achieved
• Inappropriate priorities used for allocation of resources

Test the Control Design
• Confirm through questioning of management that a high-level direction for sourcing and use of IT resources is in place.
• Review minutes of meetings with high-level directors to determine effectiveness of these direction activities.
• Enquire whether and confirm that suitable IT resources, skills and infrastructure are available to meet strategic objectives and that policies are in place to enable continued availability.
• Enquire whether and confirm that IT infrastructures are provided that facilitate the creation and sharing of business information at optimal cost.
• Review that policies, procedures and processes are in place for resource management, and verify that they are operating effectively to:
– Optimise and balance overall IT investments and use of resources between sustaining and growing the enterprise
– Capitalise on information and knowledge resources
– Establish business priorities so that resources are allocated to enable effective IT performance
• Independently develop and estimate optimal balance of overall IT investments and use of resources, and compare with actual findings.
• Trace items through the IT infrastructures, and determine whether creation and sharing of information is facilitated effectively.
• Enquire whether and confirm that critical roles are allocated and defined for driving maximum value from IT with appropriate staffing and resources.
• Review the defined roles, and ensure that they are effectively allocated and executed.
• Enquire whether and confirm that procedures for capability assessments are in place and regularly performed to ensure an ability to support the business strategy.
• Reperform capability assessments and compare to defined business strategies.
IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE, 248
ME4 Provide IT Governance (cont.)

ME4.5 Risk Management

Control Objective
Work with the board to define the enterprise's appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite. Embed risk management responsibilities into the organisation, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise's IT risk position is transparent to all stakeholders.

Value Drivers
• Risks identified before they materialise
• Increased awareness of risk exposures
• Clear accountability and responsibility for managing critical risks
• Effective approach for managing IT risks
• IT risk profile aligned with management's expectations
• Minimised potential for compliance failures

Risk Drivers
• Risks identified or managed ineffectively
• Increased expenses and costs incurred to manage unanticipated risks
• Critical IT applications and services failure
• Lack of ownership of IT risks

Test the Control Design
• Enquire whether and confirm that:
– Based on information from management, such as IT risk exposures, risk management measures and associated costs, the board defines, regularly re-evaluates and communicates the enterprise's risk appetite
– Management reviews the outcome of the evaluation of the risk of IT activities, to confirm that the total risk exposure does not exceed the defined risk appetite, considering mitigating controls in place, and oversees the implementation of additional mitigating controls to reduce the overall risk exposure as needed
– A process exists to include IT risk management issues in IT governance status and issues reporting and to provide transparency of IT risks to all stakeholders
ME4 Provide IT Governance (cont.)

ME4.6 Performance Measurement

Control Objective
Confirm that agreed-upon IT objectives have been met or exceeded, or that progress toward IT goals meets expectations. Where agreed-upon objectives have been missed or progress is not as expected, review management's remedial action. Report to the board relevant portfolios, programme and IT performance, supported by reports to enable senior management to review the enterprise's progress toward identified goals.

Value Drivers
• Increased process performance
• Areas of improvement identified
• IT objectives and strategies being and remaining in line with the enterprise's strategy
• Processes overseen effectively and transparently
• Timely and effective management reporting enabled

Risk Drivers
• Performance gaps not identified in a timely manner
• Decreased stakeholder confidence
• Service deviations and degradations not recognised and addressed, resulting in failure to deliver business requirements
• Service performance failures causing legal and regulatory compliance exposures

Test the Control Design
• Enquire whether and confirm that:
– The IT scorecard performance measures are properly aligned with the business scorecard measures and accepted by the business
– Management assesses and accepts the effectiveness of the processes and the accuracy and completeness of the deliverables to measure and report IT performance in relation to achievement of the strategic IT objectives. Verify that status reports include the extent to which planned objectives have been achieved, deliverables obtained and performance targets met.
– The board evaluates the appropriateness of management's corrective actions for significant performance problems and provides direction to rectify organisational or systemic causes as necessary
ME4 Provide IT Governance (cont.)

ME4.7 Independent Assurance

Control Objective
Obtain independent assurance (internal or external) about the conformance of IT with relevant laws and regulations; the organisation's policies, standards and procedures; generally accepted practices; and the effective and efficient performance of IT.

Value Drivers
• Opportunities for service improvements identified
• Gaps detected in a timely manner
• Reliable assurance of effective governance, risk management, and internal control mechanisms and procedures
• Assurance to the board and executive management that governance is working effectively

Risk Drivers
• Reputational damage through failure to detect or prevent service performance degradation
• Ineffective IT governance, risk management and internal control arrangements
• Unethical behaviours adopted and accepted

Test the Control Design
• Enquire whether and confirm that an audit committee has been established with a mandate to consider what the significant risks are; assess how they are identified, evaluated and managed; commission IT and security audits; and rigorously follow up closure of subsequent recommendations.
• Interview the audit committee and assess its knowledge and awareness of its responsibilities. Determine whether the established audit committee is operating effectively.
• Enquire whether and confirm that independent reviews, certifications or accreditations of compliance with IT policies, standards and procedures have been obtained. Physically inspect for adequacy the documents produced by the independent reviews.
Take the following steps to test the outcome of the control objectives:
• Review board/senior management meeting minutes to determine whether business direction is provided over enterprise use of IT resources and capabilities.
• Review the enterprise leadership and organisational structures related to the use of IT resources to determine their appropriateness in relation to the overall enterprise and the completeness of their coverage of oversight and management of IT resources.
• Identify the process model being used to establish and support IT governance, and assess its adequacy and effectiveness of application.
• Review IT strategic planning minutes to verify that IT and business goals and objectives are aligned.
• Confirm that there are business sponsors designated to have direct active involvement in and accountability for all major IT-enabled investments.
• Review plans for IT services and compare with the business strategy to assess that the direction allows IT to provide optimal support.
• Confirm through interviews with those responsible for IT strategy that it is integrating well with overall business goals.
• Assess whether the goals and objectives of the business and IT are clearly communicated to relevant parties and that appropriate mediation exists and is functioning effectively (e.g., technology plans).
• Assess whether an IT steering committee drives business alignment by ensuring that IT strategy is aligned with business strategy and that supporting strategies and plans are consistent and integrated.
• Determine whether there is a process for executive management to regularly review IT governance reports to determine whether IT strategic issues and actions to resolve them are reported. Such reports should include progress against strategic plans, key service performance measures, and significant risk assessment and mitigation aspects.
• Identify and assess the extent of independent assurance provided to the enterprise in relation to the establishment and effectiveness of IT governance arrangements.

Take the following steps to document the impact of the control weaknesses:
• Quantify the impact of failures of IT to support new business initiatives or critical business services.
• Identify IT-related incidents and issues that attract media attention and comment (e.g., major failed projects, compliance violations, security failures).
APPENDIX VI—APPLICATION CONTROL (AC) PROCESS ASSURANCE STEPS
AC1 Source Data Preparation and Authorisation

Control Objective
Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Minimise errors and omissions through good input form design. Detect errors and irregularities so they can be reported and corrected.

Value Drivers
• Data integrity
• Standardised and authorised transaction documentation
• Improved application performance
• Accuracy of transaction data

Risk Drivers
• Compromised integrity of critical data
• Unauthorised and/or erroneous transactions
• Processing inefficiencies and rework

Test the Control Design
• Ensure that the design of the system provides for the identification and management of authorisation levels.
• Enquire whether and confirm that the design of the system provides for the use of preapproved authorisation lists and related signatures for use in determining that documents have been appropriately authorised.
• Assess whether source documents and/or input screens are designed with predetermined coding, choices, etc., to encourage timely completion and minimise the potential for error.
• Enquire whether and confirm that the design of the system encourages review of the forms for completeness and authorisation and identifies situations where attempts to process incomplete and/or unauthorised documents occur.
• Enquire whether and confirm that, once identified, the system is designed to track and report upon incomplete and/or unauthorised documents that are rejected and returned to the owner for correction.

Test the Outcome of the Control Objective
• Verify, through inspection of authorisation lists, that authorisation levels are properly defined for each group of transactions. Observe that authorisation levels are properly applied.
• Inspect and observe creation and documentation of data preparation procedures, and enquire whether and confirm that procedures are understood and the correct source media are used.
• Where required by procedures, observe whether and ensure that adequate segregation of duties between originator and approver exists.
• Inspect documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that authorisation access controls are effective.
• Enquire whether and confirm that a list of authorised personnel and their signatures is maintained by the appropriate departments. Where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that the list of authorised personnel is effectively designed to allow/restrict personnel to enter data.
• Inspect the list of authorised personnel and other documentation, and observe processes and procedures to verify that the processes and procedures used to maintain the list are timely and effective. Select a sample of employees and assess whether their authorisation levels are commensurate with their roles and responsibilities.
• Enquire whether and confirm that all source documents include standard components such as predetermined input codes and default values to reduce errors, record transaction time and date to provide for monitoring, and capture authorisation information to ensure validity.
• Where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to select transactions for subsequent verification of the use of standard components that improve accuracy and provide evidence of authorisation.
AC1 Source Data Preparation and Authorisation (cont.)

Test the Outcome of the Control Objective (cont.)
• Enquire whether and confirm that, during data entry, source documents are reviewed; incomplete, unsigned or inappropriately authorised documents are returned to originators for correction and are logged; and logs are periodically reviewed to verify that corrected documents are returned by originators in a timely fashion. Inspect source documents and review logs and other documents to verify that incomplete documents are effectively detected and completed by originators in a timely manner.
• Review source document forms and verify if they are usable, facilitate error prevention, and enable speedy and efficient preparation.
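The AC1 outcome tests above ask the assurance professional to trace transactions against the list of authorised personnel, confirm segregation of duties between originator and approver, and assess whether a sample of employees' authorisation levels are commensurate with their roles. The following is an added example of how such a CAAT can be scripted; it is not code from the guide or from ITGI. The authorisation list, the role policy and the sample source documents are constructed data, and the rule that a user with no approval limit may originate but never approve is an assumption of the example.

```python
"""CAAT-style test of source-document authorisation (AC1).

Added example, not from the guide. The users, limits and documents below are
constructed sample data standing in for the department's signed authorisation
list and a sample of source documents pulled for the period.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Authorisation list (assumption): user id -> (role, {document class: approval limit}).
# A user with no limits may originate documents but never approve them.
AUTHORISATION_LIST: Dict[str, Tuple[str, Dict[str, Decimal]]] = {
    "u101": ("AP clerk", {}),
    "u202": ("AP supervisor", {"invoice": Decimal("5000")}),
    "u303": ("Finance manager", {"invoice": Decimal("50000"), "credit_note": Decimal("10000")}),
    "u404": ("AP clerk", {"invoice": Decimal("2000")}),   # a clerk holding an approval limit
}

# Role policy (assumption): the highest approval limit a role should ever hold.
ROLE_POLICY: Dict[str, Decimal] = {
    "AP clerk": Decimal("0"),
    "AP supervisor": Decimal("5000"),
    "Finance manager": Decimal("50000"),
}


@dataclass(frozen=True)
class SourceDocument:
    doc_id: str
    doc_class: str
    amount: Decimal
    originator: str
    approver: Optional[str]   # None: the document reached data entry unsigned


def exceptions_for(doc: SourceDocument) -> List[str]:
    """Control exceptions for one document; an empty list means it passes every check."""
    if doc.approver is None:
        return ["unsigned: no approver recorded"]
    findings: List[str] = []
    # Segregation of duties between originator and approver.
    if doc.approver == doc.originator:
        findings.append("segregation of duties: originator approved own document")
    entry = AUTHORISATION_LIST.get(doc.approver)
    if entry is None:
        findings.append(f"approver {doc.approver} is not on the authorisation list")
        return findings
    _, limits = entry
    limit = limits.get(doc.doc_class)
    if limit is None:
        findings.append(f"approver {doc.approver} is not authorised for class '{doc.doc_class}'")
    elif doc.amount > limit:
        findings.append(f"amount {doc.amount} exceeds {doc.approver}'s limit of {limit}")
    return findings


def authorisation_exceptions(docs: List[SourceDocument]) -> Dict[str, List[str]]:
    """Run the checks over a sample; returns only the failing documents with their findings."""
    result: Dict[str, List[str]] = {}
    for doc in docs:
        findings = exceptions_for(doc)
        if findings:
            result[doc.doc_id] = findings
    return result


def users_over_role_policy() -> List[Tuple[str, str, Decimal, Decimal]]:
    """Users whose limit is not commensurate with their role: (user, class, limit, role maximum)."""
    over = []
    for user, (role, limits) in AUTHORISATION_LIST.items():
        role_max = ROLE_POLICY.get(role, Decimal("0"))
        for doc_class, limit in limits.items():
            if limit > role_max:
                over.append((user, doc_class, limit, role_max))
    return over


# Constructed sample of source documents selected for the period.
SAMPLE_DOCS = [
    SourceDocument("D001", "invoice", Decimal("1200"), "u101", "u202"),      # passes
    SourceDocument("D002", "invoice", Decimal("7500"), "u101", "u202"),      # over supervisor limit
    SourceDocument("D003", "invoice", Decimal("7500"), "u101", "u303"),      # passes: manager limit
    SourceDocument("D004", "credit_note", Decimal("800"), "u202", "u202"),   # self-approved, wrong class
    SourceDocument("D005", "invoice", Decimal("300"), "u101", None),         # unsigned
    SourceDocument("D006", "invoice", Decimal("300"), "u101", "u999"),       # approver not on list
]

if __name__ == "__main__":
    for doc_id, findings in authorisation_exceptions(SAMPLE_DOCS).items():
        print(doc_id, "->", "; ".join(findings))
    for user, doc_class, limit, role_max in users_over_role_policy():
        print(f"{user}: {doc_class} limit {limit} exceeds role maximum {role_max}")
```

Run against a real population, the first report is the list of documents to take back to the originating department, and the second is the list of authorisation-list entries to raise with the list's owner. Keeping the list and the role policy as data rather than hard-coded branches means the same script can be re-run after remediation to confirm closure.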
AC2 Source Data Collection and Entry

Control Objective
Ensure that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.

Value Drivers
• Accurate data entry and efficient processing
• Errors detected in a timely manner
• Sensitive transaction data secured

Risk Drivers
• Processing inefficiencies due to incomplete data entry
• Compromised integrity of critical data
• Access control violations
• Data entry errors undetected

Test the Control Design
• Enquire whether and confirm that criteria for timeliness, completeness and accuracy of source documents are defined and communicated.
• Enquire whether and confirm that documented procedures for the correction of errors, out-of-balance conditions and entry of overrides exist. Ensure that the procedures include mechanisms for timely follow-up, correction, approval and resubmission. Assess procedures for factors such as descriptions of error messages and override mechanisms.
• Enquire whether and confirm that policies and processes are established to establish criteria for the identification of classes of critical transactions that require pre-numbered source documents or other unique methods of identifying source data.
• Enquire whether and confirm that there are policies and procedures in place to determine document retention policies. Factors to consider in assessing the document retention policy include criticality of the transaction, form of the source data, method of retention, location of retention, time period for retention, compliance and regulatory requirements.
• For each major group of transactions, enquire whether and confirm there is documentation of criteria to define authorisation for input, editing, acceptance, rejection and override.
• Inspect documentation of policies and procedures to ensure that criteria for timeliness, completeness and accuracy are appropriately represented.

Test the Outcome of the Control Objective
• Enquire whether and confirm that critical source documents are prenumbered and out-of-sequence numbers are identified and taken into account.
• Enquire whether and confirm that error messages are generated in a timely manner, transactions are not processed unless errors are corrected or appropriately overridden, errors that cannot be corrected immediately are logged and valid transaction processing continues, and error logs are reviewed and acted upon within a specified and reasonable period of time.
• Enquire whether and confirm that reports on errors and out-of-balance conditions are reviewed by appropriate personnel; all errors are identified, corrected and checked within a reasonable period of time; and errors are reported until corrected.
• For a sample of transaction flows, enquire whether and confirm that retention of source documents is defined and applied in relation to established criteria for source document retention.
• Select a set of critical transactions and:
– Compare the actual state of access controls over transaction input, editing, acceptance, etc., with established criteria, policies or procedures.
– Inspect whether critical source documents are prenumbered or that other unique methods of identifying source data are used.
– Inspect documentation or walk-through transactions to identify those personnel who can input, edit, authorise, accept and reject transactions and override errors.
– Take a sample of transactions within this set for a specific period, and inspect the source documents for those transactions. Verify that all appropriate source documents are available.
• Identify and review out-of-sequence numbers, gaps and duplicates using automated tools (CAATs).
• Inspect documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that authorisation controls are effective and that sufficient evidence is reliably recorded and reviewed.
AC2 Source Data Collection and Entry (cont.)

Test the Outcome of the Control Objective (cont.)
• Inspect documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that timely error messages, transaction process restrictions and error logs are generated, applied and reviewed effectively.
• Inspect error and out-of-balance reports, error corrections, and other documents to verify that errors and out-of-balance conditions are effectively reviewed, corrected, checked and reported until corrected.
AC3 Accuracy, Completeness and Authenticity Checks

Control Objective
Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.

Value Drivers
• Data processing errors efficiently remediated
• Data accuracy, completeness and validity maintained during processing
• Uninterrupted transaction processing
• Segregation of duties for data entry and processing

Risk Drivers
• Processing inefficiencies and rework due to incomplete, invalid or inaccurate data entry
• Compromised integrity of critical data
• Data entry errors undetected
• Unauthorised data entry

Test the Control Design
• Enquire whether and confirm that policies and procedures exist for the handling of transactions that fail edit and validation checks.
• Enquire whether and confirm that processes and procedures are established for the segregation of duties for entry, modification and approval of transaction data as well as for validation rules. Factors to consider in the assessment of segregation of duties policies include criticality of the transaction system and methods for the enforcement of segregation of duties.
• Enquire whether and confirm that validation criteria and parameters on input data are periodically reviewed, confirmed and updated in a timely, appropriate and authorised manner.
• For important or critical systems, inspect the data input design to ensure that the authorisation controls allow only appropriately authorised persons to input or modify data.
• Obtain functional description and design information on data input controls. Inspect the functionality and design for appropriate controls. Examples of controls include the presence of sequence, limit, range, validity, reasonableness, table look-ups, existence, key verification, check digit, completeness (e.g., total monetary amount, total items, total documents, hash totals), duplication, logical relationship checks and time edits.
• Obtain functional description and design information on data input authorisation controls. Inspect the functionality and design for the presence of authorisation checks.
• Obtain functional description and design information on transaction data entry. Inspect the functionality and design for the presence of timely and complete checks and error messages. If possible, observe transaction data entry.
• Obtain functional description and design information on transaction data validation.

Test the Outcome of the Control Objective
• Inspect error and out-of-balance reports, error corrections, and other documents to verify that errors and out-of-balance conditions are effectively reviewed, corrected, checked and reported until corrected.
• Inspect error corrections, out-of-balance conditions, entry overrides and other documents to verify that the procedures are followed.
• Select a sample of input source data of source documents. Using inspection, CAATs, or other automated evidence collection and assessment tools, validate that input data are a complete and accurate representation of underlying source documents.
• Select a sample of source data input processes. Enquire whether and confirm that mechanisms are in place to ensure that the source data input processes have been performed in line with established criteria for timeliness, completeness and accuracy.
• Enquire whether and confirm that transactions failing edit and validation routines are subject to appropriate follow-up until they are remediated.
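The AC3 design test above lists the edit checks an input routine should contain (limit, range, validity, reasonableness, table look-ups, existence, check digit, completeness, logical relationship checks and time edits) and the control objective requires that failing transactions are sent back for correction as close to the point of origination as possible. The following added example, not code from the guide or from ITGI, implements those checks over constructed transactions and returns a field-level message for every failure so the originator can correct it immediately. Its reference tables, limits, the 30-day open period and the assumption that the vendor number carries a mod-10 (Luhn) check digit are all assumptions of the example; a real system takes them from its master data and its documented validation criteria.

```python
"""Input edit and validation routine (AC3).

Added example, not from the guide. Reference tables, limits and sample
transactions are constructed; the vendor number is assumed to carry a Luhn
(mod 10) check digit and the open posting period is assumed to be 30 days.
"""
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

VALID_GL_ACCOUNTS = {"4000", "5100", "6200"}           # existence / table look-up
VALID_COST_CENTRES = {"CC10", "CC20"}
ACCOUNT_TO_COST_CENTRES = {                             # logical relationship check
    "4000": {"CC10"}, "5100": {"CC10", "CC20"}, "6200": {"CC20"}}
SINGLE_TRANSACTION_LIMIT = Decimal("25000")             # limit check: hard reject
REASONABLENESS_THRESHOLD = Decimal("10000")             # reasonableness: override needed
OPEN_PERIOD_DAYS = 30                                   # time edit
REQUIRED_FIELDS = ("txn_id", "vendor_id", "gl_account", "cost_centre", "amount", "posting_date")


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit on a numeric string (assumed scheme for vendor numbers)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def edit_checks(txn: Dict[str, str], today: date) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors block entry, warnings need a supervisor override.
    Every message names the field and the problem so it can be corrected at origination."""
    errors: List[str] = []
    warnings: List[str] = []
    for field in REQUIRED_FIELDS:                       # completeness
        if not txn.get(field):
            errors.append(f"{field}: required field missing")
    if errors:
        return errors, warnings
    if txn["gl_account"] not in VALID_GL_ACCOUNTS:     # validity / existence
        errors.append(f"gl_account: {txn['gl_account']} not in chart of accounts")
    if txn["cost_centre"] not in VALID_COST_CENTRES:
        errors.append(f"cost_centre: {txn['cost_centre']} unknown")
    # Logical relationship, only meaningful once both codes are known to exist.
    if not errors and txn["cost_centre"] not in ACCOUNT_TO_COST_CENTRES[txn["gl_account"]]:
        errors.append(f"cost_centre: {txn['cost_centre']} may not post to account {txn['gl_account']}")
    if not luhn_valid(txn["vendor_id"]):               # check digit
        errors.append(f"vendor_id: {txn['vendor_id']} fails check digit")
    try:                                                # limit and reasonableness
        amount = Decimal(txn["amount"])
    except InvalidOperation:
        errors.append(f"amount: {txn['amount']!r} is not numeric")
    else:
        if amount <= 0:
            errors.append("amount: must be greater than zero")
        elif amount > SINGLE_TRANSACTION_LIMIT:
            errors.append(f"amount: {amount} exceeds single-transaction limit {SINGLE_TRANSACTION_LIMIT}")
        elif amount > REASONABLENESS_THRESHOLD:
            warnings.append(f"amount: {amount} above reasonableness threshold {REASONABLENESS_THRESHOLD}")
    try:                                                # time edit
        posted = date.fromisoformat(txn["posting_date"])
    except ValueError:
        errors.append(f"posting_date: {txn['posting_date']!r} is not a valid date")
    else:
        if posted > today:
            errors.append("posting_date: is in the future")
        elif today - posted > timedelta(days=OPEN_PERIOD_DAYS):
            errors.append(f"posting_date: outside the {OPEN_PERIOD_DAYS}-day open period")
    return errors, warnings


def process_entries(txns: List[Dict[str, str]], today: date) -> Dict[str, object]:
    """Accept clean entries, hold overridable ones, reject the rest; valid entries are never delayed."""
    accepted: List[str] = []
    held: Dict[str, List[str]] = {}
    rejected: Dict[str, List[str]] = {}
    for txn in txns:
        txn_id = txn.get("txn_id") or "<no id>"
        errors, warnings = edit_checks(txn, today)
        if errors:
            rejected[txn_id] = errors
        elif warnings and not txn.get("override_by"):
            held[txn_id] = warnings
        else:
            accepted.append(txn_id)
    return {"accepted": accepted, "held": held, "rejected": rejected}


def _txn(txn_id, vendor_id, gl, cc, amount, posted, **extra):
    return {"txn_id": txn_id, "vendor_id": vendor_id, "gl_account": gl, "cost_centre": cc,
            "amount": amount, "posting_date": posted, **extra}


TODAY = date(2024, 3, 15)   # constructed processing date
SAMPLE_TXNS = [             # constructed; vendor 79927398713 passes the check digit, ...710 does not
    _txn("T1", "79927398713", "5100", "CC20", "1200.00", "2024-03-10"),   # clean
    _txn("T2", "79927398710", "5100", "CC10", "500", "2024-03-10"),       # bad check digit
    _txn("T3", "79927398713", "4000", "CC20", "100", "2024-03-01"),       # account/cost centre mismatch
    _txn("T4", "79927398713", "6200", "CC20", "15000", "2024-03-14"),     # unreasonable, no override
    _txn("T5", "79927398713", "6200", "CC20", "15000", "2024-03-14", override_by="u303"),
    _txn("T6", "79927398713", "9999", "CC10", "30000", "2024-04-01"),     # three independent errors
    {"txn_id": "T7", "vendor_id": "79927398713", "gl_account": "5100",
     "cost_centre": "CC10", "posting_date": "2024-03-12"},                # amount missing
]
```

Two design points match the assurance steps: every check runs and all findings are reported together (T6 comes back with three messages rather than one per round trip), and a reasonableness breach is held for an override rather than rejected, so the override itself leaves a reviewable record in the entry.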
AC4 Processing Integrity and Validity

Control Objective
Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.

Value Drivers
• Processing errors detected in a timely manner
• Ability to investigate problems

Risk Drivers
• Insufficient evidence of errors or misuse
• Data entry errors undetected
• Unauthorised data processing

Test the Control Design
• Enquire whether and confirm that transaction processing takes place only after appropriate authorisation is given.
• Review the documentation of the tools and applications to verify they are applicable and suitable for the task. Where appropriate for critical transactions, review the code to confirm that controls in the tools and applications operate as designed. Reprocess a representative sample to verify that automated tools operate as intended.
• Obtain functional description and design information on data input controls. Inspect the functionality and design for the presence of sequence and duplication checks, referential integrity checks, and control and hash totals. With searching tools, identify cases where errors were identified erroneously and cases where errors were not detected.
• Inspect the functional description and design information on transaction data entry to verify whether transactions failing edit and validation routines are posted to suspense files. Verify whether suspense files are correctly and consistently produced and that users are informed of transactions posted to suspense accounts. Verify that processing of transactions is not delayed by data entry or transaction authorisation errors. Use automated evidence collection, including sample data, base cases (prepared transactions with an expected outcome), embedded audit modules or CAATs, to trace transactions to verify that transactions are processed effectively, valid transactions are processed without interruption from invalid transactions and erroneous transactions are reported.
• Analyse a representative sample of error transactions on suspense accounts and files, and verify that transactions failing validation routines are checked until remediation. Verify whether suspense accounts and files for transactions failing validation routines contain only recent errors, confirming that older ones have been appropriately remediated.
• Enquire whether and confirm that job sequence is indicated to IT operations. Enquire whether and confirm that jobs provide adequate instructions to the job scheduling system so data are not inappropriately added, changed or lost during processing. Inspect source documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that production job scheduling software is used effectively so that jobs run in the correct sequence and provide adequate instructions to the systems.
• Enquire whether and confirm that every transaction is assigned a unique and sequential number or identifier (e.g., index, date, time). Inspect documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that there are no duplicates for transactions that require unique IDs and no gaps in transactions that need to be sequentially numbered.
• Enquire whether and confirm that the audit trail of transactions processed is maintained. Inspect the audit trail and other documents to verify that the audit trail is designed effectively. Use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that the audit trail is maintained effectively. Verify that before and after images are maintained and periodically reviewed by appropriate personnel.
• Enquire whether and confirm that the transaction audit trail is maintained and periodically reviewed for unusual activity. Verify that the review is done by a supervisor who does not perform data entry. Inspect the audit trail, transactions (or batches), reviews and other documents; trace transactions through the process; and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to verify that periodic review and maintenance of the audit trail effectively detects unusual activity and that supervisor reviews are effective in verifying the validity of adjustments, overrides and high-value transactions in a timely manner.
• Enquire whether and confirm that appropriate tools are used and maintenance of thresholds complies with the security requirements. Enquire whether and confirm that a supervisor periodically reviews system output and thresholds. Use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that the tools work as designed.
• Enquire whether and confirm that utilities are used, where possible, to automatically maintain the integrity of data during unexpected interruptions in data processing. Inspect the audit trail and other documents, plans, policies and procedures to verify that system capabilities are effectively designed to automatically maintain data integrity. Review the records of actual interruptions involving data integrity issues and verify that appropriate tools were used effectively.
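The AC4 design tests above call for sequence and duplication checks, control and hash totals, unique sequential transaction identifiers with no gaps or duplicates, and suspense files that divert erroneous transactions without interrupting valid ones; the AC2 outcome test earlier asks for the same gap and duplicate review with CAATs. The following added example, not code from the guide or from ITGI, runs those checks over a constructed batch of prenumbered source documents against the originating department's control slip. The batch, the control slip and the choice of the document number as the hash-total field are assumptions of the example.

```python
"""Batch processing-integrity checks over prenumbered transactions (AC4).

Added example, not from the guide. The batch header, the transactions and the
choice of document number as the hash-total field are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    seq: int          # prenumbered sequence, expected unique and contiguous within the batch
    doc_no: str       # source document number
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    """Control slip prepared by the originating department before data entry."""
    item_count: int
    total_amount: Decimal   # financial control total
    hash_total: int         # sum of document numbers: meaningless as a figure, useful as a check


def sequence_exceptions(txns: List[Txn]) -> Tuple[List[int], List[int], List[int]]:
    """Duplicates, gaps and out-of-order entries among the sequence numbers."""
    seqs = [t.seq for t in txns]
    if not seqs:
        return [], [], []
    counts = Counter(seqs)
    duplicates = sorted(s for s, c in counts.items() if c > 1)
    gaps = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))
    out_of_order = [seqs[i] for i in range(1, len(seqs)) if seqs[i] < seqs[i - 1]]
    return duplicates, gaps, out_of_order


def control_total_exceptions(header: BatchHeader, txns: List[Txn]) -> List[str]:
    """Compare what was keyed against the originator's control slip."""
    findings: List[str] = []
    if len(txns) != header.item_count:
        findings.append(f"item count keyed {len(txns)} vs control slip {header.item_count}")
    total = sum((t.amount for t in txns), Decimal("0"))
    if total != header.total_amount:
        findings.append(f"total amount keyed {total} vs control slip {header.total_amount}")
    hash_total = sum(int(t.doc_no) for t in txns if t.doc_no.isdigit())
    if hash_total != header.hash_total:
        findings.append(f"hash total keyed {hash_total} vs control slip {header.hash_total}")
    return findings


def process_batch(header: BatchHeader, txns: List[Txn]) -> Dict[str, object]:
    """Post clean items and divert exceptions to suspense; one bad item never halts the batch."""
    _, gaps, out_of_order = sequence_exceptions(txns)
    posted: List[int] = []
    suspense: List[Tuple[int, List[str]]] = []
    seen = set()
    for t in txns:
        reasons = []
        if t.seq in seen:
            reasons.append(f"duplicate of sequence {t.seq} already posted")
        seen.add(t.seq)
        if not t.doc_no.isdigit():
            reasons.append("document number not numeric")
        if t.amount <= 0:
            reasons.append("non-positive amount")
        if reasons:
            suspense.append((t.seq, reasons))
        else:
            posted.append(t.seq)
    return {
        "posted": posted,
        "suspense": suspense,                    # followed up until remediated
        "gaps": gaps,                            # voided documents to be accounted for
        "out_of_order": out_of_order,
        "control_totals": control_total_exceptions(header, txns),
    }


# Constructed batch: the control slip lists 7 documents; one was keyed twice and 104 is void.
HEADER = BatchHeader(item_count=7, total_amount=Decimal("800.00"), hash_total=35032)
BATCH = [
    Txn(101, "5001", Decimal("100.00")),
    Txn(102, "5002", Decimal("250.00")),
    Txn(105, "5005", Decimal("120.00")),
    Txn(103, "5003", Decimal("75.50")),    # keyed out of order
    Txn(106, "5006", Decimal("200.00")),
    Txn(106, "5006", Decimal("200.00")),   # re-keyed duplicate
    Txn(107, "5007", Decimal("54.50")),
    Txn(108, "5008", Decimal("0.00")),     # zero amount
]

if __name__ == "__main__":
    for key, value in process_batch(HEADER, BATCH).items():
        print(key, value)
```

Note how the three control totals each catch the re-keyed duplicate independently: the item count is one too high, the amount total is 200.00 over, and the hash total is 5006 over. A gap (104 here) is reported rather than treated as an error, because a voided prenumbered document is legitimate only if someone can produce it; that is the follow-up the assurance step asks for.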
Testing the Control Design (cont.)
Test the Outcome of the Control Objective
• For a sample application, enquire whether and confirm that segregation of duties is in place. Verify whether segregation of duties is implemented for entry, modification and approval of transaction data as well as for validation rules.
• For a sample of critical transaction processes, test whether access controls prevent unauthorised data entry. With searching tools, identify cases where unauthorised personnel are able to input or modify data.
• For a sample of transaction systems, verify whether suspense accounts and suspense files for transactions failing edit and validation routines contain only recent errors. Confirm that older failing transactions have been appropriately remediated.
• For a sample of transactions, verify that data entry is not delayed by invalid transactions.
• For highly critical transactions, set up a test system that operates like the live system. Enter different types of errors.
• Verify whether error detection and reporting are timely and complete and if they provide sufficient information to correct the transaction.
• For highly critical transactions, set up a test system that operates like the live system. Process transactions in the test system to ensure that valid transactions are processed appropriately and in a timely fashion.
• Ensure that errors are reported appropriately and in a timely fashion.
• Inspect error messages upon data entry or online processing.
• Ensure that error messages are appropriate for the transaction flow. Examples of appropriate attributes of messages include understandability, immediacy and visibility.
• Determine whether transactions failing edit and validation routines are posted to suspense files.
• Verify whether suspense files are correctly and consistently produced.
• Verify whether the user is informed of transactions posted to suspense accounts.
• Take a sample of data input transactions. Use appropriate automated analysis and search tools to identify cases where errors were identified erroneously and cases where errors were not detected.
• Use automated evidence collection, including sample data, embedded audit modules or CAATS, to verify that valid transactions are processed without interruption. Inspect whether and confirm that invalid transactions are reported in a timely manner.
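The outcome tests above ask the assurance professional to reperform validation over a sample of input transactions, to find cases where errors were flagged wrongly or missed, to confirm that valid transactions are not held up, and to check that suspense files hold only recent errors. The following is an added example of such a CAAT-style check, written for this page and not taken from the guide; the CSV extracts, field names, edit rules (8-digit account, positive decimal amount) and the 30-day suspense age threshold are all constructed assumptions.

```python
"""Added example (not from the guide): CAAT-style reperformance checks for AC4.

It re-validates a constructed transaction log independently of the system's
own edit routine, flags mismatches in both directions, checks that valid
transactions were not held up, and ages the items in a constructed suspense
file. File contents, field names, rules and thresholds are assumptions.
"""
import csv
import io
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed processing log: the system's own verdict (system_valid) and
# whether the transaction actually reached the ledger (processed).
PROCESSING_LOG = """\
txn_id,account,amount,system_valid,processed
T2001,12345678,100.00,Y,Y
T2002,12345678,-5.00,Y,Y
T1001,ABC,20.00,N,N
T1003,87654321,50.00,N,N
T2003,11112222,75.00,Y,N
"""

# Constructed suspense file of transactions that failed edit/validation.
SUSPENSE_FILE = """\
txn_id,posted,error,status
T1001,2007-03-01,INVALID_ACCOUNT,open
T1003,2007-03-10,AMOUNT_FORMAT,open
T0950,2007-01-15,DUPLICATE,open
T0900,2006-12-20,INVALID_ACCOUNT,remediated
"""


def parse_records(text):
    """Parse an embedded CSV extract into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def independent_validation(rec):
    """Reperform the edit rules independently of the application.

    Assumed rules for the example: the account is 8 digits and the amount
    is a positive decimal. Returns (passes, error_code).
    """
    if not (rec["account"].isdigit() and len(rec["account"]) == 8):
        return False, "INVALID_ACCOUNT"
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return False, "AMOUNT_FORMAT"
    if amount <= 0:
        return False, "AMOUNT_NOT_POSITIVE"
    return True, ""


def classify_detection(log_text):
    """Compare the system's verdict with the reperformed one.

    false_positives:     system rejected a transaction that passes reperformance
    false_negatives:     system accepted a transaction that fails reperformance
    valid_not_processed: accepted by both, yet never processed (valid flow disrupted)
    """
    result = {"false_positives": [], "false_negatives": [], "valid_not_processed": []}
    for rec in parse_records(log_text):
        system_ok = rec["system_valid"] == "Y"
        reperf_ok, _ = independent_validation(rec)
        if system_ok and not reperf_ok:
            result["false_negatives"].append(rec["txn_id"])
        elif reperf_ok and not system_ok:
            result["false_positives"].append(rec["txn_id"])
        elif system_ok and reperf_ok and rec["processed"] != "Y":
            result["valid_not_processed"].append(rec["txn_id"])
    return result


def stale_suspense_items(suspense_text, as_of, max_age_days=30):
    """Open suspense items older than max_age_days, as (txn_id, age_in_days).

    The guide expects suspense files to hold only recent errors, with older
    failing transactions remediated; as_of is an ISO date string.
    """
    cutoff = date.fromisoformat(as_of)
    stale = []
    for rec in parse_records(suspense_text):
        if rec["status"] != "open":
            continue
        age = (cutoff - date.fromisoformat(rec["posted"])).days
        if age > max_age_days:
            stale.append((rec["txn_id"], age))
    return stale


if __name__ == "__main__":
    print(classify_detection(PROCESSING_LOG))
    print(stale_suspense_items(SUSPENSE_FILE, "2007-03-15"))
```

On the constructed data the check reports one transaction the system accepted but should have rejected (negative amount), one it rejected although it is valid, one valid transaction that never reached the ledger, and one open suspense item well past the age threshold. In practice the independent rules are taken from the application's documented edit specification, so that a mismatch points at the application rather than at the test.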
AC4 Processing Integrity and Validity (cont.)
• Enquire whether and confirm that adjustments, overrides and high-value transactions are promptly reviewed in detail for appropriateness by a supervisor who does not perform data entry. Inspect the audit trail, other documents, plans, policies and procedures to verify that adjustments, overrides and high-value transactions are designed effectively to be promptly reviewed in detail. Inspect the audit trail, transactions (or batches), reviews and other documents; trace transactions through the process; and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATS, to verify that supervisor reviews are effective to ensure the validity of adjustments, overrides and high-value transactions in a timely manner.
• Enquire whether and confirm that reconciliation of file totals is performed on a routine basis and that out-of-balance conditions are reported. Inspect reconciliations and other documents and trace transactions through the process to verify that reconciliations effectively determine whether file totals match or the out-of-balance condition is reported to the appropriate personnel.
IT ASSURANCE GUIDE: USING COBIT
Test the Control Design
• Review design criteria and confirm that they require the use of integrity-based control processes, such as the use of control totals in header and/or trailer records and the balancing of output back to control totals produced by the system.
• Enquire whether and confirm that detected out-of-balance conditions are reported, reports have been designed into the system and procedures have been developed to ensure that reports are provided to the appropriate level of management.
• Enquire whether and confirm that procedures require that out-of-balance conditions and other abnormalities require prompt investigation and reporting.
• Review the documentation and ensure that procedures specify that periodic inventories be taken of key sensitive documents and differences be investigated.
• Enquire whether and confirm that procedures have been designed to ensure that the completeness and accuracy of application output are validated prior to the output being used for subsequent processing, including use in end-user processing.
• Enquire whether and confirm that procedures have been developed to ensure that output is reviewed for reasonableness, accuracy or other criteria established by the process owner prior to use.
• Assess whether procedures have been defined that require the logging of potential errors and their resolution prior to distribution of the reports.
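The design criteria above call for control totals in header and/or trailer records and for output to be balanced back to those totals, with out-of-balance conditions reported. As an added example (written for this page, not code from the guide or from any product), the following recomputes the record count and hash total from a batch file's detail records and compares them with both control records. The pipe-delimited record layout and the batch contents are constructed assumptions; real file layouts differ.

```python
"""Added example, not from the guide: balancing a batch output file back to the
control totals carried in its header and trailer records (AC5).

Assumed record layout (constructed for the example): pipe-delimited lines,
'H|batch_id|record_count|hash_total' header, 'D|account|amount' details and a
'T|batch_id|record_count|hash_total' trailer.
"""
from decimal import Decimal

# Constructed batch whose details agree with its control records.
BALANCED_BATCH = """\
H|BATCH-0421|3|450.75
D|ACC001|100.25
D|ACC002|200.50
D|ACC003|150.00
T|BATCH-0421|3|450.75
"""

# Constructed batch that lost a detail record between producer and consumer:
# the counts and totals in the control records no longer match the details.
TRUNCATED_BATCH = """\
H|BATCH-0422|3|450.75
D|ACC001|100.25
D|ACC002|200.50
T|BATCH-0422|3|450.75
"""


def parse_batch(text):
    """Split the file into its header, detail records and trailer."""
    header = trailer = None
    details = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        kind = fields[0]
        if kind == "H":
            header = {"batch_id": fields[1], "count": int(fields[2]),
                      "total": Decimal(fields[3])}
        elif kind == "T":
            trailer = {"batch_id": fields[1], "count": int(fields[2]),
                       "total": Decimal(fields[3])}
        elif kind == "D":
            details.append({"account": fields[1], "amount": Decimal(fields[2])})
        else:
            raise ValueError(f"unknown record type {kind!r}")
    if header is None or trailer is None:
        raise ValueError("batch is missing its header or trailer record")
    return header, details, trailer


def balance_output(text):
    """Recompute record count and hash total from the detail records and compare
    them with both control records. Returns (in_balance, findings)."""
    header, details, trailer = parse_batch(text)
    count = len(details)
    total = sum((d["amount"] for d in details), Decimal("0"))
    findings = []
    for label, ctl in (("header", header), ("trailer", trailer)):
        if ctl["count"] != count:
            findings.append(f"{label} record count {ctl['count']} != computed {count}")
        if ctl["total"] != total:
            findings.append(f"{label} hash total {ctl['total']} != computed {total}")
    if header["batch_id"] != trailer["batch_id"]:
        findings.append("header and trailer batch ids differ")
    return not findings, findings


def out_of_balance_report(batches):
    """The report a reviewer expects to see escalated: one entry per batch that
    fails to balance, with its findings attached."""
    report = []
    for name, text in batches.items():
        ok, findings = balance_output(text)
        if not ok:
            report.append({"batch": name, "findings": findings})
    return report


if __name__ == "__main__":
    print(balance_output(BALANCED_BATCH))
    print(out_of_balance_report({"0421": BALANCED_BATCH, "0422": TRUNCATED_BATCH}))
```

Decimal arithmetic is used deliberately: a hash total computed in binary floating point can differ from the producer's total by rounding alone and would raise spurious out-of-balance conditions. When this check is run as a CAAT, the report entries are what should be traced to the escalation evidence required by the second and third design criteria.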
Test the Outcome of the Control Objective
• Enquire whether and confirm that control totals are properly implemented in header and/or trailer records of output to balance back to control totals produced by the system.
• Enquire whether and confirm that detected out-of-balance conditions are reported to the appropriate level of management. Inspect out-of-balance reports. Where possible, use automated evidence collection to look for control total errors and verify that they were acted upon correctly and in a timely manner.
• Enquire whether and confirm that physical inventories of sensitive outputs are taken at appropriate intervals. Ensure that they are compared to inventory records and that any differences are acted upon. Confirm that audit trails are created to account for all exceptions and rejections of sensitive output documents. Inspect a representative sample of audit trails using automated evidence collection, if possible, to identify exceptions and verify whether they have been detected and action has been taken. Take a physical inventory sample, and compare it to the associated audit trails to verify that detection operates effectively.
• Obtain a list of all electronic outputs that are reused in end-user applications. Verify that the electronic output is tested for completeness and accuracy before the output is reused and reprocessed. Select a representative sample of electronic output, and trace selected documents through the process to ensure that completeness and accuracy are verified before other operations are performed. Reperform completeness and accuracy tests to validate that they are effective.
• Enquire whether and confirm that output is reviewed for reasonableness and accuracy. Select a representative sample of output reports and test the reasonableness and accuracy of the output. Verify that potential errors are reported and centrally logged. Select a sample of representative transactions and verify that errors are identified and addressed in a timely manner. Inspect error logs to verify that errors are effectively addressed in a timely manner.
• Enquire whether and confirm that sensitive information is defined, agreed upon by the process owner and treated appropriately. This may include labelling sensitive application output and, where required, sending sensitive output to special access-controlled output devices. For a sample of sensitive data, search output files and confirm that they are properly labelled. Review the distribution methods of sensitive information and the access control mechanisms of sensitive output devices. Verify that the mechanisms correctly enforce pre-established access rights.
AC5 Output Review, Reconciliation and Error Handling
Control Objective
Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that information provided in the output is used.
Value Drivers
• Sensitive data output protected
• Complete and error-free processing results delivered to the right recipient
• Errors detected in a timely manner
Risk Drivers
• Sensitive transaction data delivered to wrong recipient
• Compromised data confidentiality
• Inefficient transaction processing
• Transaction data output errors undetected
Test the Control Design
• Enquire whether and confirm that a process has been designed to ensure that, for critical transactions, appropriate agreements have been made with counterparties that include communication and transaction presentation standards, responsibilities, authentication and security requirements.
• Enquire whether and confirm that systems are designed to incorporate appropriate mechanisms for integrity, authenticity and non-repudiation, such as adoption of a secure standard or one that is independently verified.
• Enquire whether and confirm that systems are designed to incorporate industry standard output tagging to identify authenticated information.
• Inspect manuals and documentation for critical applications to confirm that design specifications require that input be appropriately verified for authenticity.
• Enquire whether and confirm that systems are designed to identify transactions received from other processing applications, and analyse that information to determine authenticity of origin of the information and whether integrity of content was maintained during transmission.
• Obtain and inspect agreements made with counterparties for critical transactions, and ensure that the agreements specify requirements for communication and transaction presentation standards, responsibilities, authentication and security requirements.
• Select a sample of counterparty agreements for critical transactions and verify that they are complete.
• Select a sample of authentication failures to verify that the counterparty agreements operate effectively.
• Review documentation and perform a walk-through to identify applications that are critical for transaction authenticity, integrity and non-repudiation. For these applications, enquire whether and confirm that an appropriate mechanism for integrity, authenticity and non-repudiation is adopted (i.e., a secure standard or one that is independently verified).
• Inspect application manuals and documentation for critical applications to confirm that specifications and the design state that output is appropriately tagged with authentication information.
• Perform a walk-through of the code of a sample of applications to confirm that this specification and design are applied. Verify that these specifications have been tested with good result.
• Select a representative sample of transactions, and verify that authenticity and integrity information is correctly carried forward throughout the processing cycle.
• Review error logs for transactions that failed authentication, and verify the cause.
Test the Outcome of the Control Objective
• Perform a walk-through of the code of a sample of applications to confirm that specifications for authenticity have been applied. Verify that these specifications have been tested with good result.
• Review error logs for transactions that failed authentication, and verify the cause.
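The design and outcome tests for this objective look for output tagged with authentication information, for receiving applications that check addressing, authenticity of origin and integrity of content, for that information being carried forward, and for error logs that record the cause of each authentication failure. As an added example serving both the design and the outcome tests above (written for this page, not code from the guide or from any standard), the following shows one concrete form such a mechanism can take: an HMAC-SHA256 tag over the canonical form of each transaction, verified by the receiver. The counterparty keys, the receiver name "LEDGER", the message fields and the sample batch are all constructed assumptions.

```python
"""Added example, not from the guide: tagging transactions with authentication
information before they pass between applications, and verifying addressing,
origin and content integrity on receipt (AC6).

Assumptions for the example: an HMAC-SHA256 tag over origin, sequence number
and the canonical JSON of the payload; one shared key per sending application;
the receiving application is called "LEDGER". Keys and data are constructed.
"""
import hashlib
import hmac
import json

# Constructed shared keys, one per sending application. In practice these are
# held in a key store and agreed under the counterparty agreement, never in code.
COUNTERPARTY_KEYS = {
    "PAYROLL": b"payroll-demo-key-0001",
    "BILLING": b"billing-demo-key-0002",
}
RECEIVER = "LEDGER"


def _canonical(origin, seq, payload):
    """Bytes the tag covers: origin, sequence and the payload in canonical JSON,
    so sender and receiver serialise identically."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{origin}|{seq}|{body}".encode()


def tag_transaction(origin, seq, payload):
    """Sender side: attach origin, sequence and the HMAC tag to the payload."""
    tag = hmac.new(COUNTERPARTY_KEYS[origin], _canonical(origin, seq, payload),
                   hashlib.sha256).hexdigest()
    return {"origin": origin, "seq": seq, "payload": payload, "tag": tag}


def verify_transaction(txn):
    """Receiver side: check addressing, authenticity of origin and integrity of
    content. Returns (accepted, cause) so that failures are logged with a cause."""
    origin = txn.get("origin")
    key = COUNTERPARTY_KEYS.get(origin)
    if key is None:
        return False, "UNKNOWN_ORIGIN"
    if txn.get("payload", {}).get("dest") != RECEIVER:
        return False, "MISADDRESSED"
    expected = hmac.new(key, _canonical(origin, txn.get("seq"), txn["payload"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(expected, str(txn.get("tag", ""))):
        return False, "TAG_MISMATCH"
    return True, ""


def process_inbound(txns):
    """Accept verified transactions, carrying origin, sequence and tag forward
    with the record, and write an error log entry with the cause for each
    transaction that fails authentication."""
    accepted, error_log = [], []
    for txn in txns:
        ok, cause = verify_transaction(txn)
        if ok:
            accepted.append({"origin": txn["origin"], "seq": txn["seq"],
                             "tag": txn["tag"], **txn["payload"]})
        else:
            error_log.append({"origin": txn.get("origin"), "seq": txn.get("seq"),
                              "cause": cause})
    return accepted, error_log


def demo_batch():
    """Constructed inbound batch: one good transaction, one altered after
    tagging, one addressed to another application, one from an unknown origin."""
    good = tag_transaction("PAYROLL", 1, {"dest": "LEDGER", "amount": "100.00"})
    tampered = tag_transaction("PAYROLL", 2, {"dest": "LEDGER", "amount": "100.00"})
    tampered["payload"]["amount"] = "1000.00"  # content changed in transit
    misaddressed = tag_transaction("BILLING", 7, {"dest": "HR", "amount": "5.00"})
    unknown = {"origin": "ROGUE", "seq": 1, "payload": {"dest": "LEDGER"}, "tag": "00"}
    return [good, tampered, misaddressed, unknown]


if __name__ == "__main__":
    acc, errs = process_inbound(demo_batch())
    print(len(acc), "accepted;", errs)
```

Two points a reviewer should keep in mind when walking through code like this. A shared-key MAC gives authenticity of origin and integrity of content, but not non-repudiation: either holder of the key could have produced the tag, so where the objective requires non-repudiation the mechanism has to be a digital signature under a recognised standard, as the design test's "secure standard or one that is independently verified" wording anticipates. And the error log entries carry a cause for the same reason the outcome test asks for it: a run of MISADDRESSED entries from one origin points at a configuration fault, whereas TAG_MISMATCH entries point at content altered, or a key out of step, between the applications.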
AC6 Transaction Authentication and Integrity
Control Objective
Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
Value Drivers
• Straight-through processing
• Confidence in validity and authenticity of transactions
• Errors and misuse prevented
Risk Drivers
• Erroneous and/or unauthorised transactions
• Transaction errors undetected
• Inefficiencies and rework
APPENDIX VII—MATURITY MODEL FOR INTERNAL CONTROL
This appendix provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimised level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Maturity Level 0: Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organisation’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1: Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganised, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2: Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritised or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3: Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4: Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organised occasionally.

Maturity Level 5: Optimised
Status of the Internal Control Environment: An enterprisewide risk and control programme provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organisation benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.
APPENDIX VIII—IT SCOPING
1. Define the Initiative.
Define the purpose of the initiative, the business objective and the expected value to be returned. Document the enterprise areas addressed and impacted. List the success factors, compliance requirements, potential risks and project closure criteria. Establish how changes to these project drivers and outcomes will be handled.
Step 1.1 Define objectives.
Identify the primary objectives and goals of the initiative. Develop the value proposition and indicate how the objectives support and enhance the goals of the enterprise.
Activities:
• Identify reasons and objectives for undertaking the project and review with management.
• Research and document key issues and concerns.
• Learn from similar projects that have been undertaken.
• Identify and obtain relevant documents.
• Identify the expected outcome and deliverables of the initiative (high level).
• Identify the competitive landscape.
Deliverables:
• Documented business values
• Documented objectives of the IT initiative
• Documented expected outcomes

Step 1.2 Define boundaries.
Define the IT project and its boundaries, what is included and what is excluded. Identify the organisational units, business activities and processes that are included, and those that are excluded from the project scope.
Activities:
• Identify key activities, business units, organisational entities, operations, etc., to be included within the scope of the project.
• Identify and document items that are normally within the scope of such projects but that are to be excluded.
• Identify any scope issues, such as partially owned entities, foreign jurisdictions or exclusions.
• Ensure that the scope is sufficient to ensure that the results obtained will meet the objectives and expected deliverables.
• Establish liaison with affected entities to ensure co-ordination.
Deliverables:
• Documented scope of the IT initiative
• Documented scope of boundary issues and their treatment
• Communication of the boundaries with key stakeholders

Step 1.3 Define standards.
Identify standards, reference frameworks, policies and/or contracts with which the initiative needs to comply. Standards may include industry requirements, regulatory standards and entity policies. Identify key indicators for measuring, and establish success factors for achieving compliance.
Activities:
• Identify contractual, legislative, regulatory, industry or other standards to which the entity and the project must comply.
• Identify any standards or frameworks that the project/initiative should consider.
• Document success factors to enable, and key metrics to evidence, compliance with standards.
Deliverables:
• Documented standards that will be used in undertaking the project
• Documented key success factors and metrics for use in assessing project results

Step 1.4 Define risks.
Identify and assess risks associated with the project, including business risks as well as project risks. The degree of risk assessment and mitigation depends on the project’s size, value delivered and impact.
Activities:
• Identify potential reasons for failure or delay of the initiative in meeting objectives.
• Identify important scenarios that may endanger the initiative’s objectives, as well as the negative impacts this initiative may have on other enterprise objectives.
• Identify the significance of risks and likelihood of occurrence.
• Create plans to manage and mitigate the risks.
Deliverables:
• Documented risk assessment of the IT initiative
• Risk mitigation plan (as needed) and estimated costs

Step 1.5 Define change process.
Identify internal and external factors that could cause changes to the project, and define how changes will be made to the project’s objectives, scope, risks and success factors.
Activities:
• Identify and analyse internal and external factors that could cause changes to the project.
• Define and document the process and procedures for authorising, accepting and communicating changes to the drivers and outcomes.
• Identify appropriate tools and techniques to manage the change process.
Deliverables:
• Change process description
• Change management guidance, including the use of tools and techniques
Step 1.6 Define success.
Identify the conditions that must exist for the project to be considered complete, including the specific activities, tasks and deliverables required to complete the project. Define the exit criteria of the initiative (i.e., the conditions that determine if the objectives have been achieved).
Activities:
• Identify post-project acceptance activities.
• Identify evidence required to indicate that the project deliverables have been provided and accepted by the project owner and by those taking responsibility for the ongoing activities the project may create.
Deliverables:
• Evidence (metrics, quality criteria, etc.) required to indicate that the project has been successfully completed
• Evidence that post-completion activities have been identified and provided to appropriate organisational units

Step 1.7 Define resources.
Identify the resources required to successfully complete the initiative, including people, technology, funding and skills.
Activities:
• Define the number and level (skills) of resources needed to achieve the objectives of the initiative.
• Assess the need for technology and equipment to support the initiative.
Deliverables:
• Resource model
• Resource cost plan

Step 1.8 Define deliverables.
Define the specific deliverables that are to be produced during the initiative.
Activities:
• Identify the external deliverables that will result from the initiative.
• Create an illustrative sample deliverable.
Deliverables:
• List of project deliverables
• Sample of selected deliverables
2. Plan the initiative.
Define the deliverables in detail. Based on that, identify the resources, support and accountabilities required to produce the deliverables. Obtain approval, set priorities within the initiative, activate resources and develop a communication plan so that the initiative can be stage-gated.
Step 2.1 Obtain executive support.
Identify and appoint the appropriate project sponsor for the initiative.
Activities:
• Determine the suitability of potential sponsors.
• Assess the availability of potential sponsors to fulfil the requirements.
• Develop executive presentation material based on project objectives and benefits.
Deliverables:
• Initiative sponsor/owner
• Completed project documentation and charter

Step 2.2 Finalise resource requirements.
Acquire the necessary funding and resources as defined in the resource model.
Activities:
• Review the expected resource model and cost plan.
• Prepare a detailed acquisition timeline.
• Prepare a detailed calendar-based project budget, including resource consumption/use and funding requirements.
Deliverables:
• Updated resource model
• Detailed resource acquisition timeline
• Detailed project budget

Step 2.3 Define organisation for the initiative.
Define and implement the organisational structure required to make the initiative successful. This will include leadership, staffing, key sponsor, etc., and may include a project management office.
Activities:
• Document roles and responsibilities.
• Define leadership expectations.
• Create and establish the organisation structure.
• Initially populate the organisation with key personnel.
• Create position descriptions, roles and responsibilities.
Deliverables:
• Organisation model
• Reporting authority
• Roles and responsibilities

Step 2.4 Define timeline.
Define the specific timeline for the initiative to be completed to meet stated goals and objectives given the expected resources and deliverables defined for the initiative. Include key milestones and identify the critical path.
Activities:
• Review goals and objectives and the expected resource model.
• Based on the review, define key milestones for deliverables and major initiative checkpoints with project sponsors.
• Prepare a high-level timing diagram, and identify potential critical path and dependent activities.
• Prepare Gantt charts for each major phase of the subproject, including critical and slack path analysis, skill requirements, and resource plans.
• Ensure that timing will meet critical external reporting, financing and other deadlines within the business cycle.
• Define ongoing status reporting within the project and to key external stakeholders and affected staff members.
Deliverables:
• Documented timelines integrated with the resource planning information
• Project timeline document indicating:
  - Activities and tasks
  - Activity dependence
  - Major milestone dates
  - Major project checkpoints
  - Key deliverable dates
  - Status and reporting dates
  - Business activities and other key dates
• Defined communications documents
Step 2.5 Define approach and methodology.
Determine the methodologies to be used and develop detailed plans, complete with phases, subphases, activities and tasks, to enable the project to successfully meet its objectives.
Activities:
• Develop project phases and subphases, each with objectives, activities and deliverables.
• Determine the approach and methodologies to be used and the information to be obtained.
• Develop detailed work plans for each phase, subphase and activity.
Deliverables:
• Detailed project plan

Step 2.6 Create communication plan.
Design a plan to communicate information about the initiative, manage expectations and support the objectives of the initiative throughout its life cycle. Consider the key milestones and different audiences.
Activities:
• Communicate project status, resource plan and costs (as appropriate).
• Communicate the status of the risk management plan.
• Communicate changes in project goals and objectives.
• Communicate project progress.
Deliverables:
• Documented communication plan, including time line and key milestones
APPENDIX IX—COBIT AND RELATED PRODUCTS
The COBIT framework, in versions 4.0 and higher, includes all of the following:
• Framework—Explains how COBIT organises IT governance management and control objectives and good practices by IT domains and processes, and links them to business requirements
• Process descriptions—Include 34 IT processes covering the IT responsibility areas from beginning to end
• Control objectives—Provide generic best practice management objectives for IT processes
• Management guidelines—Offer tools to help assign responsibility and measure performance
• Maturity models—Provide profiles of IT processes describing possible current and future states
In the years since its inception, COBIT’s core content has continued to evolve, and the number of COBIT-based derivative works has increased. Following are the publications currently derived from COBIT:
• Board Briefing on IT Governance, 2nd Edition—Designed to help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it
• COBIT Online—Allows users to customise a version of COBIT for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys, frequently asked questions, benchmarking and a discussion facility for sharing experiences and questions.
• COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition—Provides guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to implement the objective. Control practices are strongly recommended for use with IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition.
• IT Assurance Guide: Using COBIT®—Provides guidance on how COBIT can be used to support a variety of assurance activities and offers suggested testing steps for all the COBIT IT processes and control objectives. It replaces the information in Audit Guidelines for auditing and self-assessment against the control objectives in COBIT 4.1.
• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition—Provides guidance on how to assure compliance for the IT environment based on the COBIT control objectives
• IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition—Provides a generic road map for implementing IT governance using COBIT and Val IT resources and a supporting tool kit
• COBIT Quickstart—Provides a baseline of control for the smaller organisation and a possible first step for the larger enterprise. The second edition is in development at the time of this writing.
• COBIT Security Baseline, 2nd Edition—Focuses on essential steps for implementing information security within the enterprise. The second edition is in final development at the time of this writing.
• COBIT Mappings—Currently posted at www.isaca.org/downloads:
  – Aligning COBIT, ITIL and ISO 17799 for Business Benefit
  – COBIT Mapping: Overview of International IT Guidance, 2nd Edition
  – COBIT Mapping: Mapping of CMMI® for Development V1.2 With COBIT 4.0
  – COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, 2nd Edition
  – COBIT Mapping: Mapping of ISO/IEC 17799:2005 With COBIT 4.0
  – COBIT Mapping: Mapping of ITIL With COBIT 4.0
  – COBIT Mapping: Mapping of PMBOK With COBIT 4.0
  – COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0
  – COBIT Mapping: Mapping of SEI’s CMM for Software With COBIT 4.0
• Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition—Presents information security in business terms and contains tools and techniques to help uncover security-related problems
Val IT is the umbrella term used to describe the publications and future additional products and activities addressing the Val IT framework.
Current Val IT-related publications are:
• Enterprise Value: Governance of IT Investments—The Val IT Framework, which explains how an enterprise can extract optimal value from IT-enabled investments and is based on the COBIT framework. It is organised into:
  – Three processes—Value Governance, Portfolio Management and Investment Management
  – IT key management practices—Essential management practices that positively influence the achievement of the desired result or purpose of a particular activity. They support the Val IT processes and play roughly the same role as do COBIT’s control objectives.
• Enterprise Value: Governance of IT Investments—The Business Case, which focuses on one key element of the investment management process
• Enterprise Value: Governance of IT Investments—The ING Case Study, which describes how a global financial services company manages a portfolio of IT investments in the context of the Val IT framework
For the most complete and up-to-date information on COBIT, Val IT and related products, case studies, training opportunities, newsletters and other framework-specific information, visit www.isaca.org/cobit and www.isaca.org/valit.