USING COBIT - csbweb01.uncw.edu


Need for IT Governance and Assurance

The COBIT® Framework

IT Assurance Approaches

How COBIT Supports IT Assurance Activities

USING COBIT®


The IT Governance Institute®

The IT Governance Institute (ITGI™) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research, electronic resources and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclaimer
ITGI (the 'Owner') has designed and created this publication, titled IT Assurance Guide: Using COBIT® (the 'Work'), primarily as an educational resource for assurance professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, CIOs, senior management, IT management and control professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or IT environment.

Disclosure
© 2007 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI. Reproduction of selections of this publication, for internal and non-commercial or academic use only, is permitted and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.itgi.org

ISBN 1-933284-74-9
IT Assurance Guide: Using COBIT®

Printed in the United States of America

IT ASSURANCE GUIDE: USING COBIT

IT GOVERNANCE INSTITUTE


ACKNOWLEDGEMENTS

IT Governance Institute wishes to recognise:

Project Managers and Thought Leaders
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium

Workshop Participants and Expert Reviewers
Mark Adler, CISA, CISM, CIA, CISSP, Allstate Insurance Co., USA
Peter Andrews, CISA, CITP, MCMI, PJA Consulting, UK
Georges Ataya, CISA, CISM, CISSP, MSCS, PBA, Solvay Business School, Belgium
Gary Austin, CISA, CIA, CISSP, CGFM, KPMG LLP, USA
Gary S. Baker, CA, Deloitte & Touche, Canada
David H. Barnett, CISM, CISSP, Applera Corp., USA
Christine Bellino, CPA, CITP, Jefferson Wells, USA
John W. Beveridge, CISA, CISM, CFE, CGFM, CQA, Massachusetts Office of the State Auditor, USA
Alan Boardman, CISA, CISM, CA, CISSP, Fox IT, UK
David Bonewell, CISA, CISSP-ISSEP, Accomac Consulting LLC, USA
Dirk Bruyndonckx, CISA, CISM, KPMG Advisory, Belgium
Don Caniglia, CISA, CISM, USA
Luis A. Capua, CISM, Sindicatura General de la Nación, Argentina
Boyd Carter, PMP, Elegantsolutions.ca, Canada
Sean V. Casey, CISA, CPA, Ernst & Young LLP, USA
Sushil Chatterji, Edutech, Singapore
Edward Chavannes, CISA, CISSP, Ernst & Young LLP, USA
Christina Cheng, CISA, CISSP, SSCP, Deloitte & Touche LLP, USA
Dharmesh Choksey, CISA, CPA, CISSP, PMP, KPMG LLP, USA
Jeffrey D. Custer, CISA, CPA, CIA, Ernst & Young LLP, USA
Beverly G. Davis, CISA, Federal Home Loan Bank of San Francisco, USA
Peter De Bruyne, CISA, Banksys, Belgium
Steven De Haes, University of Antwerp Management School, Belgium
Philip De Picker, CISA, MCA, National Bank of Belgium, Belgium
Kimberly de Vries, CISA, PMP, Zurich Financial Services, USA
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA
Zama Dlamini, Deloitte & Touche, South Africa
Troy DuMoulin, Pink Elephant, Canada
Bill A. Durrand, CISA, CISM, CA, Ernst & Young LLP, Canada
Justus Ekeigwe, CISA, MBCS, Deloitte & Touche LLP, USA
Rafael Fabius, CISA, República AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Christopher Fox, ACA, USA
Bob Frelinger, CISA, Sun Microsystems Inc., USA
Zhiwei Fu, Ph.D., Fannie Mae, USA
Monique Garsoux, Dexia Bank, Belgium
Edson Gin, CISA, CFE, SSCP, USA
Sauvik Ghosh, CISA, CIA, CISSP, CPA, Ernst & Young LLP, USA
Guy Groner, CISA, CIA, CISSP, USA
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, KPMG, Austria
Benjamin K. Hsaio, CISA, Federal Deposit Insurance Corp., USA
Tom Hughes, Acumen Alliance, Australia
Monica Jain, CSQA, Covansys Corp., USA
Avinash W. Kadam, CISA, CISM, CBCP, CISSP, MIEL e-Security Pvt. Ltd., India
John A. Kay, CISA, USA
Lisa Kinyon, CISA, Countrywide, USA
Rodney Kocot, Systems Control and Security Inc., USA
Luc Kordel, CISA, CISM, CISSP, CIA, RE, RFA, Dexia Bank, Belgium
Linda Kostic, CISA, CPA, USA


John W. Lainhart IV, CISA, CISM, IBM, USA
Lynn Lawton, CISA, BA, FCA, FIIA, PII, KPMG LLP, UK
Philip Le Grand, Capita Education Services, UK
Elsa K. Lee, CISA, CISM, CSQA, AdvanSoft International Inc., USA
Kenny K. Lee, CISA, CISSP, Countrywide SMART Governance, USA
Debbie Lew, CISA, Ernst & Young LLP, USA
Bjarne Lonberg, CISSP, A.P. Moller-Maersk A/S, Denmark
Donald Lorete, CPA, Deloitte & Touche LLP, USA
Addie C.P. Lui, MCSA, MCSE, First Hawaiian Bank, USA
Charles Mansour, CISA, Charles Mansour Audit & Risk Service, UK
Mario Micallef, CPAA, FIA, National Australia Bank Group, Australia
Niels Thor Mikkelsen, CISA, CIA, Danske Bank, Denmark
John Mitchell, CISA, CFE, CITP, FBCS, FIIA, MIIA, QiCA, LHS Business Control, UK
Anita Montgomery, CISA, CIA, Countrywide, USA
Karl Muise, CISA, City National Bank, USA
Jay S. Munnelly, CISA, CIA, CGFM, Federal Deposit Insurance Corp., USA
Orillo Narduzzo, CISA, CISM, Banca Popolare di Vicenza, Italy
Sang Nguyen, CISA, CISSP, MCSE, Nova Southeastern University, USA
Anthony Noble, CISA, CCP, Viacom Inc., USA
Ed O'Donnell, Ph.D., CPA, University of Kansas, USA
Sue Owen, Department of Veterans Affairs, Australia
Robert G. Parker, CISA, CMC, FCA, Robert G. Parker Consulting, Canada
Bart Peeters, PricewaterhouseCoopers LLP, Belgium
Thomas Phelps IV, CISA, PricewaterhouseCoopers LLP, USA
Vitor Prisca, CISM, Novabase, Portugal
Claus Rosenquist, CISA, TrygVesata, Denmark
Jaco Sadie, Sasol, South Africa
Max Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Craig W. Silverthorne, CISA, CISM, CPA, IBM Business Consulting Services, USA
Chad Smith, Great-West Life, Canada
Gustavo A. Solis, CISA, CISM, Grupo Cynthus, Mexico
Roger Southgate, CISA, CISM, FCCA, CubeIT Management Ltd., UK
Paula Spinner, CSC, USA
Mark Stanley, CISA, Toyota Financial Services, USA
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Robert E. Stroud, CA Inc., USA
Scott L. Summers, Ph.D., Brigham Young University, USA
Lance M. Turcato, CISA, CISM, CPA, City of Phoenix IT Audit Division, USA
Ingvar Van Droogenbroeck, PricewaterhouseCoopers, Belgium
Wim Van Grembergen, Ph.D., University of Antwerp Management School, Belgium
Johan Van Grieken, CISA, Deloitte, Belgium
Greet Volders, Voquals NV, Belgium
Robert M. Walters, CISA, CPA, CGA, Office of the Comptroller General, Canada
Tom Wong, CISA, CIA, CMA, Ernst & Young LLP, Canada
Amanda Xu, CISA, PMP, KPMG LLP, USA

The following professors and students for their work on the COBIT 4.1 control practices and assurance test steps:
Scott L. Summers, Ph.D., Brigham Young University, USA
Keith Ballante, Brigham Young University, USA
David Butler, Brigham Young University, USA
Phil Harrison, Brigham Young University, USA
William Lancaster, Brigham Young University, USA
Chase Manderino, Brigham Young University, USA
Paul Schneider, Brigham Young University, USA
Jacob Sperry, Brigham Young University, USA
Brian Updike, Brigham Young University, USA


ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, International President
Georges Ataya, CISA, CISM, CISSP, Solvay Business School, Belgium, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Avinash Kadam, CISA, CISM, CISSP, CBCP, GSEC, GCIH, Miel e-Security Pvt. Ltd., India, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Frank Yam, CISA, FHKIoD, FHKCS, FFA, CIA, CFE, CCP, CFSA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee

IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Tally Solutions Limited, UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Rómulo Lomparte, CISA, Banco de Crédito BCP, Peru
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG LLP, Austria
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada

Assurance Committee
Lynn C. Lawton, CISA, BA, FCA, FIIA, PII, KPMG LLP, UK
Pippa G. Andrews, CISA, ACA, CIA, Amcor, Australia
John Warner Beveridge, CISA, CISM, CFE, CGFM, Office of the Massachusetts State Auditor, USA
Daniel Patrick Casciano, CISA, Ernst & Young LLP, USA
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA
Avinash W. Kadam, CISA, CISM, CBCP, CISSP, MIEL e-Security Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Gustavo A. Solis, Grupo Cynthus S.A. de C.V., Mexico
Paul A. Zonneveld, CISA, CA, Deloitte & Touche, Canada
Corresponding Member: Robert G. Parker, CISA, CA, CMC, FCA, Canada

COBIT Steering Committee
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Dan Casciano, CISA, Ernst & Young LLP, USA
Steven De Haes, University of Antwerp Management School, Belgium
Peter De Koninck, CISA, CFSA, CIA, SWIFT SC, Belgium
Rafael Fabius, CISA, República AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, KPMG LLP, Austria
Debbie Lew, CISA, Ernst & Young LLP, USA
Max Shanahan, FCPA, CISA, Max Shanahan & Associates, Australia
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Robert E. Stroud, CA Inc., USA

ITGI Advisory Panel
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Chair
Roland Bader, F. Hoffmann-La Roche AG, Switzerland
Linda Betz, IBM Corporation, USA
Jean-Pierre Corniou, Renault, France
Rob Clyde, CISM, Symantec, USA
Richard Granger, NHS Connecting for Health, UK
Howard Schmidt, CISM, R&H Security Consulting LLC, USA
Alex Siow Yuen Khong, StarHub Ltd., Singapore
Amit Yoran, Yoran Associates, USA


ITGI Affiliates and Sponsors
ISACA chapters
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance
FIDA Inform
Information Security Forum
The Information Systems Security Association (ISSA)
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants
ISACA
ITGI Japan
Solvay Business School
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
CA
Hewlett-Packard
IBM
ITpreneurs Nederlands BV
LogLogic Inc.
Phoenix Business and Systems Process Inc.
Project Rx Inc.
Symantec Corporation
Wolcott Group LLC
World Pass IT Solutions


TABLE OF CONTENTS

1. Introduction ......................................................................................................................................................9

Objectives of the Guide......................................................................................................................................9

Summary Overview of COBIT ...........................................................................................................................9

Target Audience................................................................................................................................................11

COBIT Guidance for IT Assurance Activities ..................................................................................................12

Components of IT Assurance Guide................................................................................................................12

Relationship With COBIT Control Practices....................................................................................................14

Document Road Map.......................................................................................................................................15

How to Use This Guide....................................................................................................................................15

2. IT Assurance Principles and Context ..........................................................................................................17

Introduction ......................................................................................................................................................17

Assurance Approach and Road Map ...............................................................................................................18

Relevant General Standards and Guidance .....................................................................................................22

Relevance for IT Assurance.............................................................................................................................23

3. Assurance Planning........................................................................................................................................25

Introduction ......................................................................................................................................................25

IT Assurance Universe .....................................................................................................................................25

Risk-based Assurance Planning.......................................................................................................................27

High-level Assessments ...................................................................................................................................29

Define the Scope and Objectives of the Assurance Initiative.........................................................................29

4. IT Resource and Control Scoping................................................................................................................31

Introduction ......................................................................................................................................................31

Steps in Scoping IT Resources and Control Objectives .................................................................................31

IT-related Business Goals and IT Goals ..........................................................................................................33

5. Assurance Initiative Execution .....................................................................................................................35

Introduction ......................................................................................................................................................35

Step 1—Refine Understanding........................................................................................................................35

Step 2—Refine Scope......................................................................................................................................35

Step 3—Test the Control Design .....................................................................................................................36

Step 4—Test the Outcome of the Control Objectives.....................................................................................37

Step 5—Document the Impact of Control Weaknesses..................................................................................37

Step 6—Develop and Report Overall Conclusion and Recommendations....................................................38


6. Assurance Guidance for COBIT Processes and Controls ..........................................................................39

Introduction ......................................................................................................................................................39

Generic Process Controls.................................................................................................................................39

Generic Control Practices ................................................................................................................................39

IT General Controls .........................................................................................................................................40

Application Controls ........................................................................................................................................40

Examples of the Use of Detailed Assurance Steps .........................................................................................41

7. How COBIT Components Support IT Assurance Activities ......................................................................43

Introduction ......................................................................................................................................................43

COBIT Components .........................................................................................................................................43

IT Assurance Activities ....................................................................................................................................44

The Strongest Links .........................................................................................................................................44

Appendix I—Process Control (PC)..................................................................................................................45

Process Assurance Steps ..................................................................................................................................45

Appendix II—Plan and Organise (PO) ...........................................................................................................51

Process Assurance Steps ..................................................................................................................................51

Appendix III—Acquire and Implement (AI) ...............................................................................................115

Process Assurance Steps ................................................................................................................................115

Appendix IV—Deliver and Support (DS) .....................................................................................................153

Process Assurance Steps ................................................................................................................................153

Appendix V—Monitor and Evaluate (ME) ..................................................................................................225

Process Assurance Steps ................................................................................................................................225

Appendix VI—Application Control (AC)......................................................................................................253

Process Assurance Steps ................................................................................................................................253

Appendix VII—Maturity Model for Internal Control ................................................................................263

Appendix VIII—IT Scoping ...........................................................................................................................265

Appendix IX—COBIT and Related Products ...............................................................................................269


1. INTRODUCTION

OBJECTIVES OF THE GUIDE

The objective of IT Assurance Guide is to provide guidance on how to use COBIT to support a variety of IT assurance activities. If the organisation is already using COBIT as a framework for IT governance, it will enable the leverage of COBIT when planning and performing assurance reviews, so that the business, IT and assurance professionals are aligned around a common framework and common objectives.

This guide is designed to enable efficient and effective development of IT assurance initiatives, providing guidance on planning, scoping and executing assurance reviews using a road map based on well-accepted assurance approaches. Guidance is also provided on how the COBIT resources can be used during these stages, supported by detailed tests based on COBIT's processes and control objectives. The guidance and suggested tests, like all the COBIT resources, are not intended to be prescriptive, but should be tailored to suit the specific assurance initiative.

This guide is aimed primarily at assurance professionals, but may be of interest to IT professionals and advisors.

SUMMARY OVERVIEW OF COBIT

Control Objectives for Information and related Technology (COBIT) is a comprehensive set of resources that contains all the information organisations need to adopt an IT governance and control framework. COBIT provides good practices across a domain and process framework in a manageable and logical structure to help optimise IT-enabled investments and ensure that IT is successful in delivering against business requirements.

COBIT contributes to enterprise needs by:
• Making a measurable link between the business requirements and IT goals
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
• Providing tools for management:
  – Goals and metrics to enable IT performance to be measured
  – Maturity models to enable process capability to be benchmarked
  – Responsible, Accountable, Consulted and Informed (RACI) charts to clarify roles and responsibilities

COBIT is focused on what is required to achieve adequate governance, management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed IT frameworks, standards and best practices. COBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements. In this context, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Internal Control Framework and similar compliant frameworks are generally seen as the internal control frameworks for enterprises. COBIT is generally seen as the management and control framework for IT.

The benefits of implementing COBIT as a governance framework over IT include:
• Better alignment of business and IT, based on a business focus
• Shared understanding amongst all stakeholders, based on a common language
• An understandable view of what IT does for business management
• Clear ownership and responsibilities, based on a process orientation
• Widespread acceptance by third parties and regulators
• Fulfilment of the COSO requirements for the IT control environment

The COBIT framework is summarised in figure 1.


The COBIT products have been organised into three levels designed to support:
• Boards of directors and executive management
• Business and IT management
• Governance, assurance, control and security professionals

Figure 2 illustrates the COBIT products within the IT governance body of knowledge aimed at each of these three levels.


Figure 1—COBIT Framework

[Figure: the COBIT process model. Business objectives and governance objectives sit at the top; the four domains below are applied to the IT resources and judged against the information criteria.]

Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT resources: Applications, Information, Infrastructure, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.


For more details on each product, see appendix IX, COBIT and Related Products. For the most complete and up-to-date information on COBIT and related products, case studies, training opportunities, newsletters and other COBIT-specific information, visit www.isaca.org/cobit.

TARGET AUDIENCE

This IT Assurance Guide provides detailed guidance for assurance and IT professionals on how COBIT can be used to support a variety of assurance activities for each of the 34 IT processes. Assurance steps and advice are provided for:
• Generic controls that apply to all processes (identified within the COBIT framework by a PCn identifier)
• Application controls (identified within the COBIT framework by an ACn identifier)
• Specific process controls (identified within the COBIT framework by domain identification and process number, e.g., PO6.3, AI4.1)
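The identifier scheme just described, together with the 34-process catalogue of figure 1, is enough to build a small scoping helper for an assurance initiative. The Python below is an added example and is not code from the guide or from ITGI: it parses PCn, ACn and domain identifiers such as PO6.3, rejects process numbers outside the catalogue (there is no DS14), and groups a scoping list by domain. Objective numbers are parsed but not validated, because this page does not list the individual control objectives of each process; the scoping list at the bottom is constructed for the demonstration.

```python
"""Parse, validate and describe COBIT 4.1 control identifiers.

Added example, not code from the IT Assurance Guide or from ITGI. The process
catalogue is copied from figure 1 of the guide; the identifier grammar (PCn,
ACn and <domain><process>[.<objective>], e.g. PO6.3) is the one stated under
Target Audience. Objective numbers are accepted but not checked, since the page
does not enumerate the control objectives per process.
"""
import re
from collections import defaultdict

# The 34 COBIT processes of figure 1, keyed by domain and process number.
PROCESSES = {
    "PO": {1: "Define a strategic IT plan", 2: "Define the information architecture",
           3: "Determine technological direction",
           4: "Define the IT processes, organisation and relationships",
           5: "Manage the IT investment", 6: "Communicate management aims and direction",
           7: "Manage IT human resources", 8: "Manage quality",
           9: "Assess and manage IT risks", 10: "Manage projects"},
    "AI": {1: "Identify automated solutions", 2: "Acquire and maintain application software",
           3: "Acquire and maintain technology infrastructure", 4: "Enable operation and use",
           5: "Procure IT resources", 6: "Manage changes",
           7: "Install and accredit solutions and changes"},
    "DS": {1: "Define and manage service levels", 2: "Manage third-party services",
           3: "Manage performance and capacity", 4: "Ensure continuous service",
           5: "Ensure systems security", 6: "Identify and allocate costs",
           7: "Educate and train users", 8: "Manage service desk and incidents",
           9: "Manage the configuration", 10: "Manage problems", 11: "Manage data",
           12: "Manage the physical environment", 13: "Manage operations"},
    "ME": {1: "Monitor and evaluate IT performance", 2: "Monitor and evaluate internal control",
           3: "Ensure compliance with external requirements", 4: "Provide IT governance"},
}
# Generic identifiers: PCn applies to every process, ACn to application controls.
GENERIC = {"PC": "Process Control (generic, applies to every process)",
           "AC": "Application Control"}

_ID_RE = re.compile(r"^(?P<domain>PC|AC|PO|AI|DS|ME)(?P<process>\d+)(?:\.(?P<objective>\d+))?$")


def parse_identifier(ident):
    """Return (domain, number, objective) or raise ValueError.

    PCn / ACn carry no objective suffix. Domain identifiers are checked against
    the catalogue, so DS14.1 is rejected while DS5 (a whole process) and DS5.3
    (one control objective of it) are both accepted.
    """
    m = _ID_RE.match(ident.strip().upper())
    if not m:
        raise ValueError(f"not a COBIT identifier: {ident!r}")
    domain, number = m.group("domain"), int(m.group("process"))
    objective = int(m.group("objective")) if m.group("objective") else None
    if number < 1:
        raise ValueError(f"numbering starts at 1: {ident!r}")
    if domain in GENERIC:
        if objective is not None:
            raise ValueError(f"{domain} identifiers have no objective suffix: {ident!r}")
    elif number not in PROCESSES[domain]:
        raise ValueError(f"{domain} has processes 1..{len(PROCESSES[domain])}: {ident!r}")
    return domain, number, objective


def describe(ident):
    """Readable form, e.g. 'DS5 Ensure systems security, control objective 3'."""
    domain, number, objective = parse_identifier(ident)
    if domain in GENERIC:
        return f"{domain}{number} {GENERIC[domain]}"
    text = f"{domain}{number} {PROCESSES[domain][number]}"
    return text if objective is None else f"{text}, control objective {objective}"


def scope_by_domain(identifiers):
    """Group a scoping list by domain; return (accepted, rejected-with-reason)."""
    accepted, rejected = defaultdict(list), []
    for ident in identifiers:
        try:
            domain, number, objective = parse_identifier(ident)
        except ValueError as exc:
            rejected.append((ident, str(exc)))
            continue
        accepted[domain].append((number, objective))
    return dict(accepted), rejected


if __name__ == "__main__":
    # Constructed scoping list: two process-specific objectives, one generic
    # control, one whole process, and two malformed entries.
    sample = ["PO6.3", "AI4.1", "PC3", "DS5", "DS14.1", "AC2.1"]
    ok, bad = scope_by_domain(sample)
    for dom, items in sorted(ok.items()):
        print(dom, [describe(f"{dom}{n}" + (f".{o}" if o else "")) for n, o in items])
    for ident, reason in bad:
        print("rejected:", ident, "->", reason)
```

Running it groups PO6.3, AI4.1, PC3 and DS5 under their domains and reports DS14.1 (no such process) and AC2.1 (generic controls take no objective suffix) as rejected, which is the kind of check worth running on a scoping spreadsheet before the assurance steps of appendices I through VI are pulled for each identifier.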

Assurance steps and guidelines are provided to:
• Test the control design of the control objective
• Test the outcome of the control objective (operational effectiveness)
• Document control weaknesses and their impact

It is assumed that users of this guide are familiar with the concepts of COBIT and have a level of knowledge equivalent to at least the COBIT foundation level (which can be tested online to obtain the COBIT® Foundation Certificate). If this is not the case, it is recommended that the reader undertake the COBIT Foundation Course™. Information on these opportunities is available at [email protected] and at www.isaca.org/cobitcampus.

The guide also assumes that the readers are familiar with assurance concepts in general.

Figure 2—Major COBIT-based Products

[Figure: the COBIT products arranged by audience, each audience paired with the questions it asks and the products that answer them.]

Executives and Boards
How does the board exercise its responsibilities?
Product: Board Briefing on IT Governance, 2nd Edition

Business and Technology Management
How do we measure performance? How do we compare to others? And how do we improve over time?
Products: Management guidelines, Maturity models, COBIT and Val IT frameworks

Governance, Assurance, Control and Security Professionals
What is the IT governance framework? How do we assess the IT governance framework? How do we implement it in the enterprise?
Products: Control objectives, Key management practices, COBIT Control Practices, 2nd Edition, IT Governance Implementation Guide, 2nd Edition, IT Assurance Guide

This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT Quickstart for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).


COBIT GUIDANCE FOR IT ASSURANCE ACTIVITIES

The COBIT framework, represented in figure 3, provides the basis for two guides:
• IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition, which provides a road map and process guidance on how to implement IT governance using the COBIT resources
• IT Assurance Guide: Using COBIT, which provides professional guidance for the assurance team and offers a structured assurance approach linked to the COBIT framework that business and IT professionals can understand

As seen in figure 3, each guide is fed with different inputs. The IT Governance Implementation Guide leverages COBIT Control Practices, whilst the IT Assurance Guide is based on assurance steps. The two inputs (control practices and assurance steps) are considered mutually exclusive, allowing the guides' users to focus on either part of the IT governance process (implementation or assurance).

IT Assurance Guide provides assurance advice at different levels. At the process level, process-specific advice is provided on how to test whether control objectives are being achieved and on how to document control weaknesses. At the control objective level, assurance steps are provided to test the control design for each specific control objective based on its control practices. This detailed guidance can be found in appendices I through VI. In chapter 6, Assurance Guidance for COBIT Processes and Controls, some examples can be found on how the detailed guidance can be leveraged for a specific assurance initiative.

At the different levels, generic advice is also provided. Generic advice applies to all processes or control objectives and can be used in addition to, or as an alternative to, the specific advice. These processes are further described in chapter 6.

For the testing steps of the execution stage, this guide provides generic guidance as well as specific, more detailed guidance to assist the IT assurance professional. Generic advice means that it can be applied to any process, control objective or control practice depending on the type of advice. Specific advice refers to advice provided for a specific process, control objective or control practice. An overview of the IT assurance framework that underpins this process is shown in figure 4.

COMPONENTS OF IT ASSURANCE GUIDE

The content of the detailed assurance guidance is organised around the 34 COBIT processes and contains the following components:
• Control objectives—Increasingly, organisations are recognising that control of IT is critical for ensuring that IT delivers value to the organisation, risks are managed, regulatory requirements are met, and investments in IT deliver a reasonable return.

IT control objectives are statements of the desired result or purpose to be achieved by implementing control practices in a particular IT process and often relate directly to specific activities within the process.

COBIT’s control objectives are high-level requirements to be considered for effective control of each IT process. They are written as short, action-oriented management practices. Wherever possible, they follow a logical life cycle sequence.

Enterprise management has choices relative to control objectives. Members of management should:
– Select applicable control objectives
– Balance the investment required to implement management practices required to achieve each control objective with the risk that arises in not achieving it
– Decide which control practices to implement
– Choose how to implement each control practice

Figure 3—Implementation and Assurance Guides (figure: Board Briefing* leads to the Executive Baseline for IT Governance (in development) and the IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition, which is fed by COBIT Control Practices, 2nd Edition; Board Briefing* also leads to the Audit Director Baseline for IT Governance (future development) and the IT Assurance Guide: Using COBIT, which is fed by Assurance Steps; both guides draw on the COBIT components Framework, Control Objectives, Management Guidelines and Maturity Models, with each Control Objective carrying Value and Risk statements; labels: WHAT, HOW, HOW)

* Board Briefing on IT Governance, 2nd Edition

COBIT’s more than 200 control objectives define what needs to be managed in each IT process to address business requirements and manage risk. They help to define clear policies, foster good practices for IT controls and encourage process ownership. They also provide the reference point for linking good practices to business requirements. Constructed by harmonising more than 40 different control guidance sources, COBIT can be integrated with other standards and practices that focus on specific areas, such as the ISO/IEC 27000 series on information security-related standards, ISO/IEC 9001:2000 Quality Management Systems—Requirements, IT Infrastructure Library (ITIL), Capability Maturity Model® Integration (CMMI®), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge® (PMBOK®).

• Value and risk drivers—Value and risk drivers provide valuable inputs to professionals for use in communicating a business justification for achieving particular control objectives and implementing associated control practices. The value drivers provide examples of the business benefits that can result from good control, whilst the risk drivers provide examples of the risks that may need to be avoided or mitigated. They provide to assurance professionals and IT governance implementors the argument for implementing controls and substantiate the impact of not implementing them.

• Assurance testing steps—The assurance testing steps provide guidance at the control objective level for assurance professionals conducting an IT assurance process. The steps are derived from the control practices, which, in turn, are derived from each control objective. The assurance testing steps:
– Evaluate the design of the controls
– Confirm that controls are placed in operation
– Assess the operational effectiveness of the control

These different testing steps are elaborated in more detail in chapter 6, Assurance Guidance for COBIT Processes and Controls. Generic assurance steps cover the existence and design effectiveness of the proposed control design as well as the associated responsibilities. Specific assurance steps test the effective operation of controls and are stated at the control objective level. In addition, assurance steps are provided to test the outcomes of control weakness or failure.

The assurance testing steps are designed to provide the first level of the development of an assurance programme by an internal or external assurance professional. The objective is not to provide a detailed assurance programme that can be used as is and executed. Rather, the intent is for an assurance professional with some experience to use it as the basis for efficiently developing customised assurance programmes that can be used and executed by staff members with less experience. The assurance professional should take the testing steps as a foundation for implementing the assurance initiative. He/she should adjust the testing steps for the reality of the organisation and the objectives of the assurance initiative. The steps are guidance only—they are not a cookbook.

The combination of all assurance components provides a testing method to assist in forming opinions against assurance objectives by combining one or more of the following test types:
• Enquire (via a different source) and confirm.
• Inspect (via walk-through, search, compare and review).
• Observe (i.e., confirmation through observation).
• Reperform or recalculate and analyse (often based on a sample).
• Collect (e.g., sample, trace, extract) and analyse automated evidence.

Figure 4—Overview of the IT Assurance Advice Provided (figure: Generic and Specific Advice in the Assurance Guide; nodes: IT Processes, Control Objectives, Control Practices, Testing the Control Design of the Control Objectives, Testing the Control Objective Outcome, Documented Control Weaknesses; relationships: controlled by, implemented with, derived from, derived by, assessed with, improved with)

RELATIONSHIP WITH COBIT CONTROL PRACTICES

IT Assurance Guide is part of the COBIT family of products. The assurance test steps have been derived from the COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, and are expressed in a form usable by assurance professionals for testing activities.

COBIT Control Practices extends the capabilities of the COBIT framework and provides an additional level of detail. The COBIT IT processes, business requirements and control objectives define what needs to be done to implement an effective control structure. COBIT Control Practices provides the more detailed guidance at the control objective level on how to achieve the objectives. The control practices consist of the following elements for each of the COBIT control objectives:
• Value and risk drivers, providing ‘why do it’ guidance
• Control practices to be considered when assessing IT processes and implementing improvements

For each of the control objectives, a list of specific control practices is defined. In addition, three generic control practices are defined, which are applicable to all control objectives. The complete set of generic and specific control practices provides one control approach, consisting of practices that are necessary for achieving the control objective. They provide high-level generic guidance, at a more detailed level under the control objective, for assessing process maturity, considering potential improvements and implementing the controls. They do not describe specific solutions, and further guidance may need to be obtained from specific, relevant standards and best practices, such as ITIL or PRINCE2. The control practices meet the following design criteria in that they:
• Are relevant to the purpose of the control objective
• Can be executed in a timely fashion
• Are realistic and cost-effective
• Are measurable
• Provide for a definition of the roles involved and segregated roles, where appropriate
• Are action-oriented
• Are life-cycle-based, wherever possible

Control practices help ensure that the solutions put forward are more likely to be completely and successfully implemented, by providing guidance on why controls are needed and what the good practices are for meeting specific control objectives.

The control practices are designed to support two audiences:
• Implementors of IT governance (e.g., management, service providers, end users, control professionals)
• Assurance professionals (e.g., internal and external assurance professionals)

For assurance purposes, all the control practices were used to develop detailed assurance steps. The assurance testing steps are designed to provide the first stage of the development of an assurance programme by an internal or external assurance professional. Therefore, professionals using this assurance guide need to take into account that the assurance steps are derived from the control practices. The control practices themselves are not provided in this guide.

The table in figure 5 provides an overview of the control material that is provided by COBIT and forms the basis for the assurance material in this guide.


Figure 5—Control Objectives and Control Practices

Generic control objectives: The COBIT framework provides six process controls that apply to each process. When reviewing a process, these control objectives and the associated practices and assurance steps should be added to the specific control objectives material.

Generic control practices: When translating control objectives into practices, the first steps are always the same and cover designing, recording and communicating the approach for achieving the objective, and assigning responsibility and accountability for making it happen.

Specific control objectives: For each process, a number of specific control objectives are provided in the COBIT framework.

Specific control practices: COBIT provides specific practices for each control objective. Together with the generic practices they provide a control design consisting of the necessary and sufficient steps to achieve the control objective.


The table in figure 6 describes the assurance material that is derived from the COBIT control material and provided in this guide.

Finally, additional advice is provided on testing the six application controls (as provided in COBIT), again addressing design, outcome and impact testing.

COBIT, and many of its supporting products, provides detailed support in a wide range of IT assurance activities.

DOCUMENT ROAD MAP
The main sections of this document follow the structure of a suggested IT assurance road map. That road map will be explained in more detail in chapter 2, IT Assurance Principles and Context. The main sections or titles of this road map are:
• Planning
• Scoping
• Execution, including:
– Refining the understanding of the IT assurance subject
– Refining the scope of key control objectives
– Testing the effectiveness of control design
– Testing the outcomes of key control objectives
– Documenting the impact of control weaknesses
– Developing/communicating conclusions and recommendations

Planning is elaborated in chapter 3, Assurance Planning. Scoping is addressed in chapter 4, IT Resource and Control Scoping, and chapter 5, Assurance Initiative Execution, addresses all of the execution steps.

Chapter 6, Assurance Guidelines for COBIT Processes and Controls, explains the structure of the assurance guidance provided for the COBIT processes and control objectives. Chapter 7 explains how COBIT components support IT assurance activities. Appendices I-VI provide the actual assurance tests.

HOW TO USE THIS GUIDE
Even though COBIT has a wide potential audience and can be used by many within an organisation, this guide is particularly intended for internal and external assurance professionals.


Figure 6—Linking General and Specific Advice to Classes of IT Assurance

Generic, Testing the Control Design: The generic control practices are translated into assurance steps based on a standard set of assurance methods.

Generic, Testing Control Process Outcome: In addition or as an alternative to testing the control design, the outcome of a control objective can be tested. Some standard approaches to looking for evidence are provided that apply to any process.

Generic, Documenting Control Weaknesses: As an alternative or in addition to the specific advice, some standard approaches to documenting and putting control weaknesses in context are provided, largely focused on identifying comparative data (e.g., benchmarks, measurements, cases).

Specific, Testing the Control Design: The specific control practices are also translated into assurance steps. Combined with the generic practices assurance steps, they provide a complete test of the control design of the objective.

Specific, Testing Control Process Outcome: For each process, a number of assurance steps are provided to test the outcome of the control objectives of the process. The generic advice can be used as an alternative or to complement the specific advice.

Specific, Documenting Control Weaknesses: For each process, specific advice is provided on how to document control weaknesses, relating to the goals, metrics, activities and control objectives of the process.


A major benefit of this guide is that users can rely on the consistency of the COBIT framework and its related products. The COBIT framework is increasingly being used as an IT governance framework, helping align business and IT management and providing a basis for improving IT’s performance. If assurance professionals base their reviews on the same framework as business and IT managers who are improving IT governance and IT performance, everyone involved will be using a common language and it will be easier to agree and implement any necessary control improvements.

This guide can be used by the assurance professional for many different purposes, including:
• Obtaining a view on current good practices on assurance and testing principles
• Learning how using different COBIT components and related concepts can help in planning and scoping assurance initiatives
• Having available a comprehensive reference of all COBIT control objectives and supporting control practices and how they can be tested to obtain assurance that they are effective


2. IT ASSURANCE PRINCIPLES AND CONTEXT

INTRODUCTION
This section describes the overall principles, components and context of IT assurance and explores the IT assurance road map, providing a high-level description of the major steps involved.

The objective of IT Assurance Guide is not to provide detailed assurance guidelines. Instead, the objective is to provide high-level guidance on conducting assurance initiatives, and explain briefly a number of fundamental principles for understanding assurance and some related techniques and contributory activities.

Formal standards such as the International Auditing and Assurance Standards Board’s (IAASB’s) International Framework for Assurance Engagements (IAASB Assurance Framework) may be referenced. However, in this manual, ‘assurance’ is the term used consistently, as it is broader than the term ‘audit’. Assurance also covers evaluation activities not governed by internal and/or external audit standards.

To be called an assurance initiative, five components must be present, as prescribed in the IAASB Assurance Framework and as listed in figure 7.

The objective of an assurance initiative is for an assurance professional to measure or evaluate a subject matter that is the responsibility of another party. For IT assurance initiatives, there is generally also a stakeholder involved who uses the subject matter but who has delegated operation and custodianship of the subject matter to the responsible party. Hence, the stakeholder is the end customer of the evaluation and can approve the criteria of the evaluation with the responsible party and the assurance professional.

The conclusion of the evaluation provides an opinion as to whether the subject matter meets the needs of the stakeholder. Figure 8 summarises the relationships in an assurance initiative.

Figure 7—The Five Components of an Assurance Initiative
1. A three-party relationship involving a responsible party for the subject matter, an assurance professional, and an intended user of the assurance report
2. A subject matter over which the assurance is to be provided (i.e., data, systems, processes)
3. Suitable criteria against which the subject matter will be assessed (i.e., standards, benchmarks, legislation)
4. A process that the assurance professional will undertake
5. A conclusion issued by the assurance professional

Figure 8—Relationships in the Assurance Initiative (figure: the Stakeholder, Responsible Party and Assurance Professional, together with the Subject Matter, Business Process, Assurance Process and Conclusion, arranged around the suitable criteria for the assurance initiative and linked by ‘accepts’, ‘manages’, ‘uses’, ‘relies on’, ‘reviews against criteria’ and ‘reports’)

ASSURANCE APPROACH AND ROAD MAP

IT Assurance Road Map
To provide assurance, it is important to follow a consistent methodology or approach. Whilst the specific approach may be unique to each organisation and type of initiative, for the purposes of this guide a fairly common approach is used. It is based on three stages: planning, scoping and execution, with the final stage broken down into six steps. The stages and steps of the road map are presented in figure 9.

For more significant assurance initiatives, additional information on breaking down the initiative into objectives, actions and deliverables can be found in appendix VIII, IT Scoping. This breakdown provides more detailed guidance that can be applied to IT assurance activity scoping and IT control scoping.

PLANNING
The establishment of the IT assurance universe for the assurance assignment serves as the beginning of every assurance initiative. To create a comprehensive plan, the assurance professional needs to combine an understanding of the IT assurance universe and the selection of an appropriate IT control framework, such as COBIT. The aggregation of these two allows for risk-based planning of the assurance initiative. To set the correct assurance objectives, first a high-level assessment needs to be performed. The end deliverable of this stage is the IT assurance plan (usually annual).

SCOPING
The scoping process can be performed in three different ways:
• The most detailed scoping approach starts from defining business and IT goals for the environment under review and identifying a set of IT processes and resources (i.e., assurance universe) required to support those goals. The goals that are subject to the IT assurance initiative can be scoped down to a lower granularity (i.e., key control objectives customised for the organisation).

• A high-level scoping approach may start from benchmarking research executed by ITGI, providing generic guidelines on the relationship of business goals, IT goals and IT processes, as described in COBIT. This generic cascade of goals and processes can be used as a basis for more detailed scoping, as required for the specific environment being assessed.

• A hybrid scoping approach combines the detailed and high-level methods. This approach starts from the generic cascade of goals and processes, but is adapted and modified to the specific environment before continuing the scoping to more detailed levels.

The end deliverables of this stage are the scope and objectives of the different IT assurance initiatives.

EXECUTION
The third stage of the IT assurance road map is the execution stage. Figure 10 describes an approach that assurance professionals can follow as they execute a particular assurance initiative. These steps cover the core testing activities that the assurance professional executes. Chapter 5, Assurance Initiative Execution, describes each of the steps in more detail. The end deliverable of this stage is the conclusion of the individual IT assurance initiative.


Figure 9—IT Assurance Road Map (figure)

PLANNING and SCOPING:
• Establish the IT assurance universe.
• Select an IT control framework.
• Perform risk-based IT assurance planning.
• Perform high-level assessments.
• Scope and define the high-level objectives for the initiative.
Goal cascade: Business goals, IT goals, Key IT processes and key IT resources, Key control objectives, Customised key control objectives.
Deliverables: IT ASSURANCE PLANS; DETAILED SCOPE AND OBJECTIVES.

EXECUTING:
1. Refine the understanding of the IT assurance subject.
2. Refine scope of key control objectives for the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Alternatively/additionally test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Develop and communicate overall conclusion and recommendations.
Deliverable: ASSURANCE CONCLUSION.


IT Assurance Activities
The approach presented in the previous section, IT Assurance Road Map, describes the stages and steps for providing assurance services and provides the structure for this guide. Some of the typical IT assurance activities that may be performed under each of these assurance approach stages are listed in figure 11.

Figure 11 introduces the typical assurance activities that can be used—and for which advice is provided—in the different stages and steps of the IT assurance road map. Sometimes the step is the activity; sometimes an activity can be leveraged in several steps.

Whilst most of the advice in this guide focuses on the execution stage of the road map in figure 12 and chapter 7, How COBIT Components Support IT Assurance Activities, additional advice is provided for the assurance activities listed, by identifying the COBIT components that can provide a particular benefit for each of these activities. All IT assurance initiatives include most of these activities; therefore, most of the COBIT components can be leveraged in all types of IT-related assurance initiatives.

Figure 12 demonstrates a linkage between assurance activities and where COBIT components can provide a particular benefit. In addition, chapter 7, How COBIT Components Support IT Assurance Activities, provides suggestions on how the different COBIT components can be leveraged to improve the effectiveness and/or efficiency of different IT assurance activities.

Figure 10—Execution Road Map
1. Refine the understanding of the IT assurance subject.
2. Refine scope of key control objectives for the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Alternatively/additionally test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Develop and communicate overall conclusion and recommendations.

Figure 11—IT Assurance Activities

• Plan:
– Perform a quick risk assessment.
– Assess threat, vulnerability and business impact.
– Diagnose operational and project risk.
– Plan risk-based assurance initiatives.
– Identify critical IT processes based on value drivers.
– Assess process maturity.

• Scope:
– Scope and plan assurance initiatives.
– Select the control objectives for critical processes.
– Customise control objectives.

• Execute:
1. Refine the understanding of the IT assurance subject:
– Identify/confirm critical IT processes.
– Self-assess process maturity.
2. Refine the scope of the key control objectives for the IT assurance subject:
– Update the control objective selection.
– Customise control objectives.
– Build a detailed audit programme.
3. Test the effectiveness of the control design of the key control objectives:
– Test and evaluate controls.
– Update/assess process maturity.
4. Test the outcome of the key control objectives:
– Self-assess controls.
– Test and evaluate controls.
5. Document the impact of control weaknesses:
– Diagnose residual operational and/or project risk.
– Substantiate risk.
6. Develop and communicate overall conclusion and recommendations:
– Report assurance conclusions.


Figure 12—Assurance Activities Linked to COBIT Components (matrix figure; the checkmark positions are not recoverable from the text)

Rows (IT Assurance Activities): Perform a quick risk assessment; Assess threat, vulnerability and business impact; Diagnose operational and/or project risk; Plan risk-based assurance initiatives; Identify critical IT processes based on value drivers; Assess process maturity; Scope and plan assurance initiatives; Select the control objectives for critical processes; Customise control objectives; Build a detailed assurance programme; Test and evaluate controls; Substantiate risk; Report assurance conclusions; Self-assess process maturity; Self-assess controls.

Columns (COBIT Components): Control Objectives; COBIT Control Practices; Value and Risk Statement; Maturity Model; Maturity Model Attributes; RACI (Key Activities and Responsibilities); Goals and Outcome Measures; Performance Drivers; Management Awareness Tool; Information Criteria; Process List; Board Briefing on IT Governance, 2nd Edition; IT Risk and Control Diagnostics; COBIT Quickstart; COBIT Online—Searching and Browsing; COBIT Online—Benchmarking; IT Control Objectives for Sarbanes-Oxley, 2nd Edition.


Reference to Other Assurance Models
Assurance professionals may be familiar with the standards set by organisations, such as IAASB within the International Federation of Accountants (IFAC). IAASB has defined within its International Standards on Auditing stages of conducting an assurance engagement in the context of the financial statement audit. Whilst these stages are specifically defined for the purposes of financial statement audits, they are consistent with the suggested IT assurance processes in this guide. This is illustrated in figure 13.


Figure 13 (matrix): the IAASB assurance stages (Determine the responsible party and intended user of assurance output; Determine the nature of the subject matter; Define and agree on evaluation criteria; Collect evidence; Assess evidence; Make judgement; Report and conclude) are mapped against the road map stages Planning, Scoping and the execution stages in the road map (Refine the understanding of the IT assurance subject; Refine the scope of key control objectives; Test the effectiveness of the control design; Test outcomes of key control objectives; Document the impact of control weaknesses; Develop and communicate the overall conclusion and recommendations). Number of IAASB stages each road map stage maps to: Planning 3; Scoping 1; Refine the understanding of the IT assurance subject 3; Refine the scope of key control objectives 1; Test the effectiveness of the control design 2; Test outcomes of key control objectives 2; Document the impact of control weaknesses 2; Develop and communicate the overall conclusion and recommendations 2. The column positions of the checkmarks are not recoverable from the text.

The first two steps of the execution stage refine the analysis of the planning and scoping stages and, therefore, map in the same manner to the IAASB standard. For internal assurance, the planning activity is considered to be the annual plan activity and ‘refining the plan’ refers to planning aspects of individual assignments; whereas, for external audit, these two levels of planning may happen at the same time.

The suggested approach for IT assurance is to make a clear distinction amongst:
• Testing the design of a control objective
• Testing the outcome of a control objective
• Documenting the impact of the weaknesses identified

Each of these three steps deals with collecting and assessing evidence, but in a different manner.

Type of Assurance Advice Provided
For the testing steps of the execution stage, this guide provides generic guidance as well as more specific advice to assist the IT assurance professional, as shown in figure 14. The graphic summarises relationships amongst the key COBIT components (process, control objective and control practice) with the steps in the IT assurance road map.

Generic advice means that it can be applied to any process, control objective or control practice depending on the type of advice.Specific advice refers to advice provided for a specific process, control objective or control practice.

The Historical Context—Statutory Audit (Financial Statement Audit)
It is important to understand that, historically, IT assurance started in support of financial statement audits. This class of assurance is still of great relevance, especially in light of the US Sarbanes-Oxley Act and similar regulations internationally.

The purpose of a financial audit is, typically, to express an opinion on financial statements, notably in respect of the following assertions:
• Existence or occurrence of the assets/liabilities/transactions reflected in the financial statements
• Completeness of all financial information presented
• Rights, obligations and relevant commitments appropriately presented in the financial statements
• Valuation or allocation of the value of financial statement captions on a fair and consistent basis
• Presentation and disclosure of values in the appropriate captions of the financial statements and relevant accounting principles or additional information to help ensure correct interpretation

Figure 13—Correlation of IT Assurance and Assurance Stages


Together, these assertions, when met, allow the auditor to form and report an opinion on the financial condition of the related entity.

RELEVANT GENERAL STANDARDS AND GUIDANCE
Current recognised guidelines for the external financial statement audit process are embodied in the International Standards on Auditing (ISA).1

ISA 315 sets out the requirements of the assurance professional to obtain an understanding of internal control relevant to the audit, which includes the following components:
• The control environment
• The entity’s risk assessment process
• The information system, including the related business processes relevant to financial reporting, and communication
• Control activities
• Monitoring of controls

The ISA recognises that, generally speaking, IT provides potential benefits of effectiveness and efficiency for an entity’s internal control, but also that it poses specific risks.

With respect to IT, the financial statement assertions can be translated into the following information processing objectives:
• Completeness
• Accuracy
• Validity
• Restricted access

The minimum requirement for the assurance professional is to understand the information systems underpinning business processes relevant for financial reporting and how the entity has responded to risks arising from IT. Since the use of IT affects the way control activities are implemented in the business and related financial reporting, the assurance professional needs to consider whether the entity has responded adequately to the risks arising from IT by establishing effective general IT controls and application controls.

The ISA define general IT controls as policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls are categorised in the ISA as follows:
• Data centre and network operations
• System software acquisition, change and maintenance
• Access security
• Application system acquisition, development and maintenance

Figure 14—Types of Advice Provided in This Guide (figure: Generic and Specific Advice in the Assurance Guide; the same diagram as figure 4, with the nodes IT Processes, Control Objectives, Control Practices, Testing the Control Design of the Control Objectives, Testing the Control Objective Outcome and Documented Control Weaknesses, linked by ‘controlled by’, ‘implemented with’, ‘derived from’, ‘derived by’, ‘assessed with’ and ‘improved with’)

1 International Standards on Auditing (ISA) are professional standards for the performance of financial audit of financial information. These standards are issued by International Federation of Accountants (IFAC) and cover respective responsibilities, audit planning, internal control, audit evidence, using work of other experts, audit conclusions and audit report, and specialised areas.

ISA 330 gives guidance on the nature, timing and extent of audit procedures to be adopted in response to identified risks. Some specific requirements are set out in the ISA in relation to internal controls validation, including the following:
• When the assurance professional’s assessment of risks of material misstatement at the assertion level includes an expectation that controls are operating effectively, the assurance professional should perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit.
• When the assurance professional has determined that it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the assurance professional should perform tests of relevant controls to obtain audit evidence about their operating effectiveness.

The ISA also specify the type of procedures to be carried out, stating that ‘the assurance professional should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls’.

RELEVANCE FOR IT ASSURANCE

Specifically in relation to IT, the ISA state that the assurance professional considers the need to obtain audit evidence supporting the effective operation of controls directly related to the assertions, as well as other indirect controls on which these controls depend, such as underlying general IT controls. For that purpose, the COBIT framework provides abundant guidance, and this guide provides an assurance approach that is in line with ISA guidance.

Because of the inherent consistency of IT processing, audit evidence about the implementation of an automated application control, when considered in combination with assurance evidence obtained regarding the operating effectiveness of the entity’s general controls (and in particular system development life cycle controls, including change controls), may provide substantial assurance evidence about its operating effectiveness during the relevant period. More guidance on these aspects is provided in chapter 6, Assurance Guidance for COBIT Processes and Controls.

Materiality

When conducting or supporting financial statement audits, assurance professionals ordinarily measure materiality in monetary terms, since what they are auditing is also measured and reported in monetary terms. IT assurance professionals may conduct assurance on non-financial items and, therefore, alternative measures are required. With respect to a specific control objective, a material control is a control or group of controls without which control procedures do not provide reasonable assurance that the control objective will be met.

ISACA IS Auditing Guideline G6 (www.isaca.org/standard/guideline.htm) specifies that where the IT assurance objective relates to systems or operations processing financial transactions, the value of the assets controlled by the system(s) or the value of transactions processed per day/week/month/year should be considered in assessing materiality.

For systems and operations not affecting financial transactions, the following are examples of measures that should be considered to assess materiality:
• Criticality of the business processes supported by the system or operation
• Cost of the system or operation (i.e., hardware, software, staff, third-party services, overheads, a combination of these)
• Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage, etc.)
• Number of accesses/transactions/inquiries processed per period
• Nature, timing and extent of reports prepared and files maintained
• Nature and quantities of materials handled (e.g., where inventory movements are recorded without values)
• Service level agreement (SLA) requirements and cost of potential penalties
• Penalties for failure to comply with legal and contractual requirements

Assurance Risk

Assurance risk is the risk that an incorrect opinion is reported by the assurance professional in the presence of material misstatement of the subject matter. Assurance risk is a function of the risk of material error and the risk that the assurance professional will not detect associated errors or control failures.


The risk of material error has two components:
• Inherent risk—The susceptibility of an assertion by the responsible party to a misstatement that could be material, individually or when aggregated with other misstatements, assuming that there were no related internal controls²
• Control risk—The risk that a misstatement that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal control

Detective risk is the risk that the assurance professional’s procedures will not detect a misstatement that exists in an assertion that could be material, individually or when aggregated with other misstatements. It is important when planning an assurance initiative to assess assurance risk and design an approach to ensure that the assurance objectives are met.


² These definitions are drawn from the International Accounting and Assurance Standards Board.


3. ASSURANCE PLANNING

INTRODUCTION

The first phase of the IT assurance road map (illustrated in figure 9) is the planning phase. Before beginning an assurance initiative, the work of the IT assurance professional should be planned in a manner appropriate for meeting the assurance objectives. For an internal assurance function, the assurance plan should be developed/updated/reviewed at least annually. The plan should act as a framework for assurance activities and serve to address responsibilities set by the assurance charter. For an external IT assurance initiative, a plan should normally be prepared for each initiative. Each type of assurance plan should clearly document the objectives of the initiative and reflect the intended user’s strategy and priorities.

As part of the planning process, IT assurance professionals should obtain a good understanding of the assurance universe and the organisation’s business goals for IT, IT goals, and how they are planned to be realised through IT processes and IT resources. The extent of the knowledge required is determined by the nature of the organisation, its environment, risks and the objectives of the assurance initiative. To execute the assurance initiative and assurance planning work according to a standardised and structured approach, the IT assurance professional should also identify appropriate control frameworks that could be useful for the assurance initiatives (e.g., COSO, COBIT) or IT management frameworks or standards (e.g., ITIL, ISO/IEC 27000).

IT ASSURANCE UNIVERSE

The IT assurance universe defines the area of responsibility of the IT assurance provider; it is usually based on a high-level structure that classifies and relates IT processes, resources, risks and controls, allowing for a risk-based selection of discrete IT assurance initiatives. The assurance universe needs to be defined at the enterprise level and must be composed of subjects, units, processes, procedures, systems, etc., that are capable of being defined and evaluated. The building blocks of the assurance universe are units under which assurance can be conducted. For the purpose of the IT Assurance Guide, COBIT provides a structure to define the IT assurance universe built around the four types of IT resources and 34 IT processes categorised into four domains. The four domains cover the traditional responsibilities in IT of plan, build, run and monitor.

The IT resources identified in COBIT are defined as follows:
• Applications—The automated user systems and manual procedures that process the information
• Information—The data input, processed and output by the information systems, in whatever form is used by the business
• Infrastructure—The technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, etc., and the environment that houses and supports them) that enable the processing of the applications
• People—The personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

The four domains defined by COBIT are Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. As shown in figure 15, IT processes deliver information to the business, run the applications, and need infrastructure and people. Together, they constitute the enterprise architecture for IT.

Figure 15–Enterprise Architecture for IT (diagram: IT Processes, including goals and responsibilities, deliver Information, run Applications and need Infrastructure and People)


The portfolio of assurance activities within the assurance universe needs to be prioritised by risk level, technological complexity, time since the most recent assurance initiative, strategic importance, age in technology, known control weaknesses, etc. By doing so, assurance resources can be assigned to the units carrying the highest risk for the organisation. The prioritisation is driven by business and governance objectives (regarding functionality, agility, return, compliance and comfort), implying specific value and risk drivers, as illustrated in figure 16. This figure also illustrates that it helps to think in terms of IT resources for translating business goals into IT goals (i.e., in terms of the services and information required) and in terms of the infrastructure and people resources required to provide and support the services and information needed. COBIT provides tables of generically applicable enterprise and IT goals that can—after adaptation to the situation at hand—help in determining the subjects in the assurance universe that need the most attention.

The assurance universe resulting from the analysis work described previously results in most cases in a two-dimensional matrix, with one dimension describing the relevant elements from the enterprise architecture for IT and the other dimension indicating the possible control objectives, as shown in the left part of figure 17.

Because the recommended framework is COBIT, with its process structure, a first step in scoping the assurance initiative can consist of selecting the processes, thereby reducing the control objectives in scope on the horizontal dimension. This also allows for simplifying the vertical dimension by concentrating on the IT resources because the processes have been dealt with in the horizontal control objective dimension. This then produces the right side of figure 17. If other control frameworks are used that are not process-oriented, the processes need to be retained in the vertical dimension. But even then, most frameworks can be mapped to COBIT (see www.isaca.org/cobit) so that after mapping the simplified version can be used.

Figure 16–Business and IT Goals as Drivers for Assurance Planning (diagram elements: Business Governance; Functionality, Agility, Return, Compliance, Comfort; Enterprise Goals for IT; IT Goals; IT Processes; Applications, Information, Infrastructure, People)

Figure 17–Linking the Enterprise Architecture and Control Objectives (diagram: a matrix of Enterprise Architecture for IT against Control Objectives, reduced through Control Objectives Selection and IT Process Selection to a matrix of IT Resources against Control Objectives)


Other forms of representing the assurance universe are possible. Whatever representation is chosen, balance between completeness, consistency and manageability has to be preserved. Through the proposed technique, all relevant units can be identified and described. Some examples are:
• Applications can either be grouped (in line with the major business processes they support, e.g., sales, logistics, administration, manufacturing, human resources) or listed individually; one can then identify the subset of the IT processes and control objectives applicable to the applications (e.g., for an assurance initiative on applications, the development cycle or portfolio management). Projects, which are very often reviewed through project assurance initiatives, can be considered as applications in the making.
• People and the way they are organised (i.e., organisational units) are part of the assurance universe horizontal dimension, allowing, for example, assurance on organisational entities.
• Infrastructure elements (e.g., data centre, networks, IT platforms) are another horizontal dimension, allowing identification of, for example, security reviews of operating systems and networks, or physical reviews of data centres.
• Information includes databases, master files and transaction logs.

Specific topics currently high on the agenda of many IT departments include outsourcing projects and a variety of compliance requirements. Through the process dimension of the assurance universe, the assurance professional can identify the relevant IT processes that manage outsourced IT services, for example, DS1 Define and manage service levels and DS2 Manage third-party services. By doing so, this specific topic can be included in the overall assurance universe.

RISK-BASED ASSURANCE PLANNING

The assurance professional should use an appropriate risk assessment technique or approach in developing the overall plan for the effective allocation of IT assurance resources. Risk assessment is a technique used to examine units in the assurance universe and select those areas for review that have the greatest risk exposure. The risks associated with each IT layer cannot be determined by reviewing the IT-related risks in isolation, but must be considered in conjunction with the organisation’s processes and objectives.

Risk has two major attributes (probability and impact) and has a complex relationship amongst the attributes of the objects involved, which are:
• Asset—Something of value (tangible or intangible) worth protecting
• Threat—Any situation or event that has the potential to harm a system
• Threat agent—Methods and things used to exploit a vulnerability (e.g., determination, capability, motive, resources)
• Threat event—An instance of a threat acting upon a system vulnerability in which the system is adversely affected
• Vulnerability—A weakness that could be exploited by a threat (e.g., an open firewall port, a password that is never changed, a flammable carpet). A missing control is also considered a vulnerability.
• Countermeasure—A synonym for control. The term ‘countermeasure’ can be used to refer to any type of control, but it is most often used when referring to measures that increase resilience, fault tolerance or reliability of an IT service.
• Risk—The potential that a given threat will exploit vulnerabilities of an asset to cause loss or damage to the asset
• Residual risk—The risk associated with an event when the control is in place to reduce the effect or likelihood of that event being taken into account

Figure 18 provides the relationship amongst the different components and the major attributes of each. These attributes are essential to analyse the contribution of each component to the risk analysis process. A suggested approach for this process is provided in figure 19.

The suggested risk analysis approach starts from the valuation of assets, which in the COBIT framework consists of the information that has the required criteria to help achieve the business objectives (including all the resources necessary to produce that information). The next step is the vulnerability analysis, which identifies the vulnerabilities that apply to the assets (e.g., a business process that needs to comply with data privacy, a business product that deals with financial transactions or infrastructure elements) that determine the availability of many information services. The next phase identifies significant threats that may be able to exploit a given vulnerability (e.g., unintentional events such as errors, omissions and accidents; intentional actions such as fraud, hacking or theft). The probability of the threat, the degree of vulnerability and the severity of the impact are combined to develop threat/vulnerability scenarios and assess their risk. This is followed by the selection of countermeasures (controls) and an evaluation of their cost and effectiveness. After considering the impact of implementing selected controls, residual risk can be determined. The conclusion is an action plan after which the cycle can start again.

Figure 18–Relationship and Attributes of the Risk Analysis Components (diagram elements: Owners, Countermeasures, Risks, Threat Agents, Threats, Vulnerabilities, Assets, Threat/Vulnerability Scenarios; relationships: ‘are concerned about’, ‘impose’, ‘reduce’, ‘prevent and detect’, ‘avoid or mitigate’, ‘give rise to’, ‘exploit’, ‘have’, ‘from’)

Figure 19—A Risk Analysis Approach Leveraging the Risk Components and Their Attributes (cycle of steps):
• Identify critical assets and estimate their value.
• Identify applicable vulnerabilities.
• Identify significant threats.
• Define relevant threat/vulnerability scenarios.
• Assess risk (applicability, probability and materiality of impact).
• Inventory useful countermeasures.
• Evaluate control cost and effectiveness.
• Determine residual risk.
• Develop a risk mitigation action plan.
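The cycle of figure 19, as an added example that is not part of the guide: a small Python model that scores threat/vulnerability scenarios from asset value, degree of vulnerability and threat probability, selects countermeasures by cost and effectiveness, and computes the residual risk that feeds the action plan. The asset values, probabilities, degrees, costs, effectiveness figures and the greedy selection rule are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vulnerability:
    name: str
    asset: str            # asset the weakness applies to
    degree: float         # constructed 0..1 degree of vulnerability

@dataclass
class Threat:
    name: str
    probability: float    # constructed 0..1 likelihood per period
    exploits: list        # vulnerability names the threat can exploit

@dataclass
class Countermeasure:
    name: str
    cost: int             # constructed cost units
    effectiveness: float  # share of scenario risk removed, 0..1
    covers: list          # vulnerability names it addresses

@dataclass
class Scenario:
    threat: str
    vulnerability: str
    asset: str
    risk: float           # probability x degree of vulnerability x asset value
    residual: float       # risk left after the chosen countermeasures

def build_scenarios(asset_value, vulns, threats):
    """Pair each significant threat with the vulnerabilities it can exploit
    and score the scenario by probability, degree and materiality of impact."""
    by_name = {v.name: v for v in vulns}
    scenarios = []
    for t in threats:
        for vname in t.exploits:
            v = by_name[vname]
            risk = round(t.probability * v.degree * asset_value[v.asset], 4)
            scenarios.append(Scenario(t.name, v.name, v.asset, risk, risk))
    return scenarios

def risk_reduction(cm, scenarios):
    """Risk a countermeasure removes across every scenario it covers."""
    return sum(s.risk * cm.effectiveness for s in scenarios
               if s.vulnerability in cm.covers)

def select_countermeasures(scenarios, candidates, budget):
    """Evaluate cost and effectiveness: rank by risk reduction per unit cost
    and take countermeasures greedily within the budget (constructed rule)."""
    ranked = sorted(candidates, reverse=True,
                    key=lambda c: risk_reduction(c, scenarios) / c.cost)
    chosen, spent = [], 0
    for cm in ranked:
        if spent + cm.cost <= budget:
            chosen.append(cm)
            spent += cm.cost
    return chosen

def apply_countermeasures(scenarios, chosen):
    """Residual risk = risk x product of (1 - effectiveness) over the chosen
    controls that cover the scenario's vulnerability."""
    for s in scenarios:
        remaining = s.risk
        for cm in chosen:
            if s.vulnerability in cm.covers:
                remaining *= 1 - cm.effectiveness
        s.residual = round(remaining, 4)
    return scenarios

def action_plan(scenarios):
    """Scenarios by residual risk, highest first: what the mitigation action
    plan must address, and the starting point of the next cycle."""
    return [(s.threat, s.vulnerability, s.asset, s.residual)
            for s in sorted(scenarios, key=lambda s: s.residual, reverse=True)]

# Constructed sample universe; none of these values come from the guide.
ASSET_VALUE = {"customer database": 5, "public web server": 3}  # 1..5 scale
VULNS = [
    Vulnerability("unchanged admin password", "customer database", 0.8),
    Vulnerability("open firewall port", "public web server", 0.6),
    Vulnerability("no change control", "customer database", 0.5),  # missing control
]
THREATS = [
    Threat("external intrusion", 0.3, ["open firewall port", "unchanged admin password"]),
    Threat("unauthorised change", 0.4, ["no change control"]),
    Threat("fraud", 0.1, ["unchanged admin password"]),
]
CONTROLS = [
    Countermeasure("password rotation policy", 2, 0.7, ["unchanged admin password"]),
    Countermeasure("change management process", 3, 0.8, ["no change control"]),
    Countermeasure("firewall rule review", 1, 0.5, ["open firewall port"]),
]

def run_cycle(budget=5):
    """One pass of the cycle: scenarios, control selection, residual risk, plan."""
    scenarios = build_scenarios(ASSET_VALUE, VULNS, THREATS)
    chosen = select_countermeasures(scenarios, CONTROLS, budget)
    apply_countermeasures(scenarios, chosen)
    return chosen, action_plan(scenarios)
```

With the constructed budget of 5 the change management process is left out, so the unmitigated change-control scenario tops the residual list and becomes the first item for the next cycle.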


HIGH-LEVEL ASSESSMENTS

High-level assessment can provide support in assurance planning by identifying processes where the maturity/control gap between as-is and to-be is the most significant. Several assessment techniques exist (covering the evaluation against performance and risk attributes, process maturity attributes, control objectives and maturity attributes) resulting in, for example, process compliance profiles as shown in figure 21.

The results of such high-level assessment can be used to prioritise the IT assurance work. Specific benefits of such high-level assessments are:
• Making members of IT management aware of their accountability for controlling IT and gaining their buy-in
• High-level checking of compliance with established IT control requirements
• Optimising and prioritising IT assurance resources
• Bridging to IT governance

DEFINE THE SCOPE AND OBJECTIVES OF THE ASSURANCE INITIATIVE

IT assurance professionals should also clearly define the scope and objectives of the assurance work and perform a preliminary assessment of internal control/maturity of the function/activities being reviewed to provide reasonable assurance that all material items will be adequately covered during the assurance initiative.

To execute high-level planning assessments, COBIT Quickstart can provide hands-on support (see www.isaca.org/cobit). Figures 20 through 22 also demonstrate other possible templates that can be used for high-level control and maturity assessments. The first template, shown in figure 20, is a management awareness diagnostic that evaluates processes against some performance and risk attributes. Completing this template for specific IT processes provides a quick insight into the risks associated (importance and performance), the responsibility (who does it), the formality (documentation), the assurance history and the accountability.

The next two templates provide examples of how to execute a process maturity assessment, using the maturity description or maturity attributes. The first template in figure 21 starts from the process maturity description, which needs to be broken down into several maturity statements. For each of the statements, a compliance value needs to be defined, which enables the IT assurance professional to calculate a ‘compliance profile’.

Another approach in assessing process maturity is to leverage the maturity attributes (COBIT maturity models as explained in the COBIT framework). The maturity of a process can be assessed against six maturity attributes:
• Awareness and communication
• Policies, plans and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement

Template columns: COBIT Processes | Risk (Importance, Performance) | Who Does It? (IT, Other, Outside, Do Not Know) | Formality | Audited? | Who Is Accountable?
Template rows (example processes): PO1 Define a strategic IT plan; PO10 Manage projects; AI6 Manage changes; DS2 Manage third-party services; DS5 Ensure systems security; ME1 Monitor and evaluate IT performance
Importance = How important for the organisation on a scale from 1 (not at all) to 5 (very)
Performance = How well it is done from 1 (very well) to 5 (do not know or badly)
Formality = Is there a contract, an SLA or a clearly documented procedure (Y, N or ?)
Audited? = Y, N or ?
Accountable = Name or ‘do not know’

Figure 20—Management Awareness Diagnostic


Assessment of these attributes on a template, as shown in figure 22, provides the IT assurance professional with a ‘rising star scheme’, indicating significant gaps between as-is and to-be, areas where attention is needed, and potential quick wins.

Template columns: Process Name; Process ID; No.; Statement; Weight; Maturity Level; compliance value (Not at all = 0.00, A little = 0.33, To some degree = 0.66, Completely = 1.00); Total Weight; Compliance
Chart: compliance profile across Level 1 to Level 5 (vertical axis from 0 to .50), shown for AI6—Manage Change: Maturity level 3, moving into level 4

Figure 21—Assessing the Process Maturity Compliance Profile
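The compliance profile calculation behind the figure 21 template, as an added example that is not part of the guide: the AI6 maturity statements, their weights, the weighted aggregation per maturity level and the thresholds used to read off ‘maturity level 3, moving into level 4’ are constructed assumptions; only the four compliance values come from the template.

```python
# Compliance values as labelled in the figure 21 template.
COMPLIANCE_VALUES = {"not at all": 0.00, "a little": 0.33,
                     "to some degree": 0.66, "completely": 1.00}

# Constructed maturity statements for AI6 Manage changes, written as
# (maturity level, statement, weight, assessed compliance). They stand in
# for the statements an assessor derives from the process maturity
# description; they are not the guide's own statements.
AI6_STATEMENTS = [
    (1, "Changes to production are recognised as needing control.", 1, "completely"),
    (1, "Emergency changes are recorded, at least after the fact.", 1, "completely"),
    (2, "An informal request step is followed for most changes.", 2, "completely"),
    (2, "Changes are logged by the operations team.", 1, "completely"),
    (3, "A documented procedure covers request, approval and release.", 3, "completely"),
    (3, "Every change is tested before release to production.", 2, "to some degree"),
    (3, "Emergency changes follow a defined fast-track procedure.", 2, "completely"),
    (4, "Failed, emergency and unauthorised changes are reported monthly.", 3, "a little"),
    (4, "Tooling enforces approval before deployment.", 2, "to some degree"),
    (4, "Post-implementation reviews are held for all major changes.", 1, "not at all"),
    (5, "Change data is integrated with configuration and release management.", 2, "not at all"),
    (5, "The change process is benchmarked and continuously improved.", 2, "a little"),
]

def compliance_profile(statements):
    """Per maturity level, the Total Weight and Compliance columns of the
    template: compliance = sum(weight x compliance value) / total weight."""
    totals, weighted = {}, {}
    for level, _statement, weight, answer in statements:
        totals[level] = totals.get(level, 0) + weight
        weighted[level] = weighted.get(level, 0.0) + weight * COMPLIANCE_VALUES[answer]
    return {lvl: (totals[lvl], round(weighted[lvl] / totals[lvl], 4))
            for lvl in sorted(totals)}

def assess_maturity(profile, achieved=0.66, emerging=0.33):
    """Constructed decision rule: the attained level is the highest level whose
    compliance reaches `achieved` with every lower level also reaching it; the
    process is 'moving into' the next level when that level reaches `emerging`."""
    attained = 0
    for lvl in sorted(profile):
        if profile[lvl][1] < achieved:
            break
        attained = lvl
    nxt = attained + 1
    moving = nxt in profile and profile[nxt][1] >= emerging
    return attained, moving

def describe(process_id, process_name, statements):
    """Summary line in the style of the figure 21 chart title."""
    level, moving = assess_maturity(compliance_profile(statements))
    text = "%s %s: Maturity level %d" % (process_id, process_name, level)
    return text + (", moving into level %d" % (level + 1) if moving else "")

def bar_chart(profile, width=40):
    """Text rendering of the compliance profile chart, one bar per level."""
    return "\n".join("Level %d %-*s %.2f" % (lvl, width, "#" * int(round(comp * width)), comp)
                     for lvl, (_total, comp) in profile.items())

if __name__ == "__main__":
    profile = compliance_profile(AI6_STATEMENTS)
    print(bar_chart(profile))
    print(describe("AI6", "Manage Change", AI6_STATEMENTS))
```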

Level 5
• Awareness and Communication: There is advanced, forward-looking understanding of requirements. Proactive communication of issues based on trends exists, mature communication techniques are applied, and integrated communication tools are in use.
• Policies, Plans and Procedures: External best practices and standards are applied. Process documentation is evolved to automated workflows. Processes, policies and procedures are standardised and integrated to enable end-to-end management and improvement.
• Tools and Automation: Standardised tool sets are used across the enterprise. Tools are fully integrated with other related tools to enable end-to-end support of the processes. Tools are being used to support improvement of the process and automatically detect control exceptions.
• Skills and Expertise: The organisation formally encourages continuous improvement of skills, based on clearly defined personal and organisational goals. Training and education support external best practices and use of leading-edge concepts and techniques. Knowledge sharing is an enterprise culture, and knowledge-based systems are being deployed. External experts and industry leaders are used for guidance.
• Responsibility and Accountability: Process owners are empowered to make decisions and take action. The acceptance of responsibility has been cascaded down throughout the organisation in a consistent fashion.
• Goal Setting and Measurement: There is an integrated performance measurement system linking IT performance to business goals by global application of the IT balanced scorecard. Exceptions are globally and consistently noted by management and root cause analysis is applied. Continuous improvement is a way of life.

Level 4
• Awareness and Communication: There is understanding of the full requirements. Mature communication techniques are applied and standard communication tools are in use.
• Policies, Plans and Procedures: The process is sound and complete; internal best practices are applied. All aspects of the process are documented and repeatable. Policies have been approved and signed off on by management. Standards for developing and maintaining the processes and procedures are adopted and followed.
• Tools and Automation: Tools are implemented according to a standardised plan, and some have been integrated with other related tools. Tools are being used in main areas to automate management of the process and monitor critical activities and controls.
• Skills and Expertise: Skill requirements are routinely updated for all areas, proficiency is ensured for all critical areas, and certification is encouraged. Mature training techniques are applied according to the training plan, and knowledge sharing is encouraged. All internal domain experts are involved, and the effectiveness of the training plan is assessed.
• Responsibility and Accountability: Process responsibility and accountability are accepted and working in a way that enables a process owner to fully discharge his/her responsibilities. A reward culture is in place that motivates positive action.
• Goal Setting and Measurement: Efficiency and effectiveness are measured and communicated and linked to business goals and the IT strategic plan. The IT balanced scorecard is implemented in some areas with exceptions noted by management and root cause analysis is being standardised. Continuous improvement is emerging.

Level 3
• Awareness and Communication: There is understanding of the need to act. Management is more formal and structured in its communication.
• Policies, Plans and Procedures: Usage of good practices emerges. The process, policies and procedures are defined and documented for all key activities.
• Tools and Automation: A plan has been defined for use and standardisation of tools to automate the process. Tools are being used for their basic purposes, but may not all be in accordance with the agreed plan, and may not be integrated with one another.
• Skills and Expertise: Skill requirements are defined and documented for all areas. A formal training plan has been developed, but formal training is still based on individual initiatives.
• Responsibility and Accountability: Process responsibility and accountability are defined and process owners have been identified. The process owner is unlikely to have the full authority to exercise the responsibilities.
• Goal Setting and Measurement: Some effectiveness goals and measures are set, but are not communicated, and there is a clear link to business goals. Measurement processes emerge, but are not consistently applied. IT balanced scorecard areas are being adopted, as is occasional intuitive application of root cause analysis.

Level 2
• Awareness and Communication: There is awareness of the need to act. Management communicates the overall issues.
• Policies, Plans and Procedures: Similar and common processes emerge, but are largely intuitive because of individual expertise. Some aspects of the process are repeatable because of individual expertise, and some documentation and informal understanding of policy and procedures may exist.
• Tools and Automation: Common approaches to use of tools exist but are based on solutions developed by key individuals. Vendor tools may have been acquired, but are probably not applied correctly, and may even be shelfware.
• Skills and Expertise: Minimum skill requirements are identified for critical areas. Training is provided in response to needs, rather than on the basis of an agreed plan, and informal training on the job occurs.
• Responsibility and Accountability: An individual assumes his/her responsibility and is usually held accountable, even if this is not formally agreed. There is confusion about responsibility when problems occur, and a culture of blame tends to exist.
• Goal Setting and Measurement: Some goal setting occurs; some financial measures are established but are known only by senior management. There is inconsistent monitoring in isolated areas.

Level 1
• Awareness and Communication: Recognition of the need for the process is emerging. There is sporadic communication of the issues.
• Policies, Plans and Procedures: There are ad hoc approaches to processes and practices. The process and policies are undefined.
• Tools and Automation: Some tools may exist; usage is based on standard desktop tools. There is no planned approach to the tool usage.
• Skills and Expertise: Skills required for the process are not identified. A training plan does not exist and no formal training occurs.
• Responsibility and Accountability: There is no definition of accountability and responsibility. People take ownership of issues based on their own initiative on a reactive basis.
• Goal Setting and Measurement: Goals are not clear and no measurement takes place.

Figure 22—Assessing Process Maturity Attributes


4. IT RESOURCE AND CONTROL SCOPING

INTRODUCTION

The second stage of the IT assurance framework (illustrated in figure 23) is the scoping stage. This stage determines which IT resources and control objectives are covered within a given IT control framework in the execution stage of the initiative. Scoping consists of linking applicable IT resources (e.g., applications, information, infrastructure, people) to applicable IT control objectives and then assessing the materiality of the impact of not achieving a specific control objective. Figure 23 illustrates the eight-step scoping process.

Setting the scope for the initiative too narrowly may result in material factors not being considered. Setting the scope for the initiative too broadly may result in inefficiencies and incorrect conclusions because of limited resources and time. Appendix VIII, IT Scoping, sets out a generic scoping methodology that can be applied to IT assurance initiatives and a variety of other IT governance programmes.

STEPS IN SCOPING IT RESOURCES AND CONTROL OBJECTIVES

Figure 24 describes the eight steps within the scoping phase of conducting the IT assurance initiative. These steps are described in more detail as follows.

Step 1—Establish Drivers for the Assurance Initiative

In the first step, the drivers for the assurance initiative and the corresponding assurance objective are identified. As noted in chapter 1, there are many possible drivers for assurance, including process improvement and meeting compliance needs in support of the financial statement audit. Verifying the drivers for the assurance initiative can be accomplished by activities such as interviewing key stakeholders or inspecting assurance plans or charters.

The eight steps of the scoping road map, with the criteria boxes A and B that they reference:
1 Establish drivers for the assurance initiative (clarify through interviews with stakeholders).
2 Document the enterprise architecture for IT (clarify through interviews with key IT staff members).
3 Choose an IT control framework [A] (verify that it responds to minimum criteria).
4 Select the IT process [B] (document and validate the link amongst business goal, IT goal and IT process).
5 Select IT component [B] (record the important activities and resources for the processes selected).
6 Refine component selection with cause/effect analysis [B] (use the goals and metrics chain: business-IT process-activity).
7 Select initial control objectives [B] (leverage control framework mappings).
8 Refine control objectives selection with risk analysis [B] (linking significant threats to applicable vulnerabilities to material impact).

A. Framework Criteria
• A common language for IT activities and key management practices
• Business focus
• Governance expectations
• IT tasks and activities organised into discrete processes
• Consistent with generally accepted IT good practices and corporate governance standards

B. Deciding What Is In
• Select
• Weigh
• Cut off
• Customise

Figure 23—IT Scoping Road Map


More specifically, the boundaries of the entity under review need to be unambiguously described, together with the current roles and responsibilities and the resources required by IT to support the defined business needs of the entity under review.

The assurance professional needs to interview appropriate management and staff members to obtain an understanding of:
• Business requirements and associated risks
• Organisation structure
• Roles and responsibilities
• Policies and procedures
• Laws and regulations
• Control measures in place
• Management reporting (status, performance, actions)
• Past issues and corrective actions taken
• Current issues and concerns
• What management hopes to obtain as a result of the assurance initiative

Step 2—Document Enterprise IT Architecture

In the second step, the enterprise IT architecture is documented. The concept and elements of the architecture are set out in chapter 3. The enterprise IT architecture can also be validated by interviews with key IT staff members.

Step 3—Select Control Frameworks

Appropriate control frameworks are selected in the third step. Typically this will be COBIT, but for some initiatives it may be COSO, similar entity-level control frameworks, or more detailed frameworks or standards, such as one of the relevant ISO standards.

Step 4—Identify IT Processes

After the appropriate control framework is chosen, the appropriate IT processes are selected and linked to appropriate IT resources in the next step. IT processes in scope can be identified through analysis of the relationship amongst business goals, IT goals and IT processes.

Step 5—Select IT Components

Step five is described in chapter 2. IT resources are made up of:
• Applications
• Information
• Infrastructure
• People

A number of inputs can be used to determine the IT resources that are relevant to the initiative. The priority here should be on completeness because the subsequent risk analysis determines items that can be excluded from the scope of the initiative. However, efficiency needs to be taken into account as well, to keep the matrix to a reasonable/workable size. The different inputs are:
• Drivers for the initiative—The drivers for the assurance initiative are the most important factors for determining the IT components and the control objectives to review. Typical examples are major service breakdown, organisational change and regulatory compliance.
• Business control requirements—Given the focus of this guide on IT assurance, it is assumed that the analysis of the required and applicable business controls has occurred so that the scoping of IT controls is limited to how IT supports automated business controls.
• Enterprise architecture for IT—The enterprise architecture encompasses the processes involved to deliver the information services, the portfolio of applications and systems in use by the organisation, the technology used to run them, and the people needed to plan, build, operate and support the applications. The relevant IT resources or groups of IT resources can be deduced from the architecture.

Step 6—Refine IT Component Selection

In the initial linking of processes to resources, the assurance professional may derive a rather large portfolio, perhaps broader than can be cost-effectively reviewed within the terms of the assurance initiative. In the sixth step, the assurance professional should refine the selection of IT resources by ensuring that the resources have a direct relationship to the processes relevant to the initiative.


Step 7—Select Control Objectives

The assurance professional makes a first selection of the COBIT control objectives that are relevant for the IT processes that are in scope for the assurance initiative. Often the control objectives need to be customised for the realities of the particular enterprise situation. For most initiatives, scoping IT resources does not require substantial analysis, because it starts from a specific enterprise situation. Conversely, scoping the control objectives needs more analysis because it starts from one or more generic frameworks. COBIT provides material that can support the latter step, by describing a ‘risk and value’ statement for each of the control objectives, demonstrating why specific controls are needed. Some mapping is required as well as customisation of the selected control objectives to the enterprise environment and the objective of the assurance initiative.

Step 8—Refine Control Objectives Selection

Finally, in the eighth step, the assurance professional links the refined portfolio of IT resources set out in step six to the first cut of control objectives selected in the seventh step. In an iterative process, the professional refines and often reduces the list of control objectives that are relevant for this particular assurance initiative. The process of linking IT resources to control objectives is illustrated in figure 24.

In this step, the assurance professional should analyse the risk of not achieving the selected control objectives for the selected IT resources, and retain only the IT resources and control objectives that have a material effect if the control objective is not achieved. The assurance professional should:
• Review the horizontal lines of the matrix (figure 24) to determine if there is sufficient risk to keep the IT resource in scope and to identify the resources with high risk that may require more in-depth review and testing
• Review the vertical lines of the matrix (figure 24) to remove the control objectives that are low risk and to identify objectives that require enterprisewide solutions as opposed to point solutions

The critical conclusion of this step, illustrated in figure 24, is to answer the question, ‘Will not achieving this control objective for this class of IT resource be material for this particular assurance initiative?’ Only the cells for which the answer is ‘yes’ should be retained in the final IT control scope.
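The materiality test just described, worked through as an added example that is not part of the guide: a small Python scoping matrix with constructed, hypothetical risk ratings for four IT resources (one per COBIT resource type) against four control objectives whose identifiers appear in this guide (AI6.2, AC3, AC4, PC2). The threshold for ‘material’ (a medium or higher rating) and the heuristic that an objective material for two or more resources needs an enterprisewide rather than a point solution are assumptions made for the example, not rules from the guide.

```python
"""Risk-based scoping matrix: IT resources (rows) x control objectives (columns).

Added example; every risk rating below is constructed and hypothetical.
"""
from typing import Dict, List, Set, Tuple

# Ordinal risk ratings for a cell. MATERIAL is an assumption: a cell rated
# medium or higher answers "yes" to the materiality question and is retained.
RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}
MATERIAL = RISK["medium"]


class ScopingMatrix:
    """Holds one risk rating per (resource, control objective) cell."""

    def __init__(self, resources: List[str], objectives: List[str]) -> None:
        self.resources = list(resources)
        self.objectives = list(objectives)
        self.cells: Dict[Tuple[str, str], int] = {}

    def rate(self, resource: str, objective: str, level: str) -> None:
        if resource not in self.resources or objective not in self.objectives:
            raise KeyError(f"unknown cell ({resource!r}, {objective!r})")
        self.cells[(resource, objective)] = RISK[level]

    def risk(self, resource: str, objective: str) -> int:
        # An unrated cell is treated as "no risk identified".
        return self.cells.get((resource, objective), 0)

    # Step 8: retain only the cells for which the answer is "yes".
    def material_cells(self) -> Set[Tuple[str, str]]:
        return {cell for cell, r in self.cells.items() if r >= MATERIAL}

    # Horizontal review: keep resources with sufficient risk, flag high-risk ones.
    def resources_in_scope(self) -> List[str]:
        return [r for r in self.resources
                if any(self.risk(r, o) >= MATERIAL for o in self.objectives)]

    def high_risk_resources(self) -> List[str]:
        """Resources with at least one high-rated cell: candidates for in-depth testing."""
        return [r for r in self.resources
                if any(self.risk(r, o) == RISK["high"] for o in self.objectives)]

    # Vertical review: drop low-risk objectives, classify the remaining ones.
    def objectives_in_scope(self) -> List[str]:
        return [o for o in self.objectives
                if any(self.risk(r, o) >= MATERIAL for r in self.resources)]

    def dropped_objectives(self) -> List[str]:
        keep = set(self.objectives_in_scope())
        return [o for o in self.objectives if o not in keep]

    def solution_type(self, objective: str) -> str:
        """Heuristic (assumption): material for two or more resources means an
        enterprisewide solution is needed; for exactly one, a point solution."""
        n = sum(1 for r in self.resources if self.risk(r, objective) >= MATERIAL)
        if n == 0:
            return "out of scope"
        return "enterprisewide" if n >= 2 else "point"

    def render(self) -> str:
        """Plain-text view of the matrix; retained (material) cells are marked '*'."""
        width = max(len(r) for r in self.resources)
        lines = [" " * width + "  " + "  ".join(f"{o:>7}" for o in self.objectives)]
        for r in self.resources:
            marks = []
            for o in self.objectives:
                lvl = self.risk(r, o)
                marks.append(f"{lvl}{'*' if lvl >= MATERIAL else ' '}".rjust(7))
            lines.append(f"{r:<{width}}  " + "  ".join(marks))
        return "\n".join(lines)


def build_sample() -> ScopingMatrix:
    """Constructed sample: four resources (one per COBIT resource type) against
    four control objectives whose identifiers appear in the guide."""
    m = ScopingMatrix(
        ["ERP application", "Customer master data", "Core network", "Operations staff"],
        ["AI6.2", "AC3", "AC4", "PC2"],
    )
    ratings = {  # hypothetical ratings
        "ERP application":      {"AI6.2": "high", "AC3": "high", "AC4": "medium", "PC2": "low"},
        "Customer master data": {"AI6.2": "low", "AC3": "medium", "AC4": "low", "PC2": "none"},
        "Core network":         {"AI6.2": "medium", "AC3": "none", "AC4": "none", "PC2": "low"},
        "Operations staff":     {"AI6.2": "low", "AC3": "low", "AC4": "none", "PC2": "low"},
    }
    for resource, row in ratings.items():
        for objective, level in row.items():
            m.rate(resource, objective, level)
    return m


if __name__ == "__main__":
    matrix = build_sample()
    print(matrix.render())
    print("resources in scope:", matrix.resources_in_scope())
    print("in-depth testing:", matrix.high_risk_resources())
    for o in matrix.objectives:
        print(f"{o}: {matrix.solution_type(o)}")
```

With the sample ratings the horizontal review drops the people resource entirely and singles out the ERP application for in-depth testing, while the vertical review drops PC2 and classifies AC4 as a point solution (material for one resource only) against AI6.2 and AC3 as enterprisewide.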

IT-RELATED BUSINESS GOALS AND IT GOALS

To assist the IT assurance professionals in assurance planning, COBIT provides a detailed cascade from IT-related business goals to IT goals to IT processes. COBIT defines 17 generic business goals, which encompass business drivers and services that directly impact IT. These are translated into supporting IT goals that, in turn, are linked to IT process goals (see appendix 1 in COBIT 4.1). This cascade of business, IT and process goals is particularly useful when analysing the assurance initiative drivers and how they impact the assurance universe.

Figure 24—Risk-based IT Resource and Control Scoping (figure; only labels recovered): IT Process Selection; Scoping IT Resources; Scoping Control Objectives; inputs: Business Control Requirements, Enterprise Architecture for IT, Assurance Initiative Drivers, IT Control Framework; question asked per cell: ‘Will not achieving this control objective for this IT resource be material?’


This cascade of goals can help guide the assurance planning work. As shown in figure 25, if the assurance work focuses on a specific business function, IT-related business goals and IT goals can be valuable input for the assurance planning work. Assurance work that focuses on a specific organisational component (e.g., a process) can use IT goals and IT process goals as a source of information for assurance planning.


Figure 25—IT-related Business, IT and IT Process Goals for IT Assurance Planning (figure; only labels recovered): assurance subject axis: Major Application, Important Infrastructure Component, Organisational Component, Major Change, Business Function; goal information axis: Business Goals, IT Goals, IT Process Goals; cells marked P=primary, S=secondary (the individual cell values are not recoverable from the extraction).


5. ASSURANCE INITIATIVE EXECUTION

INTRODUCTION

The third stage of the IT assurance framework (previously illustrated in figure 10) is the execution stage. Figure 10 describes a road map that assurance professionals can follow as they execute a particular assurance initiative. The remainder of this section will analyse the road map in detail.

STEP 1—REFINE UNDERSTANDING

The assurance steps to be performed document the activities underlying the control objectives and identify the stated control measures/procedures in place.

The first step of the execution stage is refining an understanding of the environment in which the testing is performed. This implies understanding the organisation to select the correct assurance scope and objectives. The assurance scope and objectives need to be communicated to and agreed upon by all stakeholders.

The output from this step consists of documented evidence regarding:
• Who performs the task(s), where the task is performed and when the task is performed
• The inputs required to perform the task and the outputs generated by the task
• The stated procedures for performing the task

The assurance professional can structure this step along the following lines:
• Interview and use activity lists and RACI charts.
• Collect and read process description, policies, input/output, issues, meeting minutes, past assurance reports, past assurance recommendations, business reports, etc.
• Prepare the scoping task (objective of process, goals and metrics of process to be reviewed).
• Build an understanding of enterprise IT architecture.

STEP 2—REFINE SCOPE

The assurance steps to be performed determine the scope of the assurance project.

Based on the current and detailed understanding of the IT environment, any revisions that may have been made to the business and/or assurance objectives, and whilst planning a cost-effective testing plan, it may be appropriate to adjust the scope.

The scoping phase performed earlier may, therefore, need to be refined to determine a finalised subset of the assurance universe (e.g., process, system, application) and a set of controls to be reviewed.

Analyse Business and IT Goals

The assurance objectives and approach to the current business objectives should be realigned, and the understanding of business processes, the business goals, and the relevance of IT to the processes and objectives should be updated. The IT goals may need to be adjusted, bearing in mind the latest assurance requirements and the IT organisation.

Figure 10—Execution Road Map (figure; steps recovered)
1. Refine the understanding of the IT assurance subject.
2. Refine scope of key control objectives for the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Alternatively/additionally test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Develop and communicate overall conclusion and recommendations.


Select Processes and Controls

The selection of the in-scope IT processes, IT control objectives and IT resources (i.e., applications, information, infrastructure, people) should be refined to establish the assurance boundaries. The selection of the processes, objectives and related resources is performed by assessing if it is likely that non-achievement of the control objective for the IT component will have a material effect.

Analyse Risks

The scope may need to be further adjusted, based on an assessment of the inherent risk of material control objectives not being met. This risk-adjusted scope determines the amount of assurance review and testing required.

Finalise Scope

The assurance strategy should be set, and the scope and focus of the assurance approach should be finalised based on the latest understanding of objectives, optimum testing approach and assessed risk, as described previously. The IT processes, IT resources and IT control objectives selection should be adjusted as required by the strategy defined. The documentation required and the testing approach should be determined to ensure the most effective and efficient coverage of assurance objectives.

STEP 3—TEST THE CONTROL DESIGN

This section lists the different techniques that will be used in the detailed assurance steps.

Testing is performed, covering the following main test objectives (also to be found in SAS 70 [3] and SysTrust™ [4] assurance):
• Evaluate the design of the controls.
• Confirm that controls are placed in operation.
• Assess the operational effectiveness of the controls.

In addition, control efficiency may also be tested.

In the testing phase, different types of testing can be applied. Five generic testing methods include:
• Enquire and confirm:
– Search for exceptions/deviations and examine them.
– Investigate unusual or non-routine transactions/events.
– Check/determine whether something has (not) occurred (sample).
– Corroborate management statements from independent sources.
– Interview staff members and assess their knowledge and awareness.
– Reconcile transactions (e.g., reconciling transactions to bank statements).
– Ask management questions and obtain answers to confirm findings.
• Inspect:
– Review plans, policies and procedures.
– Search audit trails, problem logs, etc.
– Trace transactions through the process/system.
– Physically inspect presence (documentation, assets, etc.).
– Walk through installations, plans, etc.
– Perform a design or code walk-through.
– Compare actual with expected findings.
• Observe:
– Observe and describe the processes.
– Observe and describe the procedures.
– Compare actual with expected behaviour.
• Reperform and/or recalculate:
– Independently develop and estimate the expected outcome.
– Attempt what is prevented.
– Reperform what is detected by detective controls.
– Reperform transactions, control procedures, etc.
– Recalculate independently.
– Compare expected value with actual value.
– Compare actual with expected behaviour.
– Trace transactions through the process/system.


[3] Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognised auditing standard developed by the American Institute of Certified Public Accountants (AICPA).

[4] SysTrust is an assurance service developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA).


• Review automated evidence collection:
– Collect sample data.
– Use embedded audit modules.
– Analyse data using computer-assisted audit techniques (CAATs).
– Extract exceptions or key transactions.

The assurance steps to be performed assess the adequacy of the design of controls. The following three assurance steps should be performed:
• Observe/inspect and review the control approach, and test the design for completeness, relevancy, timeliness and measurability.
• Enquire whether and confirm that the responsibilities for the control practices and overall accountability have been assigned. Test whether accountability and responsibilities are understood and accepted. Verify that the right skills and the necessary resources are available.
• Enquire through interviews with key staff members involved whether the control mechanism, its purpose, and the accountability and responsibilities are understood.

In summary, the assurance professional must determine whether:
• Documented control processes exist
• Appropriate evidence of control processes exists
• Responsibility and accountability are clear and effective
• Compensating controls exist, where necessary

Additionally and specifically in internal audit assignments, the cost-effectiveness of the control design should be verified with the following assurance steps:
• If the design of the control practice set is effective, investigate whether it can be made more efficient by optimising steps, looking for synergies with other control mechanisms and reconsidering the balance of prevention vs. detection and correction. Consider the effort spent in maintaining the control practices.
• If the control practice set is operating effectively, investigate whether it can be made more cost-effective. Consider analysing performance metrics of the activities associated with this control practice set, automation opportunities and/or skill level.

STEP 4—TEST THE OUTCOME OF THE CONTROL OBJECTIVES

The assurance steps to be performed ensure that the control measures established are working as prescribed, consistently and continuously, and conclude on the appropriateness of the control environment.

To test the outcome or effectiveness of the control, the assurance professional needs to look for direct and indirect evidence of the control’s impact on the quality of the process outputs. This implies the direct and indirect substantiation of measurable contribution of the control to the IT, process and activity goals, thereby recording direct and indirect evidence of actually achieving the outcomes as documented in COBIT.

The assurance professional should obtain direct or indirect evidence for selected items/periods to ensure that the control under review is working effectively by applying a selection of testing techniques as presented in step three. The assurance professional should also perform a limited review of the adequacy of the process deliverables and determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.

STEP 5—DOCUMENT THE IMPACT OF CONTROL WEAKNESSES

The assurance steps to be performed substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.

When control weaknesses are found, they have to be properly documented, taking into account their often sensitive and confidential nature. In addition, particular care is required to correctly analyse and assess the severity of the observed weaknesses and the potential business impact they may have.

The objective of this step is to conduct the necessary testing to provide management with assurance (or non-assurance) about the achievement of a given business process and its related control objectives. More detailed analysis should occur when:
• No control measures are in place
• Controls are not working as expected
• Controls are not consistently applied


This should result in a thorough understanding of the control weaknesses and the resulting threats and vulnerabilities, and an understanding of the potential impact of the control weaknesses.

The following assurance steps can be performed to document the impact of not achieving the control objective:
• Relate the impact of not achieving the control objective to actual cases in the same industry and leverage industry benchmarks.
• Link known performance indicators to known outcomes and, in their absence, link the cause to its effect (cause/effect analysis).
• Illustrate what the impact would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources).
• Illustrate the impact of control weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
• Clarify vulnerabilities and threats that are more likely with controls not operating effectively.
• Document the impact of actual control weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder requirements, etc.
• Point out the consequence of non-compliance with regulatory requirements and contractual agreements.
• Measure the actual impact of disruptions and outages on business processes and objectives, and on customers (e.g., number, effort, downtime, customer satisfaction, cost).
• Document the cost (i.e., customer and financial impact) of errors that could have been caught by effective controls.
• Measure and document the cost of rework (e.g., ratio of rework to normal work) as an efficiency measure affected by control weaknesses.
• Measure the actual business benefits and illustrate cost savings of effective controls after the fact.
• Use benchmarking and survey results to compare the enterprise performance with others.
• Use extensive graphics to illustrate the issues.

COBIT provides support in the following ways:
• The business, IT and process goals and the information criteria in the process descriptions indicate what business values are at risk if controls are not implemented properly.
• For each control objective, there are value and risk driver statements that indicate the benefits to be gained and the risks to be avoided by improving controls.
• The RACI charts demonstrate which roles might be affected by the risk and, therefore, should be informed of the substantive testing outcome.
• Maturity models can be leveraged to benchmark internally and against other industries or competitors in an easy, accessible and understandable manner, helping to influence management. Benchmarking data are available in COBIT Online.

STEP 6—DEVELOP AND REPORT OVERALL CONCLUSION AND RECOMMENDATIONS

The assurance steps to be performed communicate the substantiated risk of the control weaknesses to the different stakeholders of the assurance initiative.

The assurance professional should document any identified control weaknesses and resulting threats and vulnerabilities, and identify and document the actual and potential impact (e.g., through root cause analysis). In addition, the assurance professional may provide comparative information (e.g., through benchmarks) to establish a reference framework in which the test results ought to be evaluated. As potential guidance to this, a generic maturity model for internal control is provided in chapter 7, Maturity Model for Internal Control, showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimised level.

The objective is to identify items of significance to be able to articulate to the stakeholder the recommended actions and reasons for taking action. This phase includes aggregating the results of the previous phases, developing a conclusion concerning the identified control weaknesses and communicating:
• Recommended actions to mitigate the impact of the control weaknesses
• Performance comparison to standards and best practices for a relative view on the results
• The risk position regarding the process

The formulated conclusion and recommendations should allow the responsible party to take further steps and remedial actions.

When the assurance initiative is performed within an assurance context, the assurance professional needs to be thoughtful of formal assurance communication and compliant with assurance reporting standards and guidelines (available at www.isaca.org).


6. ASSURANCE GUIDANCE FOR COBIT PROCESSES AND CONTROLS

INTRODUCTION

This section describes the structure of the detailed testing guidance based on COBIT, covering six generic controls applicable to all IT processes, IT general controls based on the 34 COBIT IT processes and six application controls.

Guidance is provided for testing control design, testing control outcome and documenting the impact in appendices I through VI,according to the layout in figure 26.

GENERIC PROCESS CONTROLS

Each COBIT process has generic control requirements that are identified by generic process controls within the Process Control (PC) domain (see appendix I). These are applicable for all COBIT processes and should be considered together with the detailed COBIT control objectives to have a complete view of control requirements.

The six generic process controls, detailed in appendix I, Process Control, are:
• PC1 Process goals and objectives
• PC2 Process ownership
• PC3 Process repeatability
• PC4 Roles and responsibilities
• PC5 Policy, plans and procedures
• PC6 Process performance improvement

GENERIC CONTROL PRACTICES

Three generic control practices and, consequently, three generic assurance steps are defined. They are:
• Approach
• Accountability and responsibility
• Communication and understanding

The complete set of generic and specific control practices provides one consistent control approach necessary and sufficient for achieving the stated control objectives. Other control approaches with different sets of practices may exist; hence, there is a need to always verify the appropriateness of the control design at the outset of control implementation or at the outset of assurance activities.

Approach

The generic approach control practice consists of:
• Generic control practice—Designs the control approach for achieving this control objective, and defines and maintains the control practices that implement this design
• Assurance step—Enquires whether and confirms that a set of practices has been defined to achieve the objective; observes/inspects and reviews the control approach, and tests the design for completeness, relevancy, timeliness and measurability

Figure 26—Structure of the Detailed Assurance Advice in Appendices I to VI (figure; recovered layout): Control Objective; Value Statements; Risk Statements; Assurance Steps for Testing Control Design; Assurance Steps for Testing the Outcome of the Control Objectives; Assurance Steps for Documenting the Impact of Control Weaknesses.


Accountability and Responsibility

The generic accountability and responsibility control practice consists of:
• Generic control practice—Defines and assigns accountability and responsibility for the control objective as a whole, and responsibility for the different control practices (see RACI charts in COBIT); makes sure personnel have the right skills and necessary resources to execute these responsibilities
• Assurance step—Enquires whether and confirms that responsibilities for the control practices as well as overall accountability have been assigned in a cost-effective and efficient manner; tests whether accountability and responsibilities are understood and accepted; verifies that the right skills and necessary resources are available

Communication and Understanding

The generic communication and understanding control practice consists of:
• Generic control practice—Ensures the control practices, as implemented, address the control objectives and are communicated and understood
• Assurance step—Enquires through interviews with key staff members involved whether the control mechanism, its purpose, and the accountability and responsibilities have been communicated and are understood

IT GENERAL CONTROLS

General controls relate to the environment within which automated application systems are developed, maintained and operated and which are, therefore, applicable to all the applications. They ensure the proper development, implementation and maintenance of all automated applications, and the integrity of program and data files and of computer operations.

Guidance is provided on how to test COBIT’s 34 IT processes, organised into four appendices (see appendices II-V) based onCOBIT’s four domains.

APPLICATION CONTROLS

Application controls relate to the transactions and standing data pertaining to each automated application system and are specific to each such application. They ensure the completeness and accuracy of the records and the validity of the entries made in the transactions and standing data resulting from both manual and automated processing. They are defined further in the Application Control (AC) domain in appendix VI.

Relative to IT assurance, a distinction is made between application and general controls. General controls are controls embedded in the IT organisation, its processes and services. Examples include:
• Systems development
• Change management
• Security
• Computer operations

Controls embedded in business process applications, on the other hand, are commonly referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation of duties

Therefore, the objectives of application controls generally involve ensuring that:
• Data prepared for entry are complete, valid and reliable
• Data are converted to an automated form and entered into the application accurately, completely, and on time
• Data are processed by the application completely and on time, and in accordance with established requirements
• Output is protected from unauthorised modification or damage and distributed in accordance with prescribed policies

COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement (AI) domain, based on business requirements defined using COBIT’s information criteria. The operational management and control responsibility for application controls is not with IT, but with the business process owner. IT delivers and supports the applications’ services and the supporting information databases and infrastructures. Therefore, the COBIT IT processes cover general IT controls but not application controls, because these are the responsibility of business process owners and, as described previously, are integrated into business processes.


Business controls are not in the scope of COBIT and IT Assurance Guide. Figure 27 sets the boundaries of IT general controls andapplication controls, delineating at the same time the extent to which COBIT handles business controls.

For automated services, the business is responsible for defining functional, as well as control, requirements to be included in all business processes supported by applications. Subsequently, IT responsibilities include automation of the business functional and control requirements and establishment of controls to maintain the integrity of the business applications.

Just as for the IT general controls and generic process controls, guidance is provided for testing the design and outcome and documenting impact for each of the six COBIT application controls, detailed in appendix VI, Application Control:
• AC1 Source document preparation and authorisation
• AC2 Source document collection and data entry
• AC3 Accuracy, completeness and authenticity checks
• AC4 Data processing integrity and validity
• AC5 Output review, reconciliation and error handling
• AC6 Transaction authentication and integrity

Application control weaknesses may have an impact on the entity’s ability to process business transactions through the impacted business processes and applications. Application controls are a subcomponent of the entity’s business controls. Weaknesses in application controls may be mitigated by compensating manual business and organisational control activities. The impact of application control weaknesses should be considered in the context of the underlying business process nature and related transactions and the impact of other business process controls and, as such, should be considered in consultation with the business process assurance provider.

EXAMPLES OF THE USE OF DETAILED ASSURANCE STEPS

Some illustrative examples of how the assurance testing steps could be applied follow.

Example 1—Testing of Control Design

SITUATION
General computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Manage changes, control objective AI6.2 Impact assessment, prioritisation and authorisation.

OBSERVATIONS
For the selected systems (e.g., application, platform, network), the assurance professional inventoried the types of changes that can be implemented, the procedures (formal or informal) currently in place, all parties involved in the change management process, tools used, etc. This was done through interviews with involved persons and inquiries for documented procedures. The result of this work was a comprehensive and correct flowchart of the change management process.

[Figure 27—IT General Controls and Application Controls: a diagram; only its labels survive in this text.]

IT General Controls: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
Application Controls
Business Controls: Business Functional Requirements; Business Control Requirements; Automated Services
• Business’s responsibility to properly define functional and control requirements
• Business’s responsibility to properly use automated services
• IT’s responsibility to automate and implement business functional and control requirements, and to establish controls to maintain the integrity of application controls

Figure 27—IT General Controls and Application Controls


The assurance professional reviewed the identified process flow to determine whether there was a step defined in the procedure to assess the impact of a change by a competent person or group of persons. The assurance professional observed that the template for requesting and approving changes included a section on impact assessment. However, the change management procedure did not mention that this information is mandatory, and the absence of this information did not lead to a rejection of the change request. In addition, the procedure did not mention any documentation standards or required verification and approval steps for the impact assessment.

CONCLUSION
The design of this control is flawed because a fundamental component of the control (i.e., impact assessment) is incomplete at best. It is possible that changes have been implemented without proper risk assessment, which can lead to unplanned and difficult-to-contain operational disruptions or malfunctions.

Example 2—Testing for the Effectiveness of the Control

SITUATION
General computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Manage changes, control objective AI6.3 Emergency changes.

OBSERVATIONS
As part of the evaluation of the control design, the assurance professional identified that, for all relevant change management procedures, there is a control defined to help ensure that emergency change requests are reintroduced into the normal change management cycle. In addition, the assurance professional found that there is a procedure that ensures that all emergency changes are appropriately logged in a change management tool.

As part of the control effectiveness testing, a sample of emergency change requests was selected from the change management tool and traced to its reintroduction as normal changes. This tracing included verification of whether the emergency change was actually introduced again as a normal change and whether it was processed following the normal change management procedure.

The assurance professional observed that from the sample of 25 emergency changes selected, three of them were not subsequently reprocessed as normal changes. In addition, the assurance professional found that from the 22 emergency changes that had been duly reintroduced, only 10 were discussed at the change management board—or at least that there was a trace available that indicated that the 10 changes were discussed (trace included information stored in the change management tool).

CONCLUSION
The emergency change procedure is not effective for two reasons:
• Not all emergency changes are reintroduced in the system, leading to a risk of losing emergency changes from sight and not learning from them.
• Emergency changes that have been reintroduced are most likely inadequately discussed and documented, leading to the same risk.

Example 3—Documenting the Impact of Control Weaknesses

SITUATION
General computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Manage changes, control objective AI6.3 Emergency changes.

OBSERVATIONS
Using the situation as described, the assurance professional needed to gain additional information and perform further analysis to assess and document the impact of the control weaknesses. For the aforementioned examples, the assurance professional needed to consider the types and numbers of changes affected by the control weaknesses.

Some of the required information might/should already be gathered at the planning stage. This information should be used to evaluate the materiality of the weaknesses noted. Notably, the changes affected should be mapped back to the relevant infrastructure components and the applications/information they support/process. In addition, SLA penalties might apply. Furthermore, analysis of problems noted in the past can help establish the real potential impact of the weaknesses noted.

In this case, it turns out that, after discussion with the responsible change manager and confirmation with other change management board members, the missing emergency changes relate to non-critical systems and the missing documentation was only a documentation issue, whereas the actual change, its cause and consequences had indeed been discussed but were not formally documented.

CONCLUSION
Although the control weaknesses remain as they have been observed, further analysis and documentation showed that the weaknesses were of a lesser importance than originally assessed.
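The two-step procedure in Examples 2 and 3 (trace each sampled emergency change to its normal-change counterpart and to a change management board record, then weigh the exceptions by the criticality of the affected system and by follow-up interviews) is shown below as an added Python illustration; it is not code from the IT Assurance Guide or from ITGI. The record layout (`change_type`, `reintroduces`, `cab_discussed`, `critical`) is an assumption about what a change-management tool export would contain, and the 25 records are constructed to reproduce the example’s figures.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Change:
    """One record exported from the change-management tool (assumed layout)."""
    change_id: str
    change_type: str              # "emergency" or "normal"
    reintroduces: Optional[str]   # normal change only: id of the emergency change it formalises
    cab_discussed: bool           # the tool holds a trace of the change management board discussion
    system: str
    critical: bool                # criticality of the system, from the planning-stage inventory


def build_sample() -> List[Change]:
    """Constructed sample of 25 emergency changes mirroring the example's figures:
    22 reintroduced as normal changes, 10 of those with a CAB trace, 3 never reintroduced."""
    critical_systems = {5, 10, 15, 20}  # constructed: the three missing changes (23-25) are non-critical
    records: List[Change] = []
    for i in range(1, 26):
        ec_id = f"EC-{i:03d}"
        is_critical = i in critical_systems
        records.append(Change(ec_id, "emergency", None, False, f"sys-{i:02d}", is_critical))
        if i <= 22:
            records.append(Change(f"NC-{i:03d}", "normal", ec_id, i <= 10, f"sys-{i:02d}", is_critical))
    return records


@dataclass
class TraceResult:
    not_reintroduced: List[str]
    reintroduced_without_cab_trace: List[str]
    reintroduced_with_cab_trace: List[str]

    @property
    def sample_size(self) -> int:
        return (len(self.not_reintroduced) + len(self.reintroduced_without_cab_trace)
                + len(self.reintroduced_with_cab_trace))


def trace_emergency_changes(records: List[Change]) -> TraceResult:
    """Example 2: follow every sampled emergency change to its normal-change
    counterpart and then to the CAB discussion trace held in the tool."""
    normal_by_emergency: Dict[str, Change] = {
        c.reintroduces: c for c in records if c.change_type == "normal" and c.reintroduces
    }
    result = TraceResult([], [], [])
    for ec in (c for c in records if c.change_type == "emergency"):
        normal = normal_by_emergency.get(ec.change_id)
        if normal is None:
            result.not_reintroduced.append(ec.change_id)
        elif normal.cab_discussed:
            result.reintroduced_with_cab_trace.append(ec.change_id)
        else:
            result.reintroduced_without_cab_trace.append(ec.change_id)
    return result


def control_effective(result: TraceResult) -> bool:
    """The control passes only if every emergency change was reintroduced and discussed."""
    return not result.not_reintroduced and not result.reintroduced_without_cab_trace


def impact_summary(result: TraceResult, records: List[Change],
                   confirmed_discussed: Set[str]) -> Dict[str, int]:
    """Example 3: weigh the exceptions. `confirmed_discussed` holds the ids that CAB
    members confirmed in interviews were discussed but not formally documented."""
    critical = {c.change_id: c.critical for c in records if c.change_type == "emergency"}
    undocumented = result.reintroduced_without_cab_trace
    return {
        "not_reintroduced": len(result.not_reintroduced),
        "not_reintroduced_on_critical_systems": sum(critical[i] for i in result.not_reintroduced),
        "undocumented_discussions": len(undocumented),
        "documentation_only": len([i for i in undocumented if i in confirmed_discussed]),
        "unresolved": len([i for i in undocumented if i not in confirmed_discussed]),
    }


if __name__ == "__main__":
    sample = build_sample()
    trace = trace_emergency_changes(sample)
    print(f"sample={trace.sample_size} not reintroduced={len(trace.not_reintroduced)} "
          f"with CAB trace={len(trace.reintroduced_with_cab_trace)} effective={control_effective(trace)}")
    # Follow-up from Example 3: interviews confirmed all undocumented changes were in fact discussed.
    print(impact_summary(trace, sample, set(trace.reintroduced_without_cab_trace)))
```

The effectiveness verdict is deliberately strict (any exception fails the control), which matches Example 2’s conclusion; the impact summary is what changes after the interviews in Example 3, not the verdict itself.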


7. HOW COBIT COMPONENTS SUPPORT IT ASSURANCE ACTIVITIES

INTRODUCTION
Figure 28 links the list of typical IT assurance activities to the COBIT components that can be leveraged to make the activities more efficient and effective. It demonstrates how COBIT can support specific assurance-related activities, often performed as stand-alone tasks, in addition to how COBIT has provided support to the suggested IT assurance road map, described in the previous sections.

Links have been indicated only where there is specific and strong support for an IT assurance activity. There are some key components, however, that support all activities. In practice, users of COBIT adapt and tailor the COBIT resources for their specific purposes and discover how COBIT can add value to a particular task. The table is, therefore, only a guide.

Two of the most useful components are the goals and outcome measures and the RACI charts (key activities and responsibilities). They capture the essence of IT, its processes, activities and objectives and, hence, support all aspects of planning, scoping and assurance execution. Another important component for IT assurance activities is COBIT Online—its searching and browsing functions enable easier access to all the main COBIT content as well as useful benchmarking data. Those COBIT components important for assurance activities are shaded in figure 28.

The following sections summarise the most important relationships in figure 28, first from the components point of view and then from the activities point of view. To conclude, the strongest links between activities and components are circled in figure 28.

COBIT COMPONENTS
Control objectives and practices are mostly useful for testing related activities, although since the control objectives are high-level and similar to key management practices, they can be considered during planning activities. Both are also helpful for the selection and customisation of control objectives for an assurance initiative.

Figure 28—Linking IT Assurance Activities and COBIT Components

[Figure 28 is a matrix of check marks linking each IT assurance activity (row) to COBIT components (columns). Only the row and column labels survive in this text; the individual links, the shading of the key components and the circling of the strongest links do not.]

IT Assurance Activities (rows):
• Perform a quick risk assessment.
• Assess threat, vulnerability and business impact.
• Diagnose operational and project risk.
• Plan risk-based assurance initiatives.
• Identify critical IT processes based on value drivers.
• Assess process maturity.
• Scope and plan assurance initiatives.
• Select the control objectives for critical processes.
• Customise control objectives.
• Build a detailed assurance programme.
• Test and evaluate controls.
• Substantiate risk.
• Report assurance conclusions.
• Self-assess process maturity.
• Self-assess controls.

COBIT Components (columns):
• COBIT Control Practices
• Control Objectives
• Value and Risk Statements
• Maturity Model
• Maturity Model Attributes
• Goals and Outcome Measures
• RACI (Key Activities and Responsibilities)
• Performance Drivers
• Management Awareness Tool
• Information Criteria
• Process List
• IT Risk and Control Diagnostics
• Board Briefing on IT Governance, 2nd Edition
• COBIT Quickstart
• COBIT Online—Searching and Browsing
• COBIT Online—Benchmarking
• IT Control Objectives for Sarbanes-Oxley, 2nd Edition


The list of COBIT processes and the domains provide a responsibility structure for IT and help ensure the completeness of the assurance coverage. The list is useful in the planning phase and also when summarising the conclusions of an assurance initiative. Similarly, information criteria provide a generic and simple high-level structure of the objectives of IT processes and are equally useful for structuring assurance plans and conclusions.

Maturity models are very useful tools for high-level assessments of processes, identification of key processes, planning which processes need most attention in the assurance programme and also when summarising the assurance conclusions. The maturity attributes provide more details for process maturity assessment, and because they are generic for all processes, they are also an alternative to the specific process maturity descriptions provided for each COBIT process. Because maturity models describe how processes are managed, the detailed attributes can be used to further customise control objectives, which usually describe only what needs to be done. Maturity models are increasingly being used by IT management for self-assessment and can, therefore, provide a common approach for both the assurance and IT professionals to understand and agree upon priorities and areas on which to focus attention.

Whereas performance drivers play an important role for assurance activities in the planning and reporting phases of an IT assurance road map, they are also a good source for customising control objectives because they imply that certain actions need to happen or conditions need to exist that will increase the probability of successfully achieving the process’s objectives and goals.

Value and risk statements provide the arguments to justify controls but are also primary inputs when performing high-level or detailed risk assessments. They are also starting points when identifying critical processes and IT components.

The management awareness and diagnostic tools are provided in Supplemental Tools and Materials, available online and on CD-ROM with the IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition. They are tools to perform initial high-level assessments of process importance, significant risks and the state of process controls, typically done in the early stages of the IT assurance initiative.

The assessment form presentation of COBIT Quickstart lends itself easily for quick or high-level assessments as well as for efficient self-assessments.

Benchmarking data and functionality as provided in COBIT Online are useful to portray how the entity compares on process management and controls with other enterprises in the same industry, geography or size segment. The comparison is supported with pie chart and spider diagrams. Such benchmarks lend a lot of credibility to the conclusions of assurance activities but can also be used earlier in the assurance life cycle (e.g., to identify processes that need early or in-depth assurance coverage because of gaps with the rest of the industry).

IT ASSURANCE ACTIVITIES
To gain insight into the entity where the IT assurance activities are to be performed, the COBIT components that provide the best support for the assurance professional are the process structure, maturity models, goals, outcome measures and performance drivers.

Risk-based IT assurance planning has become common practice and is well supported by COBIT’s maturity modelling and COBIT Online’s benchmarking to identify where the highest potential risks are. The risk and value statements of the control objectives provide additional support if more detailed risk assessment is required to drive the assurance plan. Quickstart as well as the awareness and diagnostic tools are aids to perform high-level assessments quickly and efficiently.

Planning and reporting—and scoping to a lesser extent—use most of the COBIT components but usually only as input or reference. On the other hand, detailed planning and scoping, as well as testing, are activities that use fewer of the COBIT components but they tend to use them more intensely. Planning, scoping and testing are also the IT assurance activities that extensively use the material that is at the ‘heart’ of COBIT: the control objectives.

THE STRONGEST LINKS
Some of the strongest links between COBIT components and IT assurance activities (i.e., where activities can benefit the most from the COBIT materials) are as follows:
• Goals and outcome measures with planning risk-based assurance initiatives
• Risk and value statements with risk assessments and risk substantiation
• Key activities and RACI charts with detailed assurance planning
• Control objectives and practices with testing and evaluating controls
• Maturity models and attributes with process maturity and other high-level assessments

The ITGI publication IT Control Objectives for Sarbanes-Oxley, 2nd Edition, also provides strong links between COBIT components and IT assurance activities.


APPENDIX I—PROCESS CONTROL (PC) PROCESS ASSURANCE STEPS

PC1 Process Goals and Objectives

Control Objective
Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.

Value Drivers
• Key processes measured efficiently and effectively
• Processes in line with business objectives

Risk Drivers
• Process effectiveness difficult to measure
• Business objectives not supported by processes

Test the Control Design
• Ensure that a formal process exists for communicating goals and objectives and that, when updated, such communication is repeated.
• Enquire whether and confirm that process goals and objectives have been defined. Verify that process stakeholders understand these goals. Enquire whether and confirm that the IT process goals link back to business goals. Confirm through interviews with process stakeholders that the IT process goals are SMARRT.
• Enquire whether and confirm that outputs and associated quality targets are defined for each IT process.
• Walk through the process design with selected process stakeholders and verify whether the process is understood and likely to achieve its objectives.

Test the Outcome of the Control Objective
• Analyse process metrics, targets and performance reports to verify that process goals have SMARRT characteristics and are being measured effectively and efficiently.
• Assess the effectiveness of communicating the process goals and objectives through discussions with personnel at various levels and examination of training materials, memos and other documentation.
• Test the appropriateness of the frequency of communication of goals and objectives.
• Ensure that business goals are supported by IT processes by tracing between the two and identifying unsupported business goals.

Document the Impact of Control Weaknesses
• Determine the business impact if process goals and objectives are not linked to the business goals.
• Assess the impact on business processing in the event that process goals are not defined in a SMARRT manner.


PC2 Process Ownership

Control Objective
Assign an owner for each IT process, and clearly define the role and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.

Value Drivers
• Processes operating smoothly and reliably
• Processes interacting with each other effectively
• Process problems and issues identified and resolved
• Processes continually improved

Risk Drivers
• Processes performing unreliably
• Processes not working together effectively
• Gaps in process coverage likely
• Process errors not rectified

Test the Control Design
• Enquire whether and confirm that an owner exists for each IT process.
• Enquire whether and confirm that roles and responsibilities have been defined. Verify that the owners understand and accept these responsibilities.
• Confirm with the process owner and direct supervisor that sufficient authority has been provided to support the role and responsibilities.
• Ensure that processes are in place to assign ownership and accountability for processes and deliverables, including communications.

Test the Outcome of the Control Objective
• Review job descriptions and performance appraisals of the process owner to verify assignment, understanding and acceptance of ownership.
• Review the roles and responsibilities to ensure that they are complete and appropriate.
• Review organisation charts and reporting lines to verify actual authority.
• Verify that processes are interacting with each other effectively.
• Verify that process owners are driving continuous improvement.

Document the Impact of Control Weaknesses
Assess whether the process ownership sufficiently supports achieving business processing services to meet short- and long-range organisational objectives.


PC3 Process Repeatability

Control Objective
Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.

Value Drivers
• Increased efficiency and effectiveness of recurring activities
• Ease of process maintenance
• Ability to demonstrate process effectiveness to auditors and regulators
• Processes supporting the overall IT organisation goals and enhancing IT value delivery

Risk Drivers
• Inconsistent process results and likelihood of process errors
• High reliance on process specialists
• Processes unable to react to problems and new requirements

Test the Control Design
• Enquire whether and confirm that process repeatability is a management objective.
• For important and high-risk processes, review the process steps in detail and ensure that they provide for evidence of management review.
• Confirm which good practices and industry standards were used when defining the IT processes.
• Interview selected process stakeholders and determine adherence to the process. Ensure that systems are designed for scalability and flexibility.

Test the Outcome of the Control Objective
• Walk through the process design with the process owner, and verify whether the steps are logical and likely to contribute to the end result.
• Review process documentation to verify the adoption of applicable process standards and degree of customisation.
• Assess the maturity and level of integration of supporting tools used for the process.

Document the Impact of Control Weaknesses
Select data about process results not meeting objectives, and analyse whether the causes relate to process design, ownership, responsibilities or inconsistent application.


PC4 Roles and Responsibilities

Control Objective
Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process’s end deliverables.

Value Drivers
• Increased efficiency and effectiveness of recurring activities
• Staff members knowing what to do and why, improving morale and job satisfaction

Risk Drivers
• Uncontrolled, unreliable processes
• Processes not supporting the business objectives
• Processes not performed as intended
• Problems and errors likely to remain unresolved
• Process performance likely to be variable and unreliable

Test the Control Design
• Ensure that a process is in place to define and maintain information about the key activities and deliverables. Ensure that the process includes the development of supporting policies, procedures and guidance.
• Ensure that processes are designed to capture accomplishments and include them in employee performance information.

Test the Outcome of the Control Objective
• Confirm through interviews and documentation review that key activities and end deliverables for the process have been identified and recorded.
• Review job descriptions, and verify that roles and responsibilities for key activities and process documentation are recorded and communicated.
• Verify through interviews with owners, management and staff members that accountability for the process and its outputs are assigned, communicated, understood and accepted. Corroborate interview findings through analysis of the resolution to significant process incidents and review of a sample of job performance appraisals.
• Enquire whether and confirm that regular job performance appraisal is performed to assess actual performance against process responsibilities, such as:
  – Executing roles and responsibilities as defined
  – Performing process-related activities in line with goals and objectives
  – Contributing to the quality of the process end deliverables
• Review the resolution to significant process incidents, and review a sample of job performance appraisals to verify whether responsibilities and accountabilities are enforced.
• Review roles and responsibilities with various staff members and ascertain their understanding, whether the allocations are appropriate and whether the reporting relationships are effective.
• Assess whether the roles and responsibilities are designed to support compliance with various activities within the roles.

Document the Impact of Control Weaknesses
Assess whether the roles and responsibilities sufficiently support the achievement of business processing services to meet short- and long-range organisational objectives.


PC5 Policy, Plans and Procedures

Control Objective
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.

Value Drivers
• Increased staff awareness of what to do and why
• Decreasing number of incidents from policy violations
• Policies and associated procedures remaining current and effective

Risk Drivers
• Processes not aligned with business objectives
• Staff members not knowing how to perform critical tasks
• Policy violations

Test the Control Design
• Enquire whether and confirm that such rules exist and are communicated, known and applied to how all IT process-related documentation (e.g., policies, plans, procedures, guidelines, instructions, methodologies) that drives an IT process will be developed, documented, reviewed, maintained, approved, stored, used for training and communicated.
• Inspect selected policies, plans and procedures to verify if they were created following the rules and are kept up to date.
• Enquire whether and confirm that responsibilities are defined for developing, maintaining, storing and communicating process-related documentation.
• Enquire whether and confirm that there are documented processes under which policies and procedures are identified, developed, approved, reviewed and maintained to provide consistent guidance.

Test the Outcome of the Control Objective
• Verify that those who perform the activities understand their responsibility. Inspect selected documents to verify that they are up to date and understood.
• Review IT process-related documentation and verify if sign-off is done at the appropriate level.
• Review if IT process-related documentation is accessible, correct, understood and up to date. Ensure that policies are effectively promulgated through awareness and training.
• Assess, through interviews at all staff levels, whether the policies and procedures are clearly understood and support the business objectives.

Document the Impact of Control Weaknesses
Assess whether all policies, plans and procedures sufficiently support achieving business processing services to meet short- and long-range organisational objectives.


PC6 Process Performance Improvement

Control Objective
Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and the performance drivers that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurement to the target and take action upon deviations, where necessary. Align metrics, targets and methods with IT's overall performance monitoring approach.

Value Drivers
• Process costs optimised
• Processes nimble and responsive to business needs

Risk Drivers
• Process outcomes and deliverables not in line with overall IT and business objectives
• Processes too costly
• Processes slow to react to business needs

Test the Control Design
• Enquire whether and confirm that a process is in place to establish key metrics designed to provide a high level of insight into the operations with limited effort.
• Verify that the design of the metrics enables measurement of achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome. Enquire whether and confirm that relationships between outcome and performance metrics have been defined and integrated into the enterprise's performance management system (e.g., balanced scorecard) where appropriate.
• Enquire whether and confirm that procedures have been designed to identify specific targets for process goals and performance drivers. The procedures should define how the data will be obtained, including mechanisms to facilitate process measurement (e.g., automated and integrated tools, templates).
• Enquire whether and confirm that processes exist to obtain and compare actual results to established internal and external benchmarks and goals. Verify that for key processes, management compares process performance and process outcomes against internal and external benchmarks and considers the result of the analysis for process improvement.

Test the Outcome of the Control Objective
• Enquire whether and confirm that appropriate metrics are defined to assess process performance and achievement of the process goals.
• Analyse some of the key metrics and corroborate, via other means, whether they provide sufficient insight into goals.
• Enquire whether and confirm that targets have been defined for process goals and performance drivers. Review targets and assess whether they align to the goals and enable efficient and appropriate identification of corrective action.
• Review the procedures for collecting data and measurement to ascertain the effectiveness and efficiency of monitoring.
• Interview process owners and stakeholders to assess the appropriateness of the measurement method and mechanisms.
• For significant goals of important processes, reperform data collection and measurement of targets.
• Inspect a sample of process metrics to assess the appropriateness of relationships between metrics (i.e., whether a performance metric provides insight into the likely achievement of the process outcome).
• Obtain and review major deviations against targets and confirm that action was taken. Inspect the list of actions taken as a result of measurement, and verify whether they have led to actual improvements.
• Enquire if internal and external benchmarks are used and, if so, assess their relevance and identify if appropriate action is taken on significant deviations against the benchmarks.

Document the Impact of Control Weaknesses
Determine the business impact if a set of key metrics is not available to measure the achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.

Page 51: USING COBIT - csbweb01.uncw.edu


APPENDIX II—PLAN AND ORGANISE (PO) PROCESS ASSURANCE STEPS

PO1 Define a Strategic IT Plan
IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realised from project and service portfolios. The strategic plan should improve key stakeholders' understanding of IT opportunities and limitations, assess current performance and clarify the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which establishes concise objectives, plans and tasks understood and accepted by both business and IT.

PO1.1 IT Value Management

Control Objective
Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programmes and early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the programmes. IT services should be executed against equitable and enforceable SLAs. Accountability for achieving the benefits and controlling the costs should be clearly assigned and monitored. Establish fair, transparent, repeatable and comparable evaluation of business cases, including financial worth, the risk of not delivering a capability and the risk of not realising the expected benefits.

Value Drivers
• IT investments' benefit transparent and effective to the enterprise
• An effective decision-making process to ensure that investments in IT deliver tangible business benefit
• IT investments in line with the business objectives
• Shared understanding regarding cost, risk and benefits of IT-enabled business initiatives
• Direct relationship between business goals and use of resources for IT

Risk Drivers
• Ineffective decision making leading to investments in IT that have insufficient return or a negative impact on the organisation
• IT not aligned with the business
• IT value management lacking the support and commitment of senior management
• Undefined or confusing accountability and responsibility
• Costs, benefits and risks of IT-enabled business initiatives unclear or misunderstood
• IT not compliant with governance requirements, potentially impacting management's and the board's public responsibility

Test the Control Design
• Enquire whether and confirm that the process for preparing a business case exists (e.g., the process will guide entry/exit criteria for business case development, the review process, measurements, the change management process for the business case).
• Enquire whether and confirm that the monitoring process for the business case is based upon established benchmarks, such as those in organisational SLAs or industry and technical standards.
• Enquire whether and confirm that the successes and failures of IT investment programmes are reviewed and the business case analysis process is enhanced as required (e.g., historical data should be analysed, and improvements, lessons learned and best practices should be referenced).

Page 52: USING COBIT - csbweb01.uncw.edu


PO1 Define a Strategic IT Plan (cont.)

PO1.2 Business-IT Alignment

Control Objective
Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.

Value Drivers
• IT aligned with the organisation's mission and goals
• IT enabling the achievement of the strategic business objectives
• Optimised return on IT investment
• Opportunities for innovation identified and exploited

Risk Drivers
• IT seen as a cost factor
• The enterprise's mission not being supported by its IT
• IT management decisions not following the business direction
• Lack of common understanding of business and IT priorities, leading to conflicts about allocation of resources and priorities
• Missed opportunities to exploit new IT capabilities

Test the Control Design
• Confirm that the process for communicating business opportunities with IT management is reviewed and the importance of the process is communicated to the business and IT. Consider the update frequency of those processes.
• Enquire whether and confirm through interviews with members of IT management that they helped define enterprise goals. Ask them about their accountability for achieving enterprise goals, determine if they undertook what-if analyses and confirm their commitment to the goals.
• Enquire with business management and IT management to identify business processes that are dependent on IT. Consider whether the business and IT share the same view of systems, including their criticality, usage and reporting.

Page 53: USING COBIT - csbweb01.uncw.edu


PO1 Define a Strategic IT Plan (cont.)

PO1.3 Assessment of Current Capability and Performance

Control Objective
Assess the current capability and performance of solution and service delivery to establish a baseline against which future requirements can be compared. Define performance in terms of IT's contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.

Value Drivers
• IT plans contributing transparently to the organisation's mission and goals
• Clarity of costs, benefits and risks of IT's current performance
• Technological opportunities identified and capabilities leveraged
• IT capabilities known and operationalised effectively and efficiently to deliver the required solutions and services

Risk Drivers
• IT capabilities not contributing to the organisation's mission and goals
• Investment decisions taken too late
• Opportunities and capabilities not leveraged
• Ineffective use of existing resources
• Inability to identify baselines for current, and requirements for future, system capability and performance

Test the Control Design
• Confirm that appropriate criteria, standards and performance indicators have been established and used to assess and report performance to management and key stakeholders. An action plan for variations and a deviation process should exist.
• Review the performance indicators established for key systems and processes (e.g., strengths and weaknesses, functionality, degree of business automation, stability, complexity, development requirements, technology alignment and direction, support and maintenance requirements, costs, external parties' input).
• Confirm that reviews exist with regard to the achievement of agreed-upon targets defined within the previous tactical IT plan.
• Confirm that a comparison against well-understood and reliable industry, technology or other relevant benchmarks is performed to help assess existing systems and capabilities.

Page 54: USING COBIT - csbweb01.uncw.edu


PO1 Define a Strategic IT Plan (cont.)

PO1.4 IT Strategic Plan

Control Objective
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how the objectives will be met, the measurements to be used and the procedures to obtain formal sign-off from the stakeholders. The IT strategic plan should cover investment/operational budget, funding sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements. The strategic plan should be sufficiently detailed to allow for the definition of tactical IT plans.

Value Drivers
• Strategic IT plans consistent with business objectives
• Strategic objectives and associated accountabilities clear and understood by all
• IT strategic options identified and structured, and integrated with the business plans
• Reduced likelihood of unnecessary IT initiatives
• Strategic IT plans complete and usable

Risk Drivers
• Business requirements not understood or addressed by IT management
• No regular and formal consultation between IT management and business and senior management
• IT plans not aligned with business needs
• Unnecessary IT initiatives and investments
• IT plans inconsistent with the organisation's expectations or requirements
• IT not focused on the right priorities

Test the Control Design
• Enquire whether and confirm that a process was followed to document IT's goals and objectives necessary to perform its tasks. They should be defined, documented and communicated, including the:
– Achievement of the benefits and management of the risks of the IT capabilities
– Establishment of the current and future performance required to respond to business expectations
– Provision of information on transparency and how IT delivers value to the business
• Enquire whether and confirm that there is a time frame for the development and execution of the strategic and tactical plans. This time frame should include the interrelationships and dependencies of the execution of the tactical plans. The time frame could vary based on scope, funding and prioritisation.
• Enquire whether and confirm that a process to capture outcome measures, represented by metrics (what) and targets (how much), of IT objectives exists and that the measures relate to business-identified benefits and the strategy's direction.
• Confirm and review the policies and procedures supporting the structured planning approach to determine if they effectively support the process for creating an IT strategic plan.

Page 55: USING COBIT - csbweb01.uncw.edu


PO1 Define a Strategic IT Plan (cont.)

PO1.5 IT Tactical Plans

Control Objective
Create a portfolio of tactical IT plans that are derived from the IT strategic plan. The tactical plans should address IT-enabled programme investments, IT services and IT assets. The tactical plans should describe required IT initiatives, resource requirements, and how the use of resources and achievement of benefits will be monitored and managed. The tactical plans should be sufficiently detailed to allow the definition of project plans. Actively manage the set of tactical IT plans and initiatives through analysis of project and service portfolios.

Value Drivers
• Long-range strategic IT plans capable of being operationalised by short-range tactical IT plans
• Effective IT resource allocation
• IT plans capable of being continuously monitored and evaluated
• Day-to-day performance and resource usage capable of being monitored against strategic targets
• Focus provided for IT department and staff

Risk Drivers
• IT long-range plans not achieved
• Available IT resources not leveraged for business benefits
• Deviations in IT plans not identified
• IT's priorities misunderstood and subject to change
• Information to monitor IT's performance not available

Test the Control Design
• Enquire whether and confirm that tactical IT plans exist and that they have been based on the IT strategic plan. Confirm that this is done in a structured manner in accordance with established processes and that there is no undue delay between updates of the strategic plan and the subsequent update of the tactical plans.
• Validate that the contents of the IT tactical plan are adequate and that it contains proper project definitions, planning information, deliverables and quantified estimated benefits.
• Review whether the tactical plan addresses IT-related risk.

PO1.6 IT Portfolio Management

Control Objective
Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by identifying, defining, evaluating, prioritising, selecting, initiating, managing and controlling programmes. This should include clarifying desired business outcomes, ensuring that programme objectives support achievement of the outcomes, understanding the full scope of effort required to achieve the outcomes, assigning clear accountability with supporting measures, defining projects within the programme, allocating resources and funding, delegating authority, and commissioning required projects at programme launch.

Value Drivers
• Efficient IT resource management
• IT initiatives continuously monitored and evaluated
• The right mix of IT initiatives for a positive and risk-adjusted return on investment (ROI)
• Performance and resource requirements of IT initiatives monitored against defined targets

Risk Drivers
• Missed business opportunities due to a too-conservative portfolio
• Low ROI due to a too-aggressive portfolio
• Available IT resources not leveraged
• Deviations in IT plans not identified

Test the Control Design
• Enquire whether and confirm that a process is in place that enables identification and prioritisation (based on business benefits) of IT programmes and projects supporting the IT tactical plan. Confirm that this process of portfolio management uses appropriate criteria to define and prioritise the different projects and programmes.
• Verify whether business goals and expected business outcomes are documented and reasonable, and whether sufficient information related to budget and effort is present.
• Confirm that the programme/project outcomes are duly communicated to all stakeholders.

Page 56: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Confirm through interviews with steering committee members and other sources that the steering committee members are appropriately represented by IT and business unit leadership (e.g., awareness of roles, responsibility, decision matrix and their ownership).
• Review the approved steering committee charter and assess for relevance (e.g., roles, responsibility, authority, accountability, scope and objectives are communicated and understood by all members of the committee).
• Inspect business cases to determine that the documentation has appropriate content (e.g., scope, objectives, cost-benefit analysis, high-level road map, measures for success, roles and responsibilities, impact of existing IT investment programmes) and that the business cases were developed and approved in a timely manner. Confirm through interviews whether IT-enabled investment programmes, IT services and IT assets are evaluated against the prioritisation criteria (review the documented prioritisation criteria).
• Confirm through interviews with members of IT management that they are informed of future business directions and goals, long-term and short-term goals, mission, and values.
• Enquire whether and confirm that enterprisewide goals and objectives are incorporated into IT strategic and tactical planning processes and that the strategic planning process includes all business and support activities.
• Confirm by examining documentation, such as meeting minutes or correspondence, that business and IT are both involved in leveraging current technology to create new business opportunities.
• Confirm that a report on current information systems (including feedback on the system, use of the system, and improvements or changes made to the system) is maintained on a regular basis.
• Review the achievement of agreed-upon targets defined within the previous tactical IT plan (e.g., outcome of the performance evaluation could include, but may not be restricted to, current requirements, current delivery compared with requirements, barriers to achieving requirements, and the steps and costs required to achieve agreed-upon business goals and performance requirements).
• Enquire whether and confirm that the risk and cost implications of the required IT capabilities have been documented in the IT strategic plan.
• Confirm that the outcome measures that relate to business-identified benefits have been signed off on by the stakeholders and that the feedback from stakeholders has been taken into consideration.
• Enquire whether and confirm that the approved IT strategic plan is communicated and that there is a process to determine that the plan is clearly understood.
• Confirm through interviews, meeting minutes, presentations and correspondence that the IT strategic plan has been approved by the IT steering committee and the board. Enquire whether and confirm that a formal approval process was followed.
• Enquire whether and confirm that tactical plans are aligned to strategic plans and regularly updated. Confirm through interviews that tactical plans are used as the basis for identifying and planning the projects, acquiring and scheduling resources, and implementing monitoring techniques.
• Enquire whether and confirm that the content of the tactical plans includes clearly stated project definitions, project time frames and deliverables, the required resources and the business benefits to be monitored, performance indicator goals, mitigation plan, contingency plan, communication protocol, roles, and responsibilities.
• Confirm that the selected portfolio/project has been translated into the required effort, resources, funding, achievement, etc., and is approved by business (e.g., meeting minutes, senior management review records).
• Confirm that the required authority to launch the approved projects within the selected programmes has been obtained (meeting minutes, formal approval process, communication of approved project) from business and IT.
• Confirm that projects that have been delayed or postponed or that have not proceeded are communicated to business owners and involved IT staff members.

Take the following steps to document the impact of the control weaknesses:
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the improper allocation of IT investment.
• Assess the additional cost due to the return on investment (ROI) not being maximised in terms of business goals.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the IT investments not being properly aligned with the overall business strategy.
• Assess the impact of the business investing in self-contained IT systems to meet its requirements.
• Assess the possibility of business dissatisfaction with IT service delivery.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the inability to execute IT strategic plans.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to projects being started and then failing or incurring unnecessary expenditure.
• Assess the additional cost due to the implementation of a suboptimal solution.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to business outcomes not being understood and, hence, being less effective.

Page 57: USING COBIT - csbweb01.uncw.edu


PO2 Define the Information Architecture
The information systems function creates and regularly updates a business information model and defines the appropriate systems to optimise the use of this information. This encompasses the development of a corporate data dictionary with the organisation's data syntax rules, data classification scheme and security levels. This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalising information systems resources to appropriately match business strategies. This IT process is also needed to increase accountability for the integrity and security of data and to enhance the effectiveness and control of sharing information across applications and entities.

PO2.1 Enterprise Information Architecture Model

Control Objective
Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans as described in PO1. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.

Value Drivers
• Improved decision making based on relevant, reliable and usable information
• Improved IT agility and responsiveness to business requirements
• Support for business functions through accurate, complete and valid data
• Efficient data management and reduced redundancy and duplication
• Improved data integrity
• Meeting fiduciary requirements regarding compliance reporting, security and privacy of data

Risk Drivers
• Inadequate information for business functions
• Inconsistency between information requirements and application developments
• Data inconsistency between the organisation and systems
• High effort required or inability to comply with fiduciary obligations (e.g., compliance reporting, security, privacy)
• Inefficient planning of IT-enabled investment programmes due to lack of information
• Accumulation of data that are not relevant, consistent or usable in an economical manner

Test the Control Design
• Verify whether an enterprise information model exists, based on well-accepted standards, and whether it is known by appropriate business and IT stakeholders. Verify whether the model is effectively used and maintained in parallel with the process that translates IT strategy into IT tactical plans and tactical plans into projects.
• Assess whether the model considers flexibility, functionality, cost-effectiveness, security, failure resiliency, compliance, etc.

Page 58: USING COBIT - csbweb01.uncw.edu

PO2 Define the Information Architecture (cont.)

PO2.2 Enterprise Data Dictionary and Data Syntax Rules

Control Objective
Maintain an enterprise data dictionary that incorporates the organisation’s data syntax rules. This dictionary should enable the sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business users, and prevent incompatible data elements from being created.

Value Drivers
• Common understanding of business data across the enterprise
• Facilitated sharing of data amongst all applications, systems and entities
• Reduced costs for application development and maintenance
• Improved data integrity

Risk Drivers
• Compromised information integrity
• Incompatible and inconsistent data
• Ineffective application controls

Test the Control Design
• Enquire whether and confirm that data syntax guidelines are maintained. Enquire whether and confirm that the data dictionary is defined to identify redundancy and incompatibility of data and that the impact of any modifications to the data dictionary and changes made to the data dictionary are effectively communicated.
• Review various application systems and development projects to verify that the data dictionary is used for data definitions.
• Enquire whether and confirm that senior managers agree upon the process for defining data syntax rules, data validation rules and business rules (e.g., consistency, integrity, quality).
• Inspect the data quality programme’s plans, policies and procedures to evaluate its effectiveness.

Page 59: USING COBIT - csbweb01.uncw.edu

PO2 Define the Information Architecture (cont.)

PO2.3 Data Classification Scheme

Control Objective
Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

Value Drivers
• Ensured availability of information that supports decision making
• The focus of security investments based on criticality
• Defined accountability for information integrity, availability and security
• Data access consistently permitted based on defined security levels

Risk Drivers
• Inappropriate security requirements
• Inadequate or excessive investments in security controls
• Occurrence of privacy, data confidentiality, integrity and availability incidents
• Non-compliance with regulatory or third-party requirements
• Inefficient or inconsistent information for decision making

Test the Control Design
• Review the data classification scheme and verify that all significant components are covered and completed, and that the scheme is reasonable in balancing cost vs. risk. This includes data ownership with business owners and definition of appropriate security measures related to classification levels.
• Verify that security classifications have been challenged and confirmed with the business owners at regular intervals.

PO2.4 Integrity Management

Control Objective
Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

Value Drivers
• Consistency of data integrity across all data stored
• Improved data integrity

Risk Drivers
• Data integrity errors and incidents
• Unreliable data on which to base business decisions
• Non-compliance with regulatory or third-party requirements
• Unreliable external reports

Test the Control Design
• Enquire whether and confirm that integrity and consistency criteria for all information are defined in collaboration with business management.
• Enquire whether and confirm that procedures are implemented to manage and maintain data integrity and consistency throughout the complete data process and life cycle. Enquire whether and confirm that a data quality programme is implemented to validate and ensure data integrity and consistency on a regular basis.

Page 60: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Review documentation of the information architecture model to determine whether it addresses all significant applications and their interfaces and relationships.
• Review information architecture documentation to verify that it is consistent with the organisation’s strategy and strategic and tactical IT plans.
• Ensure that changes made to the information architecture model reflect those in the IT strategic and tactical plans and that associated costs and risks are identified.
• Enquire whether and confirm that business management and IT understand relevant parts of the information architecture model (e.g., data ownership, accountability, data governance).
• Enquire whether and confirm that the information architecture model is regularly checked for adequacy, flexibility, integrity and security and that it is subject to frequent user reviews (e.g., impact of information system changes).
• Enquire whether and confirm that data administration controls exist, and co-ordinate the definitions and usage of reliable and relevant data consistent with the enterprise information model.
• Review the data dictionary and verify that all significant data elements are described properly as per the defined process.
• Verify defined data syntax rules, data validation rules and business rules as per the defined process.
• Enquire whether and confirm that metadata in data dictionaries are sufficiently detailed to communicate syntax in an integrated manner across applications and that they include data attributes and security levels for each data item.
• Enquire whether and confirm that data dictionary management is implemented, maintained and reviewed periodically to manage the organisation’s data dictionary and data syntax rules.
• Verify whether the system covers all relevant data elements by comparing a list of data with actual implementation in the tool.
• Enquire whether and confirm that a data quality programme is implemented to increase data integrity, standardisation, consistency, one-time data entry and storage (e.g., use automated evidence collection when possible to test data integrity, standardisation, consistency, one-time data entry and storage from sample data, embedded audit modules, data analysis using audit software or other integration tools). Use automated tools (e.g., computer-assisted audit techniques [CAATs]) to verify data integrity.
• Enquire whether and confirm that a data classification scheme is defined and approved (e.g., security levels, access levels and defaults are appropriate).
• Enquire whether and confirm that data classification levels are defined based on organisation needs for information protection and the business impact of unprotected information.
• Verify that business owners review the actual classification of information and are aware of their roles, responsibilities and accountability for data.
• Enquire whether and confirm that components inherit the classification of the original assets.
• Verify that all deviations from the data classification inheritance policy have been approved by the data owner.
• Enquire whether and confirm that information and data (including hard copies of data) are labelled, handled, protected and otherwise secured in a manner consistent with the data classification categories.
• Inspect evidence that the required integrity and consistency criteria for data are defined and implemented (e.g., data stored in databases and data warehouses are consistent).
• Enquire whether and confirm that a data quality programme is implemented to validate and ensure data integrity and consistency on a regular basis.
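Several of the steps above (comparing the data dictionary with the actual implementation, verifying syntax rules against sample data, checking that access and derived data sets follow the defined security levels) can be scripted as a small computer-assisted audit technique. The following is an added example, not code from the ITGI guide; the dictionary, table schemas, security levels, sample records and derived data sets are all constructed and hypothetical.

```python
"""Constructed CAAT for the PO2 outcome tests: dictionary-vs-implementation
comparison, syntax-rule validation, access by security level, and
classification inheritance for derived data sets. All data is hypothetical."""
import re
from dataclasses import dataclass

# Hypothetical classification scheme, ordered from least to most sensitive
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "top secret": 3}


@dataclass(frozen=True)
class DataElement:
    name: str
    syntax: str   # data syntax rule, as a regular expression the value must match
    level: str    # security level assigned by the classification scheme
    owner: str    # business owner accountable for the element


# Constructed enterprise data dictionary (PO2.2)
DICTIONARY = {
    "customer_id": DataElement("customer_id", r"^C\d{6}$", "internal", "sales"),
    "email": DataElement("email", r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", "confidential", "sales"),
    "iban": DataElement("iban", r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$", "top secret", "finance"),
    "country": DataElement("country", r"^[A-Z]{2}$", "public", "sales"),
}

# Constructed "actual implementation": columns present in each system table
IMPLEMENTATION = {
    "crm.customers": ["customer_id", "email", "country", "phone"],
    "billing.accounts": ["customer_id", "iban"],
}

# Constructed sample records pulled from the tables for automated evidence collection
SAMPLE_RECORDS = {
    "crm.customers": [
        {"customer_id": "C000123", "email": "a.b@example.com", "country": "DE", "phone": "x"},
        {"customer_id": "123", "email": "not-an-email", "country": "Germany", "phone": "y"},
    ],
    "billing.accounts": [
        {"customer_id": "C000123", "iban": "DE89370400440532013000"},
    ],
}

# Constructed derived data sets: name -> (source columns, declared level, owner-approved deviation)
DERIVED = {
    "marketing_extract": (["customer_id", "email"], "internal", False),  # under-classified
    "finance_report": (["customer_id", "iban"], "top secret", False),    # inherits correctly
    "support_view": (["email"], "internal", True),                      # deviation approved by owner
    "anon_stats": (["country"], "public", False),                       # inherits correctly
}


def compare_dictionary_to_implementation(dictionary, implementation):
    """Return (undocumented, unimplemented): columns stored but missing from the
    dictionary, and dictionary elements that no table actually stores."""
    implemented = {col for cols in implementation.values() for col in cols}
    undocumented = sorted(implemented - set(dictionary))
    unimplemented = sorted(set(dictionary) - implemented)
    return undocumented, unimplemented


def validate_records(dictionary, table, records):
    """Apply each element's syntax rule to the sample rows; return one finding
    (table, row index, column, value) per value that breaks its rule."""
    findings = []
    for i, row in enumerate(records):
        for col, value in row.items():
            elem = dictionary.get(col)
            if elem is None:
                continue  # undocumented column; reported by the comparison above
            if not re.fullmatch(elem.syntax, str(value)):
                findings.append((table, i, col, value))
    return findings


def access_allowed(dictionary, column, clearance):
    """Access is permitted only when the requester's clearance is at least the
    element's defined security level (PO2.3: classification as basis for controls)."""
    return LEVELS[clearance] >= LEVELS[dictionary[column].level]


def check_inheritance(dictionary, derived):
    """A derived data set must carry at least the highest level of its source
    elements unless the data owner approved a deviation. Returns violators."""
    violations = []
    for name, (sources, declared, approved) in derived.items():
        required = max(LEVELS[dictionary[c].level] for c in sources)
        if LEVELS[declared] < required and not approved:
            violations.append(name)
    return violations


def run_audit():
    """Collect all evidence in one report dictionary."""
    undocumented, unimplemented = compare_dictionary_to_implementation(DICTIONARY, IMPLEMENTATION)
    findings = []
    for table, rows in SAMPLE_RECORDS.items():
        findings.extend(validate_records(DICTIONARY, table, rows))
    return {
        "undocumented": undocumented,
        "unimplemented": unimplemented,
        "syntax_findings": findings,
        "inheritance_violations": check_inheritance(DICTIONARY, DERIVED),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```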

Take the following steps to document the impact of the control weaknesses:
• Assess the impact of inconsistency amongst IT plans described in strategic planning and the enterprise information architecture model.
• Assess the impact of ineffective interface between business and IT decision making.
• Assess the vulnerability to disclosure of sensitive information.

Page 61: USING COBIT - csbweb01.uncw.edu

PO3 Determine Technological Direction

The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan is regularly updated and encompasses aspects such as systems architecture, technological direction, acquisition plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments, as well as improved interoperability of platforms and applications.

PO3.1 Technological Direction Planning

Control Objective
Analyse existing and emerging technologies, and plan which technological direction is appropriate to realise the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.

Value Drivers
• Improved leveraging of technology for business opportunities
• Improved integration of infrastructure and applications via defined standards for technical direction
• Improved use of resources and capabilities
• Reduced costs for technological acquisitions through reduced platforms and incrementally managed investments

Risk Drivers
• Technological acquisitions inconsistent with strategic plans
• IT infrastructure inappropriate for organisational requirements
• Deviations from the approved technological direction
• Increased costs due to unco-ordinated and unstructured acquisition plans

Test the Control Design
• Review the process of strengths, weaknesses, opportunities and threats (SWOT) analysis performance to ensure effectiveness of process (e.g., check for measurements of the process and changes made to the process as a result of improvement).
• Confirm through interviews with the CIO and other members of senior management that an appropriate technological risk appetite has been established based on the business strategy.

Page 62: USING COBIT - csbweb01.uncw.edu

PO3 Determine Technological Direction (cont.)

PO3.2 Technology Infrastructure Plan

Control Objective
Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications.

Value Drivers
• Improved interoperability
• Improved economies of scale for investments and support staffing
• A technology plan with good balance in cost, requirements agility and risks
• Sufficient, stable and flexible technological infrastructure to respond to information requirements

Risk Drivers
• Inconsistent system implementations
• Deviations from the approved technological direction
• Increased costs due to unco-ordinated and unstructured acquisition plans
• Organisational failure to maximise the use of emerging technological opportunities to improve business and IT capability

Test the Control Design
• Confirm with key staff members that a technology infrastructure plan based on the IT strategic and tactical plans is created.
• Review the plan to confirm that it includes factors such as consistent integrated technologies, business systems architecture and contingency aspects of infrastructure components, transitional and other costs, complexity, technical risks, future flexibility value, and product/vendor sustainability and directions for acquisition of IT assets.
• Enquire with key staff members and inspect the technology infrastructure plan to confirm that changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications are identified.

PO3.3 Monitor Future Trends and Regulations

Control Objective
Establish a process to monitor the business sector, industry, technology, infrastructure, legal and regulatory environment trends. Incorporate the consequences of these trends into the development of the IT technology infrastructure plan.

Value Drivers
• Improved awareness of technological opportunities and improved services
• Improved awareness of technical and regulatory risks
• Improved evaluation of technological changes in line with the business plan

Risk Drivers
• Non-compliance with regulatory requirements
• High effort required to achieve compliance because of wrong or late decisions
• Technical incompatibilities or maintenance issues within the IT infrastructure
• Organisational failure to maximise the use of emerging technological opportunities to improve business and IT capability

Test the Control Design
• Determine whether, by whom and how current and future trends and regulations are monitored (e.g., technological developments, competitor activities, infrastructure issues, legal requirements and regulatory environment changes, third-party experts) and whether related risks or related opportunities for value creation are properly assessed.
• Verify whether the result of the monitoring is consistently passed on to the appropriate bodies (e.g., IT steering committee) and to the IT tactical and infrastructure planning processes for action.

Page 63: USING COBIT - csbweb01.uncw.edu

PO3 Determine Technological Direction (cont.)

PO3.4 Technology Standards

Control Objective
To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum should direct technology standards and practices based on their business relevance, risks and compliance with external requirements.

Value Drivers
• Increased control over information systems asset acquisitions, changes and disposals
• Standardised acquisitions supporting the technological direction, increasing alignment and reducing risks
• Scalable information systems reducing replacement costs
• Consistency in technology throughout the enterprise, improving efficiency and reducing support, licensing and maintenance costs

Risk Drivers
• Incompatibilities between technology platforms and applications
• Deviations from the approved technological direction
• Licensing violations
• Increased support, replacement and maintenance costs
• Inability to access historical data on unsupported technology

Test the Control Design
• Verify that the corporate technology standards are being approved by the IT architecture board. Assess the effectiveness of the process for communication of technical standards to IT staff members (e.g., project managers, information architects). Interview relevant IT personnel to determine their understanding of technical standards.
• Ascertain from IT management that monitoring and benchmarking processes are put in place to confirm compliance to established technology standards and guidelines.
• Evaluate technical feasibility analysis documentation for selected projects to assess compliance with corporate technology standards.

PO3.5 IT Architecture Board

Control Objective
Establish an IT architecture board to provide architecture guidelines and advice on their application, and to verify compliance. This entity should direct IT architecture design, ensuring that it enables the business strategy and considers regulatory compliance and continuity requirements. This is related/linked to PO2 Define the information architecture.

Value Drivers
• Increased accountability and responsibility for architectural decisions
• Increased alignment between business strategy and technical IT direction
• Consistent understanding of technology architecture throughout the enterprise

Risk Drivers
• Incompatibilities between technology platforms and applications
• Deviations from the approved technological direction
• Uncontrolled acquisition, use and possible proliferation of information systems assets

Test the Control Design
• Review the guidelines, plans, processes and meeting minutes of the architecture board. Verify whether they provide architecture guidelines and related advice in line with the business strategy and established information architecture.
• Verify whether the architecture board has considered regulatory compliance and business continuity in its decisions. Verify that mechanisms are in place that ensure detection of non-compliance with the standards and guidelines of the architecture board within the project management process.
• Assess the role of the architecture board in following through on required corrections arising from non-compliance with standards in the project management process.

Page 64: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Review the result of the SWOT analysis to verify that business systems architecture, technological direction, migration strategies and contingency aspects are included in the technological direction and infrastructure plans.
• Review appropriate documents to confirm whether market evolutions, legal and regulatory conditions, and emerging technologies (e.g., technological developments, competitor activities, infrastructure issues, legal requirements and regulatory environment changes, third-party experts) are being monitored (e.g., review the output and results of the monitoring activity and verify the action taken based on the analysis).
• Review the IT strategy and IT technological infrastructure plan to ensure that it is aligned with the latest developments in IT that have the potential to impact the success of the business.
• Confirm with the chief architect that ongoing assessments of current status vs. planned infrastructure are taking place. Review the corrective actions identified and executed, and compare these against the approved technology infrastructure plans.
• Inspect the technology infrastructure plan to confirm that changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications are identified.
• Enquire whether the technology research budget is used in an effective and efficient manner (e.g., number of improvements based on research, improvement in services).
• Inspect technology guidelines to determine that they appropriately support the technological solutions, accurately represent the organisation’s technological direction and provide sufficient direction for a wide range of problems.
• Enquire whether and confirm that an IT architecture board has been established and roles, responsibility and accountability have been formally defined.
• Confirm with members of the IT architecture board that meetings are held frequently (e.g., periodic/event basis).
• Determine that all agreed-upon actions from IT architecture board meetings are appropriately recorded, tracked and implemented.

Take the following steps to document the impact of the control weaknesses:
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that the organisation may not select appropriate technologies that achieve business goals or create new business opportunities (e.g., market leadership).
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that the technology plans may not consider changes in the competitive environment.
• Assess the impact of economies of scale for information systems staffing and investments that are not achieved.
• Assess the opportunity cost of not realising opportunities to integrate platforms and applications.
• Assess the opportunity cost that potential business opportunities may not be realised.
• Assess the opportunity cost that technology trends may not be taken into account in the development of the IT technology infrastructure plan.
• Assess the risk of non-compliance with legal and regulatory requirements.

Page 65: USING COBIT - csbweb01.uncw.edu

PO4 Define the IT Processes, Organisation and Relationships

An IT organisation is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organisation is embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritisation of IT resources in line with business needs. Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.

PO4.1 IT Process Framework

Control Objective
Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It should provide integration amongst the processes that are specific to IT, enterprise portfolio management, business processes and business change processes. The IT process framework should be integrated into a quality management system (QMS) and the internal control framework.

Value Drivers
• Consistent approach for the definition of IT processes
• Organisation of key activities into logical, interdependent processes
• Clear definition of ownership of and responsibility for processes and key activities
• Reliable and repeatable execution of key activities
• Flexible and responsive IT processes

Risk Drivers
• Framework not being accepted by the business and IT processes not being related to business requirements
• Incomplete framework of IT processes
• Conflicts and unclear interdependencies amongst processes
• Overlaps between activities
• Inflexible IT organisation
• Gaps between processes
• Duplication of processes

Test the Control Design
• Enquire whether and confirm that:
– The IT processes required to realise the IT strategic plan have been identified and communicated
– A framework to enable the definition and follow-up of process goals, measures, controls and maturity has been defined and implemented
– Relationships and touchpoints (e.g., inputs/outputs, and amongst the IT processes, enterprise portfolio management and business processes) have been defined.

Page 66: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT


PO4 Define the IT Processes, Organisation and Relationships (cont.)

PO4.2 IT Strategy Committee

Control Objective
Establish an IT strategy committee at the board level. This committee should ensure that IT governance, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.

Value Drivers
• Support of the board
• Board insight into IT value and risks
• Faster decisions on important investments
• Clear responsibility and accountability for strategic decisions
• IT governance integrated into corporate governance
• Well-governed IT function

Risk Drivers
• Lack of representation of IT on the board agenda
• IT-related risks and value unknown at the board level
• Decisions on investments and priorities not based on joint (business and IT) priorities
• IT governance separate from corporate governance
• IT not compliant with governance requirements, potentially impacting management's and the board's public accountability

Test the Control Design
• Enquire whether and confirm that the:
– Charter, scope, objectives, membership, roles, responsibilities, etc., of the IT strategy committee have been defined in a manner that will ensure compliance with strategic directions of the enterprise
– IT strategy committee is composed of board and non-board members with appropriate expertise on the organisation's dependency on IT and opportunities provided by IT
• Review agendas, papers and minutes of the IT strategy committee to:
– Ensure that the committee meets on a regular basis to address strategic issues, including major investment decisions, raised by the board of directors or the organisation
– Assess that the committee is giving appropriate guidance to the board of directors on IT governance and IT strategic issues


PO4.3 IT Steering Committee

Control Objective
Establish an IT steering committee (or equivalent) composed of executive, business and IT management to:
• Determine prioritisation of IT-enabled investment programmes in line with the enterprise's business strategy and priorities
• Track status of projects and resolve resource conflict
• Monitor service levels and service improvements

Value Drivers
• IT strategy in line with the organisation's strategy
• IT-enabled investment programmes in line with the organisation's strategy
• Business and IT involvement in the prioritisation process
• Business and IT involvement in conflict resolution
• Business and IT involvement in monitoring performance

Risk Drivers
• IT strategy not in line with the organisation's strategy
• IT-enabled investment programmes not in support of the organisational goals and objectives
• Insufficient support and involvement of IT and senior organisational management in key decision-making processes

Test the Control Design
• Enquire whether and confirm that the charter, scope, objectives, memberships, roles, responsibilities, etc., of the IT steering committee result in appropriate implementation of the IT strategic directions of the enterprise.
• Inspect documents such as meeting minutes and the IT steering committee charter to identify the participants involved in the committee, their respective job functions and the reporting relationship of the committee to executive management (e.g., determine prioritisation of IT-enabled investment programmes, track status of projects, and monitor service levels and service improvements).
• Enquire and confirm with business management to ensure that the business takes an active role in the work of the IT steering committee and management is appropriately consulted.


PO4.4 Organisational Placement of the IT Function

Control Objective
Place the IT function in the overall organisational structure with a business model contingent on the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the chief information officer (CIO) should be commensurate with the importance of IT within the enterprise.

Value Drivers
• IT resources aligned to the strategic priorities
• Effective management of IT supporting the business objectives
• Senior management commitment in IT decision making at the appropriate level
• Business/IT alignment at the organisational level

Risk Drivers
• Insufficient commitment from senior organisational management
• IT resources not effectively supporting the business
• IT not given sufficient strategic importance
• IT regarded as separate from the business and vice versa
• Lack of business direction and communication of business initiatives

Test the Control Design
• Enquire whether and confirm that the IT function is:
– Headed by a CIO or similar function, of which the authority, responsibility, accountability and reporting line are commensurate with the importance of IT within the enterprise
– Defined and funded in such a way that individual user groups/departments cannot exert undue influence over the IT function and undermine the priorities agreed upon by the IT strategy committee and IT steering committee
– Appropriately resourced (e.g., staffing, contingent workers, budget) to enable the implementation and management of appropriate IT solutions and services to support the business and to enable relationships with the business

PO4.5 IT Organisational Structure

Control Objective
Establish an internal and external IT organisational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organisational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.

Value Drivers
• Effective and efficient support for the business
• Staffing requirements and sourcing strategies that support strategic business goals
• Flexible and responsive IT organisational structure
• Business/IT alignment at the organisational level

Risk Drivers
• Insufficient business support
• Insufficient staffing requirements
• Inappropriate sourcing strategies
• Inflexibility of IT to changes in business needs

Test the Control Design
• Enquire whether and confirm that:
– Periodic reviews are performed over the impact of organisational changes as they affect the overall organisation and the structure of the IT function itself
– The IT organisation has flexible resource arrangements, such as the use of external contractors and flexible third-party service arrangements, to support changing business needs


PO4.6 Establishment of Roles and Responsibilities

Control Objective
Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs.

Value Drivers
• Effective individual performance
• Activities allocated to specific positions
• Efficient recruitment of appropriately skilled and experienced IT staff
• Effective staff performance

Risk Drivers
• Non-compliance with regulations
• Compromised information
• Recruitment of staff not working as intended
• Fraudulent system usage
• Non-responsive IT organisation

Test the Control Design
• Enquire whether and confirm that:
– Each IT task has been formalised by reviewing documentation and determining whether IT task descriptions are appropriate and updated as required
– A role has been assigned to IT personnel with corresponding IT tasks. Assess whether personnel understand the role and tasks that have been assigned, and that the tasks are being performed.
– Accountabilities and responsibilities have been assigned to roles. Verify by inspection of job descriptions, charters, etc., that each role has the necessary accountabilities and responsibilities to execute the role.
– IT personnel have been informed of their roles. Assess whether changes are communicated to IT personnel and whether the changes are being implemented.
– Managers periodically confirm the accuracy of the role descriptions. Review role descriptions to determine whether they accurately reflect the roles of team members.
– Role descriptions outline key goals and objectives and include SMARRT measures
– SMARRT measures are used in staff performance evaluations
– All role descriptions in the organisation include responsibilities regarding information systems, internal control and security
– Management trains staff members regularly on their roles. Interview staff members to determine whether a knowledge of the role has been communicated and understood.
• To determine whether employees are provided with enterprisewide and departmental policies and procedures, review the:
– Annual policy acknowledgement
– HR records indicating whether employees were provided with policy documentation during new hire orientation
– Employee training records


PO4.7 Responsibility for IT Quality Assurance

Control Objective
Assign responsibility for the performance of the quality assurance (QA) function and provide the QA group with appropriate QA systems, controls and communications expertise. Ensure that the organisational placement and the responsibilities and size of the QA group satisfy the requirements of the organisation.

Value Drivers
• Quality assurance as an integral part of IT's responsibilities
• Processes in line with the organisation's quality expectations
• Proactive identification of improvements to IT functionality and business processes
• Proactive identification of quality issues and business risks

Risk Drivers
• Reputational damage
• Undetected quality-related risks that impact the overall business
• Increased costs and time delays due to poor quality control
• Quality assurance not applied consistently or effectively
• Inconsistencies in quality across the organisation
• Reduced business performance

Test the Control Design
• Enquire whether and confirm that the QA function includes:
– A reporting line such that it can operate with adequate independence and report its findings objectively
– Monitoring processes to ensure compliance with the organisation's QA-related policies, standards and procedures (e.g., compliance with the organisation's development methodology)
– Acting as a centre of expertise for the development of QA-related policies (e.g., QA requirements in a systems development life cycle), standards and procedures
– A process adopted and aligned with QA best practices and standards
– Staff levels and skills commensurate with the size of the organisation and the QA function's responsibilities. Assess the skills to verify that they include quality assurance, IT, controls, processes and communication.
– Active support from senior management sponsors
– A defined and documented process for identifying, escalating and resolving issues identified to the QA process
– A process to report periodically on its findings and recommendations


PO4.8 Responsibility for Risk, Security and Compliance

Control Objective
Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the enterprise level to deal with organisationwide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.

Value Drivers
• Improved protection and integrity of information assets
• Risk, security and compliance responsibilities embedded at senior management level
• Senior management support in risk, security and compliance issues
• Security mechanisms as effective and efficient countermeasures for the organisation's threats
• Proactive identification and resolution of risk, security and compliance issues

Risk Drivers
• Improper protection of information assets
• Loss of confidential information
• Financial losses
• Lack of management commitment for organisationwide security
• Non-compliance risk
• Unclear understanding of the organisation's IT risk appetite

Test the Control Design
• Enquire whether and confirm that:
– Senior management has established an organisationwide, adequately staffed risk management and information security function with overall accountability for risk management and information security. Verify by interviewing key personnel that the reporting line of the risk management and information security function is such that it can effectively design, implement and, in conjunction with line management, enforce compliance with the organisation's risk management and information security policies, standards and procedures.
– Roles and responsibilities for the risk management and information security function have been formalised and documented
– Responsibilities have been allocated to appropriately skilled and experienced staff members and, in the case of information security, under the direction of an information security officer
– The resource requirements in relation to risk management and information security have been regularly assessed by management to ensure that appropriate resources are provided to meet the needs of the business
– A process is in place to obtain senior management guidance concerning the risk profile and acceptance of significant residual risks. Verify that it functions properly by examining recent situations.


PO4.9 Data and System Ownership

Control Objective
Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.

Value Drivers
• Users controlling their data and systems
• Defined accountability for the maintenance of data and system security measures
• Effective and timely information management processes
• Reduced financial losses caused by theft of assets

Risk Drivers
• Improperly secured business data
• Improper protection of information assets
• Requirements for protecting business data not in line with the business requirements
• Inadequate security measures for data and systems
• Business process owners not taking responsibility for data

Test the Control Design
• Enquire whether and confirm that a policy for data classification and system ownership has been developed and communicated.
• Validate that the policy has been applied to major application systems and enterprise architecture and internal and external data communication.
• Verify that the policy for data classification and system ownership supports the protection of information assets, enables efficient delivery and use of business applications, and facilitates effective security decision making. Observe the process to register and maintain system ownership and data classification, and assess whether the process is being consistently applied.
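The PO4.9 test steps ask the reviewer to confirm that every system has an owner, a classification, and protection "in line with this classification". The following is an added example, not part of the ITGI guide, of how that consistency check can be automated over an ownership register. The classification levels, the controls required per level and the sample CSV rows are all constructed for illustration; a real review would take them from the organisation's own classification policy and register export.

```python
"""Consistency check of a data classification and system ownership register.

Added example (not from the ITGI guide): one way to test PO4.9, i.e. that every
system has a named owner, a valid classification, and protection measures that
match that classification. The classification scheme, the required controls per
level and the sample register rows are all constructed.
"""
import csv
import io

# Constructed classification scheme: minimum controls each level requires.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"access_control"},
    "confidential": {"access_control", "encryption_at_rest", "access_logging"},
    "restricted": {"access_control", "encryption_at_rest", "access_logging", "mfa"},
}

# Constructed register export (one row per system), as an IT function might maintain it.
SAMPLE_REGISTER = """\
system,owner,classification,controls
hr_payroll,jane.doe,confidential,access_control;encryption_at_rest;access_logging
public_website,,public,
crm,john.roe,confidential,access_control
trading_engine,ann.lee,restricted,access_control;encryption_at_rest;access_logging;mfa
wiki,sam.poe,secret,access_control
"""


def parse_register(text):
    """Parse the CSV export into a list of dicts; the controls column becomes a set."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        controls = {c.strip() for c in row["controls"].split(";") if c.strip()}
        rows.append({
            "system": row["system"].strip(),
            "owner": row["owner"].strip(),
            "classification": row["classification"].strip().lower(),
            "controls": controls,
        })
    return rows


def check_register(rows, required=REQUIRED_CONTROLS):
    """Return (system, finding) tuples; an empty list means the register is consistent."""
    findings = []
    for row in rows:
        system = row["system"]
        if not row["owner"]:
            findings.append((system, "no owner assigned"))
        level = row["classification"]
        if level not in required:
            findings.append((system, f"unknown classification '{level}'"))
            continue  # cannot judge the controls without a valid level
        missing = required[level] - row["controls"]
        for control in sorted(missing):
            findings.append((system, f"missing control for '{level}': {control}"))
    return findings


if __name__ == "__main__":
    for system, finding in check_register(parse_register(SAMPLE_REGISTER)):
        print(f"{system}: {finding}")
```

Each finding maps directly onto one of the test steps above: a missing owner is an ownership gap, an unknown level means the classification policy was not applied, and a missing control means protection is not in line with the classification. Running the check against periodic register exports is what "assess whether the process is being consistently applied" looks like in practice.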

PO4.10 Supervision

Control Objective
Implement adequate supervisory practices in the IT function to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review key performance indicators.

Value Drivers
• Effective and efficient execution of IT's roles and responsibilities
• Appropriate controls over IT functions
• Prompt identification of resourcing issues
• Prompt identification of performance issues

Risk Drivers
• Organisation's goals and objectives not met
• Resourcing and performance issues not identified and resolved
• Malfunction of IT and business processes
• Inadequate monitoring of controls and objectives
• Key roles and responsibilities not exercised

Test the Control Design
• Confirm through interviews that supervisory practices have been established, including guidance and training for performance reviews.
• Review records to assess the frequency and extent of supervisory reviews and staff appraisals.
• Assess whether reviews have a sound set of performance expectations and performance criteria.
• Enquire whether and confirm that findings from supervisory reviews and staff appraisals are properly escalated, communicated and followed up.


PO4.11 Segregation of Duties

Control Objective
Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions.

Value Drivers
• Effective and efficient functioning of business-critical systems and processes
• Proper protection of information assets
• Reduced risk of financial loss and reputational damage

Risk Drivers
• Inappropriate subversion of critical processes
• Financial loss and reputational damage
• Malicious or unintentional damages
• Non-compliance with external requirements for segregation of materially significant systems and business processes

Test the Control Design
• Enquire whether and confirm that standards have been established to enforce and ensure appropriate segregation of duties and that these standards are reviewed and changed as needed.
• Assess whether standards have been implemented in assigning roles and responsibilities.
• Enquire whether and confirm that a process exists to identify critical positions and processes that must be subject to segregation of duties.

PO4.12 IT Staffing

Control Objective
Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives.

Value Drivers
• Ability of IT staff to support business needs
• Cost control
• Appropriate size of the IT department
• Appropriate skills in the IT department

Risk Drivers
• IT staff resources unable to meet business needs
• Excessive IT internal and/or external staffing costs
• Under- or overresourced IT department
• Lack of appropriate skills in the IT department

Test the Control Design
• Enquire whether and confirm that available and required IT skills and competencies are regularly reviewed and their impact on IT staffing is analysed, escalated and acted upon, as needed.
• Review major business and operational changes, and assess whether their impact on skills, competencies and staffing requirements are assessed and followed up.
• Assess the sourcing strategies and verify that they support the skill and competency requirements.
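The PO4.11 segregation-of-duties test steps ask whether standards exist, whether they were applied when roles were assigned, and whether the critical processes subject to segregation have been identified. The following is an added example, not part of the ITGI guide, showing how an assurance reviewer can turn a segregation standard into a mechanical check over a role/entitlement export: duties are the authorisations a role grants, a conflict rule names two duties no single person may hold, and the check reports every user whose combined roles violate a rule. The roles, duties, rules and user assignments are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a role/entitlement register.

Added example (not from the ITGI guide): a reviewer's check for PO4.11. The duty
names, conflict rules and user/role data are constructed for illustration; in a
real review they come from the organisation's SoD standard and its IAM export.
"""
from itertools import combinations

# Constructed: each role and the duties (authorisations) it grants.
ROLE_DUTIES = {
    "developer": {"modify_code"},
    "release_manager": {"deploy_to_production"},
    "dba": {"modify_production_data"},
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_payment"},
    "auditor": {"read_audit_log"},
}

# Constructed: pairs of duties that the SoD standard says one person must not combine.
CONFLICT_RULES = {
    frozenset({"modify_code", "deploy_to_production"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"modify_production_data", "read_audit_log"}),
}

# Constructed user -> roles register, as exported from an identity management system.
USER_ROLES = {
    "alice": {"developer", "release_manager"},  # can both write and ship code
    "bob": {"developer"},
    "carol": {"ap_clerk", "ap_approver"},        # can create a vendor and pay it
    "dave": {"dba", "auditor"},                   # can alter data and the audit trail
    "erin": {"ap_approver"},
}


def duties_for(user_roles, role_duties):
    """Expand a user's roles into the flat set of duties they can perform."""
    duties = set()
    for role in user_roles:
        if role not in role_duties:
            raise KeyError(f"role {role!r} has no duty definition")
        duties |= role_duties[role]
    return duties


def find_sod_conflicts(user_roles, role_duties=ROLE_DUTIES, rules=CONFLICT_RULES):
    """Return {user: [(duty_a, duty_b), ...]} for every conflicting duty pair a user holds."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        held = duties_for(roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in rules if pair <= held]
        if hits:
            findings[user] = sorted(hits)
    return findings


def role_pairs_in_conflict(role_duties=ROLE_DUTIES, rules=CONFLICT_RULES):
    """Design-time check: role pairs that must never be co-assigned, before any user exists."""
    bad = set()
    for r1, r2 in combinations(sorted(role_duties), 2):
        combined = role_duties[r1] | role_duties[r2]
        if any(rule <= combined for rule in rules):
            bad.add((r1, r2))
    return sorted(bad)


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(USER_ROLES).items():
        print(f"{user}: {pairs}")
    print("role pairs that must not be co-assigned:", role_pairs_in_conflict())
```

The two functions correspond to the two halves of the test: `role_pairs_in_conflict` checks that the standard itself is implementable in the role design (the second test step), while `find_sod_conflicts` checks the assignments actually made (the standard "implemented in assigning roles and responsibilities"). Any user listed in the findings is a case where a single individual could compromise a critical process and needs either a role change or a documented compensating control.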


PO4.13 Key IT Personnel

Control Objective
Define and identify key IT personnel (e.g., replacements/backup personnel), and minimise reliance on a single individual performing a critical job function.

Value Drivers
• Properly trained key IT personnel
• Reduced dependency on individual key IT personnel
• Knowledge sharing
• Continuity of IT services
• Critical IT roles reliably supported
• Succession planning

Risk Drivers
• Insufficient skills of key IT personnel
• Reliance on single knowledge experts
• Inadequate knowledge sharing or succession planning
• Critical tasks and roles not performed

Test the Control Design
• Enquire whether and confirm that management has formal procedures for considering the staffing coverage for key processes when approving or being notified of absences.
• Assess whether management reviews its dependency on key staff members and has considered contingency actions such as alternative sourcing, documenting key knowledge, training of other staff members, and transferring responsibilities from key staff members to others.

PO4.14 Contracted Staff Policies and Procedures

Control Objective
Ensure that consultants and contract personnel who support the IT function know and comply with the organisation's policies for the protection of the organisation's information assets such that they meet agreed-upon contractual requirements.

Value Drivers
• Contracted staff supporting the needs of the business
• Knowledge sharing and retention within the organisation
• Protection of the information assets
• Control over the contracted personnel's activities

Risk Drivers
• Increased dependence on key (contracted) individuals
• Gaps between expectations and the capability of contracted personnel
• Work performed not aligned with business requirements
• No knowledge capture or skills transfer from contracted personnel
• Inefficient and ineffective use of contracted staff
• Failure of contracted staff to adhere to organisational policies for the protection of information assets
• Litigation costs from disagreements over expectations for responsibility and accountability

Test the Control Design
• Inspect the policies and procedures describing when, how and what type of work can be outsourced, and determine whether they are being implemented. Inspect the policies and procedures for information security responsibilities of contractors, and assess through enquiry whether they are being followed (e.g., background checks are conducted, physical and logical access control requirements are followed, personal identification is secure, and contractors are advised that management reserves the right to monitor and inspect all usage of IT resources, including e-mail, voice communications, and all programs and data files).
• Review the policies and procedures for selecting a contractor, and assess whether they are being implemented.

Page 75: USING COBIT - csbweb01.uncw.edu

75I T G O V E R N A N C E I N S T I T U T E

APPENDIX II

PO4 Define the IT Processes, Organisation and Relationships (cont.)

Control Objective
PO4.15 Relationships
Establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.

Value Drivers
• Efficient identification and resolution of issues
• Alignment of goals and approaches with business objectives and methodologies
• Positive involvement of stakeholders
• Clearly defined ownership and accountability for relationship management

Risk Drivers
• Extended gaps between the identification and resolution of issues
• Inadequate identification of improvements
• Gaps between business objectives and IT policies, guidelines and methodologies

Test the Control Design
• Enquire whether and confirm that a process for identifying stakeholders has been defined and that a communications channel and communication plan have been established for each.
• Verify through interviews with key stakeholders their satisfaction with IT’s communications, the effectiveness of IT’s communications and the adequacy with which feedback from stakeholders is being dealt with.

Page 76: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Review the IT process framework and determine if it supports the IT strategic plan and integrates with the business process, IT processes and enterprise portfolio management.
• Enquire through interviews whether this framework is being communicated, executed and understood by business and IT.
• Enquire whether and confirm that the IT process framework has been integrated with the quality management system and internal control framework.
• Enquire whether and confirm that the scope, membership, responsibilities, etc., of the IT strategy committee are defined, that the committee is composed of board and non-board members, and that each has appropriate expertise.
• Confirm through interviews, meeting minutes and reports to the board of directors that the IT strategy committee reports to the board on governance and IT strategic issues.
• Enquire whether and confirm that senior IT management understands which processes are used to monitor, measure and report on IT function performance.
• Confirm the existence of an IT steering committee with representation from the executive level, key business operations areas, IT and key business support areas.
• Enquire whether and confirm that formal documentation of the role and authority of the IT steering committee includes key sponsorship at the executive level.
• Inspect documents such as meeting minutes and an IT steering committee charter to identify the participants involved in the committee, their respective job functions and the reporting relationship of the committee to executive management.
• Enquire whether and confirm that IT is headed by a CIO or similar function and the reporting line is commensurate with the importance of IT.
• Confirm through interviews and organisational chart reviews that no individual user groups/departments can exert undue influence over the IT function (e.g., reporting relationship of the IT function and its independence from a single business unit or department, and identifying how projects are funded).
• Confirm through interviews and documentation reviews that the IT function is adequately resourced and funded to support the business function (e.g., review the business case, IT strategy and IT tactical plan for resource requirements).
• Enquire whether and confirm that periodic reviews of the IT organisational structure occur, with the aim of ensuring that they reflect business needs.
• Confirm with the head of IT administration that access to external resources is available as needed.
• Confirm through interviews with IT personnel that a role has been assigned to each with corresponding IT tasks (e.g., assess whether personnel understand the role and tasks that have been assigned and the tasks are being performed).
• Enquire whether and confirm that responsibilities have been assigned to roles (e.g., verify that each role has the necessary responsibilities to execute the role).
• Enquire whether and confirm that role descriptions have been created, and delineate authority and responsibilities.
• Enquire whether and confirm that a QA function exists.
• Determine the role of the QA function (e.g., monitoring processes to ensure compliance with the organisation’s QA-related policies, standards and procedures; and acting as a centre of expertise for the development of QA-related policies, standards and procedures).
• Enquire whether and confirm that the QA function is adequately staffed with the appropriate skills.
• Enquire whether and confirm that members of senior management have established risk management and information security functions that are accountable for the respective areas.
• Enquire whether and confirm that the reporting line of the risk management and security function allows it to effectively design, implement and, in conjunction with line management, enforce compliance with the organisation’s policies and procedures.
• Enquire whether and confirm that a process is in place to obtain senior management guidance on the acceptable level of risk associated with IT.
• Enquire whether and confirm that roles and responsibilities for the risk management and information security function have been formalised and documented and that responsibilities have been appropriately allocated. Review the documentation and determine whether roles and responsibilities are being fulfilled as outlined.
• Enquire whether and confirm that resource requirements are assessed regularly and are provided as needed. Assess whether the staffing levels are appropriate based on the results of the resource requirement assessments.
• Confirm through interview and documentation reviews that an inventory of information assets has been created, tracked and maintained.
• Confirm through interviews that supervisors have the required skill set to perform supervisory functions (e.g., tracking of critical tasks, key performance indicators, staff performance appraisals and risk assessment).
• Review the escalation procedure and verify that it has been implemented and is being applied consistently (e.g., issues are recorded, tracked and analysed periodically).
• Enquire whether and confirm during periodic employee reviews that supervisory skills are assessed and required actions are taken to ensure competency.
• Enquire whether and confirm that there is a process to identify conflicting functions.
• Enquire whether and confirm that conflicting functions have been remediated.
• Enquire whether and confirm that procedures address how appropriate segregation is maintained during periods when typical personnel are unavailable.

Page 77: USING COBIT - csbweb01.uncw.edu


• Enquire whether segregation of duties is reviewed when job roles and responsibilities are created or updated and whether responsibilities are reassigned where necessary. Determine whether the changes are implemented (e.g., job descriptions clearly delineate authority and responsibility).
• Enquire whether and confirm that compensating controls have been designed and implemented as necessary (e.g., confirm with senior IT management or supervisors on the effectiveness of the compensating controls). Enquire whether and confirm that management periodically reviews staffing requirements in consideration of business/IT environment and strategy, and identifies skills and resource gaps.
• Enquire whether and confirm that management is evaluating sourcing strategies (e.g., business/IT staff co-location, cross-functional training and job rotation) in conjunction with reviewing staffing requirements.
• Enquire whether and confirm that management periodically identifies key processes, skills required to support the processes and key areas that lack job redundancy (e.g., determine the availability of individuals with relevant skills, experience and knowledge to fulfil the critical roles, and inspect documentation that lists the key processes and the designated individuals who support them).
• Enquire whether and confirm that management has considered outsourcing or other support arrangements to provide job redundancy for key processes (e.g., inspect available contracts with third parties to identify the existence of outsourcing provisions).
• Confirm the existence and maintenance of key contact lists and their availability to the appropriate personnel in a timely manner. Confirm that backup personnel are cross-trained.
• Enquire whether and confirm that the policies, procedures, rules and responsibilities are being communicated to the contractor and that the contractor understands that management reserves the right to monitor and inspect all usage of IT resources.
• Enquire whether and confirm that an appropriate individual has responsibility for reviewing the contractor’s work and approval of payments.
• Enquire whether and confirm that IT management has defined the key stakeholders and relationships and that roles and responsibilities are communicated with stakeholders (e.g., users, suppliers, security officers, risk managers, regulators).
• Confirm with management that appropriately skilled IT personnel are assigned to manage the relationship (e.g., inspect documents that list the IT contact for each key stakeholder).
• Enquire whether and confirm that feedback is obtained from the key stakeholders (e.g., issues, action items, reports), and assess whether the feedback is being properly used to drive continuous improvement.

Take the following steps to document the impact of the control weaknesses:
• Assess the risk (e.g., threats, potential vulnerabilities, security, internal controls) that a road map to achieve the strategic goals will not be established.
• Assess the risk and additional cost due to IT not being organised optimally to achieve strategic goals.
• Assess the risk (e.g., threats, potential vulnerabilities, security, internal controls) that an IT strategic plan may not be effectively executed.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) of overreliance on key IT personnel.
• Assess the additional cost of staffing requirements and sourcing strategies not being adjusted to meet expected business objectives and changing circumstances.
• Assess the additional cost of personnel performing unauthorised duties relevant to their respective jobs and positions.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that uncontrolled activities of external personnel may compromise the organisation’s information assets.

Page 78: USING COBIT - csbweb01.uncw.edu


PO5 Manage the IT Investment
A framework is established and maintained to manage IT-enabled investment programmes and that encompasses cost, benefits, prioritisation within budget, a formal budgeting process and management against the budget. Stakeholders are consulted to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and initiate corrective action where needed. The process fosters partnership between IT and business stakeholders; enables the effective and efficient use of IT resources; and provides transparency and accountability into the total cost of ownership, the realisation of business benefits and the ROI of IT-enabled investments.

Control Objective
PO5.1 Financial Management Framework
Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.

Value Drivers
• Insight into the value of IT’s contribution to the business, by using standardised investment criteria
• IT priorities based on IT value contribution
• Clear and agreed-upon budgets
• Improved ability to assign priorities based on business cases

Risk Drivers
• Unclear priorities for IT projects
• Inefficient process for financial management
• IT budget not reflecting business needs
• Weak control over IT budgets
• Failure of senior management to approve the IT budgets
• Lack of senior management support

Test the Control Design
• Verify that a financial management framework exists, including processes and responsibilities, as a basis for cost, benefit and budget management. Enquire whether and confirm that inputs and outputs of the financial framework have been defined and that management makes regular improvements to the framework based on available financial information. Verify that a portfolio of investment programmes, services and assets has been created and maintained. Perform a high-level review of the portfolio to check for completeness and alignment with the strategic and tactical IT plans.
• Enquire whether and confirm that a process exists to communicate relevant cost and benefit aspects of the portfolio to the appropriate budget prioritisation (business cases), cost management and benefit management processes.
• Confirm that the communicated cost and benefit inputs are comparable and consistent.
• Verify that the created IT budget includes projects, assets and services.

Page 79: USING COBIT - csbweb01.uncw.edu


PO5 Manage the IT Investment (cont.)

Control Objective
PO5.2 Prioritisation Within IT Budget
Implement a decision-making process to prioritise the allocation of IT resources for operations, projects and maintenance to maximise IT’s contribution to optimising the return on the enterprise’s portfolio of IT-enabled investment programmes and other IT services and assets.

Value Drivers
• Priorities that reflect IT goals and requirements of the business and are transparent to all stakeholders
• Focused use of resources
• Appropriate decision making, balancing cost, continuous improvement, quality and readiness for the future

Risk Drivers
• Inefficient resource management
• Inability to optimise goals and objectives
• Confusion, demotivation and loss of agility due to unclear priorities
• IT budget not in line with the IT strategy and investment decisions

Test the Control Design
• Enquire whether and confirm that a process and decision-making committee for the prioritisation of IT initiatives and resources has been created. Verify that the committee’s responsibilities have been defined in relation to other committees. Enquire whether and confirm that all IT initiatives are prioritised within portfolios based on business cases and strategic and tactical plans.
• Review the allocated budgets and cut-offs for consistency and accuracy.
• Verify through inspection of meeting minutes whether the prioritisation decisions have been communicated, and enquire through interviews whether the decisions are reviewed by the budget stakeholder.
• Enquire whether and confirm that a process exists to identify, communicate and resolve significant budget decisions that impact the business case, portfolio or strategic plans. Verify that the IT strategy committee and executive committee have ratified changes to the overall IT budget for items that negatively impact the entity’s strategic or tactical plans and have suggested actions to resolve these impacts.

Page 80: USING COBIT - csbweb01.uncw.edu


PO5 Manage the IT Investment (cont.)

Control Objective
PO5.3 IT Budgeting
Establish and implement practices to prepare a budget reflecting the priorities established by the enterprise’s portfolio of IT-enabled investment programmes, and including the ongoing costs of operating and maintaining the current infrastructure. The practices should support development of an overall IT budget as well as development of budgets for individual programmes, with specific emphasis on the IT components of those programmes. The practices should allow for ongoing review, refinement and approval of the overall budget and the budgets for individual programmes.

Value Drivers
• An effective decision-making process for budget forecasting and allocation
• Formally defined spectrum of funding options for IT operations
• Identified and classified IT costs
• Clear accountability for spending

Risk Drivers
• Resource conflicts
• Inappropriate allocation of financial resources of IT operations
• Financial resources not aligned with the organisation’s goals
• Lack of empowerment, leading to loss of agility
• Lack of senior management support for the IT budget

Test the Control Design
• Enquire whether and confirm that a methodology has been implemented to establish, change, approve and communicate a formal IT budget.
• Review the IT budget to verify whether relevant elements (e.g., authorised sources of funding, internal resource costs, third-party costs, capital and operational expenses) are taken into account when creating the budget.
• Enquire whether and confirm that budget contingencies have been identified and a rationale for these contingencies has been approved. Verify that the effectiveness of the budgeting process is monitored (cost allocation, service cost allocation and budget variance analysis), and review reports to verify that lessons learned are recorded to make future budgeting more accurate and reliable.
• Enquire whether and confirm that the people involved in the budgeting process (e.g., process, service and programme owners, asset managers) are properly instructed.
• Enquire whether and confirm that there is an approved and consistent budget creation process (e.g., review the budget plans, make decisions about budget allocations, and compile and communicate the overall IT budgets, project cost allocation, service cost allocation and budget variance analysis).

Page 81: USING COBIT - csbweb01.uncw.edu


PO5 Manage the IT Investment (cont.)

Control Objective
PO5.4 Cost Management
Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations on programmes should be assessed. Together with the business sponsor of those programmes, appropriate remedial action should be taken and, if necessary, the programme business case should be updated.

Value Drivers
• Accurate and timely identification of budget variances
• Maximised and cost-efficient utilisation of IT resources
• Consistently priced service delivery
• Transparent IT value contribution
• Business understanding of actual cost and benefit of IT

Risk Drivers
• Misspending of IT investments
• Inappropriate service pricing
• IT value contribution not transparent

Test the Control Design
• Enquire whether and confirm that a framework has been defined to manage IT-related costs and that IT expenditure categories are comprehensive, appropriate and properly classified.
• Confirm that there is appropriate independence between individuals who capture, analyse and report financial information, and the IT budget holders.
• Review established timescales to determine whether they are aligned with budgeting and accounting requirements and, within IT projects, whether they are structured according to the deliverables timetable.
• Enquire whether and confirm that a method has been defined that collects data to identify specified deviations.
• Verify that systems from which data are collected have been identified. Determine whether the information provided by the systems is complete, accurate and consistent.
• Determine how cost-related information is consolidated, how it is presented at various levels in the organisation and to stakeholders, and whether it helps enable the timely identification of required corrective actions.

Page 82: USING COBIT - csbweb01.uncw.edu


PO5 Manage the IT Investment (cont.)

Control Objective
PO5.5 Benefit Management
Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT’s contribution to the business, either as a component of IT-enabled investment programmes or as part of regular operational support, should be identified and documented in a business case, agreed to, monitored and reported. Reports should be reviewed and, where there are opportunities to improve IT’s contribution, appropriate actions should be defined and taken. Where changes in IT’s contribution impact the programme, or where changes to other related projects impact the programme, the programme business case should be updated.

Value Drivers
• Accurate identification of benefit variances during and after implementation
• Accurate information for portfolio decisions, i.e., continue, adjust or retire programmes
• Properly priced service delivery
• Transparency of IT’s contribution to the business
• Business understanding of actual cost and benefit of IT

Risk Drivers
• Misspending of IT investments
• Inappropriate service pricing
• IT value contribution not transparent
• Incorrect perception of IT value contribution

Test the Control Design
• Enquire whether and confirm that the cost management process provides sufficient information to identify, quantify and qualify benefits of delivering IT solutions, providing IT services and managing IT assets.
• Enquire whether and confirm that the allocation of benefits across time allows for meaningful analysis of benefits.
• Review the process for developing metrics for measuring benefits (e.g., obtaining guidance from external experts, industry leaders and comparative benchmarking data).
• Enquire whether and confirm that there is a remediation process for identified benefit deviations.

Page 83: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Enquire whether and confirm that a financial management framework, processes and responsibilities have been defined and maintained to enable fair, transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of IT-enabled business programmes.
• Assess whether the financial management framework provides information to enable effective and efficient IT investment and portfolio decisions, enables estimation of IT costs and benefits, and provides input into the maintenance of IT asset and services portfolios. Determine whether the financial management framework and processes provide sufficient financial information to assist in the development of business cases and facilitate the budget process.
• Verify that investments, IT assets and services are being taken into account in preparing IT budgets.
• Enquire whether and confirm that the current IT budget is tracked against actual costs and that variations are analysed.
• Enquire whether and confirm that information provided by the budgeting process is sufficient to track project costs and assist in the allocation of IT resources.
• Enquire whether and confirm that an effective decision-making process is implemented to prioritise all IT initiatives and allocate budgets accordingly.
• Enquire whether and confirm that a methodology has been implemented to establish, maintain and communicate for change and approval of a formal IT budget.
• Enquire whether and confirm that process, service and programme owners as well as project and asset managers have been instructed in how to capture budget requirements and plan budgets.
• Confirm that there is a budgeting process and that this process is reviewed/improved on a periodic basis.
• Review the cost management framework and verify that it defines all IT-related costs. Verify that the tools used to monitor costs are effective and used properly (i.e., how costs are allocated across budgets and projects, how costs are captured and analysed, and to whom and how they are reported).
• Enquire whether and confirm that the allocation of the budget across time is aligned with IT projects and support activities to allow for meaningful analysis of budget variances.
• Enquire whether and confirm that IT financial management members have been instructed in how to capture, consolidate and report the cost data.
• Enquire whether and confirm that the appropriate level of management reviews the results of cost analysis and approves corrective actions.
• Enquire whether and confirm that responsibility and accountability for achieving benefits as recorded in the business case have been assigned.
• Enquire whether and confirm that the metrics for monitoring IT’s and the business’s contribution to the business case are collected, reported and analysed at regular intervals.
• Enquire whether and confirm that the identified budget deviations are approved by business and IT management.

Take the following steps to document the impact of the control weaknesses:
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that:
– Input into business cases may not take into account current IT asset and service portfolios
– New investment and maintenance may not influence the future IT budget
– Cost/benefit aspects of projects may not be communicated to the budget prioritisation, cost management and benefit management processes
– The allocation of IT resources may not be prioritised as a result of IT’s contribution to optimising ROI
– Ongoing review, refinement and approval of the overall budget and the budgets for individual programmes may not occur
– Cost deviations may not be identified in a timely manner and the impact of those deviations may not be assessed
– Opportunities to improve IT’s contribution to business solutions may not be considered
– Not all benefits may be identified in a cost-benefits analysis, resulting in poor prioritisation of projects and projects that could have been considered may be rejected

Page 84: USING COBIT - csbweb01.uncw.edu

PO6 Communicate Management Aims and Direction

Management develops an enterprise IT control framework and defines and communicates policies. An ongoing communication programme is implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management. The communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives and direction. The process ensures compliance with relevant laws and regulations.

IT ASSURANCE GUIDE: USING COBIT

I T G O V E R N A N C E I N S T I T U T E84

PO6.1 IT Policy and Control Environment

Control Objective
Define the elements of a control environment for IT, aligned with the enterprise's management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accountability and responsibility. The control environment should be based on a culture that supports value delivery whilst managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.

Value Drivers
• Comprehensive IT control environment
• Comprehensive set of IT policies
• Increased awareness of the organisation's mission
• Proper use of applications and IT services

Risk Drivers
• Miscommunications about organisational mission
• Management's philosophy misinterpreted
• Actions not aligned with the organisation's business objectives
• No transparent IT control environment
• Compliance and security issues

Test the Control Design (PO6.1)
• Enquire whether and confirm the existence of formal 'tone at the top' communication (e.g., CIO newsletter or intranet page, periodic e-mails, IT vision or guiding principles) designed to define and manage the IT risk and control environment and ensure that it aligns with the organisation's general risk and control environment.
• Determine whether accountability and responsibility have been assigned to individuals for establishing and reinforcing the communications of the control culture.
• Confirm the existence of policies and practices to support the control environment (e.g., acceptable use policies, background checks). Inspect for evidence of periodic awareness training on these policies and practices.
• Determine if a process exists to periodically (at least annually) reassess the adequacy of the control environment and risk appetite to ensure that it is aligned with the organisation's changing environment.
• Enquire whether and confirm that HR policies (e.g., background checks on job applicants, awareness training for new hires, signed code of conduct documentation, appropriate consequences for unethical behaviour) support the IT control environment.

Page 85: USING COBIT - csbweb01.uncw.edu

85I T G O V E R N A N C E I N S T I T U T E

APPENDIX II

PO6.2 Enterprise IT Risk and Control Framework

Control Objective
Develop and maintain a framework that defines the enterprise's overall approach to IT risk and control and that aligns with the IT policy and control environment and the enterprise risk and control framework.

Value Drivers
• Comprehensive IT control and risk framework
• IT risk and control awareness and understanding
• Reduction of negative business impact when planned and unplanned issues occur

Risk Drivers
• Sensitive corporate information disclosed
• Irregularities not identified
• Financial losses
• Compliance and security issues

Test the Control Design (PO6.2)
• Enquire whether and confirm that a formal IT risk and control framework exists based on acknowledged industry standards/leading practices (e.g., COSO, COSO-ERM, COBIT).
• Assess whether the IT risk and control framework is aligned with the organisation's enterprise risk and control framework and considers the enterprise risk tolerance level.
• Enquire whether and confirm that the IT risk and control framework specifies its scope and purpose and outlines management's expectations of what needs to be controlled.
• Enquire whether and confirm that the structure of the IT risk and control framework is well defined and responsibilities have been clearly stated and assigned to appropriate individuals.
• Enquire whether and confirm that a process is in place to periodically review (preferably annually) the IT risk and control framework to maintain its adequacy and relevancy.

PO6 Communicate Management Aims and Direction (cont.)

PO6.3 IT Policies Management

Control Objective
Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly.

Value Drivers
• Appropriate policies and procedures for the organisation
• Quality within the organisation
• Proper use of applications and IT services
• Transparency and understanding of IT costs, benefits, strategy and security levels

Risk Drivers
• Greater number and impact of security breaches
• Unaccepted or unknown policies
• Misunderstanding of management's aims and directions
• Out-of-date or incomplete policies
• Poor organisational security culture
• Lack of transparency

Test the Control Design (PO6.3)
• Enquire whether and confirm that a hierarchical set of policies, standards and procedures has been created and aligns with the IT strategy and control environment.
• Enquire whether and confirm that specific policies exist on relevant key topics, such as quality, security, confidentiality, internal controls, ethics and intellectual property rights.
• Enquire whether and confirm that a policy update process has been defined that requires, at minimum, annual reviews.
• Enquire whether and confirm that procedures are in place to track compliance and define consequences of non-compliance.
• Enquire whether and confirm that accountability has been defined and documented for formulating, developing, documenting, ratifying, disseminating and controlling policies, to ensure that all elements of the policy management process have been assigned to accountable individuals.

Page 86: USING COBIT - csbweb01.uncw.edu


PO6.4 Policy, Standard and Procedures Rollout

Control Objective
Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.

Value Drivers
• Appropriate protection of the organisation's assets
• Decisions aligned with the organisation's business objectives
• Efficient management of the organisation's assets
• Proper use of IT resources and IT services

Risk Drivers
• Organisation's policies, standards and procedures unknown or not accepted
• Lack of communication of management's aims and directions
• Control culture not aligned with management's aims
• Policies misunderstood or not accepted
• Business risk of policies and procedures not followed

Test the Control Design (PO6.4)
• Enquire whether and confirm that a process is in place to translate IT policies and standards into operational procedures.
• Enquire whether and confirm that employment contracts and incentive mechanisms are aligned with policies.
• Enquire whether and confirm that a process is in place to require users to explicitly acknowledge that they received, understand and accept relevant IT policies, standards and procedures. The acknowledgement should be periodically refreshed (e.g., biannually).
• Enquire whether sufficient and skilled resources are available to support policy rollout.

PO6 Communicate Management Aims and Direction (cont.)

PO6.5 Communication of IT Objectives and Direction

Control Objective
Communicate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise.

Value Drivers
• Clearly communicated management philosophy
• Increased awareness of the organisation's mission
• Awareness and understanding of risks, security, objectives, etc., within the organisation
• Decisions aligned with the organisation's business objectives

Risk Drivers
• IT objectives not achieved
• Poor acceptance or understanding of the organisational policy
• Business threats not identified in a timely manner
• Lack of understanding of management's aims and directions
• Lack of confidence and trust in IT's mission
• Breakdown in control and security culture

Test the Control Design (PO6.5)
• Enquire whether and confirm that there are management processes to regularly communicate IT objectives and direction. Verify with a representative sample of staff members at different levels that IT objectives have been clearly communicated and understood.
• Review past communications and verify that they cover the mission, service objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, etc.

Page 87: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Assess the frequency, format and content of the communication of the 'tone at the top' messages to determine if it will effectively define and reinforce the control culture, risk appetite, ethical values, code of conduct and requirements of management integrity.
• Inspect for evidence of periodic awareness training on policies and practices that are relevant to support the control environment (e.g., annual code of conduct or ethics training, periodic acknowledgement of acceptable use policies). Assess employees' understanding of IT management's philosophy and risk appetite to determine the extent to which it is aligned with management. Assess through inquiry and observation whether there is a general understanding of key risks and regulatory requirements that affect the IT control environment, or a general understanding of the importance of adhering to IT policies and procedures.
• Determine whether there is an IT risk and control framework that defines the enterprise's overall approach to IT risk and control and that aligns the IT policy and control environment to the enterprise risk and control framework.
• Determine whether the responsibilities associated with implementing and maintaining the IT risk and control framework are being adequately carried out by qualified individuals. Inspect defined risks and controls to determine their adequacy in controlling the confidentiality, integrity and availability of information systems and networks.
• Review IT policies to determine the frequency of updates and whether a re-evaluation has occurred at least annually. Make necessary adjustments and amendments, and determine whether updated IT policies are appropriately communicated across the enterprise.
• Confirm through interviews that resources have been allocated to those who perform appropriate roles and responsibilities for formulating, developing, documenting, ratifying, disseminating and controlling IT policies.
• Verify that sufficient and skilled resources have been allocated to support the rollout process, including monitoring and enforcing compliance. Examine and verify through interviews that operational procedures that support the IT policies and standards have been communicated, understood and accepted by appropriate staff.
• Inspect documentation of acknowledgement and acceptance of IT policies for a sample of employees to determine that it is being consistently administered and periodically refreshed.
• Inspect evidence to ensure that communication takes place to articulate IT objectives and direction and that management support is visible.
• Enquire whether and confirm that the communication process has the necessary resources and skills for effective communication.

Take the following steps to document the impact of the control weaknesses:
• Determine whether lack of appropriate IT policy management has resulted in lack of adequate control over IT resources and lack of achievement of business objectives.
• Determine whether lack of adequate communication, monitoring and enforcement of IT policies and standards has resulted in a lack of compliance with those standards and the associated non-achievement of business goals.
• Determine whether lack of awareness of IT objectives and direction has resulted in the lack of achievement of business goals.

Page 88: USING COBIT - csbweb01.uncw.edu


PO7 Manage IT Human Resources

A competent workforce is acquired and maintained for the creation and delivery of IT services to the business. This is achieved by following defined and agreed-upon practices supporting recruiting, training, evaluating performance, promoting and terminating. This process is critical, as people are important assets, and governance and the internal control environment are heavily dependent on the motivation and competence of personnel.

PO7.1 Personnel Recruitment and Retention

Control Objective
Maintain IT personnel recruitment processes in line with the overall organisation's personnel policies and procedures (e.g., hiring, positive work environment, orienting). Implement processes to ensure that the organisation has an appropriately deployed IT workforce with the skills necessary to achieve organisational goals.

Value Drivers
• IT skills optimised and aligned with organisational goals
• Improved recruitment and retention of the right IT skills to support future business requirements

Risk Drivers
• IT services for business-critical processes not supported adequately
• Ineffective IT solutions
• Lack of appropriate IT skills due to IT human resources management not being in line with market conditions

Test the Control Design (PO7.1)
• Enquire whether and confirm that an IT HR management plan exists that reflects the definition of skill requirements and preferred professional qualifications to meet tactical and strategic IT needs of the organisation. The plan should be updated at least annually and should include specific recruitment and retention action plans to address current and future requirements. It should also include policies for the enforcement of uninterrupted holiday policy procedures, as applicable.
• Enquire whether and confirm that a documented process for the recruitment and retention of IT personnel is in place and reflects the needs identified in the IT HR plan. Confirm that HR professionals regularly review and approve the IT recruitment and retention process to ensure alignment with organisational policies.

PO7.2 Personnel Competencies

Control Objective
Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience. Define core IT competency requirements and verify that they are being maintained, using qualification and certification programmes where appropriate.

Value Drivers
• Appropriately qualified and experienced staff for specific job responsibilities
• Improved personal career development, contribution and job satisfaction
• Continuous development of skills in line with business needs

Risk Drivers
• IT staff not skilled as required for business-critical requirements
• IT staff dissatisfied with career progression
• More incidents and errors with greater impact

Test the Control Design (PO7.2)
• Inspect a sample of job descriptions for a complete and appropriate description of required skills, competencies and qualifications.
• Verify that processes exist and are conducted on a regular basis to review and refresh job descriptions.
• Enquire whether and confirm that management has identified skill needs, including appropriate education, cross-training and certification requirements to address specific requirements of the organisation.

Page 89: USING COBIT - csbweb01.uncw.edu


PO7.3 Staffing of Roles

Control Objective
Define, monitor and supervise roles, responsibilities and compensation frameworks for personnel, including the requirement to adhere to management policies and procedures, the code of ethics, and professional practices. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.

Value Drivers
• Communication of and adherence to organisation policies, practices and ethics
• Clear accountability and responsibility for key functions
• Improved alignment of staff contribution to business goals

Risk Drivers
• Incorrect actions and decisions based on unclear direction setting
• Increased errors and incidents caused by lack of supervision
• Staff dissatisfaction through poor management and oversight

Test the Control Design (PO7.3)
• Inspect a sample of role descriptions to ensure inclusion of an adequate definition of responsibilities, competencies, and sensitive security and compliance requirements.
• Inspect a sample of acknowledgements for acceptance of role descriptions and responsibilities for IT personnel.
• Review terms and conditions of employment for existence of non-disclosure, intellectual property rights, responsibility for information security, internal control, applicable laws and requirements. These should align with the organisation's requirements for non-disclosure of confidential information.
• Inspect the sample of job descriptions for high-risk positions to determine whether the span of control and required supervision is appropriate for each role.

PO7 Manage IT Human Resources (cont.)

PO7.4 Personnel Training

Control Objective
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organisational goals.

Value Drivers
• Enhanced personal contribution and performance toward organisational success
• Effective and efficient delivery of each employee's role
• Support of technical and management development, increasing personnel retention
• Increase in employees' value to the enterprise

Risk Drivers
• Insufficient security awareness, causing errors or incidents
• Knowledge gaps regarding products, services and practices
• Insufficient skills, leading to service degradation and increased errors and incidents

Test the Control Design (PO7.4)
• Walk through the training effectiveness measurement process to confirm that the critical training and awareness requirements are included.
• Inspect training programme content for completeness and appropriateness. Inspect delivery mechanisms to determine whether the information is delivered to all users of IT resources, including consultants, contractors, temporary staff members and, where applicable, customers and suppliers.
• Inspect training programme content to determine if all internal control frameworks and security requirements are included based on the organisation's security policies and internal controls (e.g., impact of non-adherence to security requirements, appropriate use of company resources and facilities, incident handling, employee responsibility for information security). Enquire whether and confirm that training materials and programmes have been reviewed regularly for adequacy.
• Inspect the policy for determining training requirements. Confirm that the training requirements policy ensures that the organisation's critical requirements are reflected in training and awareness programmes.

Page 90: USING COBIT - csbweb01.uncw.edu

PO7.5 Dependence Upon Individuals

Control Objective
Minimise the exposure to critical dependency on key individuals through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.

Value Drivers
• Adequately supported critical IT activities that continually meet objectives
• Contingency in place for non-availability of key personnel
• Reduced risk of incidents by internal IT staff

Risk Drivers
• Increased number and impact of incidents caused by unavailability of essential skills to perform a critical role
• Staff dissatisfaction due to lack of succession planning and job advancement opportunities
• Inability to perform critical IT activities

Test the Control Design (PO7.5)
• Inspect documentation on key role personnel for reliance on single individuals for critical processes within the IT organisation.
• Enquire whether training programmes incorporate techniques to mitigate the risk of overdependence on key resources. Programmes should include cross-training, documentation of key tasks, job rotation, knowledge sharing and succession planning for critical roles within the organisation.

PO7 Manage IT Human Resources (cont.)

PO7.6 Personnel Clearance Procedures

Control Objective
Include background checks in the IT recruitment process. The extent and frequency of periodic reviews of these checks should depend on the sensitivity and/or criticality of the function and should be applied for employees, contractors and vendors.

Value Drivers
• Recruitment of appropriate personnel
• Proactive prevention of information disclosure and confidentiality standards

Risk Drivers
• Increased risk of threats occurring from within the IT organisation
• Disclosure of customer or corporate information and increased exposure of corporate assets

Test the Control Design (PO7.6)
• Inspect selection criteria for performance of security clearance background checks.
• Review for appropriate definition of critical roles for which security clearance checks are required. This should apply to employees, contractors and vendors.
• Enquire whether and confirm that hiring processes include clearance background checks. Inspect hiring documentation for a representative sample of IT staff members to evaluate whether background checks have been completed and evaluated.


Page 91: USING COBIT - csbweb01.uncw.edu


Test the Control Design (PO7.7)
• Inspect a representative sample of employee job performance evaluations to determine whether criteria for goal setting include SMARRT objectives. These should reflect the core competencies, company values and skills required for each role. Walk through the job performance evaluation process to determine whether policies and procedures for the use and storage of personal information are clear and comply with the applicable legislation. Inspect the remuneration/recognition process to determine if it is in line with performance goals and organisational policy. Inspect performance improvement plans to determine alignment with organisational policies and consistent application throughout the IT organisation. Performance improvement plans should include specifically defined goals, timelines for completion and an appropriate level of disciplinary action if improvements are not achieved.

Test the Control Design (PO7.8)
• Enquire and inspect whether exit procedures for voluntary termination of employment are documented and contain all required elements, such as necessary knowledge transfer, timely securing of logical and physical access, return of the organisation's assets, and conducting of exit interviews.
• Enquire whether job change procedures are documented and contain all required elements to minimise disruption of business processes. Examples include the need for job mentoring, job hand-over steps and preparatory formal training. Inspect job change procedures to determine if the procedures are consistently followed.
• Acquire through HR a list of terminated/transferred users (for the past six months to one year).

PO

7.7

Em

ploy

ee J

ob P

erfo

rman

ce E

valu

atio

n R

equi

re a

tim

ely

eval

uatio

n to

be

perf

orm

ed o

n a

regu

lar

basi

s ag

ains

t ind

ivid

ual

obje

ctiv

es d

eriv

ed f

rom

the

orga

nisa

tion’

s go

als,

est

ablis

hed

stan

dard

s an

dsp

ecif

ic jo

b re

spon

sibi

litie

s. E

mpl

oyee

s sh

ould

rec

eive

coa

chin

g on

per

form

ance

and

cond

uct w

hene

ver

appr

opri

ate.

Valu

e D

river

sC

ontr

ol O

bjec

tive

• Im

prov

ed in

divi

dual

and

col

lect

ive

perf

orm

ance

and

con

trib

utio

n to

orga

nisa

tiona

l goa

ls•

Impr

oved

sta

ff s

atis

fact

ion

• Im

prov

ed m

anag

emen

t per

form

ance

from

sta

ff f

eedb

ack

and

revi

ewpr

oces

ses

• E

ffec

tive

use

of I

T s

taff

Ris

k D

river

s

• In

abili

ty to

iden

tify

inef

fici

ent

oper

atio

ns•

Inef

fect

ive

trai

ning

pro

gram

me

• D

issa

tisfi

ed a

nd d

isgr

untle

d st

aff,

lead

ing

to r

eten

tion

prob

lem

s an

dpo

ssib

le in

cide

nts

• L

oss

of c

ompe

tent

sta

ff m

embe

rs a

ndre

late

d co

rpor

ate

know

ledg

e

PO

7 M

anag

e IT

Hum

an R

esou

rces

(co

nt.)

PO

7.8

Job

Cha

nge

and

Ter

min

atio

n Ta

ke e

xped

ient

act

ions

reg

ardi

ng jo

b ch

ange

s, e

spec

ially

job

term

inat

ions

.K

now

ledg

e tr

ansf

er s

houl

d be

arr

ange

d, r

espo

nsib

ilitie

s re

assi

gned

and

acc

ess

righ

ts r

emov

ed s

uch

that

ris

ks a

re m

inim

ised

and

con

tinui

ty o

f th

e fu

nctio

n is

guar

ante

ed.

Valu

e D

river

sC

ontr

ol O

bjec

tive

• E

ffic

ient

and

eff

ectiv

e co

ntin

uatio

n of

busi

ness

-cri

tical

ope

ratio

ns

• Im

prov

ed s

taff

ret

entio

n• A

mor

e se

cure

info

rmat

ion

envi

ronm

ent t

hrou

gh ti

mel

y an

dap

prop

riat

e re

stri

ctio

n of

acc

ess

Ris

k D

river

s

• U

naut

hori

sed

acce

ss w

hen

empl

oyee

sar

e te

rmin

ated

• L

ack

of s

moo

th c

ontin

uatio

n of

busi

ness

-cri

tical

ope

ratio

ns

Page 92: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT

IT GOVERNANCE INSTITUTE

Take the following steps to test the outcome of the control objectives:
• Inspect the IT human resource plan to verify that the IT needs of the organisation are defined. The IT human resource plan should be based on organisational objectives and include strategic initiatives, applicable regulatory requirements and the associated IT skills required.
• Ensure that current and future needs are assessed against currently available skills and that gaps are translated into action plans.
• Inspect the IT HR management plan and determine whether it addresses retention practices within the IT organisation, including the identification of critical and scarce skills, consideration of personal evaluations, compensation and incentives, development plans, and individual training needs.
• Verify that job descriptions are periodically reviewed and that job descriptions include skill set competencies and qualifications of current personnel. Compare the skill sets of current employees to job description requirements. Inspect professional development plans from a sample of employees to determine the adequacy of career planning. Development plans should include encouragement of competency development, opportunities for personal advancement and measures to reduce dependence on key individuals.
• Review job descriptions to ensure that each is current and relevant. Include the employee handbook/third-party agreements to confirm that the obligations of employees and third-party personnel are clearly stated and appropriate for the given role. Inspect for employee acknowledgement of conditions for employment, including responsibility for information security, internal control, regulatory compliance, protection of intellectual property and non-disclosure of confidential information. Observe whether the amount of supervision applied to high-risk roles is appropriate. Review procedures governing the activities of high-risk roles to determine if supervisory approval is required and has been performed for critical decisions.
• Determine whether appropriate benchmarking of human resource management activities has been performed against similar organisations, appropriate international standards or industry best practices on a periodic basis. Confirm that the level of supervision is appropriate for the sensitivity of the position and responsibilities assigned.
• Inspect automation controls to track changes to privileged user permissions.
• Verify that the personnel training process is being delivered to all new users prior to granting access and is redelivered on an annual basis. Inspect the personnel training programme content for completeness and appropriateness (such as education on the organisation's requirements for internal control and ethical conduct).
• Inspect delivery mechanisms to determine if information is delivered to all users of IT resources, including consultants, contractors and temporary staff members. Where applicable, it should include customers and suppliers as well.
• Verify that the personnel training programme includes certification and recertification processes for appropriate roles.
• Enquire whether and confirm that training materials and programmes have been reviewed regularly for adequacy and include impact on all necessary skills.
• Confirm that a process exists to measure the completion and effectiveness of critical employee training and awareness programmes and requirements.
• Review documented strategies for the reduction of dependence on single individuals in critical roles. Verify the inclusion of segregation of duties. Inspect the process to identify roles suitable for rotation, and confirm that rotation is occurring. Enquire of employees to determine whether knowledge sharing is occurring.
• Inspect the compiled performance evaluation information to assess whether it was compiled completely and accurately. Validate that the information is used in an appropriate manner. Enquire of employees whether management provides appropriate feedback regarding performance during, and following, the performance evaluation. Determine that performance is evaluated against the individual's goals and performance criteria established for the position. Determine if the performance evaluation process is applied consistently and is in line with performance goals and organisational policies.
• Inspect exit procedures and processes for evidence of consistent application throughout the organisation.
• Review the appropriateness of access rights (logical and physical access) related to job changes. Determine the effects on segregation of duties and compensating controls if old access permissions are retained during a period of transition.
• Verify that user accounts have been disabled for terminated users and appropriate access has been applied for transferred users.
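The last outcome tests above (access rights on job change, segregation of duties where old permissions are retained, and disabled accounts for leavers) can be evidenced by reconciling the HR movement list against a directory export. The script below is an added example written for this page, not part of the guide; every user, group, role mapping and date in it is constructed, and the one-day grace period between the HR effective date and account disablement is an assumed tolerance.

```python
from datetime import date

# All data below is constructed for this example (hypothetical users, groups and dates).

# HR list of terminated/transferred users over the review window (the PO7.8 test step).
HR_MOVEMENTS = [
    {"user": "alice", "event": "terminated", "effective": date(2024, 3, 1)},
    {"user": "bob", "event": "terminated", "effective": date(2024, 4, 15)},
    {"user": "erin", "event": "terminated", "effective": date(2024, 1, 5)},
    {"user": "carol", "event": "transferred", "effective": date(2024, 2, 10),
     "old_role": "payroll_clerk", "new_role": "developer"},
    {"user": "dave", "event": "transferred", "effective": date(2024, 5, 1),
     "old_role": "dba", "new_role": "project_manager"},
]

# Account and group-membership export from the directory, taken at review time.
ACCOUNTS = {
    "alice": {"enabled": False, "disabled_on": date(2024, 3, 1), "groups": {"staff"}},
    "bob": {"enabled": True, "disabled_on": None, "groups": {"staff", "vpn"}},
    "erin": {"enabled": False, "disabled_on": date(2024, 1, 20), "groups": {"staff"}},
    "carol": {"enabled": True, "disabled_on": None,
              "groups": {"staff", "payroll_approvers", "dev"}},
    "dave": {"enabled": True, "disabled_on": None, "groups": {"staff", "pm"}},
}

# Role-to-entitlement mapping: the groups each role is supposed to hold.
ROLE_GROUPS = {
    "payroll_clerk": {"payroll_approvers"},
    "developer": {"dev"},
    "dba": {"db_admins"},
    "project_manager": {"pm"},
}


def reconcile(movements, accounts, role_groups, grace_days=1):
    """Compare HR movements with the account export and return one finding per exception.

    Issues reported:
      terminated_but_enabled   - leaver's account is still enabled
      disabled_late            - account disabled more than grace_days after the HR date
      transferred_but_no_account - mover has no account in the export
      retained_old_role_groups - mover still holds entitlements of the previous role
    """
    findings = []
    for m in movements:
        acct = accounts.get(m["user"])
        if m["event"] == "terminated":
            if acct is None:
                continue  # account already deleted: nothing left to flag
            if acct["enabled"]:
                findings.append({"user": m["user"], "issue": "terminated_but_enabled"})
            elif acct["disabled_on"] is not None:
                lag = (acct["disabled_on"] - m["effective"]).days
                if lag > grace_days:
                    findings.append({"user": m["user"], "issue": "disabled_late",
                                     "lag_days": lag})
        elif m["event"] == "transferred":
            if acct is None:
                findings.append({"user": m["user"], "issue": "transferred_but_no_account"})
                continue
            # Old-role groups kept after the transfer are the segregation-of-duties
            # exposure the outcome test asks the reviewer to assess.
            retained = acct["groups"] & role_groups.get(m["old_role"], set())
            if retained:
                findings.append({"user": m["user"], "issue": "retained_old_role_groups",
                                 "groups": sorted(retained)})
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_MOVEMENTS, ACCOUNTS, ROLE_GROUPS):
        print(finding)
```

With the constructed data, bob (still enabled), erin (disabled 15 days late) and carol (kept the payroll approver group after moving to development) are flagged; alice and dave pass.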

Take the following steps to document the impact of the control weaknesses:
• Assess the organisation's dependency on key individuals to ensure that loss of capability and historical knowledge is not realised.
• Assess whether appropriate monitoring and supervision exist to ensure adherence to management policies and procedures, code of ethics, professional practices, terms and conditions of employment, internal controls, information security policy and procedures, and compliance with regulatory requirements.
• Assess the level of awareness for security requirements to ensure compliance with regulatory requirements, protection of intellectual property, organisational reputation and strategic position.
• Determine the adequacy of personnel training programmes to ensure the organisation's ability to attract and retain qualified personnel.
• Assess dependence on key individuals and the IT organisation's ability to provide continuous support of business processes in an efficient and effective manner. Determine whether appropriate segregation of duties exists for key roles to ensure that critical controls function as intended.
• Assess the appropriateness of security-checking mechanisms for key employees to ensure that control over threats within the organisation, such as theft, disclosure and compromise of sensitive corporate assets, is appropriately addressed.
• Determine whether a well-defined, timely and consistently applied performance evaluation process exists and results in the efficient and effective use of IT resources.
• Assess the level of appropriateness and consistency applied to job change policies and procedures to ensure that disruptions of business-critical operations and unauthorised access to secure environments and organisational assets do not occur.

Page 93: USING COBIT - csbweb01.uncw.edu


APPENDIX II

PO8 Manage Quality

A quality management system is developed and maintained that includes proven development and acquisition processes and standards. This is enabled by planning, implementing and maintaining the QMS by providing clear quality requirements, procedures and policies. Quality requirements are stated and communicated in quantifiable and achievable indicators. Continuous improvement is achieved by ongoing monitoring, analysis and acting upon deviations, and communicating results to stakeholders. Quality management is essential to ensure that IT is delivering value to the business, continuous improvement and transparency for stakeholders.

PO8.1 Quality Management System

Control Objective: Establish and maintain a QMS that provides a standard, formal and continuous approach regarding quality management that is aligned with business requirements. The QMS should identify quality requirements and criteria; key IT processes and their sequence and interaction; and the policies, criteria and methods for defining, detecting, correcting and preventing non-conformity. The QMS should define the organisational structure for quality management, covering the roles, tasks and responsibilities. All key areas should develop their quality plans in line with criteria and policies and record quality data. Monitor and measure the effectiveness and acceptance of the QMS, and improve it when needed.

Value Drivers:
• Alignment with and achievement of business requirements for IT
• Stakeholder satisfaction ensured
• Consistent QA environment understood and followed by all staff members
• Efficient, effective and standardised operation of IT processes

Risk Drivers:
• Insufficient quality in services and solutions, resulting in faults, rework and increased costs
• Ad hoc and, therefore, unreliable QA activities
• Misalignment with industry good practices and business objectives
• Ambiguous responsibility for quality, leading to quality reduction

Test the Control Design:
• Enquire whether the QMS was developed with input from IT management, other stakeholders and relevant enterprisewide frameworks.
• Enquire whether findings from each quality review are communicated to IT management and other stakeholders in a timely manner to enable remedial action to be taken.
• Determine whether IT quality plans are aligned with enterprise quality management criteria and policies.

Page 94: USING COBIT - csbweb01.uncw.edu


PO8 Manage Quality (cont.)

PO8.2 IT Standards and Quality Practices

Control Objective: Identify and maintain standards, procedures and practices for key IT processes to guide the organisation in meeting the intent of the QMS. Use industry good practices for reference when improving and tailoring the organisation's quality practices.

Value Drivers:
• Alignment of the QMS to business requirements and policies
• Consistency and reliability of the general quality plan
• Effective and efficient operation of the QMS
• Increased assurance for enterprisewide management that IT standards, policies, processes, practices and risk management are effective and efficient

Risk Drivers:
• Undefined responsibilities within projects and services
• Quality failures in key IT processes
• Non-compliance with defined standards and procedures
• IT policies, standards, processes and practices inconsistent with current good practices
• Failure of IT policies, standards, processes and practices to meet enterprise objectives

Test the Control Design:
• Review IT standards and frameworks to determine if they are appropriate for the systems, data and information in the environment.
• Inspect the authorisation of deviations to IT standards to validate adherence to or non-compliance with mandated or adopted standards.
• Inspect major milestones in key projects to verify that the QMS has been applied.
• Confirm the process for applying changes in mandated or adopted standards within the organisation.

PO8.3 Development and Acquisition Standards

Control Objective: Adopt and maintain standards for all development and acquisition that follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria. Consider software coding standards; naming conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; and unit, regression and integration testing.

Value Drivers:
• Efficient and effective use of technology to enable timely achievement of business objectives
• Proper identification, documentation and execution of key acquisition and development activities
• Formally defined, standardised and repeatable approach for managing acquisitions and developments

Risk Drivers:
• Inaccurate estimations of project timescales and budgets
• Unclear responsibilities within projects
• Development and implementation errors, causing delays, rework and increased costs
• Interoperability and integration problems
• Support and maintenance problems
• Unidentified errors occurring in production

Test the Control Design:
• Enquire whether development and acquisition standards for changes to existing IT resources are applied (e.g., secure coding practices; software coding standards; naming conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; unit, regression and integration testing).
• Enquire or inspect whether development and acquisition standards enable an appropriate level of control for changes to existing IT resources.
• Enquire whether development and acquisition guidance is incorporated into IT standards and frameworks.

Page 95: USING COBIT - csbweb01.uncw.edu


PO8 Manage Quality (cont.)

PO8.4 Customer Focus

Control Objective: Focus quality management on customers by determining their requirements and aligning them to the IT standards and practices. Define roles and responsibilities concerning conflict resolution between the user/customer and the IT organisation.

Value Drivers:
• Improved customer satisfaction
• Quality management aligned with customer expectations
• Clarity of roles and responsibilities

Risk Drivers:
• Gaps between expectations and delivery
• Failure to adequately understand customer expectations
• Failure to adequately respond to customer disputes and feedback
• Inappropriate or ineffective customer dispute resolution processes
• Inappropriate priority given to different services provided
• Disputes with deliverables and quality defects

Test the Control Design:
• Enquire whether customer views on the quality management process are obtained. Review the process to verify that views are obtained periodically.
• Inspect for effectiveness the questionnaires, surveys, feedback forms, interviews, etc., from customers.
• Enquire whether customer views on the quality management process are obtained. Review the process to verify that views are obtained periodically.
• Inspect the outputs from the follow-up process to determine if the feedback is organised and useful for improving the complaint-handling process.
• Inspect the documentation of roles and responsibilities to determine if they allow for effective conflict resolution of customer complaints.
• Enquire whether and confirm that customer interaction aspects are included in training programmes.

PO8.5 Continuous Improvement

Control Objective: Maintain and regularly communicate an overall quality plan that promotes continuous improvement.

Value Drivers:
• Improved quality of services and solutions
• Improved efficiency and effectiveness in delivery
• Improved staff morale and job satisfaction

Risk Drivers:
• Uncontrolled and ineffective service delivery
• Service failures
• Development faults

Test the Control Design:
• Enquire whether findings from each quality review are communicated to IT management and other stakeholders in a timely manner to enable remedial action to be taken. Ensure the staff training programme includes effective continuous improvement methodologies.
• Evaluate whether continuous improvement activities are actively promoted, effectively managed and implemented within the quality standards, policies, practices and procedures.
• Enquire whether and confirm that a quality management plan is defined. Inspect the plan and documentation to validate the appropriateness of the learning and knowledge-sharing process.

Page 96: USING COBIT - csbweb01.uncw.edu


PO8 Manage Quality (cont.)

PO8.6 Quality Measurement, Monitoring and Review

Control Objective: Define, plan and implement measurements to monitor continuing compliance to the QMS, as well as the value the QMS provides. Measurement, monitoring and recording of information should be used by the process owner to take appropriate corrective and preventive actions.

Value Drivers:
• Staff members aware of quality performance
• Consistent reporting
• Quality reporting integrated into and facilitating the organisation's QMS
• Measurable and tangible value of the QMS
• Feedback concerning compliance with and usefulness of the QMS

Risk Drivers:
• Lack of clear and consistent quality objectives
• Preventive and corrective actions unidentified
• Inconsistent quality reporting
• Reports failing to contribute to the enterprise's QMS
• Lack of clarified objectives
• Inconsistent quality reporting
• Failure of the QMS to enhance the organisation's objectives
• QMS not taken seriously or complied with by the organisation
• Weaknesses and strengths within the QMS not recognised
• Non-compliance not identified
• Projects at risk to be over time and budget and delivered with poor quality

Test the Control Design:
• Review executive-level reporting on quality performance (e.g., dashboard reporting and/or balanced scorecard) to identify trends of strengths and weaknesses.
• Inspect whether the quality metrics incorporate the achievement of business and IT strategy, financial cost, risk ratings and available industry data. Review whether the monitoring process enables corrective and preventive actions to take place.
• Perform a walk-through of the quality management process to verify that it considers relevance, applicability, latest industry data and the value of contribution to continuous improvement programmes within the organisation.

Page 97: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Inspect the QMS to verify that it provides a standard and continuous approach for quality management.
• Verify IT management's approval of the QMS.
• Review the periodic performance reviews to determine whether the review programme includes all necessary elements.
• Inspect the results of the periodic independent performance reviews of the QMS.
• Inspect whether follow-up reviews in quality assurance plans exist where significant findings have arisen, and inspect the follow-up reviews to verify that corrective action has been effective.
• Inspect QMS benchmark results to determine if appropriate industry guidelines, standards and enterprises were included in the comparison.
• Inspect the authorisation of deviations to IT standards to validate adherence to or non-compliance with stakeholder requirements.
• Inspect major milestones to verify that the QMS is in operation.
• Inspect the customer quality standards and metric requirements for completeness (i.e., questionnaires, surveys, feedback forms, interviews).
• Inspect the outputs from the QMS follow-up process to determine if the feedback is organised and useful for improving the complaint-handling process.
• Inspect the documentation of roles and responsibilities to determine if it allows for effective conflict resolution of customer complaints.
• Inspect the training programme to verify the existence of customer care content.
• Walk through the periodic performance reviews to determine whether the review programme includes necessary QMS elements.
• Inspect the results of the periodic independent performance reviews of the QMS.
• Inspect whether the quality metrics incorporate the achievement of business and IT strategy, financial cost, risk ratings, and available industry data.
• Review whether the monitoring process enables corrective and preventive actions to take place.
• Perform a walk-through of the QMS process to verify that it considers relevance, applicability, latest industry data and the value of contribution to the continuous improvement programme within the organisation.
• Determine the reliability of quality assurance activities by assessing alignment with industry best practices and gaps between current procedures and business expectations.

Take the following steps to document the impact of the control weaknesses:
• Determine the level of compliance with organisational IT standards and quality practices to assess deviations that may result in incompatible system architecture, leading to increased costs and the project not meeting goals and objectives.
• Determine if development and acquisition standards include processes for accurate estimation of project timescales and budgets to ensure efficient and effective use of IT and business resources and the attainment of strategic goals and objectives.
• Confirm that quality management processes include mechanisms for conflict resolution and the determination of consistency of understanding regarding customer expectations and product/process capability.
• Assess whether customer requirements align with IT standards.
• Determine whether the continuous improvement policy and procedures enable the organisation's ability to maintain a competitive advantage.
• Assess whether quality measurement processes and reporting mechanisms enable corrective actions to be performed in a timely manner.

Page 98: USING COBIT - csbweb01.uncw.edu


PO9 Assess and Manage IT Risks

A risk management framework is created and maintained. The framework documents a common and agreed-upon level of IT risks, mitigation strategies and residual risks. Any potential impact on the goals of the organisation caused by an unplanned event is identified, analysed and assessed. Risk mitigation strategies are adopted to minimise residual risk to an accepted level. The result of the assessment is understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance.

PO9.1 IT Risk Management Framework

Control Objective: Establish an IT risk management framework that is aligned to the organisation's (enterprise's) risk management framework.

Value Drivers:
• Consistent approach for IT risk management
• Effective management of IT risks
• Continuous evaluation of current IT risks and threats to the organisation
• Broadened IT risk management approach

Risk Drivers:
• IT risks and business risks managed independently
• The impact of an IT risk on the business undetected
• Lack of cost control for risk management
• Each risk seen as a single threat rather than in an overall context
• Ineffective support for risk assessment by senior management

Test the Control Design:
• Inspect whether the IT risk management framework aligns with the risk management framework for the organisation (enterprise) and includes business-driven components for strategy, programmes, projects and operations. Review the IT risk classifications to verify that they are based on a common set of characteristics from the enterprise risk management framework. Inspect whether IT risk measurements are standardised and prioritised and whether they include impact, acceptance of residual risk and probabilities aligned with the enterprise risk management framework.
• Verify whether IT risks are considered in the development and review of IT strategic plans.

PO9.2 Establishment of Risk Context

Control Objective: Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated.

Value Drivers:
• Effective and efficient use of resources for management of risks
• Alignment of risk management priorities to business needs
• A focus on relevant and significant risks
• Prioritisation of risks

Risk Drivers:
• Irrelevant risks considered important
• Significant risks not given appropriate attention
• Inappropriate approach to risk assessment

Test the Control Design:
• Enquire whether and confirm that an appropriate risk context has been defined in line with enterprise risk management policies and principles and includes processes, such as systems, project management, application software life cycles, management of IT operations and services. Internal and external risk factors should be included.
• Determine whether the IT risk context is communicated and understood.

Page 99: USING COBIT - csbweb01.uncw.edu

99 IT GOVERNANCE INSTITUTE

APPENDIX II

Test the Control Design
• Inspect the process used to identify potential events and determine if all IT processes are included in the analysis. The design of the process should cover internal and external events. Identification of potential events may include results of former audits, inspections and identified incidents, using checklists, workshops and process flow analysis. Trace identified impacts to the risk registry to determine if the registry is complete, current and aligned with the enterprise risk management framework terminology.
• Enquire whether appropriate cross-functional teams are involved in the different event and impact identification activities. Review a sample of the risk registry for relevance of threats, significance of vulnerabilities and importance of impact, and analyse the effectiveness of the process to identify, record and judge risks.

Test the Control Design
• Walk through the risk management process to determine if inherent and residual risks are defined and documented.
• Enquire whether and confirm that the risk management process assesses identified risks qualitatively and/or quantitatively.
• Inspect project and other documentation to assess the appropriateness of qualitative or quantitative risk assessment.
• Walk through the process to determine if the sources of information used in the analysis are reasonable.
• Inspect the use of statistical analysis and probability determinations to measure the likelihood qualitatively or quantitatively.
• Enquire or inspect whether any correlation between risks is identified. Review any correlation to verify that it exposes significantly different likelihood and impact results arising from such relationship(s).

Control Objective
PO9.3 Event Identification
Identify events (an important realistic threat that exploits a significant applicable vulnerability) with a potential negative impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact and maintain this information. Record and maintain relevant risks in a risk registry.

Value Drivers
• Consistent approach to risk event identification
• Focus on significant risk events

Risk Drivers
• Irrelevant risk events identified and focused on whilst more important events are missed

PO9 Assess and Manage IT Risks (cont.)

Control Objective
PO9.4 Risk Assessment
Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.

Value Drivers
• Improved planning and use of IT risk management skills and resources
• Organisational credibility of IT risk assessment function teams
• Knowledge transfer between risk managers
• Creation of IT asset value awareness

Risk Drivers
• Irrelevant risks considered important
• Each risk seen as a single event rather than in an overall context
• Inability to explain significant risks to management
• Significant risks possibly missed
• Loss of IT assets
• Confidentiality or integrity breach of IT assets

Page 100: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT


Test the Control Design
• Inspect whether risk assessment results were allocated to a mitigating response to avoid, transfer, reduce, share or accept each risk and align with the mechanisms used to manage risk in the organisation.

Test the Control Design
• Enquire whether accepted risks are formally recognised and recorded in a risk action plan.
• Assess the appropriateness of the elements of the risk management plan.
• Enquire or inspect whether execution, report progress and deviations are monitored. Inspect risk responses for appropriate approvals. Review actions to verify whether ownership is assigned and documented.
• Inspect whether the risk action plan is effectively maintained and adjusted.

Control Objective
PO9.5 Risk Response
Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and consider risk tolerance levels.

Value Drivers
• Effective management of risks
• Consistent approach for risk mitigation
• Cost-effective risk response

Risk Drivers
• Risk responses not effective
• Unidentified residual business risks
• Ineffective use of resources to respond to risks
• Overreliance on existing poor controls

PO9 Assess and Manage IT Risks (cont.)

Control Objective
PO9.6 Maintenance and Monitoring of a Risk Action Plan
Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.

Value Drivers
• Effective management of risks
• Continuous evaluation of current risks and threats for the organisation

Risk Drivers
• Risk mitigation controls that do not operate as intended
• Compensating controls that deviate from the identified risks
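As an added illustration of the PO9.4 to PO9.6 steps above (this is not code from the IT Assurance Guide or from ITGI; the 1 to 5 rating scales, the tolerance threshold, the control-effectiveness factor and the four sample risks are constructed assumptions), the following Python scores each register entry's inherent and residual exposure, rolls the residual figures up by category and for the whole portfolio, and lists accepted risks whose residual score exceeds tolerance:

```python
"""Risk register scoring for the PO9.4 to PO9.6 steps.

Added example, not code from the IT Assurance Guide or ITGI. The 1..5 ordinal
scales, the tolerance threshold, the control-effectiveness factor and the
sample risks are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: likelihood and impact are rated 1..5; score = likelihood * impact (max 25).
SCALE_MIN, SCALE_MAX = 1, 5
# Assumption: a residual score above this may not simply be "accepted" without formal sign-off.
RISK_TOLERANCE = 8
# Response strategies named on the page (PO9.5 and the page 100 test step).
VALID_RESPONSES = {"avoid", "transfer", "reduce", "share", "accept"}


@dataclass
class Risk:
    rid: str
    category: str
    likelihood: int               # inherent likelihood, 1..5
    impact: int                   # inherent impact, 1..5
    control_effectiveness: float  # 0.0..1.0: share of inherent exposure removed by existing controls
    response: str                 # one of VALID_RESPONSES
    owner: str                    # process owner accountable for the committed action (PO9.6)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        return round(self.inherent() * (1.0 - self.control_effectiveness), 1)


def validate(risk: Risk) -> None:
    """Reject entries that cannot be scored consistently; a completeness check on the registry."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.rid}: {name} must be {SCALE_MIN}..{SCALE_MAX}")
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError(f"{risk.rid}: control_effectiveness must be 0..1")
    if risk.response not in VALID_RESPONSES:
        raise ValueError(f"{risk.rid}: unknown response {risk.response!r}")
    if not risk.owner:
        raise ValueError(f"{risk.rid}: committed actions must have an owner")


def rollup(register):
    """Residual exposure individually, by category and on a portfolio basis (PO9.4)."""
    by_risk = {}
    by_category = defaultdict(float)
    for risk in register:
        validate(risk)
        by_risk[risk.rid] = risk.residual()
        by_category[risk.category] += risk.residual()
    portfolio = round(sum(by_category.values()), 1)
    return by_risk, dict(by_category), portfolio


def exceptions(register):
    """Risks whose residual score exceeds tolerance but whose response is plain acceptance.

    These are the entries the PO9.6 test steps expect to find formally approved
    and recorded in the risk action plan."""
    return [r.rid for r in register
            if r.residual() > RISK_TOLERANCE and r.response == "accept"]


def build_sample_register():
    """Constructed sample data; not taken from any real assessment."""
    return [
        Risk("R1", "availability", 4, 5, 0.6, "reduce", "ops-lead"),
        Risk("R2", "confidentiality", 2, 5, 0.0, "accept", "ciso"),
        Risk("R3", "confidentiality", 3, 3, 0.5, "share", "legal"),
        Risk("R4", "compliance", 1, 4, 0.0, "accept", "cfo"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    by_risk, by_category, portfolio = rollup(register)
    print("individual:", by_risk)
    print("by category:", by_category)
    print("portfolio:", portfolio)
    print("accepted above tolerance:", exceptions(register))
```

The category view is what PO9.4 adds over a plain per-risk list: R2 and R3 each carry a modest residual score, but together they make confidentiality the largest category, which is the situation the "each risk seen as a single event rather than in an overall context" risk driver describes. The list returned by exceptions() is what an assurance professional would reconcile against the formal acceptance records and owners called for in the PO9.6 test steps.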

Page 101: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Enquire whether the IT risk management tolerance levels are aligned with enterprise risk tolerance levels. Determine whether organisational risk tolerance is used as input for both business and the IT strategy development.
• Enquire whether a process exists to apply enterprise risk tolerance levels to IT risk management decisions. Consider whether benchmarking of the risk assessment framework against similar organisations, appropriate international standards and industry best practices has been performed.
• Test whether risk-related accountability and responsibilities are understood and accepted. Verify that the right skills and necessary resources are available for risk management.
• Enquire through interviews with key staff members involved whether the control mechanism and its purpose, accountability and responsibilities are understood and applied.
• Inspect whether the activities are effectively integrated into IT management processes.
• Inspect whether the identified impacts are relevant and significant for the enterprise and whether they are either over- or underestimated. Determine whether cross-functional teams contribute to the event analysis process. Verify through interviews and impact reports whether the members of the event identification work group are properly trained on the enterprise risk management framework. Verify whether interdependencies and probabilities are accurately identified during impact assessment. Review any correlation to verify that it exposes significantly different likelihood and impact results arising from such relationships.
• Inspect the risk management process to determine if the sources of information used in the analysis are reasonable.
• Inspect the use of statistical analysis and probability determinations to measure the risk likelihood qualitatively or quantitatively.
• Walk through the process to determine if inherent and residual risks are defined and documented.
• Inspect the risk action plan to determine if it identifies the priorities, responsibilities, schedules, expected outcome, risk mitigation, costs, benefits, performance measures and review process to be established.
• Inspect risk responses for appropriate approvals. Review actions to verify whether ownership is assigned and documented.
• Inspect whether the risk management plan is effectively maintained/adjusted.
• Inspect and review the action plan results to determine if they are performed consistently with the risk framework guidelines and reflect changes to business objective. Review the plan to verify that it is designed in terms of risk avoidance, reduction and sharing. Inspect whether the risk responses to be included are selected on benefit and cost considerations.

Take the following steps to document the impact of the control weaknesses:
• Assess the IT risk management strategy to determine whether it is aligned with the enterprise risk management strategy and organisational risk appetite. Confirm that the potential for unidentified risks, misapplication of IT resources, non-compliance with regulatory requirements and organisational goals has been addressed.
• Assess the accuracy and completeness of event identification, including undetected risk, inefficient and ineffective cost containment, unmitigated risks, uncontrolled aggregated risk levels, loss of organisational assets, harmed reputation, unmet strategic goals, and non-compliance with regulatory requirements.
• Assess the risk action plan’s effectiveness at mitigating risks across the enterprise, and examine the correlation of risk and mitigation.
• Review the result of the risk action plan to evaluate effectiveness and ascertain whether owners are responsive and timely in mitigation activities.
• Review risk mitigation activities applied to high-risk threats to assess the effectiveness of the prioritisation.

Page 102: USING COBIT - csbweb01.uncw.edu

PO10 Manage Projects
A programme and project management framework for the management of all IT projects is established. The framework ensures the correct prioritisation and co-ordination of all projects. The framework includes a master plan, assignment of resources, definition of deliverables, approval by users, a phased approach to delivery, QA, a formal test plan, and testing and post-implementation review after installation to ensure project risk management and value delivery to the business. This approach reduces the risk of unexpected costs and project cancellations, improves communications to and involvement of business and end users, ensures the value and quality of project deliverables, and maximises their contribution to IT-enabled investment programmes.


Test the Control Design
• Review the programme management framework to verify:
– That the framework is adequately designed to assess the aggregated portfolio of IT projects against programme objectives
– That the programme specifies required resources, including funding, project managers, project teams, IT resources and business resources, where applicable, and that the programme management team assigns accountability for each project, including achieving the benefits, controlling the costs, managing the risks, and co-ordinating the project activities clearly and unambiguously.
– Where accountability is assigned, that such accountability was accepted; there is a clear mandate and scope; and the person accountable has sufficient authority and latitude to act, requisite competence, commensurate resources, clear lines of accountability, an understanding of rights and obligations, and relevant performance measures.
• Review plans, policies and procedures to verify that the programme management team:
– Determines the interdependencies of multiple projects in the programme
– Develops a schedule for completion that will enable the overall programme schedule to be met
– Identifies programme stakeholders inside and outside the enterprise
– Establishes appropriate levels of co-ordination, communication and liaison with programme stakeholders
– Maintains communication for the duration of the programme with programme stakeholders
• Verify that, on a regular basis, the programme management team:
– Verifies with business management that the current programme as designed will meet business requirements, and makes adjustments as necessary
– Reviews progress of individual projects and adjusts the availability of resources, as necessary, to meet schedule milestones
– Evaluates changes in technology and IT markets to determine if adjustments to the programme should be made to avoid newly occurring risks, takes advantage of newer and more effective technological solutions, or takes advantage of changes in the market that can lower costs

Control Objective
PO10.1 Programme Management Framework
Maintain the programme of projects, related to the portfolio of IT-enabled investment programmes, by identifying, defining, evaluating, prioritising, selecting, initiating, managing and controlling projects. Ensure that the projects support the programme’s objectives. Co-ordinate the activities and interdependencies of multiple projects, manage the contribution of all the projects within the programme to expected outcomes, and resolve resource requirements and conflicts.

Value Drivers
• An optimised approach for programme management
• A standardised, reliable and efficient approach for programme management across the organisation
• Enhanced ability to focus on key projects within the programme

Risk Drivers
• Inappropriate project prioritisation
• Disorganised and ineffective approach to project programmes
• Misalignment of project and programme objectives

Page 103: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Review plans, policies and procedures to verify that the project management framework:
– Is consistent with, and an integral component of, the organisation’s programme management framework
– Includes a change control process for recording, evaluating, communicating and authorising changes to the project scope
– Is subject to periodic assessment to ensure its ongoing appropriateness in light of changing conditions
– Includes guidance on the role and use of an existing programme or project office, or the creation of such a function for a project

Control Objective
PO10.2 Project Management Framework
Establish and maintain a project management framework that defines the scope and boundaries of managing projects, as well as the method to be adopted and applied to each project undertaken. The framework and supporting methods should be integrated with the programme management processes.

Value Drivers
• Increased likelihood of project success
• Reduced cost associated with establishing project management activities and disciplines
• Effective communication of project objectives, project management activities and project progress
• Consistent approach, tools and processes

Risk Drivers
• Different project management approaches within the organisation
• Lack of compliance with the organisation’s reporting structure
• Inconsistent tools for project management

PO10 Manage Projects (cont.)

Page 104: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Review plans, policies and procedures to verify that:
– Prior to each project’s initiation, the programme management team establishes a project management governance structure appropriate to the project’s size, complexity and risks (including legal, regulatory and reputational risks). The project management governance structure should assign the responsibility and accountability of the programme sponsor, project manager, and, as necessary, those of a steering committee and a project management office.
– The programme management team assigns each IT project one or more sponsors with sufficient authority to manage execution of the project within the overall strategic programme. This assignment is made unambiguously, roles and responsibilities are made plain, and the responsibility is accepted by the assignee(s).
• Enquire whether and confirm that effective mechanisms to track the execution of the project (e.g., regular reporting, stage reviews) are put in place. Review plans, policies, procedures and reports to verify that the mechanisms are designed effectively by the programme management team and that they are used to identify and manage deviations in a timely manner.

Control Objective
PO10.3 Project Management Approach
Establish a project management approach commensurate with the size, complexity and regulatory requirements of each project. The project governance structure can include the roles, responsibilities and accountabilities of the programme sponsor, project sponsors, steering committee, project office and project manager, and the mechanisms through which they can meet those responsibilities (such as reporting and stage reviews). Make sure all IT projects have sponsors with sufficient authority to own the execution of the project within the overall strategic programme.

Value Drivers
• Optimised use of resources for project management
• Clear roles and responsibilities ensuring clear accountability and commitment for key decisions and tasks
• Enhanced alignment of project objectives with business objectives
• Timely and nimble ability to react to and deal with project issues

Risk Drivers
• Confusion and uncertainty caused by different project management approaches within the organisation
• Lack of compliance with the organisation’s reporting structure
• Failure to respond to project issues with optimal and approved decisions

PO10 Manage Projects (cont.)

Page 105: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Enquire whether and confirm that:
– The project management framework provides for commitment and participation by key stakeholders, including management of the affected user department and key end users, in the initiation, definition and authorisation of a project
– Key stakeholder and end-user participation is sought during project initiation and further refined during the project life cycle
• Review project reporting to verify that ongoing involvement includes project approval, project phase approval, project checkpoint reporting, project board representation, project planning, product testing, user training, user procedures documentation and project communication materials development.
• Interview key stakeholders and end users, and inspect results of post-implementation reviews to verify that involvement was used to improve the quality and acceptance of project deliverables.

Test the Control Design
• Review plans, policies and procedures to verify that:
– The project management framework provides to the stakeholders a clear, written statement defining the objective, scope and business value of every project, before work on the project begins, to create a common understanding of project scope amongst stakeholders
– Requirements for the project are agreed upon and accepted by key stakeholders and programme and project sponsors within the organisation and IT, including initial consideration of high-level critical success factors and key performance indicators
– All subsequent changes to the project scope are appropriately documented and approved by stakeholders

PO10 Manage Projects (cont.)

Control Objective
PO10.4 Stakeholder Commitment
Obtain commitment and participation from the affected stakeholders in the definition and execution of the project within the context of the overall IT-enabled investment programme.

Value Drivers
• Increased likelihood of the project being driven by, and delivering, business benefits
• Common understanding of the project objectives across the business, end users and IT
• User commitment and buy-in for the project

Risk Drivers
• Unclear responsibilities and accountabilities for ensuring cost control and project success
• Insufficient stakeholder participation in defining requirements and reviewing deliverables
• Reduced understanding and delivery of business benefits

Control Objective
PO10.5 Project Scope Statement
Define and document the nature and scope of the project to confirm and develop amongst stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment programme. The definition should be formally approved by the programme and project sponsors before project initiation.

Value Drivers
• Baseline provided against which the progress and, ultimately, the success of the project can be measured
• Accountabilities including those of key business stakeholders assigned and clarified
• Effective use of resources for the projects
• Preparation of a master project plan facilitated

Risk Drivers
• Misunderstanding of project objectives and requirements
• Failure of projects to meet business and user requirements
• Misunderstanding of the impact of this project with other related projects

Page 106: USING COBIT - csbweb01.uncw.edu


PO10 Manage Projects (cont.)

Test the Control Design
• Review plans, policies and procedures to verify that the project management framework provides for designated managers and end users of the affected business and IT functions to approve and sign off on the deliverables produced in each project phase (e.g., requirements analysis, design, build, test, go-live) of the systems development life cycle, before work on the next phase begins. Enquire whether and confirm that the approval process is based on clearly defined acceptance criteria agreed upon with key stakeholders prior to work commencing on the project phase deliverable and, at a minimum, in advance of the completion of the deliverables for a phase. Review plans, policies and procedures to verify that phase initiation and approval includes consideration of actual costs, time and progress for the phase vs. the budgeted values. Review plans, policies and procedures to verify that significant variances are assessed against the project’s expected benefits, approved by the appropriate programme governance function and reflected in the programme’s business case.
• Review plans, policies and procedures to verify that, prior to implementation, the readiness of the project to go live is approved through a formally conducted ‘stop/go’ assessment based on predetermined critical success factors aimed at determining system quality and the preparedness of the business and support functions to use and maintain the system.

Control Objective
PO10.6 Project Phase Initiation
Approve the initiation of each major project phase and communicate it to all stakeholders. Base the approval of the initial phase on programme governance decisions. Approval of subsequent phases should be based on review and acceptance of the deliverables of the previous phase, and approval of an updated business case at the next major review of the programme. In the event of overlapping project phases, an approval point should be established by programme and project sponsors to authorise project progression.

Value Drivers
• Consistent project goals in line with the organisation’s vision
• Prioritised project execution
• Conformance of project phases with the project definition
• Ability to monitor and communicate the progress of the project

Risk Drivers
• Lack of alignment of projects to the organisation’s vision
• Wrong prioritisation of projects
• Undetected deviations from the overall project plan
• Poor utilisation of resources

Page 107: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Review plans, policies and procedures to verify that the integrated project plan provides information to permit management to control project progress and that the plan includes a statement of scope, details of project products and deliverables, required resources and responsibilities, clear work breakdown structures and work packages, estimates of resources required, milestones, key dependencies, and identification of a critical path.
• Enquire whether and ensure that the integrated project plan and any dependent plans are updated with the agreement plan owner to reflect the actual progress and material changes from master project plan checkpoints. Enquire whether and confirm that the project plan includes a communication plan that addresses changes and status reporting to key stakeholders.

Test the Control Design
• Enquire whether and confirm that resource needs are identified for the project and appropriate roles and responsibilities are clearly mapped out, with escalation and decision-making authorities agreed to and understood. Enquire whether and confirm that roles are identified and staffed with appropriate personnel.
• Enquire whether and confirm that an experienced project management resource and team leader are utilised, with skills appropriate to the size, complexity and risk of the project being undertaken. Inspect plans, policies and procedures to verify that the roles and responsibilities of other interested parties are considered and clearly defined (e.g., interested parties include, but are not limited to, internal audit, compliance, finance, legal, procurement and HR).
• Enquire whether and confirm that responsibility for procurement and management of third-party project and system support relat

ions

hips

is c

lear

ly d

efin

ed.

PO

10.7

Int

egra

ted

Pro

ject

Pla

n E

stab

lish

a fo

rmal

, app

rove

d in

tegr

ated

pro

ject

pla

n (c

over

ing

busi

ness

and

info

rmat

ion

syst

ems

reso

urce

s) to

gui

de p

roje

ct e

xecu

tion

and

cont

rol

thro

ugho

ut th

e lif

e of

the

proj

ect.

The

act

iviti

es a

nd in

terd

epen

denc

ies

ofm

ultip

le p

roje

cts

with

in a

pro

gram

me

shou

ld b

e un

ders

tood

and

doc

umen

ted.

The

pro

ject

pla

n sh

ould

be

mai

ntai

ned

thro

ugho

ut th

e lif

e of

the

proj

ect.

The

proj

ect p

lan,

and

cha

nges

to it

, sho

uld

be a

ppro

ved

in li

ne w

ith th

e pr

ogra

mm

ean

d pr

ojec

t gov

erna

nce

fram

ewor

k.

Valu

e D

river

sC

ontr

ol O

bjec

tive

• In

crea

sed

prob

abili

ty th

at p

roje

ctm

ilest

ones

for

tim

e, b

udge

t or

scop

ear

e m

et•

Incr

ease

d m

anag

emen

t aw

aren

ess

ofpo

tent

ial p

roje

ct s

lippa

ge, a

nd th

eab

ility

to r

eact

in a

tim

ely

man

ner

• A m

echa

nism

for

sha

ring

pro

ject

pla

nan

d pr

ogre

ss d

etai

ls in

a c

onsi

sten

tm

anne

r w

ithin

, and

ext

erna

l to,

the

proj

ect

• Pr

ogre

ss o

f pr

ojec

t evi

denc

ed a

ndco

mm

unic

ated

Ris

k D

river

s

• U

ndet

ecte

d er

rors

in p

roje

ct p

lann

ing

and

budg

etin

g•

Lac

k of

alig

nmen

t of

proj

ects

to th

eor

gani

satio

n’s

obje

ctiv

es a

nd to

oth

erin

terd

epen

dent

pro

ject

s•

Und

etec

ted

devi

atio

ns f

rom

the

proj

ect p

lan

PO

10 M

anag

e P

roje

cts

(con

t.)

PO

10.8

Pro

ject

Res

ourc

es

Def

ine

the

resp

onsi

bilit

ies,

rel

atio

nshi

ps, a

utho

ritie

s an

d pe

rfor

man

ce c

rite

ria

ofpr

ojec

t tea

m m

embe

rs, a

nd s

peci

fy th

e ba

sis

for

acqu

irin

g an

d as

sign

ing

com

pete

nt s

taff

mem

bers

and

/or

cont

ract

ors

to th

e pr

ojec

t. T

he p

rocu

rem

ent o

fpr

oduc

ts a

nd s

ervi

ces

requ

ired

for

eac

h pr

ojec

t sho

uld

be p

lann

ed a

nd m

anag

edto

ach

ieve

pro

ject

obj

ectiv

es u

sing

the

orga

nisa

tion’

s pr

ocur

emen

t pra

ctic

es.

Valu

e D

river

sC

ontr

ol O

bjec

tive

• Sk

ills

and

reso

urce

s ef

fici

ently

and

effe

ctiv

ely

allo

cate

d an

d as

sign

edw

ithin

the

proj

ect

• T

imel

y de

tect

ion

of r

esou

rce

gaps

• Pr

ojec

t res

ourc

e al

loca

tion

in li

ne w

ithth

e co

rpor

ate

proc

urem

ent p

olic

y

Ris

k D

river

s

• G

aps

in s

kills

and

res

ourc

esje

opar

disi

ng c

ritic

al p

roje

ct ta

sks

• In

effi

cien

t use

of

reso

urce

s•

Con

trac

t dis

pute

s w

ith o

utso

urce

dre

sour

ces

PO10.9 Project Risk Management

Control Objective
Eliminate or minimise specific risks associated with individual projects through a systematic process of planning, identifying, analysing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. Risks faced by the project management process and the project deliverable should be established and centrally recorded.

Value Drivers
• Early identification of potential showstoppers when considering project feasibility and approval
• Management able to identify and plan for contingencies and countermeasures to reduce risk impact
• Clearly identifiable risk and issue owners
• Mitigating actions monitored
• Consistent and efficient approach for risk management within projects aligned to the organisation’s risk management framework

Risk Drivers
• Undetected project risks
• Lack of mitigating actions for identified risks
• Undetected project showstoppers

Test the Control Design
• Enquire whether and confirm that a formal project risk management framework has been established. Review plans, policies and procedures to verify that responsibility for executing the organisation’s project risk management framework within a project is clearly assigned to an appropriately skilled individual.
• Review plans, policies and procedures to verify that this role may be performed by the project manager or delegated by the project manager to another member of the project team.
• Enquire whether and confirm that a project risk assessment was performed to identify project risks and issues.
• Enquire whether and confirm that project risks are reassessed periodically, including at entry into each major project phase and as part of major change request assessments.
• Inspect documentation to verify that risk and issue owners are identified; actions for risk avoidance, acceptance or mitigation (i.e., contingency plan) are identified for these risks; corrective actions are assigned to owners; cost implications are considered; and actions are managed to agreed-upon action due dates.
• Enquire whether and confirm that a project risk log and a project issues log are maintained and reviewed regularly.

PO10.10 Project Quality Plan

Control Objective
Prepare a quality management plan that describes the project quality system and how it will be implemented. The plan should be formally reviewed and agreed to by all parties concerned and then incorporated into the integrated project plan.

Value Drivers
• Alignment of the project quality plan with the corporate quality framework
• Increased likelihood of the implemented system or system modification meeting business and user requirements
• A consistent level of quality assurance activity across the project, including third parties

Risk Drivers
• Project deliverables failing to meet business and user requirements
• Gaps in expected and delivered quality within the projects
• Inefficient and fragmented approach to quality assurance
• Implemented system or changes adversely impact existing systems and infrastructure

Test the Control Design
• Review plans, policies and procedures to verify that the quality plan clearly identifies ownership/responsibilities, processes and metrics to provide quality assurance of the project deliverables that make up the project quality system.
• Review plans, policies and procedures to verify that the quality plan outlines the requirements, where appropriate, for independent validation and verification of the business and technical solution.

PO10.11 Project Change Control

Control Objective
Establish a change control system for each project, so all changes to the project baseline (e.g., cost, schedule, scope, quality) are appropriately reviewed, approved and incorporated into the integrated project plan in line with the programme and project governance framework.

Value Drivers
• Clear priorities for managing resource conflicts
• Ability to track the project scope
• Decisions relating to changes in the project made safely and efficiently

Risk Drivers
• Lack of control over project scope, cost and schedule
• Lost business focus
• Inability to manage resources

Test the Control Design
• Enquire whether and confirm that a change control process exists to manage, assess, justify and approve project changes. Assess the appropriateness of the change request as part of the process. Inspect a sample of project change requests to determine whether they are initiated by designated individuals and contain a complete description of the change, associated risks and expected benefits.
• Enquire whether and confirm that the programme and project plan and documentation are updated for approved changes.

PO10.12 Project Planning of Assurance Methods

Control Objective
Identify assurance tasks required to support the accreditation of new or modified systems during project planning, and include them in the integrated project plan. The tasks should provide assurance that internal controls and security features meet the defined requirements.

Value Drivers
• External requirements for assurance (e.g., external audit) satisfied in a timely and cost-effective manner
• External accreditation of systems or systems modifications facilitated
• Key stakeholders’ increased confidence that the project is under control and on track to realise business benefits

Risk Drivers
• Untrustworthy assurance activities
• Ineffective and/or inefficient assurance activities
• Accreditation and implementation delays

Test the Control Design
• Enquire whether and confirm that project management standards and procedures include steps to consider compliance requirements (e.g., testing internal controls and security requirements).
• Inspect project management standards and procedures to determine if they include steps to consider compliance requirements. Inspect requirements documentation for projects impacting compliance to determine that appropriate compliance stakeholders are involved and requirements are approved.
• Inspect documentation for projects that include systems with accreditation, assurance or validation requirements to determine if appropriate subject matter specialists were involved in requirements testing and approving results.

PO10.13 Project Performance Measurement, Reporting and Monitoring

Control Objective
Measure project performance against key project performance scope, schedule, quality, cost and risk criteria. Identify any deviations from the plan. Assess the impact of deviations on the project and overall programme, and report results to key stakeholders. Recommend, implement and monitor remedial action, when required, in line with the programme and project governance framework.

Value Drivers
• Improved customer satisfaction and focus
• Strong customer bias in the culture of the IT organisation for all IT projects
• Deviations to the plan promptly identified
• Positive results communicated and built upon to boost stakeholder confidence and commitment

Risk Drivers
• Ineffective reporting on project progress and unidentified issues
• Lack of control over project progress
• Loss of focus on customer expectations and business needs

Test the Control Design
• Enquire whether and confirm that the IT programme, project governance and management frameworks consist of the presence of key IT project performance criteria, including scope, schedule, quality, cost and level of risk.
• Review baseline project plans to determine if the IT programme management team recommends, implements and monitors remedial action when required. The plans should be in line with the programme and project governance framework.

PO10.14 Project Closure

Control Objective
Require that, at the end of each project, the project stakeholders ascertain whether the project delivered the planned results and benefits. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the programme, and identify and document lessons learned for use on future projects and programmes.

Value Drivers
• Increased likelihood that the project will realise expected and agreed-upon business benefits
• Improvements identified in project management and system development for future projects
• Increased focus on executing remaining actions for delivery of promised benefits

Risk Drivers
• Undetected project management weaknesses
• Missed opportunities from lessons learned

Test the Control Design
• Enquire whether and confirm that IT policies and procedures include key steps for project closure, including an effective post-implementation review.
• Inspect documentation of a sample of post-implementation reviews to determine if the reviews are effectively planned and executed.
• Walk through the process used to identify, communicate and track any uncompleted activities required to achieve project programme benefits. Inspect post-implementation documentation to determine if uncompleted activities are identified, communicated and resolved.
• Walk through the process used to collect lessons learned to determine if the process is effective in improving future projects. Assess customer involvement in the review and analysis process.

Take the following steps to test the outcome of the control objectives:
• Inspect documentation of the programme management framework to verify that the programme adequately assesses the aggregated portfolio of IT projects against programme objectives. The programme should specify required resources, including funding, project managers, project teams, IT resources and business resources, where applicable.
• Inspect documentation and trace activities through the process to verify that the programme management team also specifies required resources, including funding, project managers, project teams, IT resources and business resources, where applicable.
• Inspect documentation and trace activities through the process to verify that the programme management team effectively assigns accountability for each project and that, where accountability is assigned, such accountability is accepted and the person accountable has sufficient authority and latitude to act, requisite competence, commensurate resource, clear lines of accountability, an understanding of rights and obligations, and relevant performance measures.
• Inspect schedules and other documentation to determine whether the programme management team effectively discovered the interdependencies of multiple projects in the programme and developed a schedule for their completion that enables the overall programme schedule to be met.
• Inspect communications and other documents to determine that the programme management team effectively determines programme stakeholders inside and outside the enterprise; establishes appropriate levels of co-ordination, communication and liaison with these parties; and maintains communication with them for the duration of the programme.
• Inspect periodic assessments and other documents to verify that the project management framework is used effectively as an integral component of, and is consistent with, the organisation’s programme management approach, and that it is appropriate in light of changing conditions.
• Inspect major milestones to validate that appropriate sign-offs have been achieved before proceeding to the next phase (e.g., a review committee consisting of sponsors and end users to ensure that scope and requirements are appropriate).
• Inspect documentation to verify that the programme management team effectively assigns each IT project one or more sponsors with sufficient authority to manage execution of the project within the overall strategic programme, the assignment is made unambiguously, roles and responsibilities are made clear, and the responsibility is accepted by the assignee(s).
• Inspect documentation such as meeting minutes and sign-off documentation to verify that the project management team effectively provides for commitment and participation by key stakeholders, including management of the affected user department and key users, in the initiation, definition and authorisation of a project.
• Inspect documents such as meeting minutes and sign-off documentation and trace activities through the process to verify that the ongoing key stakeholder commitment and participation for the remainder of the project life cycle is effectively outlined during the project initiation and an effective refining process is used further during the process.
• Verify that the project/programme communication plan is effectively maintained throughout the project.
• Sample change requests to verify that stakeholders provided appropriate sign-off.
• Inspect plans, policies and procedures to verify that the project management framework is designed effectively to provide for designated managers and end users of the affected business and IT functions to approve and sign off on the deliverables produced in each project phase of the system development life cycle, before work on the next phase begins.
• Inspect documentation to verify that the basis of the approval process is effective to clearly define acceptance criteria agreed upon with key stakeholders prior to work commencing on the project phase deliverable and, at a minimum, in advance of the completion of the deliverables for a phase.
• Inspect plans, policies and procedures to verify that phase initiation and approval is designed effectively to consider actual costs, time and progress management, and to assess significant variances against the project’s expected benefits.
• Inspect plans, policies and procedures to verify that the appropriate programme governance function is designed effectively to approve assessments of significant variances and that the significant variances are reflected in the programme’s business case.
• Physically inspect documentation and search audit trails to verify that the integrated project plan permits management to control project progress.
• Inspect documents to evaluate that the integrated project plan and any dependent plans are kept up to date with the agreement plan holder, to reflect actual progress and material changes from the programme management framework.
• Inspect the project manager organisation chart or RACI chart for completeness.
• Review the project risk assessment and related documentation/meeting minutes to verify that risks (internal and external) are managed and discussed at an appropriate level within the project governance structure throughout the project.
• Determine that the risk management plan is integrated with the overall project plan.
• Inspect assessments and reassessments of risk, change request assessments, and other documents to verify that periodic reassessments are effective and responding to changes in risk over the course of the project.
• Verify that any necessary updates are performed to the risk management plan.
• Inspect documents, search audit trails, and trace transactions through the process to verify that project risk management is being performed effectively, including workarounds for unexpected risks.
• Inspect the project risk log, project issues log and other documents to verify that the project risk log and project issues log are maintained along with corrective actions.
• Inspect documentation to verify that the scope that documents project objectives and major project deliverables is included and a quality process is defined.

Take the following steps to document the impact of the control weaknesses:
• Assess the adequacy of the aggregated portfolio of projects to determine whether it adequately meets business objectives.
• Assess whether resource conflicts exist, project interdependencies are not understood and projects successfully provide ROI.
• Assess the organisation’s ability to manage resources effectively and efficiently.
• Assess whether different project management approaches within the organisation utilise resources effectively.
• Assess the organisational reporting structure for appropriate separation of duties.
• Assess project management tools for effective monitoring and reporting.
• Assess compliance with regulatory requirements to determine if resources are utilised effectively to avoid adverse impacts on time, schedule and performance.
• Assess the project sponsor’s review and approval of the project scope statement to ensure that objectives are clearly defined and aligned with the IT-enabled investment programme.
• Assess the approved integrated project plan for interdependencies of multiple projects to ensure that project execution and project control exist throughout the life of the project.
• Assess the changes to the integrated project plan for approval and alignment with the programme and project governance framework to identify impacts to costs, schedule and performance.
• Assess whether the project has defined an appropriate governance body to review and provide acceptance to major project phases.
• Assess the organisation’s procurement practices to determine whether procurement processes are performed in a timely manner for acquiring and assigning competent staff members and/or contractors to manage the project’s cost, schedule and performance.
• Assess the quality management plan to determine consistent levels of quality assurance activity across the project, including third parties.
• Assess whether quality management considerations have been incorporated in a timely manner to ensure cost containment and alignment to the master project plan.
• Assess whether changes are approved or justified and that they meet initial goals and objectives, including any negative impacts to budget, schedules and performance.
• Assess whether assurance tasks provide an appropriate level of system accreditation to provide assurance that internal controls and security features meet the defined requirements.
• Assess whether effective reporting mechanisms exist to monitor project progress.
• Determine management’s ability to effectively and efficiently manage project risks.
• Assess project closure for feedback to support future projects of similar type or scope to determine impacts on costs, schedule and performance (e.g., collection of best practices/lessons learned).


APPENDIX III—ACQUIRE AND IMPLEMENT (AI) PROCESS ASSURANCE STEPS

AI1 Identify Automated Solutions

The need for a new application or function requires analysis before acquisition or creation to ensure that business requirements are satisfied in an effective and efficient approach. This process covers the definition of the needs, consideration of alternative sources, review of technological and economic feasibility, execution of a risk analysis and cost-benefit analysis, and conclusion of a final decision to ‘make’ or ‘buy’. All these steps enable organisations to minimise the cost to acquire and implement solutions whilst ensuring that they enable the business to achieve its objectives.

AI1.1 Definition and Maintenance of Business Functional and Technical Requirements

Control Objective
Identify, prioritise, specify and agree on business functional and technical requirements covering the full scope of all initiatives required to achieve the expected outcomes of the IT-enabled investment programme.

Value Drivers
• All significant functional and technical requirements taken into account when considering potential solutions
• Complete and accurate set of functional and technical requirements available before development or acquisition begins
• Functional and technical requirements defined effectively and efficiently
• Selected solution likely to be implemented more quickly and with less rework

Risk Drivers
• Incorrect solution selected on the basis of an inadequate understanding of requirements
• Significant requirements discovered later, causing costly reworking and implementation delays

Test the Control Design
• Confirm through interviews with key staff members that business functional and technical requirements have been defined and a maintenance process has been agreed upon. Inspect documentation of requirements and maintenance processes, and ensure that the design is appropriate to the size, complexity, objectives and risks of the acquisition and has been approved by the relevant owner/sponsor.
• Confirm through interviews with key staff members that all requirements and acceptance criteria have been considered, captured, prioritised and recorded in a way that is understandable to stakeholders and sponsors.
• Confirm through interviews with key staff members that application and infrastructure technical requirements meet the needs of the organisation’s information architecture standards and strategic technical direction.
• Review plans, policies and procedures to identify exceptions/deviations from the information architecture standards and strategic technical direction.

Page 116: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT

I T G O V E R N A N C E I N S T I T U T E116

AI1 Identify Automated Solutions (cont.)

Control Objective

AI1.2 Risk Analysis Report

Identify, document and analyse risks associated with the business requirements and solution design as part of the organisation’s process for the development of requirements.

Value Drivers

• Early identification of acquisition risks enabling the reduction or avoidance of potential impact
• Increased management awareness of potential risks

Risk Drivers

• Potentially significant acquisition risks not identified
• Management unaware of risks and failure to apply appropriate controls
• System security compromised

Test the Control Design

• Confirm through interviews with key staff members, inspection of project documentation, etc., that a holistic approach to the risk analysis of the automated solution is used.
• Confirm through interviews that stakeholders are involved, including representatives from both business and IT.
• Enquire whether and confirm that appropriate risk mitigation mechanisms are considered in the design of the solution and built in from the outset, if justified by the risks the organisation is facing.

Control Objective

AI1.3 Feasibility Study and Formulation of Alternative Courses of Action

Develop a feasibility study that examines the possibility of implementing the requirements. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor.

Value Drivers

• The most effective and efficient solution chosen for the enterprise
• Resources available to implement and operate the selected solution
• Significant requirements verified before commitment to acquire
• Selection decision making based on valid justifications

Risk Drivers

• Solution failing to meet requirements
• Solution failing to perform as expected
• Solution failing to integrate with existing infrastructure

Test the Control Design

• Enquire through interviews with key staff members whether a feasibility study process exists that sets out alternative courses of action that will satisfy the business functional and technical requirements (e.g., functionality meets the needs of business and technical requirements).
• Enquire whether and confirm that management and key staff members have determined resources to be used and are aware of go/no-go control checkpoints.
• Confirm with key staff members that the feasibility study includes the potential cost-benefit analysis of each of the identified alternatives and system functionality.

Page 117: USING COBIT - csbweb01.uncw.edu


APPENDIX III

AI1 Identify Automated Solutions (cont.)

Control Objective

AI1.4 Requirements and Feasibility Decision and Approval

Verify that the process requires the business sponsor to approve and sign off on business functional and technical requirements and feasibility study reports at predetermined key stages. The business sponsor should make the final decision with respect to the choice of solution and acquisition approach.

Value Drivers

• Solution likely to meet business requirements
• Solution having business commitment and involvement during implementation
• Business having a better understanding of the nature of the solution and the impact it will have on the business processes and organisation

Risk Drivers

• Solutions failing to meet business requirements
• Alternative solutions not identified properly
• Business process and organisation aspects of the potential solution inadequately considered

Test the Control Design

• Confirm through interviews with the business sponsor that quality reviews are being performed for business functional and technical requirements and feasibility study reports and that the business sponsor is aware of the original acceptance criteria. Evaluate project documentation for a representative sample of projects to ensure that the business sponsor has signed off on the business functional and technical requirements and feasibility reports.

Page 118: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:

• Inspect a selection of correspondence between business sponsors and stakeholders to ensure that key requirements (e.g., definition of user requirements; formulation of alternative courses of action; identification of commercial software packages; performance of technology feasibility, economic feasibility, information architecture and risk analysis studies) have been captured and considered.
• Inspect a selection of requirements documentation to determine whether a proposed new or modified system has been clearly defined, reviewed and approved in writing by the cognisant user before the development, implementation or modification of the project.
• Inspect a selection of application and infrastructure technical requirements documentation to determine if the requirement meets the organisation’s information architecture standards and strategic direction (e.g., business continuity planning, disaster recovery planning, security and legal requirements).
• Inspect a selection of risk analysis documentation, and determine whether business and IT risks are identified, examined, assessed and understood by both the business and IT and whether internal control measures and audit trails are identified as part of the risk analysis (e.g., risks on business continuity planning, disaster recovery planning, security and legal requirements).
• Inspect a selection of risk analysis documentation to determine whether risk analysis documentation was signed off on by the key stakeholders, including representatives from the business and IT.
• Inspect a selection of project, audit or other assessment reports and corroborate through interviews with compliance, audit, risk management and security staff members to determine whether a proper balance between detection and prevention controls is considered in the design of the risk response mechanisms.
• Inspect the feasibility study documentation to confirm that technical and economic feasibility met the needs of business and technical requirements.
• Inspect a selection of the feasibility study documentation to confirm that the plan sufficiently accounts for each stage of the acquisition or development life cycle and includes go/no-go control checkpoints.
• Inspect a selection of the technological and economic feasibility study documentation to confirm that identifiable costs and benefits for each of the identified alternatives and system functionalities have been properly supported and included as part of the required technological and economic feasibility study.

Take the following steps to document the impact of the control weaknesses:

• Assess the impact to the time and cost of the project if requirements do not meet user needs.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that were not identified due to system development efforts not including robust risk analyses.
• Assess the impact to the time and cost of the project if system development efforts do not comply with policies, laws and regulations.
• Assess the additional cost of the key owner/sponsor not considering alternative courses of action, thereby resulting in a more costly solution.
• Identify deficiencies in the organisation’s system development life cycle methodology.
• Identify solutions that do not meet user requirements.
• Identify system development efforts that:
  – Did not consider alternative courses of action, thereby resulting in a more costly solution
  – Did not consider commercial software packages that could have been implemented in less time and at less cost
  – Did not consider the technological feasibility of the alternatives or inappropriately considered the technological feasibility of the chosen solution and, as a result, could not implement the solution as originally designed
  – Made erroneous assumptions in the economic feasibility study and, as a result, chose the wrong course of action
  – Did not consider the information architecture/enterprise data model and, as a result, chose the wrong course of action
  – Did not conduct robust risk analyses and, thus, either did not adequately identify risks (including threats, potential vulnerabilities and impacts) or did not identify appropriate security and internal controls for reducing or eliminating identified risks
• Identify solutions that:
  – Were either overcontrolled or undercontrolled because the cost-effectiveness of control and security was improperly examined
  – Did not have adequate audit trails
  – Did not consider user-friendly design and ergonomic issues, thereby resulting in data input errors that could have been avoided
  – Did not follow the organisation’s established procurement approach and, thus, resulted in additional costs being borne by the organisation

Page 119: USING COBIT - csbweb01.uncw.edu


AI2 Acquire and Maintain Application Software

Applications are made available in line with business requirements. This process covers the design of the applications, the proper inclusion of application controls and security requirements, and the development and configuration in line with standards. This allows organisations to properly support business operations with the correct automated applications.

Control Objective

AI2.1 High-level Design

Translate business requirements into a high-level design specification for software acquisition, taking into account the organisation’s technological direction and information architecture. Have the design specifications approved by management to ensure that the high-level design responds to the requirements. Reassess when significant technical or logical discrepancies occur during development or maintenance.

Value Drivers

• Reduced costs
• Consistency between business requirements and high-level design results
• Improved time to delivery

Risk Drivers

• Dependency on knowledge held by key individuals
• Undefined development scope
• Solutions failing to deliver business requirements
• Solutions not aligned with strategic IT plan, information architecture and technology direction
• High costs of fragmented solutions

Test the Control Design

• Confirm with key IT staff members that a high-level design specification is defined that translates the business requirements for the software development.
• Obtain and review a sample of a project design specification to determine whether it addresses all the business requirements.
• Confirm with key IT staff members whether the project design approach conforms with the organisation’s design standard.
• Review high-level design documentation to determine if the organisation’s design standards are being followed.
• Review project documentation, such as the project plan and scoping document, to determine if roles and responsibilities of users in the design process are properly included.
• Corroborate management’s views regarding user involvement with users/stakeholders to confirm that users’/stakeholders’ expertise and knowledge are considered in the design process of new systems.
• Review supporting documents for unambiguous cross-references, including title and date.
• Confirm with stakeholders (IT and business) that they have approved and signed off on the high-level design and that their inputs have been incorporated into the design (e.g., process owners, information owners, security, user representatives).
• Confirm with stakeholders (IT and business) that the high-level design constitutes a solution that the organisation can deliver, operate and maintain (e.g., IT sponsor, business sponsor).

Page 120: USING COBIT - csbweb01.uncw.edu


AI2 Acquire and Maintain Application Software (cont.)

Control Objective

AI2.2 Detailed Design

Prepare detailed design and technical software application requirements. Define the criteria for acceptance of the requirements. Have the requirements approved to ensure that they correspond to the high-level design. Perform reassessment when significant technical or logical discrepancies occur during development or maintenance.

Value Drivers

• Reduced costs
• Efficient application coding and maintenance
• Prioritisation on important features
• Avoidance of data redundancy
• Application meeting usability requirements

Risk Drivers

• Processing of invalid transactions
• Increasing costs for system redesign
• Data in application systems processed incorrectly

Test the Control Design

• Perform code walk-through and examine documentation associated with data inputs and outputs to determine whether proper storage, location and retrieval methods are implemented according to data dictionary standards.
• Examine information architecture and data dictionary documentation to identify deviations from the data dictionary standards in the programme design.
• Enquire of key staff members whether data dictionary standards are being used, and compare actual performance of data inputs/outputs with responses from key staff members.
• Confirm with key staff members that source data collection design is specified that incorporates computed and stored data. Perform code walk-through and inspect plans to confirm that data are collected and validated for processing transactions.
• Confirm with key IT staff members that adequate redundancy, failure recovery and backup arrangements are defined and included in the detailed design specification. Review the backup plan and procedures to determine that they adequately address the availability requirements of the new system and are cost-effective. Enquire of key IT staff members and review relevant project documentation to determine whether file requirements for storage, location and retrieval of data are defined in the detail design specification. Review project documentation to determine if best practices, such as availability, control and auditability, security, and network requirements, are considered.
• Enquire of key staff members and inspect relevant project documentation to determine whether processing steps, including transaction types, processing rules including logic transformations or specific calculations are defined and included in the detailed design specification. Enquire of key staff members and inspect relevant project documentation to determine whether integration of system (existing or planned subsystems and acquired packaged software) and infrastructure are addressed continuously throughout the process life cycle. Confirm with key IT staff members that all identified output data requirements are properly defined.
• Review detail design documentation to determine that pertinent design details, such as different types of recipients, usage, details required, frequency and method of generation, are considered.
• Review detail design requirement documentation to determine if the availability, completeness, integrity and confidentiality of output data as well as the impact of data outputs to other programmes are appropriately addressed.
• Confirm with key staff members that the interface between the user and the system application is defined and included in the detailed design specification.
• Inspect the detailed design specification to confirm that it adequately addresses user interface requirements.
• Enquire about the system design reassessment procedures that address design changes as a result of significant technological and/or logical discrepancies.
• Review documents such as system design analysis reports or system design change requests to confirm that the system design reassessment procedures are followed (e.g., change in system design needs to be approved by business and IT sponsors).
• Review detailed design specification documentation to determine if it was prepared in conformance with organisation- and industry-accepted specification standards and the information architecture.
• Confirm with IT and business stakeholders that a design walk-through takes place before development commences.
• Review the detailed design specification to confirm that a design walk-through is conducted for all stakeholders and that stakeholder sign-off has been initiated before development (e.g., signature and date or e-mail confirmation).

Page 121: USING COBIT - csbweb01.uncw.edu


AI2 Acquire and Maintain Application Software (cont.)

Control Objective

AI2.3 Application Control and Auditability

Implement business controls, where appropriate, into automated application controls such that processing is accurate, complete, timely, authorised and auditable.

Value Drivers

• Consistent application controls established
• Ensured data integrity
• Transaction data history able to be validated and reconstructed, if needed

Risk Drivers

• Costly compensating controls
• Data integrity issues
• Gaps between application controls and actual threats and risks
• Processing results and data repositories failing to meet compliance requirements

Test the Control Design

• Review the requirements documentation for design of controls to determine that automated application controls are defined based on business process control requirements.
• Review the requirements documentation for design of controls, and identify instances where authorisation, input, processing, output and boundary controls are inadequate.
• Review plans for implementing automated control functions in packaged application software, and determine that business process control requirements are adequately addressed.
• Confirm with business process owners and IT technical design authorities that design specifications for all automated application controls in development or purchased applications are approved. Review design specification for all automated application controls in developed or purchased/packaged applications to confirm that they are approved. Confirm with project personnel that automated controls have been defined within the application that support general control objectives, such as security, data integrity, audit trails, access control and database integrity controls. Perform walk-throughs of application controls in developed and purchased packaged software, trace transactions, and review documentation to ensure that general control objectives (e.g., security, data integrity, audit trails, access control, database integrity controls) are addressed adequately.
• Review project documentation to confirm that design specifications have been assessed against the internal audit, control and risk management standards and objectives.
• Review project documentation to determine if the effects of compensating controls outside the application software realm have been considered. Review evidence of high-level review conducted to ensure that automated application and general controls objectives are met (e.g., availability, security, accuracy, completeness, timeliness, authorisation, auditability).

Page 122: USING COBIT - csbweb01.uncw.edu


AI2 Acquire and Maintain Application Software (cont.)

Control Objective

AI2.4 Application Security and Availability

Address application security and availability requirements in response to identified risks and in line with the organisation’s data classification, information architecture, information security architecture and risk tolerance.

Value Drivers

• Preventive and detective security controls established as necessary
• Ensured data confidentiality, integrity and availability
• Maintained system availability for business processing

Risk Drivers

• Undetected security violations
• Costly compensating controls
• Gaps between considered security controls and actual threats and risks

Test the Control Design

• Enquire with key staff members to assess knowledge and awareness of how solutions for security and availability in the infrastructure will be integrated with the application. Review application acquisition, implementation and testing plans to confirm that application security and availability within the integrated environment have been addressed.
• Enquire whether and confirm that availability design has been approved by technical authorities. Inspect documentation sign-off by appropriate stakeholders.
• Interview business sponsors and review walk-through documentation to assess understanding and adequacy of availability design; enquire whether the design is likely to meet the security and availability requirements.

Control Objective

AI2.5 Configuration and Implementation of Acquired Application Software

Configure and implement acquired application software to meet business objectives.

Value Drivers

• Acquired system configured to meet business-defined requirements
• Acquired system compliant with existing architecture

Risk Drivers

• Loss of business focus
• Inability to apply future updates effectively
• Reduced system availability and integrity of information

Test the Control Design

• Enquire of business process owners and key staff members to determine whether their input and guidance have been solicited and reflected in the application customisation and configuration. Identify instances where business process owner input has not been solicited. Confirm with key staff members whether the application software is customised and configured utilising best practice as advised by vendors and in conformance with internal architecture standards. Inspect best practices supplied by vendors, compare with the implementation strategy, and identify inappropriate configuration and customisation. Confirm with key staff members that testing procedures are in place that cover verification of acquired application control objectives (e.g., functionality, interoperability with existing applications and infrastructure, systems performance efficiency, integration, capacity and load stress testing, data integrity).
• Inspect unit and integration test documentation and walk-through testing procedures to verify the adequacy of the tests.
• Confirm with key staff members that all user and operation manuals are complete and/or updated where necessary. Trace a sample of customisations to user and operational manuals to confirm documentation updates.

Page 123: USING COBIT - csbweb01.uncw.edu


AI2 Acquire and Maintain Application Software (cont.)

Control Objective

AI2.6 Major Upgrades to Existing Systems

In the event of major changes to existing systems that result in significant change in current designs and/or functionality, follow a similar development process as that used for the development of new systems.

Value Drivers

• Consistent system availability
• Maintained confidentiality, integrity and availability of the processed data
• Cost and quality control for developments
• Maintained compatibility with technical infrastructure

Risk Drivers

• Reduced system availability
• Compromised confidentiality, integrity and availability of processed data
• Lack of cost control for major developments

Test the Control Design

• Confirm with key staff members and inspect relevant documentation to determine that impact assessment of major upgrades has been made to address the specified objective criteria (such as business requirement), the risk involved (such as impact on existing systems and processes or security), cost-benefit justification and other requirements.
• Inspect relevant documentation to identify deviations from normal development and implementation processes.
• Enquire of business sponsors and other affected stakeholders and inspect relevant documentation to determine whether agreement and approval have been obtained for the development and implementation process.

Control Objective

AI2.7 Development of Application Software

Ensure that automated functionality is developed in accordance with design specifications, development and documentation standards, QA requirements, and approval standards. Ensure that all legal and contractual aspects are identified and addressed for application software developed by third parties.

Value Drivers

• Ensuring that business, customer and user needs are met
• Ability to manage and prioritise resources
• Application software creating capabilities for the business
• Application meeting usability requirements

Risk Drivers

• Waste of resources
• Lost focus on business requirements
• High number of failures
• Inability to maintain applications effectively

Test the Control Design

• Confirm with key staff members that all development activity has been established to ensure adherence to development standards and that developed software is based on agreed-upon specifications to meet business, functional and technical requirements.
• Inspect relevant documentation (such as design, code review and walk-throughs) to identify exceptions to specifications and standards.
• Obtain and review assessment documentation of the developed software to confirm adequacy. Confirm with key staff members that technical authorities and operations management applications are ready and suitable for migration to the production environment.
• Perform a walk-through of code and identify problems/exceptions.
• Enquire of key staff members to determine compliance with all obligations and requirements.
• Review contractual obligations and licensing requirements relating to third-party developers.

Page 124: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT

I T G O V E R N A N C E I N S T I T U T E124

AI2 Acquire and Maintain Application Software (cont.)

AI2.8 Software Quality Assurance
Control Objective
Develop, resource and execute a software QA plan to obtain the quality specified in the requirements definition and the organisation’s quality policies and procedures.
Value Drivers
• All-embracing test approach
• Performed tests reflecting the business processes and requirements
• Formally accepted software
Risk Drivers
• Poor software quality
• Retesting of developed software
• Tests failing to reflect current business processes
• Test data misused and compromising corporate security
• Insufficient testing
• Breach of compliance requirements
Test the Control Design
• Confirm with key staff members that the software QA plan has been defined, including specification of quality criteria, validation and verification processes, and definition of how quality will be reviewed.
• Review the plan for the criteria listed above, and ensure that QA reviews are conducted independent of the development team.
• Confirm with key staff members that a process for monitoring software quality has been designed and established.
• Review relevant documentation to confirm that the process is based on project requirements, enterprise policies, quality management procedures and acceptance criteria.
• Confirm with key staff members that all quality exceptions are identified and that corrective actions are taken.
• Inspect relevant documentation of QA reviews, results, exceptions and corrections to determine that QA reviews are repeated when necessary.

AI2.9 Applications Requirements Management
Control Objective
Track the status of individual requirements (including all rejected requirements) during the design, development and implementation, and approve changes to requirements through an established change management process.
Value Drivers
• Formally defined requirements and clarified business expectations
• Compliance with the established change management procedures
• An agreed-upon standardised approach for performing changes to the applications in an effective manner
Risk Drivers
• Unauthorised changes
• Changes not applied to the desired systems
• Gaps between expectations and requirements
Test the Control Design
• Ensure and confirm that changes to individual requirements are monitored, reviewed and approved by the stakeholders involved.
• Inspect relevant documentation to confirm that all changes and status of changes are recorded in the change management system.
• Identify and report changes that are not tracked.

Page 125: USING COBIT - csbweb01.uncw.edu

APPENDIX III

AI2 Acquire and Maintain Application Software (cont.)

AI2.10 Application Software Maintenance
Control Objective
Develop a strategy and plan for the maintenance of software applications.
Value Drivers
• Compliance with the established change management procedures
• An agreed-upon standardised approach for performing changes to the applications in an effective manner
Risk Drivers
• Unauthorised changes
• Changes not applied to the desired systems
• Gaps between expectations and requirements
• Reduced system availability
Test the Control Design
• Confirm through interviews with key staff members that an effective and efficient process for application software maintenance activities has been designed to ensure uniform application for all changes and can be performed quickly and effectively.
• Review the process documentation to determine that relevant issues (including release planning and control, resource planning, bug fixing and fault correction, minor enhancements, maintenance of documentation, emergency changes, interdependencies with other applications and infrastructure, upgrade strategies, contractual conditions such as support issues and upgrades, periodic review against business needs, risks, and security requirements) are included.
• Confirm with key staff members that all maintenance changes comply with the formal change management process, including impact on existing applications and infrastructure.
• Inspect relevant documentation to confirm that changes are prioritised to identify those that would be better managed as a formal redevelopment. Identify any deviations from the formal change management process.
• Enquire and confirm with key staff whether changes applied without following the formal change management process have been reviewed and approved.
• Review relevant documentation to identify changes that have not been reviewed and approved.
• Enquire and confirm with key staff whether patterns and volume of maintenance activities are assessed periodically for abnormal trends.
• Inspect relevant analytical results documentation to confirm that all underlying quality or performance problems are appropriately analysed and reported.
• Confirm with key staff members that all maintenance activity has been completed successfully and thoroughly.
• Perform a walk-through of maintenance activities to ensure that all tasks and phases have been addressed, including updating user, systems and operational documentation and interdependencies.
• Identify all changes in contractual conditions, business trends or other upgrades that have not been addressed.

Page 126: USING COBIT - csbweb01.uncw.edu

Take the following steps to test the outcome of the control objectives:
• Review project design documentation to confirm that the design is consistent with business plans, strategies, applicable regulations and IT plans.
• Obtain and review a sample of project sign-off documentation to determine whether the projects have gone through QA sign-off and have proceeded with proper approval of the high-level design by IT and business stakeholders (project sponsors).
• Corroborate with IT management and review relevant documentation to determine if the sampled project design specification aligns with the organisation’s technological direction and information architecture.
• Review the integration plan and procedures to determine their adequacy.
• Review project documentation to determine if the impact of the new implementation on existing applications and infrastructure has been assessed and appropriate integration approaches have been considered.
• Review end-of-stage documentation to confirm that all development activities have been monitored and that change requests and quality performance and design reviews have been tracked and considered at formal end-of-stage discussions. Also confirm that stakeholders have been fully represented and that the end-of-stage reviews incorporate approval criteria. Inspect problem logs, review documentation and sign-offs to confirm the adequacy of the development activities and identify deviations.
• Review design documentation to confirm that appropriate solutions and approaches to security and availability are designed to adequately meet the defined requirements and build on or extend the existing infrastructure capability.
• Review QA documentation and fault logs to ensure that all significant quality exceptions are identified and corrective actions are taken. Inspect relevant documentation of QA reviews, results, exceptions and corrections to determine that QA reviews are repeated when necessary.
• Obtain and inspect change requests to determine that they are categorised and prioritised. Confirm with key staff members that the impact of all change requests has been assessed.
• Review change control documentation to confirm that changes applied without following the formal change management process have been reviewed and approved and to identify changes that have not been reviewed and approved.
• Inspect the risk analysis documentation, and determine whether business and IT risks are identified, examined, assessed and understood by both the business and IT and that there is evidence that all stakeholders are involved.
• Review the feasibility study documentation to confirm that both technical and economic feasibility have been adequately considered.
• Review quality review documentation, compare with original acceptance criteria, and identify exceptions or deviations from original acceptance criteria.
• Review end-of-stage documentation to confirm that sign-off has been obtained for proposed approaches and/or feedback requiring further feasibility analysis.

Take the following steps to document the impact of the control weaknesses:
• Identify design specifications that do not reflect user requirements.
• Identify data management requirements that are not consistent with the organisation’s data dictionary rules.
• Identify new system development or modification projects that contain inadequately defined file, programme, source data selection, input, user-machine interface, processing, and output and/or controllability requirements.
• Identify designs where security and availability were not adequately considered.
• Identify data integrity design deficiencies.
• Identify test plan requirement deficiencies.
• Identify significant technical and/or logical discrepancies that have occurred during system development or maintenance and did not result in reassessment of the system design and, therefore, went uncorrected or resulted in inefficient, ineffective and uneconomical patches to the system.

Page 127: USING COBIT - csbweb01.uncw.edu

AI3 Acquire and Maintain Technology Infrastructure
Organisations have processes for the acquisition, implementation and upgrade of the technology infrastructure. This requires a planned approach to acquisition, maintenance and protection of infrastructure in line with agreed-upon technology strategies and the provision of development and test environments. This ensures that there is ongoing technological support for business applications.

AI3.1 Technological Infrastructure Acquisition Plan
Control Objective
Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organisation’s technology direction.
Value Drivers
• Consistent technological planning
• Enhanced system security
• Balanced hardware and software utilisation
• Alignment with strategic IT plan, information architecture and technology direction
• Enhanced financial planning
Risk Drivers
• No acquisition model
• Inconsistent technological infrastructure
• Technology failing to support business needs
• Information security compromises
Test the Control Design
• Confirm with staff members that a plan for the acquisition, implementation and upgrade of the technology infrastructure has been created that satisfies the business functional and technical requirements.
• Review the plan to confirm that it conforms with the organisation’s established technology direction and that all key aspects are included.
• Enquire whether and confirm that a process has been defined and implemented to create and maintain an infrastructure acquisition plan that is aligned with the organisation’s technology direction.
• Inspect the infrastructure acquisition plan to identify areas where key aspects, such as requirements, risks, transition and migration, have not been addressed.
• Review the financial appraisal for accuracy and overall coverage.

Page 128: USING COBIT - csbweb01.uncw.edu

AI3 Acquire and Maintain Technology Infrastructure (cont.)

AI3.2 Infrastructure Resource Protection and Availability
Control Objective
Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
Value Drivers
• Consistent technological planning
• Enhanced system security
• Balanced hardware and software utilisation
• Data integrity and confidentiality maintained in all system stages
Risk Drivers
• Disruptions in production processing
• Undetected bypassing of access controls
• Unauthorised access to sensitive software
• Business needs not supported by technology
Test the Control Design
• Confirm with key staff members that all infrastructure data and software are backed up prior to installation and/or maintenance tasks. Inspect backup logs to confirm that infrastructure data and software are successfully backed up.
• Confirm with key staff members that all application software is tested prior to installation in an environment separate from, but sufficiently similar to, production. Review test specifications and procedures to confirm that tests include functionality, security, availability and integrity condition, and any other vendor recommendations.
• Inspect the software configuration to confirm that key aspects have been addressed, including the modification of default passwords, initial application parameter settings relative to security and any other vendor defaults.
• Enquire whether and confirm that temporary access granted for installation purposes is monitored and that passwords are changed immediately after installation is completed. Inspect the application security settings to confirm compliance.
• Confirm with key staff members that only appropriately licensed software is tested and installed and that installations are performed in accordance with vendor guidelines. Identify instances where vendor guidelines were not followed, and confirm that vendors were consulted regarding the potential impact.
• Confirm with key staff members that an independent group (e.g., librarian) is granted access for the movement of the programs and data amongst libraries. Where applicable, inspect user access to the library management system.
• Trace all users with access to check-in/check-out programs and data from the libraries to their originating access request forms, and confirm approval by an appropriate senior staff member.
• Enquire with staff members whether acceptance procedures are enforced using objective acceptance criteria and whether acceptance criteria ensure that product performance is consistent with agreed-upon specifications and requirements. Review agreed-upon specifications and/or SLA requirements, and compare with acceptance procedures, identifying areas where procedures are not adequately followed.
• Confirm with key staff members that access to maintenance activities over sensitive infrastructure components is logged and regularly reviewed by a responsible senior staff member.
• Review maintenance logs and confirm that all items have been recorded. Review relevant documentation (e.g., the log review matrix and periodic system security reports) to confirm that logs are reviewed on a regular basis.
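Two of the AI3.2 test steps above (inspecting the configuration for unchanged vendor defaults, and confirming that temporary installation access is monitored and its passwords rotated once installation is complete) lend themselves to a repeatable check over exported data. The Python below is an added example, not code from the IT Assurance Guide or from ITGI; every configuration key, vendor default, account name and date in it is constructed for illustration, and a real review would substitute the vendor's hardening guide and the system's own configuration and account exports.

```python
"""Post-installation configuration audit in the spirit of the AI3.2 tests.

Added example, not from the IT Assurance Guide. All keys, defaults, accounts
and dates are constructed; a hypothetical appliance is assumed.
"""
from datetime import date, timedelta

# Constructed: settings exactly as the hypothetical vendor ships them.
VENDOR_DEFAULTS = {
    "admin.password": "admin",
    "admin.password_expiry_days": "0",   # 0 = never expires
    "mgmt.snmp_community": "public",
    "mgmt.telnet_enabled": "true",
}

# Constructed: configuration extracted after installation was signed off.
SAMPLE_CONFIG = {
    "admin.password": "admin",           # never changed from the default
    "admin.password_expiry_days": "90",
    "mgmt.snmp_community": "public",     # still the vendor community string
    "mgmt.telnet_enabled": "false",
}

# Constructed: account records; installation completed on INSTALL_COMPLETED.
INSTALL_COMPLETED = date(2007, 3, 10)
SAMPLE_ACCOUNTS = [
    {"name": "installsvc", "temporary": True, "enabled": False,
     "password_changed": date(2007, 3, 10)},
    {"name": "vendor_tmp", "temporary": True, "enabled": True,
     "password_changed": date(2007, 2, 1)},
    {"name": "ops_admin", "temporary": False, "enabled": True,
     "password_changed": date(2007, 3, 1)},
]


def unchanged_defaults(config, defaults=VENDOR_DEFAULTS):
    """Keys whose live value still equals the vendor-shipped default."""
    return sorted(key for key, default in defaults.items()
                  if config.get(key) == default)


def stale_temporary_accounts(accounts, install_completed, grace_days=1):
    """Temporary installation accounts that are still enabled, or whose
    password was not rotated within grace_days after installation completed."""
    deadline = install_completed + timedelta(days=grace_days)
    findings = []
    for acct in accounts:
        if not acct["temporary"]:
            continue
        if acct["enabled"]:
            findings.append((acct["name"], "still enabled"))
        changed = acct["password_changed"]
        if changed < install_completed or changed > deadline:
            findings.append((acct["name"],
                             "password not rotated after installation"))
    return findings


def audit(config=SAMPLE_CONFIG, accounts=SAMPLE_ACCOUNTS,
          install_completed=INSTALL_COMPLETED):
    """Bundle both checks into one exception report for the working papers."""
    return {
        "vendor_defaults_unchanged": unchanged_defaults(config),
        "temporary_account_findings":
            stale_temporary_accounts(accounts, install_completed),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("  -", item)
```

The exception lists are what an assurance professional would carry into the working papers: each entry names the setting or account and the condition that failed, so the finding can be traced back to the specific test step. A comparison against the vendor's own default list is deliberately exact-match; values that merely look weak (short passwords, permissive community strings that are not the default) would need a separate policy check.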

Page 129: USING COBIT - csbweb01.uncw.edu

AI3 Acquire and Maintain Technology Infrastructure (cont.)

AI3.3 Infrastructure Maintenance
Control Objective
Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation’s change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requirements.
Value Drivers
• Monitored maintenance contracts
• Effective maintenance processes
• Operational change management for replacement of software
Risk Drivers
• Disruptions in production processing
• Unauthorised access to sensitive software
• Technology failing to support business needs
• Violation of licence agreements
Test the Control Design
• Confirm with key staff members that the process for maintenance of the installed system software utilises the same process as application updates, where applicable. Inspect the planned system software maintenance and identify deviations from the normal process for application updates and/or exceptions to vendor procedures and guidelines.
• Confirm with key staff members that documentation of system software is maintained, kept current and updated with vendor documentation for all system maintenance activity.
• Inspect relevant documentation and identify areas where it is incomplete or out of date.
• Enquire of key staff members to confirm the process or method used to obtain timely notification of availability of vendor upgrades and/or patches (e.g., a specific vendor agreement, membership in a product user group, subscriptions to a trade journal).
• Inspect a sample of system software and confirm that upgrades and/or patches have been applied in a timely manner.
• Identify all deviations and/or exceptions.
• Enquire of key staff members whether the amount of maintenance being performed, the vulnerability to unsupported infrastructure, and future risks and security vulnerabilities are reviewed on a regular basis.
• Perform an assessment of these reviews and note areas where risks identified by the assessment have not been discussed by key staff members.
• Inspect maintenance tracking logs and feedback tools to ensure that the results of these reviews are communicated to the IT council or equivalent group for consideration within the infrastructure planning process.

AI3.4 Feasibility Test Environment
Control Objective
Establish development and test environments to support effective and efficient feasibility and integration testing of infrastructure components.
Value Drivers
• Effective support for proving replacement of software
• Detection of errors and issues before they impact production processing
Risk Drivers
• Business disruptions
• Malicious damages
Test the Control Design
• Confirm with key staff members that an approach commensurate with strategic technology plans is designed that will enable the creation of suitable testing and simulation environments to help verify the feasibility of planned acquisitions or developments.
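The AI3.3 test steps above ask the reviewer to sample system software for timely application of upgrades and patches and to confirm that exposure to unsupported infrastructure is reviewed. The Python below is an added example, not code from the IT Assurance Guide or from ITGI, showing how a sampled inventory can be classified against an agreed patching window. Every host, component, version, release date and the 30-day window are constructed for illustration; in practice the window comes from the organisation's patch management standard and the dates from vendor release notes and the CMDB.

```python
"""Patch-currency and unsupported-component review in the spirit of AI3.3.

Added example, not from the IT Assurance Guide. Hosts, components, versions,
dates and the policy window are constructed; a hypothetical estate is assumed.
"""
from datetime import date

# Constructed inventory, as an auditor might assemble it from a CMDB export
# joined with the vendors' current release and end-of-support information.
SAMPLE_INVENTORY = [
    {"host": "db01", "component": "DBMS", "installed": "10.2.1",
     "latest": "10.2.3", "latest_released": date(2007, 1, 15),
     "support_ends": date(2009, 12, 31)},
    {"host": "web01", "component": "HTTP server", "installed": "2.2.4",
     "latest": "2.2.4", "latest_released": date(2007, 2, 20),
     "support_ends": date(2008, 6, 30)},
    {"host": "fw01", "component": "Firewall OS", "installed": "5.1",
     "latest": "5.3", "latest_released": date(2007, 3, 1),
     "support_ends": date(2006, 12, 31)},
    {"host": "app01", "component": "App server", "installed": "1.4",
     "latest": "1.5", "latest_released": date(2007, 3, 5),
     "support_ends": date(2010, 1, 1)},
]
AS_OF = date(2007, 3, 15)   # constructed review date
WINDOW_DAYS = 30            # constructed policy: apply patches within 30 days


def assess(inventory, as_of=AS_OF, window_days=WINDOW_DAYS):
    """Classify each component as current, pending (patch outstanding but
    inside the agreed window), overdue (outstanding beyond the window) or
    unsupported (vendor support has ended, so no further patches will come).

    A component can be unsupported and also pending/overdue at the same time;
    both conditions are reported because they are separate findings."""
    result = {"current": [], "pending": [], "overdue": [], "unsupported": []}
    for item in inventory:
        host = item["host"]
        if item["support_ends"] < as_of:
            result["unsupported"].append(host)
        if item["installed"] == item["latest"]:
            result["current"].append(host)
            continue
        outstanding_days = (as_of - item["latest_released"]).days
        bucket = "overdue" if outstanding_days > window_days else "pending"
        result[bucket].append(host)
    return {name: sorted(hosts) for name, hosts in result.items()}


def exception_count(inventory, as_of=AS_OF, window_days=WINDOW_DAYS):
    """Number of hosts needing an exception entry (overdue or unsupported)."""
    findings = assess(inventory, as_of, window_days)
    return len(set(findings["overdue"]) | set(findings["unsupported"]))


if __name__ == "__main__":
    for bucket, hosts in assess(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
    print("exceptions:", exception_count(SAMPLE_INVENTORY))
```

The "pending" bucket matters as much as "overdue" for the reviewer: it shows that the notification mechanism (vendor agreement, user group, trade journal) is actually feeding the inventory, since a patch that has been released but not yet recorded would never appear at all. The unsupported list is the direct input to the step asking whether vulnerability to unsupported infrastructure is reviewed on a regular basis.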

Page 130: USING COBIT - csbweb01.uncw.edu

Take the following steps to test the outcome of the control objectives:
• Review acquisition infrastructure plans to confirm that they have been reviewed and approved and that risks, costs and benefits, and technical conformance have been considered. Inspect the plans to confirm sign-off by the IT council or equivalent.
• Confirm with key staff members that all security requirements associated with the application software installation and maintenance processes have been addressed and any new risks have been assessed and actioned.
• Confirm with the training department and key personnel who use sensitive infrastructure components that appropriate training has been provided.
• Confirm with key staff members that a plan and strategy are in place to guide infrastructure maintenance in line with change management procedures. Inspect relevant plan documentation to confirm that all aspects of the infrastructure maintenance requirements (including change requests, patches, upgrades, fixes) are included. Also confirm that the strategy and plan are in line with the organisation’s technology direction, are reviewed in a timely manner and are approved by the responsible management.
• Confirm that the method used to segregate system environments into development and testing is adequate.
• Confirm that a test environment has been created that appropriately considers functionality, hardware and software configuration, integration and performance testing, migration between environments, version control, test data and tools, and security.

Take the following steps to document the impact of the control weaknesses:
• Identify performance problems that have impacted the overall performance of the system.
• Identify preventive maintenance problems that have impacted the overall performance of the system.
• Identify weaknesses in the setup, installation and maintenance of system software (including the selection of inappropriate system software parameters) that have jeopardised the security of the data and programmes being stored on the system.
• Identify weaknesses in the testing of system software that could jeopardise the security of the data and programmes being stored on the system.
• Identify weaknesses in the system software change control process that could jeopardise the security of the data and programmes being stored on the system.

Page 131: USING COBIT - csbweb01.uncw.edu

AI4 Enable Operation and Use
Knowledge about new systems is made available. This process requires the production of documentation and manuals for users and IT, and provides training to ensure the proper use and operation of applications and infrastructure.

AI4.1 Planning for Operational Solutions
Control Objective
Develop a plan to identify and document all technical, operational and usage aspects such that all those who will operate, use and maintain the automated solutions can exercise their responsibility.
Value Drivers
• Consistent user and operations manuals
• Support of user training
• Enhanced service quality
Risk Drivers
• Overdue changes
• Gaps between expectations and capability
• Inappropriate priority given to different services provided
• Inadequate budgets and resources to address gaps
Test the Control Design
• Confirm with key staff members that operational procedures and user documentation (including online assistance) have been defined and documented prior to implementation of new or upgraded automated systems or infrastructure.
• Inspect relevant documentation to confirm responsibility for the production of management, user and operational procedures in relation to the new or upgraded automated systems or infrastructure.

AI4.2 Knowledge Transfer to Business Management
Control Objective
Transfer knowledge to business management to allow those individuals to take ownership of the system and data, and exercise responsibility for service delivery and quality, internal control, and application administration.
Value Drivers
• Knowledge transfer within the organisation
• Consistent quality over all affected teams
• Efficient support for business
• User manuals supporting business processes
Risk Drivers
• Increased reliance on key staff members
• Problems in daily operations
• Incidents encountered and repeated
• Help desk overload
Test the Control Design
• Confirm through interviews with key staff members management’s awareness and knowledge of the process to enable ownership and operation of the system (e.g., access approval, privilege management, segregation of duties, automated business controls, backup recovery, physical security, source document archival).
• Review training and implementation materials to determine if the defined process includes the required content.
• Confirm through interviews with key staff members that management is aware of and able to use the feedback mechanism to assess adequacy of the support documentation, procedures and related training.
• Interview business management personnel to assess their ability to use the system effectively.
• Walk through key system functions with business management personnel to identify areas where additional training would be helpful.
• Review and assess training materials for areas that are not covered or are unclear.

Page 132: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT

IT GOVERNANCE INSTITUTE 132

AI4 Enable Operation and Use (cont.)

AI4.3 Knowledge Transfer to End Users
Control Objective: Transfer knowledge and skills to allow end users to effectively and efficiently use the system in support of business processes.
Value Drivers:
• Knowledge transfer to stakeholders
• Efficient and effective training
• Optimised operation and system usage
Risk Drivers:
• Inconsistent system usage
• Insufficient documentation
• Increased reliance on key staff members
• Problems in daily operations
• Training failing to meet user requirements
• Help desk overload

Test the Control Design
• Interview key staff members about the user group's awareness and knowledge of the process to effectively and efficiently use the application system to support business processes (e.g., training and skills development, training materials, user manuals, procedure manuals, online help, service desk support, key user identification, evaluation).
• Review training and implementation materials to determine if the defined process includes the required content.
• Confirm through interviews with key staff members that the user is aware of and able to use the feedback mechanism to assess the adequacy of the support documentation, procedures and related training.

AI4.4 Knowledge Transfer to Operations and Support Staff
Control Objective: Transfer knowledge and skills to enable operations and technical support staff to effectively and efficiently deliver, support and maintain the system and associated infrastructure.
Value Drivers:
• Knowledge transfer to stakeholders
• Efficient and effective training
• Optimised operation and system support
• Formally defined approaches for all stages of application development
Risk Drivers:
• Insufficient documentation
• Increased reliance on key staff members
• Problems in daily operations
• Training failing to meet operations or support requirements
• Help desk overload

Test the Control Design
• Interview key staff members about the operation and technical support staff's awareness and knowledge of the process to effectively and efficiently deliver, support and maintain the application system and associated infrastructure according to service levels (e.g., training and skills development, training materials, user manuals, procedure manuals, online help, service desk scenarios).
• Review training and implementation materials to determine if the defined process includes the required content.
• Confirm through interviews with key staff members that operation and technical support personnel are aware of and able to use the feedback mechanism to assess adequacy of the support documentation, procedures and related training.
• Determine if operations and support staff members are involved in the development and maintenance of operations and support documentation.
• Identify areas where operational support procedures are not integrated with existing operational support procedures.

Page 133: USING COBIT - csbweb01.uncw.edu


APPENDIX III

Take the following steps to test the outcome of the control objectives:
• For a selection of solution delivery projects, inspect documentation to determine that user and operational procedures manuals are in place.
• Assess management's knowledge to determine if members of management have directed the creation of management procedures for their business areas (e.g., access approval, privilege management, segregation of duties, automated business controls, backup/recovery, physical security, source document archival). Confirm that these procedures are integrated with existing management and control procedures, and investigate to determine if management is aware of discrepancies.
• Walk through new or upgraded applications with business management to identify areas where additional training is needed. Review and assess the training materials used.
• Inspect a selection of feedback documentation to determine if adequate feedback mechanisms have been used for developing support documentation, procedures and related training material.
• Assess users' involvement in the creation of user procedures for their business areas (e.g., training and skills development, training materials, user manuals, procedure manuals, online help, service desk support, key user identification, evaluation). Confirm that these procedures are integrated with existing user and control procedures (e.g., system inputs/outputs, system integration, error messages), and investigate to determine if users are aware of discrepancies.
• Walk through new or upgraded applications and infrastructure with operations management and technical support staff to identify areas where additional training would be helpful. Review and assess training materials for adequacy.
• Assess operation and technical support staff's involvement in the creation of operation and technical support staff procedures for their areas (e.g., training and skills development, training materials, user manuals, procedure manuals, online help, service desk scenarios). Confirm that these procedures (e.g., backup, restart/restore, reports/output distribution, emergency fixes, operator command/parameters, problem escalation) are integrated with existing operation and technical support staff members' procedures. Investigate to determine if operation and technical support staff members are aware of discrepancies.

Take the following steps to document the impact of the control weaknesses:
• Assess the cost and operational inefficiency of inadequate training and/or user and operational procedures.
• Identify deficiencies in users, operations and training manuals.

Page 134: USING COBIT - csbweb01.uncw.edu


AI5 Procure IT Resources
IT resources, including people, hardware, software and services, need to be procured. This requires the definition and enforcement of procurement procedures, the selection of vendors, the setup of contractual arrangements, and the acquisition itself. Doing so ensures that the organisation has all required IT resources in a timely and cost-effective manner.

AI5.1 Procurement Control
Control Objective: Develop and follow a set of procedures and standards that is consistent with the business organisation's overall procurement process and acquisition strategy to acquire IT-related infrastructure, facilities, hardware, software and services needed by the business.
Value Drivers:
• Optimised supplier relations
• High-quality contribution to business and IT processes
• Procurements supporting the achievement of desired business and IT goals
Risk Drivers:
• Gaps in fulfilling requirements by suppliers
• Commercial and contractual procurement exposures
• Automated solutions not in line with the organisation's short- and long-term plans
• Insufficient software quality in procured solutions
• Lack of cost control

Test the Control Design
• Confirm through interviews with key staff members that the IT procurement process and acquisition strategy are aligned with the organisation's procurement policies and procedures (e.g., legislative requirements, compliance with the organisation's IT acquisition policy, licensing and leasing requirements, technology upgrade clauses, involvement of the business, total cost of ownership, acquisition plan for major acquisitions, recording of assets).
• Inspect project management policies and procedures to evaluate conformance with enterprise procurement policies and procedures.

AI5.2 Supplier Contract Management
Control Objective: Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organisational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisors.
Value Drivers:
• Defined supplier relationship objectives and goals
• Efficiently managed procurement of resources
• High-quality contribution to business and IT processes
Risk Drivers:
• Lack of cost management
• Gaps between business expectations and supplier capabilities
• Undefined service costs incurred
• Services failing to reflect business requirements
• Lack of operational support

Test the Control Design
• Confirm through interviews with key staff members that policies and standards are in place for establishing contracts with suppliers. The policies and standards should address supplier-client responsibilities, supplier SLAs, monitoring and reporting against SLAs, transition arrangements, notification and escalation procedures, security standards, records management and control requirements, and required supplier QA practices. Contracts should also include legal, financial, organisational, documentary, performance, security, auditability, intellectual property, responsibility and liability aspects.

Page 135: USING COBIT - csbweb01.uncw.edu


AI5 Procure IT Resources (cont.)

AI5.3 Supplier Selection
Control Objective: Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimised with input from potential suppliers.
Value Drivers:
• Contribution to new ideas and practices
• A continuous contribution to the organisation's objectives beyond supplier SLAs
Risk Drivers:
• Inappropriate supplier selection
• Inadequate support for the achievement of the organisation's objectives
• Gaps between supplier requirements and capabilities

Test the Control Design
• Confirm through interviews with key staff members that predefined, specified and established criteria (e.g., requirements definition, timetable, decision process) are used for supplier and acquisition selections.
• Inspect requests for information (RFIs) and requests for proposal (RFPs) to determine if the established criteria are defined.
• Enquire whether and confirm that software acquisitions include and enforce the rights and obligations of all parties (e.g., ownership and licensing of intellectual property; maintenance warranties; arbitration procedures; upgrade terms; and fitness for purpose, including security, escrow and access rights). For a selection of software acquisitions, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that acquisitions of development resources include and enforce the rights and obligations of all parties (verify, for example, ownership and licensing of intellectual property; fitness for purpose, including development methodologies; languages; testing; quality management processes, including required performance criteria; performance reviews; basis for payment; warranties; arbitration procedures; human resource management; and compliance with the organisation's policies).
• Determine if legal advice has been obtained on resource development acquisition agreements regarding ownership and licensing of intellectual property.
• For a selection of acquisitions of development resources, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that acquisitions of infrastructure, facilities and related services include and enforce the rights and obligations of all parties (e.g., service levels, maintenance procedures, access controls, security, performance review, basis for payment, arbitration procedures).
• For a selection of acquisitions of infrastructure, facilities and related services, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that RFIs and RFPs are evaluated in accordance with the approved process and criteria.
• Determine if documentary evidence is effectively maintained.

Page 136: USING COBIT - csbweb01.uncw.edu


AI5 Procure IT Resources (cont.)

AI5.4 IT Resources Acquisition
Control Objective: Protect and enforce the organisation's interests in all acquisition contractual agreements, including the rights and obligations of all parties in the contractual terms for the acquisition of software, development resources, infrastructure and services.
Value Drivers:
• Efficient and effective incident management
• Systems operating as intended and not prone to disruption
• Incidents able to be solved in a timely manner
Risk Drivers:
• Software updates not available when needed
• Software unable to support the business processes
• Changes to the application unable to be applied as intended
• System prone to problems and incidents, causing business disruptions

Test the Control Design
• Determine whether all acquisition agreements are verified.
• Review the agreements, compare them to policy documentation and determine whether they comply with company policy.
• Determine whether acquisitions are reviewed and approved by appropriate personnel and whether legal advice has been obtained.
• Inspect documentation of contract review and approval.
• Enquire whether common processes are established and used for acquisition of software, infrastructure and facilities.
• Perform a walk-through of the processes to determine if they operate effectively.
• Enquire whether rights and obligations of all parties to the acquisition are evaluated in the acquisition processes. These rights and obligations could include:
– Approval
– Service levels
– Maintenance procedures
– Access controls
– Security
– Performance review
– Basis for payment
– Arbitration procedures
• For a representative sample of acquisitions, determine if the rights and obligations of all parties are evaluated.
• Enquire whether the acquisition process adequately considers all relevant rights and obligations, which may include:
– Ownership and licensing of intellectual property
– Maintenance
– Warranties and arbitration procedures
– Upgrade terms
– Fitness for purpose, including security
– Escrow and access rights
• Determine if management reporting requirements associated with acquisitions are addressed.
• Enquire whether a quality assessment and acceptance process for all acquisitions has been established and used, and determine whether this process is effectively performed on all acquisitions before payment is made.
• Enquire whether all hardware and software acquisitions are recorded.
• Select a representative sample of acquisitions and verify that they are recorded in asset registers.

Page 137: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• For a selection of recent procurements, determine if the selection approach was responsive to the unique risks of the procurement (e.g., meets business functional and technical requirements, addresses risks identified in the risk analysis report, complies with procurement decisions).
• Inspect evidence of approvals at key decision points for a selection of IT procurements, including evidence of senior management sign-offs on sections that did not follow standard policies.
• For a selection of contracts, determine if only authorised suppliers were used.
• For a selection of supplier and acquisitions contracts, compare RFIs and RFPs with the predefined requirements, and determine if established criteria have been met.
• Enquire whether and confirm that software acquisitions include and enforce the rights and obligations of all parties (e.g., ownership and licensing of intellectual property; maintenance warranties; arbitration procedures; upgrade terms; fitness for purpose, including security; escrow and access rights). For a selection of software acquisitions, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that acquisitions of development resources include and enforce the rights and obligations of all parties (verify, for example, ownership and licensing of intellectual property; fitness for purpose, including development methodologies; languages; testing; quality management processes, including required performance criteria; performance reviews; basis for payment; warranties; arbitration procedures; human resource management; compliance with the organisation's policies).
• Determine if legal advice has been obtained for resource development acquisition agreements regarding ownership and licensing of intellectual property.
• Enquire whether and confirm that acquisitions of infrastructure, facilities and related services include and enforce the rights and obligations of all parties (e.g., service levels, maintenance procedures, access controls, security, performance review, basis for payment, arbitration procedures). For a selection of acquisitions of infrastructure, facilities and related services, inspect relevant documentation and determine if the contractual terms include the rights and obligations of all parties.
• Enquire whether and confirm that RFIs and RFPs have been evaluated in accordance with the approved process and criteria. Determine if documentary evidence is effectively maintained.

Take the following steps to document the impact of the control weaknesses:
• Assess the cost and time impact of IT procurement not being aligned with the organisation's procurement policies.
• Assess the cost and time impact of IT procurement not meeting business, legal and contractual requirements.
• Assess the legal implications of the supplier and acquisition selection process not complying with legal and contractual requirements.

Page 138: USING COBIT - csbweb01.uncw.edu

AI6 Manage Changes
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.


AI6.1 Change Standards and Procedures
Control Objective: Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
Value Drivers:
• An agreed-upon and standardised approach for managing changes in an efficient and effective manner
• Changes reviewed and approved in a consistent and co-ordinated way
• Formally defined expectations and performance measurement
Risk Drivers:
• Inappropriate resource allocation
• No tracking of changes
• Insufficient control over emergency changes
• Increased likelihood of unauthorised changes being introduced to key business systems
• Failure to comply with compliance requirements
• Unauthorised changes
• Reduced system availability

Test the Control Design
• Enquire whether and confirm that the processes and procedures for handling change requests (including maintenance and patches) apply to applications, procedures, processes, system and service parameters, and the underlying platforms.
• Review the change management framework to determine if the framework includes:
– The definition of roles and responsibilities
– Classification (e.g., between infrastructure and application software) and prioritisation of all changes
– Assessment of impact, authorisation and approval
– Tracking of changes
– Version control mechanism
– Impact on data integrity (e.g., all changes to data files made under system and application control rather than by direct user intervention)
– Management of change from initiation to review and closure
– Definition of rollback procedures
– Use of emergency change processes
– Business continuity planning
– Use of a record management system
– Audit trails
– Segregation of duties
• Enquire whether and confirm that processes and procedures for contracted services providers (e.g., infrastructure, application development, application service providers, shared services) are included in the change management process.
• Determine if the process and procedures include the contractual terms and SLAs.

Page 139: USING COBIT - csbweb01.uncw.edu


AI6 Manage Changes (cont.)

AI6.2 Impact Assessment, Prioritisation and Authorisation
Control Objective: Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised.
Value Drivers:
• An agreed-upon and standardised approach for assessing impacts in an efficient and effective manner
• Formally defined change impact expectations based on business risk and performance measurement
• Consistent change procedure
Risk Drivers:
• Unintended side effects
• Adverse effects on capacity and performance of the infrastructure
• Lack of priority management of changes

Test the Control Design
• Enquire whether and confirm that the change management process allows business process owners and IT to request changes to infrastructure, systems or applications.
• Enquire whether and confirm that requested changes are categorised (e.g., between infrastructures, operating systems, networks, application systems, purchased/packaged application software).
• Confirm through interviews with key staff members that requested changes are prioritised based on predefined criteria (e.g., business and technical needs for the change and legal, regulatory and contractual requirements).
• Enquire whether and confirm that change requests are assessed and documented in a structured method that addresses impact analysis on infrastructure, systems and applications.
• Enquire whether and confirm that security, legal, contractual and compliance implications are considered in the assessment process for the requested change and that business owners are involved.
• Enquire whether and confirm that each requested change is formally approved by the business process owners and IT technical stakeholders.
• Inspect a representative sample of change management requests to ensure that they were appropriately assessed, evaluated, prioritised and reviewed.

Page 140: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Enquire whether and confirm that there is an established process to allow requestors and stakeholders to track the status of requests throughout the various stages of the change management process.
• Enquire whether and confirm that the tracking and reporting system monitors the status of the change requests (e.g., rejected, approved but not initiated, approved, in process).
• Enquire whether and confirm that management reviews and monitors the detailed status of changes and overall state (e.g., aged analysis of change requests).
• Enquire whether and confirm that open and approved changes are closed in a timely manner, depending on priority.

AI6.3 Emergency Changes
Control Objective: Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process.
Value Drivers:
• An agreed-upon and standardised approach for managing changes in an efficient and effective manner
• Formally defined emergency change expectations and performance measurement
• Consistent procedure for emergency changes
Risk Drivers:
• Inability to respond effectively to emergency change needs
• Additional access authorisation not terminated properly
• Unauthorised changes applied, resulting in compromised security and unauthorised access to corporate information

Test the Control Design
• Enquire whether and confirm that the overall change management process includes emergency change procedures (e.g., defining, raising, testing, documenting, assessing and authorising emergency changes).
• Inspect the documentation for a representative sample of emergency changes and, by interviewing key staff members, establish whether emergency changes are implemented as specified in the change management process.
• Confirm through interviews with key staff members that emergency access arrangements are authorised, documented and revoked after the change has been applied.
• Enquire whether and confirm that a post-implementation review of emergency changes is conducted.

AI6

Man

age

Cha

nges

(co

nt.)

AI6

.4 C

hang

e St

atus

Tra

ckin

g an

d R

epor

ting

E

stab

lish

a tr

acki

ng a

nd r

epor

ting

syst

em to

doc

umen

t rej

ecte

d ch

ange

s,co

mm

unic

ate

the

stat

us o

f ap

prov

ed a

nd in

-pro

cess

cha

nges

, and

com

plet

ech

ange

s. M

ake

cert

ain

that

app

rove

d ch

ange

s ar

e im

plem

ente

d as

pla

nned

.

• An

agre

ed-u

pon

and

stan

dard

ised

appr

oach

for

man

agin

g ch

ange

s in

an

effi

cien

t and

eff

ectiv

e m

anne

r •

Form

ally

def

ined

exp

ecta

tions

and

perf

orm

ance

mea

sure

men

t•

Con

sist

ent c

hang

e pr

oced

ure

• In

suff

icie

nt a

lloca

tion

of r

esou

rces

• C

hang

es n

ot r

ecor

ded

and

trac

ked

• U

ndet

ecte

d un

auth

oris

ed c

hang

es to

the

prod

uctio

n en

viro

nmen

t

Valu

e D

river

sC

ontr

ol O

bjec

tive

Ris

k D

river

s

Page 141: USING COBIT - csbweb01.uncw.edu


AI6 Manage Changes (cont.)

AI6.5 Change Closure and Documentation

Control Objective: Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.

Value Drivers:
• An agreed-upon and standardised approach for documenting changes
• Formally defined expectations
• Consistent change and documentation procedures

Risk Drivers:
• Increased dependence on key individuals
• Configuration documentation failing to reflect the current system configuration
• Lack of documentation of business processes
• Failure of updates for hardware and software changes

Test the Control Design:
• Enquire whether and confirm that change documentation (e.g., operational procedures, configuration information, application documentation, help screens, training materials) is up to date.
• Enquire whether and confirm that change documentation (e.g., pre- and post-implementation system and user documentation) is retained.
• Enquire whether and confirm that business process documentation is updated for the changes implemented in hardware or software.

Page 142: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• For a sample of changes, confirm that the following have been approved by appropriate stakeholders (business process owners and IT management):
– Request for change
– Specification of change
– Access to source programme
– Programmer completion of change
– Request to move source into test environment
– Completion of acceptance testing
– Request for compilation and move into production
– Determination and acceptance of overall and specific security impact
• Develop a distribution process.
• Review change control documentation for inclusion of:
– Date of requested change
– Person(s) requesting
– Approval of change request
– Approval of change made—IT function
– Approval of change made—users
– Documentation update date
– Move date into production
– QA sign-off of change
– Acceptance by operations
• For a selection of changes, review documentation to determine the existence of a version control mechanism.
• For a selection of changes related to contracted service providers, inspect implemented changes and determine if they follow vendor-provided instructions.
• Inspect a selection of changes and determine if requests have been categorised.
• Inspect a selection of changes and determine if changes have been prioritised based on predefined criteria.
• Inspect a selection of changes and determine if changes have been assessed in a structured method (e.g., security, legal, contractual and compliance implications are considered and business owners are involved).
• Inspect a sample of emergency changes and verify that they have been processed in accordance with the change management framework. Verify that procedures have been followed to authorise, document and revoke access after the change has been applied.
• Inspect a sample of emergency changes and determine if a post-implementation review has been conducted after the changes were applied. Consider implications for further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
• Walk through the tracking and reporting system and verify that documentation is kept for rejected changes, the status of approved and in-process changes, and closed changes, and confirm with users to ensure that the status is current.
• Inspect a selection of change status reports to determine if an audit trail is used to track changes from inception to disposition.
• Inspect a sample of change status reports to determine if performance metrics are used to aid management’s review and monitoring.
• Inspect a sample of changes to determine if change documentation has been retained in accordance with the appropriate retention period.
• Inspect business process manuals to determine if they have been updated with new or improved functionality changes in hardware and software.
• Select a sample of changes and assess the quality of co-ordination with third parties.
• Confirm the process of assessing the performance of the change management process. Assess any potential improvements identified that resulted in recommendations to IT management to improve the change management process.
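The outcome tests above can be applied to an exported sample of change records rather than read one ticket at a time. The following is an added example, not part of the ITGI guide: it encodes the approval stages, the tracked status values, the emergency-change conditions (access revoked, post-implementation review held) and the aged analysis from the AI6 tests, and reports the evidence gaps per change. The record layout, the field names, the stage-per-status thresholds, the 90-day ageing threshold and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Approval stages the outcome test expects stakeholders to have signed off,
# in the order the guide lists them (field names constructed for this example).
REQUIRED_APPROVALS = (
    "request_for_change",
    "specification_of_change",
    "access_to_source_programme",
    "programmer_completion",
    "move_source_to_test",
    "acceptance_testing_complete",
    "compile_and_move_to_production",
    "security_impact_accepted",
)

# Status values the tracking and reporting system should monitor, mapped to how
# many of the stages above must already be signed off (assumed thresholds: a
# closed change needs every stage, an in-process change the stages up to the
# move into test, an approved change the first two, a rejected change none).
STAGES_REQUIRED_AT = {
    "rejected": 0,
    "approved_not_initiated": 2,
    "approved": 2,
    "in_process": 5,
    "closed": len(REQUIRED_APPROVALS),
}
OPEN_STATUSES = ("approved_not_initiated", "approved", "in_process")
AGED_AFTER_DAYS = 90  # assumed threshold for the aged analysis


@dataclass
class ChangeRecord:
    change_id: str
    status: str
    requested: date
    approvals: Dict[str, str]  # stage -> approving stakeholder
    emergency: bool = False
    emergency_access_revoked: bool = False
    post_implementation_review: bool = False
    closed: Optional[date] = None


def find_exceptions(rec: ChangeRecord, as_of: date) -> List[str]:
    """Return the evidence gaps for one change record; an empty list means no exception."""
    findings: List[str] = []
    if rec.status not in STAGES_REQUIRED_AT:
        return [f"{rec.change_id}: status '{rec.status}' is not one the tracking system reports"]
    for stage in REQUIRED_APPROVALS[: STAGES_REQUIRED_AT[rec.status]]:
        if stage not in rec.approvals:
            findings.append(f"{rec.change_id}: no stakeholder approval recorded for {stage}")
    if rec.emergency and rec.status == "closed":
        # Emergency changes: access must be revoked and a post-implementation review held.
        if not rec.emergency_access_revoked:
            findings.append(f"{rec.change_id}: emergency access not revoked after the change was applied")
        if not rec.post_implementation_review:
            findings.append(f"{rec.change_id}: no post-implementation review of emergency change")
    if rec.status == "closed" and rec.closed is None:
        findings.append(f"{rec.change_id}: closed without a closure date")
    if rec.status in OPEN_STATUSES:
        age = (as_of - rec.requested).days
        if age > AGED_AFTER_DAYS:
            findings.append(f"{rec.change_id}: open for {age} days in status {rec.status}")
    return findings


def aged_analysis(records: List[ChangeRecord], as_of: date) -> Dict[str, Dict[str, int]]:
    """Aged analysis of open change requests: count per status in 0-30, 31-90 and >90 day bands."""
    bands: Dict[str, Dict[str, int]] = {}
    for rec in records:
        if rec.status not in OPEN_STATUSES:
            continue
        age = (as_of - rec.requested).days
        band = "0-30" if age <= 30 else ("31-90" if age <= 90 else ">90")
        bands.setdefault(rec.status, {"0-30": 0, "31-90": 0, ">90": 0})[band] += 1
    return bands


def check_sample(records: List[ChangeRecord], as_of: date) -> Dict[str, List[str]]:
    """Run find_exceptions over a sample and key the findings by change id."""
    return {rec.change_id: find_exceptions(rec, as_of) for rec in records}


# Constructed sample of change records, as an assurance team might export them.
AS_OF = date(2007, 6, 30)
_ALL = {stage: "bpo/it-mgmt" for stage in REQUIRED_APPROVALS}
SAMPLE = [
    ChangeRecord("CHG-1001", "closed", date(2007, 3, 1), dict(_ALL), closed=date(2007, 4, 2)),
    # Emergency change closed with one approval missing, access never revoked and no review.
    ChangeRecord("CHG-1002", "closed", date(2007, 5, 10),
                 {s: "it-mgmt" for s in REQUIRED_APPROVALS[:7]}, emergency=True, closed=date(2007, 5, 11)),
    # In process since February: lands in the >90 day band of the aged analysis.
    ChangeRecord("CHG-1003", "in_process", date(2007, 2, 1), {s: "bpo" for s in REQUIRED_APPROVALS[:5]}),
    ChangeRecord("CHG-1004", "done", date(2007, 6, 1), {}),  # status outside the tracked set
    ChangeRecord("CHG-1005", "approved", date(2007, 6, 15),
                 {"request_for_change": "bpo", "specification_of_change": "bpo"}),
]

if __name__ == "__main__":
    for change_id, findings in check_sample(SAMPLE, AS_OF).items():
        print(change_id, "OK" if not findings else "; ".join(findings))
    print(aged_analysis(SAMPLE, AS_OF))
```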

Take the following steps to document the impact of the control weaknesses:
• Assess the time and cost of lack of formal change management standards and procedures (e.g., improper resource allocation, unclear roles and responsibilities, security breaches, lack of rollback procedures, lack of documentation and audit trails, inadequate training).
• Assess the time and cost of lack of formal impact assessment to prioritise and authorise changes.
• Assess the time and cost of lack of formal emergency change standards and procedures (e.g., compromised security, failure to properly terminate additional access authorisations, unauthorised access to corporate information).
• Assess the impact (e.g., insufficient allocation of resources, lack of priority management, changes not recorded and tracked, unauthorised changes to the productive environment undetected) of lack of tracking and reporting changes.
• Assess the impact (e.g., increased dependence on key individuals, configuration documentation not reflecting the current system configuration, documentation lacking business processes, failure of updates for hardware and software changes) of lack of system and user documentation.
• Assess the impact (e.g., failure of systems to meet end users’ needs, lack of cost and resource control for changes, loss of business focus for changes, failure of return on investments to meet management’s expectations, unavailability of new systems for the business processes) of lack of evaluation of the change process.

Page 143: USING COBIT - csbweb01.uncw.edu


AI7 Install and Accredit Solutions and Changes

New systems need to be made operational once development is complete. This requires proper testing in a dedicated environment with relevant test data, definition of rollout and migration instructions, release planning and actual promotion to production, and a post-implementation review. This assures that operational systems are in line with the agreed-upon expectations and outcomes.

AI7.1 Training

Control Objective: Train the staff members of the affected user departments and the operations group of the IT function in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project.

Value Drivers:
• Consistent development of new skills
• Enhanced training for effective and efficient job performance
• Familiarisation with new or modified systems

Risk Drivers:
• Failure to promptly detect problems with systems or their use
• Gaps in knowledge to perform required duties and activities
• Errors resulting from new projects

Test the Control Design:
• Enquire whether and confirm that a training plan is part of the overall project master plan for development projects.
• Enquire whether and confirm (e.g., through interviews with key staff members or inspection of project plan) that the training plan identifies and addresses impacted groups (e.g., business end users, IT operations, support and IT application development training, service providers).
• Enquire whether and confirm that alternative training strategies are considered to ensure that a cost-effective approach is selected and incorporated in the training framework.
• Enquire whether and confirm that there is a process to verify compliance with the training plan.
• Inspect training documentation to determine compliance to the training plan (e.g., list of staff members invited to training, attendees list, evaluation forms for the achievement of learning objectives and other feedback).
• Enquire whether and confirm that there is a process of monitoring training to obtain feedback that could lead to potential improvements in the system.
• Enquire whether and confirm that planned changes are monitored to ensure that training requirements are considered and suitable plans are created.

Page 144: USING COBIT - csbweb01.uncw.edu


AI7 Install and Accredit Solutions and Changes (cont.)

AI7.2 Test Plan

Control Objective: Establish a test plan based on organisationwide standards that defines roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.

Value Drivers:
• Commitment of key stakeholders
• Minimised business interruptions resulting from system processing failure

Risk Drivers:
• Insufficient testing by automated test scripts
• Performance problems undetected
• Lack of cost control over testing activities
• Undefined testing roles and responsibilities

Test the Control Design:
• Enquire whether and confirm that a test plan is developed and documented in accordance with the project quality plan and relevant organisational standards and that it is communicated to appropriate business owners and IT stakeholders.
• Enquire whether and confirm that the test plan reflects an assessment of the project’s risks and that all functional and technical testing requirements are included.
• Enquire whether and confirm that the test plan identifies resources to execute the tests and evaluate test results.
• Confirm that stakeholders are consulted on resource implications of the test plan.
• Enquire whether and confirm that the test plan considers test preparation, including site preparation; training requirements; installation or update of a defined test environment; planning/performance/documentation/retention of test cases; error and problem handling, correction and escalation; and formal approval.
• For a sample of test plans, inspect documentation to determine if appropriate test phases are performed.
• Enquire whether and confirm that the test plan establishes clear criteria for measuring the success of undertaking each testing phase and that consultations with the business process owners and IT stakeholders are considered in defining the success criteria.
• Determine if the plan establishes remediation procedures when the success criteria are not met (e.g., in case of significant failures in a testing phase, the plan provides guidance on whether to proceed to the next phase, stop testing or postpone implementation).
• Enquire whether and confirm that test plans are approved by stakeholders, including business process owners and IT, as appropriate. Examples of other stakeholders are application development managers, project managers and business process end users.

Page 145: USING COBIT - csbweb01.uncw.edu


AI7 Install and Accredit Solutions and Changes (cont.)

AI7.3 Implementation Plan

Control Objective: Establish an implementation and fallback/backout plan. Obtain approval from relevant parties.

Value Drivers:
• An agreed-upon and standardised approach for implementing changes in an efficient and effective manner
• Formally defined expectations and performance measurement
• Effective recovery in the event of implementation failure

Risk Drivers:
• Improper resource allocation to ensure effective implementation of changes
• Security breaches

Test the Control Design:
• Confirm for a representative sample of projects that the implementation plan has been reviewed and approved.
• Enquire whether and confirm that an implementation plan has been created that includes the broad implementation strategy, the sequence of implementation steps, resource requirements, interdependencies, criteria for management agreement to the production implementation, installation verification requirements and transition strategy for production support.
• Select a representative sample of projects and validate that the implementation plan is aligned with the business change management plan.
• Enquire whether and confirm that third parties are committed to be involved in each step of the implementation.
• Enquire whether and confirm that fallback and recovery processes are identified and documented in the implementation plan.

AI7.4 Test Environment

Control Objective: Define and establish a secure test environment representative of the planned operations environment relative to security, internal controls, operational practices, data quality and privacy requirements, and workloads.

Value Drivers:
• Minimised business interruptions in production

Risk Drivers:
• Insufficient testing using automated test scripts
• Performance problems undetected
• System security compromised

Test the Control Design:
• Enquire whether and confirm that the test environment is set up to mirror the production environment (factors include workload/stress, operating systems, necessary application software, database management systems, network and computing infrastructure).
• Enquire whether and confirm that the test environment is incapable of interacting with production environments.
• Enquire whether and confirm that a test database exists.
• Evaluate the existence and quality of a data-sanitising process in creating a test database.
• Assess protection measures and the authorisation of access to the test environment.
• Enquire whether and confirm that a process exists and is complied with to manage retention or disposal of test results.
• Enquire whether and confirm that the retention process meets or exceeds regulatory or compliance requirements.

Page 146: USING COBIT - csbweb01.uncw.edu


AI7 Install and Accredit Solutions and Changes (cont.)

AI7.5 System and Data Conversion

Control Objective: Plan data conversion and infrastructure migration as part of the organisation’s development methods, including audit trails, rollbacks and fallbacks.

Value Drivers:
• Improper components detected and removed from production
• New system operating as intended and supporting the business processes

Risk Drivers:
• Old systems not available when needed
• Unreliable system and conversion results
• Subsequent processing interruptions
• Data integrity issues

Test the Control Design:
• Confirm (e.g., through interviews with key staff members or inspection of policies and procedures) that data conversion and infrastructure mitigation plans exist, and consider the following: hardware, networks, operating systems, software, transaction data, master files, backups and archives, interfaces with other internal and external systems, procedures, system documentation, etc.
• Through interviews with key staff members, enquire about the timing and completeness of conversion cutover.
• Enquire whether and confirm that a backup is taken prior to conversion, audit trails are maintained, and a fallback and recovery plan exists.

AI7.6 Testing of Changes

Control Objective: Test changes independently in accordance with the defined test plan prior to migration to the operational environment. Ensure that the plan considers security and performance.

Value Drivers:
• Achieved system performance
• Effective cost control
• Increased customer confidence

Risk Drivers:
• Waste of resources
• Degraded overall security
• Changes impacting system performance and availability

Test the Control Design:
• Enquire whether and confirm that testing of changes is developed with independence (separation of duties) and conducted only in the test environment.
• Enquire whether and confirm that test scripts exist to validate security and performance requirements.
• Confirm through interviews that fallback or backout plans are prepared and tested prior to changes being promoted into production.

Page 147: USING COBIT - csbweb01.uncw.edu


AI7 Install and Accredit Solutions and Changes (cont.)

AI7.7 Final Acceptance Test

Control Objective: Ensure that business process owners and IT stakeholders evaluate the outcome of the testing process as determined by the test plan. Remediate significant errors identified in the testing process, having completed the suite of tests identified in the test plan and any necessary regression tests. Following evaluation, approve promotion to production.

Value Drivers:
• Minimised business interruptions in production
• Critical data flows protected
• Deviations from expected service quality identified
• Application meeting usability requirements

Risk Drivers:
• Performance problems undetected
• Business rejection of delivered capabilities

Test the Control Design:
• Confirm that key stakeholders are considered in the final acceptance testing activities.
• Enquire whether and confirm that in the final acceptance stages, success criteria are identified in the testing plan.
• Enquire whether and confirm that appropriate documentation for review and evaluation exists.
• Enquire of key stakeholders whether the documentation and presentation of final acceptance testing results are complete and timely.

Page 148: USING COBIT - csbweb01.uncw.edu


AI7 Install and Accredit Solutions and Changes (cont.)

AI7.8 Promotion to Production

Control Objective: Following testing, control the handover of the changed system to operations, keeping it in line with the implementation plan. Obtain approval of the key stakeholders, such as users, system owner and operational management. Where appropriate, run the system in parallel with the old system for a while, and compare behaviour and results.

Value Drivers:
• An agreed-upon and standardised approach for promoting changes into production in an efficient and effective manner
• Formally defined expectations and performance measurement
• Consistent change procedure

Risk Drivers:
• Segregation of duties violations
• Systems exposed to fraud or other malicious acts
• No rollback to previous application system version possible

Test the Control Design:
• Review procedures for program transfer to verify that a formal process exists that requires documented approval from user management and system development.
• Confirm that the approval process identifies effective dates for promotion of new systems, applications or infrastructure to production, as well as for the retirement of old systems, applications and infrastructure.
• Enquire whether and confirm that the approval process includes a formal documented sign-off from business process owners, third parties and IT stakeholders as appropriate (e.g., development group, security group, database management, user support and operations group).
• Confirm procedures for updating copies of system documentation and relevant contingency plan.
• Enquire of key staff members concerning procedures for updating all source program libraries and procedures for labelling and retaining prior versions.
• Enquire of key staff members regarding required procedures for obtaining from the acceptance testing function the media used for implementation.
• Enquire of key staff members whether automated software distribution is controlled and whether there are checks in the distribution process that verify that the destination environment is of the correct standard implementation and version.
• Evaluate the effectiveness of the control to verify that distribution occurs only to authorised and correctly identified destinations.
• Enquire of key staff members whether a formal log is kept of what software and configuration items have been distributed, to whom they have been distributed, where they have been implemented, and when each has been updated.
• Enquire of key staff members concerning procedures for promptly updating all program copies and procedures for providing implementation order instructions in advance to all impacted locations.
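The AI7.8 design tests above (documented sign-off from each stakeholder group, evidence from the test environment, a tested fallback plan, distribution only to authorised destinations on the correct standard implementation and version, and a formal log of what went where and when) can be expressed as a promotion gate. The following is an added example, not the guide's or any product's code: the stakeholder set, the record layouts, the baseline identifiers and the sample releases and hosts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Stakeholder groups whose documented sign-off is required before promotion
# (assumed set, built from the groups named in the AI7.8 test steps).
REQUIRED_SIGNOFFS = frozenset({
    "business_process_owner", "development", "security",
    "database_management", "user_support", "operations",
})


@dataclass
class Release:
    release_id: str
    version: str
    signoffs: Dict[str, str]      # stakeholder group -> name of approver
    tested_in: str                # environment the acceptance tests ran in
    fallback_plan_tested: bool
    required_baseline: str        # standard implementation the destination must run


@dataclass
class Destination:
    host: str
    baseline: str                 # standard implementation/version reported by the host
    authorised: bool              # on the approved distribution list


@dataclass
class DistributionLog:
    """Formal log of what was distributed, to whom, where and when."""
    entries: List[Dict[str, str]] = field(default_factory=list)

    def record(self, rel: Release, dest: Destination, when: str, outcome: str) -> None:
        self.entries.append({"release": rel.release_id, "version": rel.version,
                             "host": dest.host, "when": when, "outcome": outcome})


def promotion_findings(rel: Release) -> List[str]:
    """Reasons the release may not be promoted; an empty list means the gate is passed."""
    findings: List[str] = []
    missing = REQUIRED_SIGNOFFS - set(rel.signoffs)
    if missing:
        findings.append("missing sign-off from: " + ", ".join(sorted(missing)))
    if rel.tested_in != "test":
        findings.append(f"acceptance evidence comes from '{rel.tested_in}', not the test environment")
    if not rel.fallback_plan_tested:
        findings.append("fallback/backout plan not tested before promotion")
    return findings


def distribute(rel: Release, destinations: List[Destination],
               log: DistributionLog, when: str) -> List[str]:
    """Deliver the release only to authorised hosts on the required baseline; log every decision."""
    blockers = promotion_findings(rel)
    delivered: List[str] = []
    for dest in destinations:
        if blockers:
            outcome = "blocked: " + "; ".join(blockers)
        elif not dest.authorised:
            outcome = "refused: destination not on the authorised distribution list"
        elif dest.baseline != rel.required_baseline:
            outcome = f"refused: baseline {dest.baseline} differs from required {rel.required_baseline}"
        else:
            outcome = "delivered"
            delivered.append(dest.host)
        log.record(rel, dest, when, outcome)
    return delivered


# Constructed sample data.
GOOD_RELEASE = Release("REL-42", "2.3.1", {g: "signed" for g in REQUIRED_SIGNOFFS},
                       "test", True, "std-build-7")
BAD_RELEASE = Release("REL-43", "2.3.2", {g: "signed" for g in REQUIRED_SIGNOFFS - {"security"}},
                      "production", False, "std-build-7")
DESTINATIONS = [
    Destination("app01", "std-build-7", True),
    Destination("app02", "std-build-6", True),     # wrong baseline
    Destination("lab-box", "std-build-7", False),  # not an authorised destination
]

if __name__ == "__main__":
    log = DistributionLog()
    print("delivered:", distribute(GOOD_RELEASE, DESTINATIONS, log, "2007-07-01T02:00"))
    print("blocked:", distribute(BAD_RELEASE, DESTINATIONS, log, "2007-07-01T02:05"))
    for entry in log.entries:
        print(entry)
```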

Page 149: USING COBIT - csbweb01.uncw.edu


AI7 Install and Accredit Solutions and Changes (cont.)

AI7.9 Post-implementation Review

Control Objective: Establish procedures in line with the organisational change management standards to require a post-implementation review as set out in the implementation plan.

Value Drivers:
• An agreed-upon and standardised approach for post-implementation reviews
• Consistent and transparent review procedure
• Efficient use of organisational resources
• Improved end-user satisfaction

Risk Drivers:
• Failure to identify that systems do not meet end users’ needs
• Return on investments failing to meet management’s expectations

Test the Control Design:
• Confirm through interviews with key staff members that post-implementation procedures have been established.
• Confirm through interviews with key staff members that business process owners and IT technical management are involved in the selection of metrics for measuring success and achievement of requirements and benefits.
• Confirm through interviews with key staff members that the form of the post-implementation review is in accordance with the organisational change management process and that business process owners and third parties are involved, as appropriate.
• Confirm through interviews with key staff members that requirements for post-implementation review arising from outside business and IT are considered.
• Confirm through interviews with key staff members that an action plan exists to address issues identified in the post-implementation review and that business process owners and IT technical management are involved in the development of the action plan.

Page 150: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Inspect the training plan to determine if it clearly identifies learning objectives, resources, key milestones, dependencies and critical path tasks. Confirm that the training plan considers alternative training strategies depending on the business needs.
• Inspect training plan documentation to confirm that:
  – It identifies the staff members who must be trained
  – The training was delivered in a timely manner
  – A cost-effective approach is selected and used (e.g., train the trainer, end-user accreditation, intranet-based training)
  – Feedback (e.g., evaluation forms, comment sheet) is received and used in identifying areas of potential improvements in the system
  – Planned changes are considered training requirements
  – It aligns with the project quality plan and relevant organisational standards
  – Test plans were communicated to appropriate business owners and IT stakeholders
• Inspect test documentation to determine if testing was performed based on the project's risk assessment. Confirm that all functional and technical testing requirements are covered (e.g., performance, stress, usability, pilot and security testing) and that the test plan addressed any requirement for internal or external accreditation.
• Inspect test documentation to determine if resources were identified for executing the test and evaluating the results (e.g., construction of test environments and staff members for the test group, including potential temporary replacement of test staff members in the production or development environments).
• Review a sample of test scripts to ensure that they adequately address each test criterion.
• For a sample of system development, implementation or modification projects, inspect test documentation to determine if appropriate test phases are performed (e.g., unit test, system test, integration test, user acceptance test, performance test, stress test, data conversion test, security test, operational readiness test).
• For a sample of test plans, inspect documentation to determine if the:
  – Criteria for measuring success for each testing phase are considered
  – Test plans are approved
  – Test database uses only sanitised data and is protected against disclosure
• Inspect conversion plans for adequacy, and confirm with the data owners the results of the conversion for completeness and integrity.
• Inspect and evaluate documentation for fallback/backout plans.
• Verify that error logs include audit trails to facilitate timely bug fixing and remediation.
• Review the final acceptance testing activities to evaluate whether the scope effectively covered all components and effectively addressed the acceptance criteria.
• Review acceptance testing results and evaluate the effectiveness of their interpretation and presentation.
• Inspect results of testing to verify that formal sign-off exists prior to promotion to production.
• Inspect source program libraries to verify that they are updated to the current versions and that prior versions are clearly labelled and retained for a reasonable period of time.
• Evaluate the effectiveness of the control to verify that distribution occurs only to authorised and correctly identified destinations.
• Inspect the log and verify that a procedure has been implemented to ensure its integrity and completeness.
• Physically inspect implementation orders/instructions on file.
• Select a sample of system development, implementation or modification projects and inspect change documentation to determine if management sign-off is performed to ensure that the change is authorised, tested and properly documented before software is released to production.
• Walk through the archive environment, and physically inspect archived versions and documentation.
• Assess the effectiveness of the change handover process in ensuring that only authorised, tested and documented changes are accepted in production.
• Assess the effectiveness of the process in ensuring that software implemented is unchanged from what has been tested.
• Select a sample of build requests and inspect documentation to determine if media preparation is based only on formal build requests.
• Confirm the effectiveness of the backout or reversal procedures.
• Confirm that a distribution audit trail includes the software and configuration items that have been distributed, to whom they have been distributed, where they have been implemented and when each has been updated.
• Confirm that automated software distribution occurs only to authorised and correctly identified destinations.
• Confirm that post-implementation procedures identify, assess and report on the extent to which business requirements have been met; expected benefits have been realised; the system is considered usable; internal and external stakeholders' expectations are met; unexpected impacts on the organisation may have occurred; key risks are mitigated; and the change management, installation and accreditation processes were performed effectively and efficiently.
• Enquire whether and confirm that requirements for post-implementation review arising from outside business and IT are considered.
• For a sample of system development or implementation projects, confirm that outside business and IT requirements (e.g., internal audit, enterprise risk management, regulatory compliance) are included in the post-implementation review.


• Select a sample of system development and implementation projects and confirm that the post-implementation plan includes an action plan to address the issues identified. Confirm that business process owners and IT technical management are involved in the development of action plans.
• Assess the effectiveness of the process for verification of success or failure of changes.
• Assess the configuration inventory to determine if changes are reviewed and accepted.
• Identify:
  – Any changes that were made without approval
  – Any changes not accounted for
  – Current libraries (source and object) not reflecting the most recent changes
  – Change control procedure variances
• Assess the impact of failed or erroneous changes.
• Assess the impact of late or delayed changes.
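The outcome steps above ask the reviewer to find changes made without approval, changes not accounted for, libraries that do not reflect the latest approved change, distribution to unauthorised destinations, and software in production that differs from what was tested. When the change register, the test sign-offs and the distribution audit trail are available as exports, that reconciliation can be scripted. The following Python is an added illustration of that; it is not from the COBIT guide or ITGI. The record layouts, the digest field, the list of authorised destinations and every sample row are constructed assumptions about what such exports might contain.

```python
"""Reconcile a distribution audit trail against the change register and test
sign-offs (AI7 outcome steps). Added example, not from the COBIT guide.
All records are constructed sample data; the field names and the digest
values are assumptions about how such exports might look."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """Row from the change register (assumed layout)."""
    change_id: str
    artifact: str
    approved: bool


@dataclass(frozen=True)
class TestSignoff:
    """Formal sign-off recorded at the end of acceptance testing (assumed layout)."""
    change_id: str
    artifact: str
    digest: str  # hash of the build that was actually tested (constructed values)


@dataclass(frozen=True)
class Deployment:
    """Line from the distribution audit trail (assumed layout)."""
    change_id: str
    artifact: str
    digest: str  # hash of what was installed
    destination: str


def reconcile(changes, signoffs, deployments, authorised_destinations):
    """Return findings keyed by the audit question each one answers."""
    known = {c.change_id for c in changes}
    approved = {c.change_id for c in changes if c.approved}
    tested = {(s.change_id, s.artifact): s.digest for s in signoffs}
    findings = {
        "unaccounted": [],            # deployed, but no register entry explains it
        "unapproved": [],             # registered but never approved
        "untested_or_modified": [],   # no sign-off, or installed digest != tested digest
        "unauthorised_destination": [],
    }
    deployed_ids = set()
    for d in deployments:
        deployed_ids.add(d.change_id)
        if d.change_id not in known:
            findings["unaccounted"].append(d)
        elif d.change_id not in approved:
            findings["unapproved"].append(d)
        if tested.get((d.change_id, d.artifact)) != d.digest:
            findings["untested_or_modified"].append(d)
        if d.destination not in authorised_destinations:
            findings["unauthorised_destination"].append(d)
    # Approved changes never shipped: the library may not reflect the latest change.
    findings["approved_not_deployed"] = sorted(approved - deployed_ids)
    return findings


# Constructed sample exports.
CHANGES = [
    Change("CHG-1001", "billing-api", approved=True),
    Change("CHG-1002", "billing-api", approved=False),   # still awaiting approval
    Change("CHG-1003", "reporting-svc", approved=True),  # approved, never shipped
]
SIGNOFFS = [TestSignoff("CHG-1001", "billing-api", "aaaa1111")]
DEPLOYMENTS = [
    Deployment("CHG-1001", "billing-api", "aaaa1111", "prod-web-01"),   # clean
    Deployment("CHG-1001", "billing-api", "aaaa1111", "prod-web-02"),   # clean
    Deployment("CHG-1001", "billing-api", "aaaa1112", "dev-box-7"),     # rebuilt after test, wrong host
    Deployment("CHG-1002", "billing-api", "bbbb2222", "prod-web-01"),   # unapproved, untested
    Deployment("CHG-9999", "reporting-svc", "cccc3333", "prod-db-01"),  # not in the register
]
AUTHORISED = {"prod-web-01", "prod-web-02", "prod-db-01"}


def run_sample():
    return reconcile(CHANGES, SIGNOFFS, DEPLOYMENTS, AUTHORISED)


if __name__ == "__main__":
    for question, rows in run_sample().items():
        print(f"{question}: {len(rows)}")
        for r in rows:
            print("   ", r)
```

The digest comparison is what turns the "software implemented is unchanged from what has been tested" step into evidence rather than an interview answer: a rebuild after sign-off produces a different digest even when the change ticket and version label are identical.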

Take the following steps to document the impact of the control weaknesses:
• Assess the cost and operational inefficiency (e.g., failure to detect problems promptly, gaps in knowledge to perform the duties) of lack of training.
• Assess the impact (e.g., insufficient testing by automated test scripts, failure to detect performance problems, lack of cost control, undefined roles and responsibilities) due to the lack of a test plan.
• Assess whether the implementation plan has been reviewed and approved by major stakeholders to ensure that appropriate commitment exists throughout the life of the project.
• Assess the existence of a test environment to mirror production and provide a reliable future state for changes to business operations.
• Assess the data conversion plan for completeness to ensure that it includes audit trail, rollback procedures and fallback procedures.
• Assess whether changes are tested independently in accordance with the defined test plans prior to migration into production.
• Assess whether the test plans include a test to validate security and performance requirements.
• Assess the outcome of the testing process to identify errors requiring timely remediation prior to promotion to production.
• Assess the impact of the lack of a post-implementation plan.


APPENDIX IV—DELIVER AND SUPPORT (DS) PROCESS ASSURANCE STEPS

DS1 Define and Manage Service Levels

Effective communication between IT management and business customers regarding services required is enabled by a documented definition of and agreement on IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.

DS1.1 Service Level Management Framework

Control Objective
Define a framework that provides a formalised service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). The framework should include processes for creating service requirements, service definitions, SLAs, OLAs and funding sources. These attributes should be organised in a service catalogue. The framework should define the organisational structure for service level management, covering the roles, tasks and responsibilities of internal and external service providers and customers.

Value Drivers
• Clarified IT service responsibilities and IT objectives aligned with business objectives
• Improved communication and understanding between business customers and IT service providers
• Consistency promoted in service levels, service definitions, and service delivery and support

Risk Drivers
• Gaps between expectations and capabilities, leading to disputes
• Customers and providers not understanding their responsibilities
• Inappropriate priority given to different services provided
• Inefficient and costly operational service

Test the Control Design
• Inspect SLA policies and procedures for the alignment of SLA objectives and performance measures with business objectives and IT strategy.
• Enquire whether and confirm that policies exist for the alignment of SLA objectives and performance measures with business objectives and IT strategy.
• Inspect the service catalogue and verify that it incorporates service requirements, service definitions, SLAs, OLAs and funding sources.
• Enquire of staff members accountable for SLA escalation and resolution to determine whether the procedures or methods established reasonable service levels in responding to issues.
• Inspect a sample of relevant changes and verify that changes were implemented in accordance with the change management process.
• Inspect the design of the service improvement programme for standards to measure performance.


DS1 Define and Manage Service Levels (cont.)

DS1.2 Definition of Services

Control Objective
Base definitions of IT services on service characteristics and business requirements. Ensure that they are organised and stored centrally via the implementation of a service catalogue portfolio approach.

Value Drivers
• IT service objectives aligned with business objectives
• IT operational service based on correct requirements and priorities
• Incidents linked to services they impact, enabling incident response to be effectively prioritised

Risk Drivers
• Inappropriately delivered services
• Incorrect priority for provided services
• Misunderstood impact of incidents, leading to slow response and significant business impact
• Different interpretations and misunderstanding of IT services provided

Test the Control Design
• Enquire whether and confirm that a process exists for developing, reviewing and adjusting the service catalogue or portfolio of services.
• Confirm the existence of a management process to ensure that the service catalogue or portfolio is available, complete and up to date.
• Inspect the service catalogue or portfolio process to verify that it is reviewed on a regular basis.

DS1.3 Service Level Agreements

Control Objective
Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arrangements, if applicable; and roles and responsibilities, including oversight of the SLA. Consider items such as availability, reliability, performance, capacity for growth, levels of support, continuity planning, security and demand constraints.

Value Drivers
• Service responsibilities and IT objectives aligned with business objectives
• Service quality enhanced due to proper understanding and alignment of service delivery
• Service efficiency increased and costs reduced due to efficient deployment of IT services based on real needs and priorities

Risk Drivers
• Failure to meet customer service requirements
• Inefficient and ineffective use of service delivery resources
• Failure to identify and respond to critical service incidents

Test the Control Design
• Enquire whether and confirm that stakeholders agree to, record and communicate the SLA, and what is included in the format and contents.
• Inspect the format of the SLA's content to verify that it includes exclusions, commercial arrangements and OLAs.
• Inspect the SLA management process to verify that it measures SLAs (qualitative and quantitative) and monitors the SLA objectives.
• Inspect SLAs for approval and appropriate signatures.
• Observe and review the SLA review process to evaluate its adequacy.
• Verify that the process for improvements or adjustments to SLAs is based on performance feedback and changes to customer and business requirements.
• Enquire of key staff members whether services are being rendered that are not documented in the SLA.


DS1 Define and Manage Service Levels (cont.)

DS1.4 Operating Level Agreements

Control Objective
Define OLAs that explain how the services will be technically delivered to support the SLA(s) in an optimal manner. The OLAs should specify the technical processes in terms meaningful to the provider and may support several SLAs.

Value Drivers
• Operational services aligned with SLAs and, therefore, to business needs
• Optimisation of operational resources by standardisation and alignment with service requirements
• Cost reduction by optimised use of resources and fewer service incidents

Risk Drivers
• Failure of the provided services to meet the business requirements
• Gaps in technical understanding of services leading to incidents
• Inefficient and costly use of operational resources

Test the Control Design
• Enquire whether and confirm that a process has been defined to develop, manage, review and adjust OLAs.
• Inspect the SLA(s) and confirm that the OLA supports the technical requirements of the respective SLA(s).
• Obtain a representative sample of OLAs and evaluate whether the OLAs contain operable and optimal definitions of delivery of services.

DS1.5 Monitoring and Reporting of Service Level Achievements

Control Objective
Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.

Value Drivers
• Users able to monitor service level performance based on reliable information
• The values of IT services communicated within the enterprise
• Consistent communication between relevant parties

Risk Drivers
• Lack of defined measures important to the organisation
• Unidentified underlying service problems and issues
• Dissatisfied users due to lack of information, irrespective of quality of service

Test the Control Design
• Through interviews with key staff members responsible for monitoring service level performance, determine reporting criteria.
• Obtain samples of SLA performance reporting, and verify distribution.
• Inspect reviews for forecast and trends in service level performance.


DS1 Define and Manage Service Levels (cont.)

DS1.6 Review of Service Level Agreements and Contracts

Control Objective
Regularly review SLAs and underpinning contracts (UCs) with internal and external service providers to ensure that they are effective and up to date and that changes in requirements have been taken into account.

Value Drivers
• Delivered IT services aligned with changing business needs
• Weaknesses in existing service agreements identified and corrected

Risk Drivers
• Commercial and legal requirements not met due to out-of-date contracts
• Services not meeting changed requirements
• Financial losses and incidents due to misaligned services

Test the Control Design
• Inspect the SLAs, compare the UCs, and determine effectiveness and currency of changes.
• Obtain a walk-through of SLA documentation requirements.
• Review SLAs and UCs, and confirm that alignment with business objectives is evaluated on a regular basis.


Take the following steps to test the outcome of the control objectives:
• Enquire of senior management, representing the business and IT functions, about their involvement in the design and approval of the SLA framework.
• Enquire of key staff members if performance criteria have been formalised to support and measure achievement of SLA objectives, and if a process is in place to monitor and report the attainment of the objectives.
• Inspect the internal and external performance SLAs, and compare actual results for alignment with the expected SLA requirements.
• Confirm that the IT service objectives align with business objectives, and formally define expectations and performance measurements.
• Inspect service records to ascertain reasons for non-performance, and validate that a performance improvement programme is in place.
• Analyse the historical performance records, and determine that results are tracked against prior service improvement commitments.
• Enquire of key staff members whether stakeholders agree to, record and communicate the SLA and what is included in the format and contents.
• Inspect the format and contents of the SLAs to verify that they include exclusions, commercial arrangements and OLAs.
• For a sample of past and in-process SLAs, determine that content includes:
  – Definition of service
  – Cost of service
  – Quantifiable minimum service level
  – Level of support from the IT function
  – Availability, reliability and capacity for growth
  – Change procedure for any portion of the agreement
  – Continuity planning
  – Security requirements
  – Written and formally approved agreement between the provider and user of the service
  – Effective period and new period review/renewal/non-renewal
  – Content and frequency of performance reporting and payment for services
  – Realistic charges compared to history, industry and best practices
  – Calculation for charges
  – Service improvement commitment
  – Formal approval of the user and provider
• Confirm that appropriate users are aware of and understand SLA processes and procedures.
• Inspect SLAs to verify that the OLAs and UCs support the technical requirements of the SLAs and are delivered in an optimal manner.
• Select a sample of SLAs, and confirm that resolution procedures for inappropriate service delivery, specifically non-performance, are included and being met.
• Inspect the service catalogue and ascertain that all services are defined properly.
• Enquire whether and confirm that distinct IT services to which costs will be allocated have been defined and documented.
• Ascertain whether business process owners have knowledge of those IT services that support their business process.
• Inspect any documentation available that identifies business processes and their supporting infrastructure or IT services, and determine whether the mapping is accurate and complete. This can be accomplished, for example, by comparing the mapping to the organisational chart, lines of business, etc.
• Enquire of business process owners and IT service owners whether they have agreed on a mapping of IT services to business processes.
• Enquire of business process owners and users regarding their degree of satisfaction with IT services provided to identify potential weak areas. Such enquiries may be conducted in person or via an anonymous survey.
• Inspect documentation that relates to the mapping between IT service areas and business processes to determine if the operational aspects of the mapping are in place (e.g., SLAs should be examined for appropriateness).
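DS1.5 and the outcome step "compare actual results for alignment with the expected SLA requirements" come down to a calculation over outage records: per service and reporting month, how much downtime occurred, does the resulting availability meet the agreed target, and is the trend negative. The Python below is an added illustration of that calculation, not part of the COBIT guide. The services, targets and outage records are constructed; whole calendar months as the measurement window and a whole-month denominator are assumptions (an SLA may define service hours and exclusions differently, which is what the "exclusions" check above looks for). It handles the two cases that routinely distort hand-prepared reports: overlapping outage tickets are counted once, and an outage that crosses a month boundary is split between the two months.

```python
"""Achieved availability per service and reporting month from outage records,
compared with the SLA target (DS1.5 and the outcome step above). Added example,
not from the COBIT guide. Services, targets and outage records are constructed;
whole calendar months as the measurement window are an assumption."""
from datetime import datetime, timedelta

# Constructed SLA register: service -> agreed minimum monthly availability (%).
SLA_TARGETS = {"order-entry": 99.9, "reporting": 99.5}

# Constructed outage export: (service, start, end).
OUTAGES = [
    ("order-entry", datetime(2007, 3, 4, 10, 0), datetime(2007, 3, 4, 10, 30)),   # 30 min
    ("order-entry", datetime(2007, 3, 31, 23, 0), datetime(2007, 4, 1, 1, 0)),    # crosses month end
    ("order-entry", datetime(2007, 4, 10, 8, 0), datetime(2007, 4, 10, 8, 45)),   # 45 min
    ("order-entry", datetime(2007, 4, 10, 8, 30), datetime(2007, 4, 10, 9, 0)),   # overlaps the previous one
    ("reporting", datetime(2007, 3, 15, 0, 0), datetime(2007, 3, 15, 6, 0)),      # 6 h
]


def month_bounds(year, month):
    """[start, end) of a calendar month."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return start, end


def merged_downtime(intervals, window_start, window_end):
    """Downtime inside the window; overlapping outages are counted once and
    outages that cross the window edge are clipped to it."""
    clipped = sorted((max(s, window_start), min(e, window_end)) for s, e in intervals)
    total = timedelta(0)
    cur_start = cur_end = None
    for s, e in clipped:
        if e <= s:                      # lies entirely outside the window
            continue
        if cur_end is None or s > cur_end:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = s, e
        else:                           # overlaps the open interval: extend it
            cur_end = max(cur_end, e)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def availability(service, year, month, outages=OUTAGES):
    """Achieved availability in percent, to four decimals."""
    ws, we = month_bounds(year, month)
    down = merged_downtime([(s, e) for svc, s, e in outages if svc == service], ws, we)
    return round(100 * (1 - down / (we - ws)), 4)


def sla_report(targets=SLA_TARGETS, months=((2007, 3), (2007, 4)), outages=OUTAGES):
    """One row per service and month with achieved %, target % and breach flag."""
    rows = []
    for service, target in targets.items():
        for year, month in months:
            achieved = availability(service, year, month, outages)
            rows.append({"service": service, "month": f"{year}-{month:02d}",
                         "achieved": achieved, "target": target,
                         "breach": achieved < target})
    return rows


def negative_trend(rows, service):
    """True when achieved availability fell in every successive month."""
    series = [r["achieved"] for r in rows if r["service"] == service]
    return len(series) > 1 and all(later < earlier for earlier, later in zip(series, series[1:]))


if __name__ == "__main__":
    report = sla_report()
    for r in report:
        print(f"{r['service']:12} {r['month']}  achieved {r['achieved']:8.4f}%  "
              f"target {r['target']}%  {'BREACH' if r['breach'] else 'ok'}")
    for svc in SLA_TARGETS:
        print(f"{svc}: negative trend = {negative_trend(report, svc)}")
```

On the constructed data, order-entry breaches its 99.9% target in both months and is trending down, while reporting breaches in March only; a reviewer would then take those rows to the "reasons for non-performance" and "prior service improvement commitments" steps above.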

Take the following steps to document the impact of the control weaknesses:
• Benchmark SLAs against similar organisations or appropriate international standards/recognised industry best practices.
• Determine the existence of gaps between service level expectations and delivered services through enquiry and review of documented disputes and fee discounts.
• Determine if services result in frequent fee surcharges and base fee overruns.
• Determine if service level failures were escalated and resolved in a timely manner.
• Determine if the service catalogue is up to date and aligned with business goals.
• Assess the adequacy of proposed service improvements in comparison with the cost-benefit analysis.
• Determine that gaps in expected services are appropriately prioritised and address control requirements for managing services based on service characteristics and business requirements.
• Assess the adequacy of the provision for describing, co-ordinating and communicating the relationship between the provider and user of information services.


• Assess the adequacy of the provider's ability to meet improvement commitments in the future.
• Enquire of key management staff members whether the service level framework provides assurance that SLAs and contracts are current and aligned with business objectives.
• Determine whether reports on achievement of the specified service performance are appropriately used by management to ensure satisfactory performance.
• Determine whether reports of all problems encountered are appropriately used by management to ensure that corrective actions are taken.
• Assess the services provided to determine whether operational agreements align with SLAs.
• For selected categories of reported SLA information, determine the existence of inconsistency of service delivery.
• Assess users' satisfaction levels with the current service level process and actual agreements.
• Assess the service level measurement criteria, and determine the effectiveness of the communication flow between all relevant parties.
• Review SLAs to determine qualitative and quantitative provisions confirming that obligations are defined and being met.
• Assess management's ongoing review of and corrective action for service level reporting.
• Determine whether financial losses incurred are reflective of insufficient service quality.
• Verify the service catalogue's completeness by reviewing and reconciling change requests, network plans, server documentation, incident records, timesheets and other means of communication.
• Enquire of IT service leaders regarding daily duties and responsibilities to ascertain whether those duties provide sufficient coverage of IT infrastructure.
• Corroborate outcomes of discussions with outputs of data centre tours, asset registries, network diagrams or other infrastructure inventories, and identify infrastructure not linked to an IT leader.
• Inspect asset registries, network diagrams or other infrastructure inventories, and ascertain the percentage of assets that are not assigned to an IT service area.
• Document the criticality of those assets in light of the service provided.
• Inspect documentation identifying IT services and business processes, and ascertain the degree of unallocated IT service areas.
• Document the criticality of those service areas in light of the affected business processes.


DS2 Manage Third-party Services

The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third-party management process. This process is accomplished by clearly defining the roles, responsibilities and expectations in third-party agreements as well as reviewing and monitoring such agreements for effectiveness and compliance. Effective management of third-party services minimises the business risk associated with non-performing suppliers.

DS2.1 Identification of All Supplier Relationships

Control Objective
Identify all supplier services, and categorise them according to supplier type, significance and criticality. Maintain formal documentation of technical and organisational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers.

Value Drivers
• Centralised service supplier overview to support supplier decision making
• Preferred suppliers identified for future acquisitions
• Supplier management resources focused on critical suppliers

Risk Drivers
• Unidentified significant and critical suppliers
• Inefficient and ineffective usage of supplier management resources
• Unclear roles and responsibilities leading to miscommunications, poor services and increased costs

Test the Control Design
• Enquire whether and confirm that a register of supplier relationships is maintained.
• Obtain and inspect supplier relationship criteria for reasonableness and completeness of categorisations by supplier type, significance and criticality.
• Determine if the supplier categorisation scheme is sufficiently detailed to categorise all supplier relationships based on the nature of contracted services.
• Verify whether past histories on supplier selection/rejection are kept and used.
• Inspect the register of supplier relationships to ensure that it is up to date, appropriately categorised and sufficiently detailed to ensure that it provides a foundation for monitoring of existing suppliers.
• Inspect a representative sample of supplier contracts, SLAs and other documentation to ensure that they correspond with the supplier register.

DS2.2 Supplier Relationship Management

Control Objective
Formalise the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs).

Value Drivers
• Relationships promoted that support the overall enterprise objectives (both business and IT)
• Effective and efficient communication and problem resolution
• Clear ownership of responsibilities between customer and supplier

Risk Drivers
• Supplier not responsive or committed to the relationship
• Problems and issues not resolved
• Inadequate service quality

Test the Control Design
• Inspect service supplier documentation for evidence of formalised roles and responsibilities, and determine if supplier management roles have been documented and communicated within the organisation.
• Determine if policies exist to address the need for formal contracts, definition of content of contracts, and assignment of owner or relationship manager responsibilities for ensuring that contracts are created, maintained, monitored and renegotiated as required.
• Assess if the assignment of supplier management roles is reasonable and based on the level and technical skills required to effectively manage the relationship.


DS2 Manage Third-party Services (cont.)

DS2.3 Supplier Risk Management

Test the Control Design
• Enquire whether risks associated with the inability to fulfil the supplier contracts are defined.
• Enquire whether remedies were considered when defining the supplier contract.
• Inspect contract documentation for evidence of review.
• Enquire of key staff members whether a risk management process exists to identify and monitor supplier risk.
• Determine if policies exist requiring independence within the vendor sourcing and selection process, and between vendor and management personnel within the organisation.

Test the Control Design (following control objective)
• Select a sample of supplier invoices, determine if they identify charges for contracted services, as specified within service contracts, and assess the reasonableness of charges compared to various internal, external and industry comparable performance.
• Inspect a sample of supplier service reports to determine if the supplier regularly reports on agreed-upon performance criteria and if performance reporting is objective and measurable and in alignment with defined SLAs and the supplier contract.

Control Objective (DS2.3)
Identify and mitigate risks relating to suppliers' ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further consider non-disclosure agreemen
ts (

ND

As)

, esc

row

con

trac

ts, c

ontin

ued

supp

lier

viab

ility

,co

nfor

man

ce w

ith s

ecur

ity r

equi

rem

ents

, alte

rnat

ive

supp

liers

, pen

altie

s an

dre

war

ds, e

tc.

Valu

e D

river

sC

ontr

ol O

bjec

tive

• C

ompl

ianc

e w

ith le

gal a

nd c

ontr

actu

alre

quir

emen

ts•

Red

uced

inci

dent

s an

d po

tent

ial l

osse

s•

Iden

tific

atio

n of

low

-ris

k, w

ell-

man

aged

sup

plie

rs

Ris

k D

river

s

• N

on-c

ompl

ianc

e w

ith r

egul

ator

y an

dle

gal o

blig

atio

ns•

Secu

rity

as

wel

l as

othe

r in

cide

nts

• Fi

nanc

ial l

osse

s an

d re

puta

tiona

lda

mag

e be

caus

e of

ser

vice

inte

rrup

tion

DS2 M

anag

e Th

ird-

part

y Ser

vice

s (c

ont.

)

DS2

.4 S

uppl

ier

Per

form

ance

Mon

itor

ing

Est

ablis

h a

proc

ess

to m

onito

r se

rvic

e de

liver

y to

ens

ure

that

the

supp

lier

ism

eetin

g cu

rren

t bus

ines

s re

quir

emen

ts a

nd c

ontin

uing

to a

dher

e to

the

cont

ract

agre

emen

ts a

nd S

LA

s, a

nd th

at p

erfo

rman

ce is

com

petit

ive

with

alte

rnat

ive

supp

liers

and

mar

ket c

ondi

tions

.

Valu

e D

river

sC

ontr

ol O

bjec

tive

• T

imel

y de

tect

ion

of s

ervi

ce le

vel

non-

com

plia

nce

• B

enef

its o

f se

rvic

e co

ntra

ct r

ealis

ed•

Cos

ts c

ontr

olle

d•

Cos

tly d

ispu

tes

and

poss

ible

litig

atio

nav

oide

d

Ris

k D

river

s

• U

ndet

ecte

d se

rvic

e de

grad

atio

n•

Inab

ility

to c

halle

nge

cost

s an

d se

rvic

equ

ality

• In

abili

ty to

opt

imis

e ch

oice

of

supp

liers

Take the following steps to test the outcome of the control objectives:
• For a sample of suppliers, assess if supplier records are aligned to the defined categorisation scheme used to identify and categorise all supplier relationships.
• Obtain and validate the list of supplier relationship criteria for completeness, and review suppliers’ records against the categorisation scheme used to identify and categorise all supplier relationships. Assess if supplier type, significance and criticality of services provided have been documented.
• Obtain a register of suppliers, and verify the accuracy of data through inspection of a sample of service contracts.
• Obtain a register of suppliers, and verify the accuracy of data. Consideration should be given to organisational changes or recent changes in the IT landscape that would require changes in the supplier relationship criteria.
• Determine if supplier documentation is sufficiently detailed to identify methods of communication, prioritisation of services and escalation procedures, minimum service levels, and operational objectives.
• Ascertain if documentation clearly delineates responsibilities between the service provider and the user organisation.
• Determine if service supplier documentation is centrally managed and maintained and if a process exists for the periodic review and updating of documents.
• Perform a detailed review of each third-party contract to determine the existence of qualitative and quantitative provisions confirming obligations, including provisions for co-ordinating and communicating the relationship between the provider and user of information services.
• Determine if policies exist for management’s periodic review of service supplier reporting, and select a sample of supplier reports for evidence of management’s review.
• Obtain and inspect service supplier incident reports for existence, and determine if incidents were categorised and escalated according to agreed-upon levels of severity and if they were tracked and communicated within the organisation until resolved. Reported incidents should include communication to supplier management and users of the services.
• Verify that goals and expected service levels are periodically reviewed to ensure that they continue to support current business requirements and that suggested changes are communicated clearly to service suppliers.
• Inspect the supplier register for assignment of a relationship manager, and obtain and inspect evidence of a service supplier communication process.
• Obtain and review contracts for existence of clauses relating to third-party reviews, and determine if management has obtained and reviewed reports from such reviews.
• For a sample of suppliers, inspect available documentation to determine if supplier risk has been considered and if identified risk has been addressed/mitigated.
• For a sample of supplier relationships, determine if the following have been addressed within the supplier contract:
– Security requirements
– Non-disclosure guarantees
– Right to access and right to audit
– Formal management and legal approval
– Legal entity providing services
– Services provided
– SLAs, both qualitative and quantitative
– Cost of services and frequency of payment for services
– Resolution of problem process
– Penalties for non-performance
– Dissolution process
– Modification process
– Reporting of service: content, frequency and distribution
– Roles between contracting parties during the life of the contract
– Continuity assurances that services will be provided by the vendor
– Communications process and frequency between the user of services and provider
– Duration of contract
– Level of access provided to vendor
– Regulatory requirements
• For a sample of suppliers, determine if services have been assessed for criticality to the organisation, and determine if continuity of services has been addressed within the supplier contract, including contingency planning by the supplier, to ensure continuous service to the organisation.
• For a sample of supplier relationships, determine if legal counsel and management approved the supplier contracts.
• Select a sample of supplier invoices, determine if they identify charges for contracted services, as specified within service contracts, and assess the reasonableness of charges compared to various internal, external and industry comparable performance.
• Inspect a sample of supplier service reports to determine if the supplier regularly reports on agreed-upon performance criteria and if performance reporting is objective, measurable and in alignment with defined SLAs and the supplier contract.

Take the following steps to document the impact of the control weaknesses:
• Through inquiry of user and IT management and benchmarking of the organisation to similarly sized organisations and organisations within the same industry, identify any supplier relationships that have been excluded from the supplier register. Consider the following supplier relationships:
– Private branch exchange (PBX) suppliers
– Paper and form suppliers
– Maintenance support suppliers
– Offsite data storage and hot-site services providers
– Service organisations providing data processing (e.g., ASP, co-location)
– External software developers and quality assurance
• Inquire of supplier management to ascertain if they are knowledgeable of the nature of the service supplier relationship and contracted services.
• Inspect a sample of service supplier billings for out-of-scope billings, and determine the involvement of supplier management in reviewing and approving the overage.
• For a sample of service suppliers, obtain the supplier’s reported performance metrics, and review for deviations from agreed-upon performance objectives. Determine if supplier management was aware of any deviations and the reasonableness of actions taken for deviation (e.g., establishment of action plan, service fee penalties for non-performance).
• For a sample of supplier relationships, determine if the level of services compares to the stated contractual obligations. For changes in the supplier relationships, determine if the risk assessments have been updated and if the supplier contract has been appropriately modified.
• Inspect a sample of supplier-reported performance metrics, and identify where performance objectives have not consistently been attained.
• Determine if management has identified and assessed the performance failures, and if an assessment has been performed, re-evaluate the relationship or evaluate the need for modifying the relationship.
• For supplier relationships with the greatest impact on the organisation, determine if contingency plans exist for the recovery or secondary sourcing of contracted services.
• Determine the availability of supplier third-party assessments (e.g., SAS No. 70, ISA 402 or attestation reports) or audit reports and whether management has received and reviewed the reports. For reported control deficiencies (i.e., report qualifications, testing exceptions), determine if management has discussed the deficiencies with the supplier and if an action plan has been implemented. Through review of past or subsequent reports, determine if the supplier promptly remediates control deficiencies.
• Determine if key suppliers are included in the annual risk assessment and audit planning process.
• Inspect a sample of supplier-reported performance metrics, and identify where performance objectives have not consistently been attained.
• Determine if management has identified and assessed the performance failures and if corrective action and a process for ongoing monitoring has been implemented.
• For a sample of service suppliers, obtain the supplier’s reported performance metrics, and review them for deviations from agreed-upon performance objectives.
• Determine if supplier management is aware of the deviation and the reasonableness of actions taken (e.g., establishment of action plan, service fee penalties for non-performance).

DS3 Manage Performance and Capacity

The need to manage performance and capacity of IT resources requires a process to periodically review current performance and capacity of IT resources. This process includes forecasting future needs based on workload, storage and contingency requirements. This process provides assurance that information resources supporting business requirements are continually available.

DS3.1 Performance and Capacity Planning

Control Objective
Establish a planning process for the review of performance and capacity of IT resources to ensure that cost-justifiable capacity and performance are available to process the agreed-upon workloads as determined by the SLAs. Capacity and performance plans should leverage appropriate modelling techniques to produce a model of the current and forecasted performance, capacity and throughput of the IT resources.

Value Drivers
• Efficient resource management by avoiding overhead costs
• Optimised system performance achieved through internal benchmarking
• Prediction of future performance and capacity requirements
• Ability to benchmark capacity amongst areas of the organisation and externally to identify improvements

Risk Drivers
• Unexpected incidents due to lack of capacity
• System availability faults due to a missing proactive resource capacity and performance planning
• Failure to meet business requirements due to outdated performance and capacity plans

Test the Control Design
• Enquire whether and confirm that a process or framework for developing, reviewing and adjusting a performance and capacity plan is defined.
• Enquire through interviews with key staff members involved in the development of the performance and capacity plan whether the appropriate elements (e.g., customer requirements, business requirements, cost, application performance requirements, scalability requirements) have been considered during development of the capacity plan.
• Enquire whether and confirm that the performance and capacity plan has been developed and is maintained.
• Inspect supporting documents to verify stakeholder involvement and to ensure that the plan has been recorded and is up to date.

DS3 Manage Performance and Capacity (cont.)

DS3.2 Current Performance and Capacity

Control Objective
Assess current performance and capacity of IT resources to determine if sufficient capacity and performance exist to deliver against agreed-upon service levels.

Value Drivers
• Efficient and effective IT resource management
• Improved performance and capacity planning
• System performance optimised by proactive performance and capacity planning

Risk Drivers
• Business disruptions
• SLAs not met
• Business requirements not met
• Under- or over-commitments on service delivery due to unknown capacity measures

Test the Control Design
• Enquire whether and confirm that system monitoring software has been implemented on the appropriate IT resources based on factors such as:
– Business criticality of the IT resource
– Requirements identified in the SLA
– Likelihood or historical tendency of the IT resource to experience performance or capacity issues
– Operational/financial/regulatory impact from performance or capacity issues
• Determine whether thresholds have been established and implemented on IT resources based on business requirements and SLAs. Examples of thresholds include:
– The call centre adding additional trunk capacity on inbound toll free lines when trunks are 80 percent busy
– Servers adding additional disk space when hard drives reach a specific capacity level
• Determine how incidents of inadequate performance are identified and tracked.
• Obtain trouble tickets and trace identified transactions through the system to determine if proper follow-up has occurred.
• Enquire of key staff members responsible for the organisation’s delivery with SLAs to determine how they monitor, track and report on IT resource capacity and performance metrics.
• Review operational reports that are provided to key stakeholders.

DS3 Manage Performance and Capacity (cont.)

DS3.3 Future Performance and Capacity

Control Objective
Conduct performance and capacity forecasting of IT resources at regular intervals to minimise the risk of service disruptions due to insufficient capacity or performance degradation, and identify excess capacity for possible redeployment. Identify workload trends and determine forecasts to be input to performance and capacity plans.

Value Drivers
• Optimised usage of IT resources
• Forecasted business demands on the IT infrastructure
• Improved performance and capacity planning

Risk Drivers
• Leveraged service levels not provided to the business
• System unavailability due to failing IT resources
• High processing loads not met by the systems

Test the Control Design
• Confirm (by interviewing key staff members and inspecting process documentation and reports) the use of appropriate tools, techniques and processes to perform the following:
– Measuring actual performance and capacity
– Performing reviews of capacity usage, bandwidth (e.g., network and trunk utilisation reports) and performance reports
– Comparing actual vs. forecasted demand of resources
– Involving management in reviewing forecasting reports and discussing any variances
• Inspect documents that measure actual IT resource performance with expected capacity and performance.
• Determine how variances in actuals vs. baselines/models are used in revising forecasting models, and ensure that an analysis is periodically performed in a timely manner.
• Enquire of key staff members whether they are knowledgeable of the capacity planning process and how they are made aware of new business requirements that may require changes to applications, servers or other IT resources.
• Confirm with key staff members the process for co-ordinating the planning and acquisition of IT resources when dictated by forecasting models.
• Review a representative sample of SLAs and OLAs and the capacity plan for regular adjustments necessitated by the reviews of forecasted performance and capacity usage.

DS3 Manage Performance and Capacity (cont.)

DS3.4 IT Resources Availability

Control Objective
Provide the required capacity and performance, taking into account aspects such as normal workloads, contingencies, storage requirements and IT resource life cycles. Provisions such as prioritising tasks, fault-tolerance mechanisms and resource allocation practices should be made. Management should ensure that contingency plans properly address availability, capacity and performance of individual IT resources.

Value Drivers
• Effective IT resource utilisation
• Service levels meeting the business requirements
• Effective IT resource availability management

Risk Drivers
• System unavailability due to failing IT resources
• Inability to predict availability and serviceability of IT services
• Unexpected outages of IT services

Test the Control Design
• Enquire of key staff members about the process to obtain, review and implement vendor requirements, and confirm that the current capacity and performance capabilities have incorporated the vendor requirements.
• Inspect vendor documentation to validate that it specifies vendor requirements and recommendations for minimal and optimal IT resource capacity and performance.
• Enquire of management for known performance and capacity gaps.
• Compare this information with the results of current performance monitoring and forecasted capacity requirements.
• Verify whether there is a prioritised list of activities to be supported by the IT applications.
• Verify that the capacity plan has been updated with corrective actions.
• Verify whether the planning processes (PO2-PO3) have received the updated capacity plan for their input.
• Verify whether corrective actions have been duly processed by the change management process.
• Enquire of key staff members about the process to correct performance and capacity issues.
• Obtain trouble tickets and trace identified transactions (i.e., adding additional systems, shifting processing workloads to alternative servers) through the system to determine if proper corrective action has been performed.
• Inspect the escalation procedures related to IT resource performance issues.
• Enquire of key staff members whether emergency problems have occurred in the recent past, verify compliance to the procedure and determine whether it was effective.

DS3 Manage Performance and Capacity (cont.)

DS3.5 Monitoring and Reporting

Control Objective
Continuously monitor the performance and capacity of IT resources. Data gathered should serve two purposes:
• To maintain and tune current performance within IT and address such issues as resilience, contingency, current and projected workloads, storage plans, and resource acquisition
• To report delivered service availability to the business, as required by the SLAs
Accompany all exception reports with recommendations for corrective action.

Value Drivers
• Issues identified impacting effective service delivery
• Baselined service levels identifying gaps in expectations
• Increased IT resource utilisation for improved service delivery

Risk Drivers
• Lack of performance monitoring
• Service failing to meet the expected quality
• Deviations not identified in a timely manner, thus impacting the service quality

Test the Control Design
• Enquire through interviews with key staff members involved whether a process for gathering data (e.g., IT resource requirements, capacity, availability, utilisation, recommendations on resource allocation, prioritisation) to aid management has been established.
• Enquire through interviews with management whether monitoring and reporting activities are formalised and integrated.
• Trace feedback of monitoring and reporting results to capacity planning and performance activities.
• Enquire whether and confirm that capacity reports are fed into the strategic IT planning and budgeting process.

Take the following steps to test the outcome of the control objectives:
• Inspect IT resource performance and capacity planning documentation to identify if the planning process:
– Requires the inclusion of key metrics to be derived from SLAs
– Factors in business requirements, technical requirements and cost considerations
– Includes models of current and forecasted performance and capacity
– Involves the documentation of approvals from stakeholders
– Involves the continuous monitoring and reporting of IT
• Inspect IT resource uptime and utilisation reports to determine whether current IT capabilities are adequate.
• Enquire whether and confirm that benchmarking studies are performed to identify how competitors in similar industries are addressing performance and capacity forecasting.
• Inspect documentation that provides IT resource availability information on areas such as:
– Storage requirements and current capacity
– Fault tolerance and redundancy
– Reallocation of IT resources to address availability, capacity and performance issues
• Enquire of key staff members on whether monitoring processes exist and are reported on to manage the performance, capacity and allocation of IT resources.
• Inspect performance reporting documents to verify that appropriate information is provided to management on a periodic basis.
• Verify that performance and availability plans are used in budgeting processes and for improvements to the information architecture.

Take the following steps to document the impact of the control weaknesses:
• Inspect incident reports and enquire of key staff members whether any outages are consistently being caused by capacity or performance issues.
• Enquire of key staff members responsible for maintaining IT resources to determine whether they are informed of changes to business requirements and SLAs that impact capacity and performance.

DS4 Ensure Continuous Service

The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilising offsite backup storage and providing periodic continuity plan training. An effective continuous service process minimises the probability and impact of a major IT service interruption on key business functions and processes.

DS4.1 IT Continuity Framework

Control Objective
Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans. The framework should address the organisational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes that create the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address items such as the identification of critical resources, noting key dependencies, the monitoring and reporting of the availability of critical resources, alternative processing, and the principles of backup and recovery.

Value Drivers
• Continuous service across IT
• Consistent, documented IT continuity plans
• Governed services for business needs
• Achieved short- and long-range objectives supporting the organisation’s objectives

Risk Drivers
• Insufficient continuity practices
• IT continuity services not managed properly
• Increased dependency on key individuals

Test the Control Design
• Enquire whether and confirm that an enterprisewide business continuity management process is designed and approved by executive-level management.
• Inspect the current business impact analysis and determine whether continuity planning has resulted in clear positioning of required resources to recover the business operations during a disruption.
• Inspect the business continuity framework to confirm that it includes all the elements required to resume business processing in the event of a business interruption (consider accountability, communication, escalation plan, recovery strategies, IT and business service levels, and emergency procedures).

Page 170: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT

I T G O V E R N A N C E I N S T I T U T E170

DS4.2 IT Continuity Plans

Control Objective
Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

Value Drivers
• Continuous service across IT, addressing the requirements for critical IT resources
• Defined and documented guidelines, roles and responsibilities
• Achieved short- and long-range objectives supporting the organisation’s objectives

Risk Drivers
• Failure to recover IT systems and services in a timely manner
• Failure of alternative decision-making processes
• Lack of required recovery resources
• Failed communication to internal and external stakeholders

DS4 Ensure Continuous Service (cont.)

Test the Control Design
• Confirm that business continuity plans exist for all key business functions and processes.
• Review an appropriate sample of business continuity plans and confirm that each plan:
– Is designed to establish the resilience, alternative processing and recovery capability in line with service commitments and availability targets
– Defines roles and responsibilities
– Includes communication processes
– Defines the minimum acceptable recovery configuration
• Obtain the overall testing strategy for business continuity plans and evidence that tests are being executed with the agreed-upon frequency.
• Review the outcome of testing, and ensure that resulting actions are followed up.

Page 171: USING COBIT - csbweb01.uncw.edu


APPENDIX IV

Test the Control Design
• Obtain a list of business functions with their respective business criticality, and ensure that continuity plans exist for the most critical business functions, supporting processes and resources.
• Review the plans to ensure that they are designed (and tested) to meet business objectives and legal and regulatory requirements.
• Determine how consistency between plans is ensured.

Test the Control Design
• Enquire whether and confirm that all copies of the IT continuity plan are updated with revisions and are stored on- and offsite.
• Enquire whether and confirm that all critical changes to IT resources are communicated to the continuity manager for update of the IT continuity plan.
• Enquire whether and confirm that changes to the continuity plan are made at intervals appropriate for the triggers and follow accepted change control procedures.

DS4.3 Critical IT Resources

Control Objective
Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritised business needs, while ensuring that costs are kept at an acceptable level and complying with regulatory and contractual requirements. Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.

Value Drivers
• Cost management for continuity
• Effective management of critical IT resources
• Prioritised recovery management

Risk Drivers
• Unavailability of critical IT resources
• Increased costs for continuity management
• Prioritisation of services recovery not based on business needs

DS4 Ensure Continuous Service (cont.)

DS4.4 Maintenance of the IT Continuity Plan

Control Objective
Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner.

Value Drivers
• Appropriate IT continuity plans supporting the organisation’s objectives
• Change control procedures for IT continuity plans
• Familiarity of IT continuity plans for appropriate individuals

Risk Drivers
• Inappropriate recovery plans
• Plans failing to reflect changes to business needs and technology
• Lack of change control procedures
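DS4.1 asks the continuity framework to note key dependencies between critical resources, and DS4.3 asks that recovery be prioritised by tier (one to four hours, four to 24 hours, more than 24 hours). The script below is an added example, not code from the ITGI guide: it turns a constructed list of resources with recovery time objectives and dependencies into a recovery order that restores dependencies first and faster tiers first, and it flags the planning inconsistency DS4.3 is meant to catch, a resource whose own dependency sits in a slower tier. The resource names, RTO values and dependencies are constructed sample data.

```python
"""Recovery ordering for critical IT resources by tier (DS4.3) and dependency (DS4.1).

Added example; resource names, RTOs and dependencies below are constructed.
"""

# Tier boundaries in hours, following the tiers named in DS4.3:
# one to four hours, four to 24 hours, more than 24 hours.
TIER_LABELS = {1: "1-4h", 2: "4-24h", 3: ">24h"}


def tier_for(rto_hours):
    """Map a recovery time objective in hours to a DS4.3 tier number (1 is fastest)."""
    if rto_hours <= 4:
        return 1
    if rto_hours <= 24:
        return 2
    return 3


# Constructed sample: resource -> (RTO in hours, list of resources it depends on)
RESOURCES = {
    "payments-app": (2, ["core-db", "auth"]),
    "core-db":      (2, ["san"]),
    "auth":         (4, ["directory"]),
    "directory":    (24, []),        # slower tier than 'auth', which depends on it
    "san":          (1, []),
    "reporting":    (48, ["core-db"]),
}


def tier_conflicts(resources):
    """Return (dependent, dependency) pairs where the dependency's tier is slower
    than the dependent's. Such a dependent cannot meet its RTO, so either the
    dependency must be promoted or the dependent's RTO is unrealistic."""
    conflicts = []
    for name, (rto, deps) in resources.items():
        for dep in deps:
            if tier_for(resources[dep][0]) > tier_for(rto):
                conflicts.append((name, dep))
    return sorted(conflicts)


def recovery_order(resources):
    """Topological order of recovery: a resource is restored only after all of
    its dependencies; among resources that are ready, the fastest tier goes
    first, then the shortest RTO, then the name. Raises on a dependency cycle."""
    remaining = dict(resources)
    order = []
    while remaining:
        ready = [n for n, (_, deps) in remaining.items()
                 if all(d in order for d in deps)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        ready.sort(key=lambda n: (tier_for(remaining[n][0]), remaining[n][0], n))
        chosen = ready[0]
        order.append(chosen)
        del remaining[chosen]
    return order


if __name__ == "__main__":
    for name in recovery_order(RESOURCES):
        rto = RESOURCES[name][0]
        print("%-13s tier %s (RTO %dh)" % (name, TIER_LABELS[tier_for(rto)], rto))
    for dependent, dependency in tier_conflicts(RESOURCES):
        print("conflict: %s depends on %s, which is in a slower tier" % (dependent, dependency))
```

With the sample data the order is san, core-db, directory, auth, payments-app, reporting, and one conflict is reported: auth (1-4h) depends on directory (4-24h). The check is deliberately strict about tiers rather than raw hours, matching the way DS4.3 groups resources.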

Page 172: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Enquire whether and confirm that IT continuity tests are scheduled and completed on a regular basis after changes to the IT infrastructure or business and related applications.
• Ensure that new components and updates are included in the schedule.
• Enquire whether and confirm that a detailed test schedule has been created and includes testing details and event chronology to ensure a logical and real sequence of occurring interruptions.
• Enquire whether and confirm that a test task force has been established, and the members are not key personnel defined in the plan and the reporting is appropriate.
• Enquire through interviews with key staff members whether debriefing events occur and, within these events, whether failures are analysed and solutions are developed.
• Enquire through interviews with key staff members whether alternative means are evaluated when testing is not feasible.
• Enquire whether and confirm that success or failure of the test is measured and reported and the consequential change is made to the IT continuity plan.
• Review results and evaluate how the results are reviewed to determine operating effectiveness.

Test the Control Design
• Enquire through interviews with key staff members whether regular training is performed.
• Enquire whether and confirm that training needs and schedules are assessed and updated regularly.
• Review schedules and training material to determine operating effectiveness.
• Enquire through interviews with key staff members whether IT continuity awareness programmes are being performed on all levels.

DS4.5 Testing of the IT Continuity Plan

Control Objective
Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.

Value Drivers
• Effective recovery of IT systems
• Staff experienced in the recovery processes for IT systems
• Upgraded plans overcoming shortcomings in the restoration of systems

Risk Drivers
• Shortcomings in recovery plans
• Outdated recovery plans that do not reflect the current architecture
• Inappropriate recovery steps and processes
• Inability to effectively recover should real disaster occur

DS4 Ensure Continuous Service (cont.)

DS4.6 IT Continuity Plan Training

Control Objective
Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests.

Value Drivers
• Staff experienced in the recovery processes for IT systems
• Staff trained in the recovery processes
• Scheduled training for all responsible staff members
• Training plans updated to reflect the results of the contingency tests

Risk Drivers
• Outdated training schedules
• Failure to recover as expected due to inadequate or outdated training

Page 173: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Enquire whether and confirm that a distribution list for the IT continuity plan is created, defined and maintained. Review whether the need-to-know principles have been maintained during development of the list.
• Obtain the distribution procedure from management.
• Evaluate the procedure and verify compliance.
• Enquire whether and confirm that all digital and physical copies of the plan are protected in an appropriate manner and that the documents are accessible only by authorised personnel.

DS4 Ensure Continuous Service (cont.)

Test the Control Design
• Obtain a copy of the incident handling procedure, and ensure that it includes steps for damage assessment as well as formal decision points and thresholds to activate continuity plans.
• Review IT recovery plans, and confirm that they meet business requirements.

DS4.7 Distribution of the IT Continuity Plan

Control Objective
Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorised interested parties when and where needed. Attention should be paid to making the plans accessible under all disaster scenarios.

Value Drivers
• Staff experienced in the recovery processes for IT systems
• Staff trained in the recovery processes
• Plans available and accessible to all affected parties

Risk Drivers
• Confidential information in the plans compromised
• Plans not accessible to all required parties
• Upgrades of the plan not performed in a timely manner due to uncontrolled distribution strategies

DS4.8 IT Services Recovery and Resumption

Control Objective
Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and the necessary technology investments to support business recovery and resumption needs.

Value Drivers
• Minimised recovery times
• Minimised recovery costs
• Prioritised recovery of business-critical tasks

Risk Drivers
• Shortcomings in recovery plans
• Inappropriate recovery steps and processes
• Failure to recover business-critical systems and services in a timely manner

Page 174: USING COBIT - csbweb01.uncw.edu


DS4 Ensure Continuous Service (cont.)

Test the Control Design
• Enquire whether and confirm that data are protected when they are taken offsite, whilst they are in transport and when they are at the storage location.
• Enquire whether and confirm that the backup facilities are not subject to the same risks as the primary site.
• Enquire whether and confirm that regular testing is performed to ensure the quality of the backups and media.
• Review testing procedures to determine operating effectiveness.
• Verify that the backup media contain all information required by the IT continuity plan, e.g., by comparing the contents of the backups and/or the restored systems with the operational systems.
• Enquire whether and confirm that sufficient recovery instructions and labelling exist.
• Enquire whether and confirm that an inventory of backups and media exists, and verify its correctness.

DS4.9 Offsite Backup Storage

Control Objective
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond to the data classification policy and the enterprise’s media storage practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Ensure compatibility of hardware and software to restore archived data, and periodically test and refresh archived data.

Value Drivers
• Availability of backup data in the event of physical destruction of hardware
• Offsite data consistently managed throughout the organisation
• Appropriate protection of offsite storage

Risk Drivers
• Unavailability of backup data and media due to missing documentation in offsite storage
• Loss of data due to disaster
• Accidental destruction of backup data
• Inability to locate backup tapes when needed

Test the Control Design
• Enquire whether and confirm that the shortcomings of the plan have been highlighted and post-recovery meetings discussing opportunities for improvement are performed.
• Review plans, policies and procedures to determine operating effectiveness.

DS4.10 Post-resumption Review

Control Objective
Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.

Value Drivers
• Updated recovery plans
• Objectives met by the recovery plans
• Adequate resumption plans according to business needs

Risk Drivers
• Inappropriate recovery plans
• Recovery plans failing to meet business needs
• Objectives not met by the recovery plans
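The DS4.9 test step above asks the assurance professional to verify that backup media contain everything the IT continuity plan requires, for example by comparing the restored system with the operational one. The script below is an added example, not code from the ITGI guide: it builds a SHA-256 manifest of each file tree and reports, against a constructed list of files the plan requires, which files are missing from the restore, which were restored with different content (a stale backup), and which the plan names but the operational system no longer has. The directory trees, file names and required-file list are constructed sample data created in a temporary directory; in practice the two manifests would be produced on the production host and on the restored host and compared offline.

```python
"""Backup content verification (DS4.9: compare restored systems with operational ones).

Added example; the two file trees and the required-file list are constructed.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256 hex digest.
    Symlinks are skipped so that a link cannot stand in for missing content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare_manifests(operational, restored, required):
    """Report on the files the continuity plan requires:
    missing  - present on the operational system but absent from the restore
    changed  - restored, but with different content (stale or corrupt backup)
    unknown  - named by the plan but not on the operational system either,
               meaning plan and reality have drifted apart (DS4.4)"""
    missing = sorted(p for p in required if p in operational and p not in restored)
    changed = sorted(p for p in required
                     if p in operational and p in restored
                     and operational[p] != restored[p])
    unknown = sorted(p for p in required if p not in operational)
    return {"missing": missing, "changed": changed, "unknown": unknown,
            "ok": not (missing or changed or unknown)}


def _write(root, rel, data):
    """Helper for the constructed sample: create rel under root with content data."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: an operational tree and a restore that lost one file
    and carries a stale copy of another. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = os.path.join(tmp, "prod")
        rest = os.path.join(tmp, "restored")
        _write(prod, "etc/app.conf", b"listen=443\n")
        _write(prod, "data/ledger.db", b"ledger-v2")
        _write(prod, "data/keys/api.key", b"constructed-key-material")
        _write(rest, "etc/app.conf", b"listen=443\n")
        _write(rest, "data/ledger.db", b"ledger-v1")      # stale copy
        # data/keys/api.key deliberately not restored
        required = ["etc/app.conf", "data/ledger.db", "data/keys/api.key",
                    "data/audit.log"]  # audit.log is in the plan but never existed
        return compare_manifests(build_manifest(prod), build_manifest(rest), required)


if __name__ == "__main__":
    report = demo()
    for key in ("missing", "changed", "unknown"):
        for path in report[key]:
            print("%-8s %s" % (key, path))
    print("backup complete:", report["ok"])
```

The "unknown" category matters as much as the other two for an assurance review: a plan that still lists files the production system no longer holds is the DS4.4 maintenance failure made visible.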

Page 175: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Determine the management level for establishing the continuity framework to support enterprisewide business processing recovery processes.
• Determine the components defined to address the IT continuity accountabilities and responsibilities for supporting the business strategy in response to a business disruption.
• Assess the IT continuity plans for recovery strategies and required service levels to meet the business processing objectives.
• Determine the effectiveness of the communications plan created to ensure the safety of all affected parties and co-ordination with public authorities.
• Assess the guidelines, roles and responsibilities achieving recovery of short- and long-range business processing requirements.
• Assess whether IT continuity planning training is provided on a periodic basis.

Take the following steps to document the impact of the control weaknesses:
• Assess whether the IT continuity services sufficiently support achieving business processing services to meet short- and long-range organisation objectives.
• Assess the framework to determine whether the planning invokes dependencies on key individuals rather than prioritisation of recovery strategies.
• Assess the impact on business processing in the event IT systems are not recovered in a timely manner without an alternative decision-making process.
• Determine the business impact required if recovery resources are not available and there is no ability to communicate with internal and external stakeholders.
• Enquire of management whether IT disruptions were prolonged as a result of untrained staff members who did not follow IT continuity planning procedures.

Page 176: USING COBIT - csbweb01.uncw.edu

DS5 Ensure Systems Security

The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents. Effective security management protects all IT assets to minimise the business impact of security vulnerabilities and incidents.


Test the Control Design
• Determine if a security steering committee exists, with representation from key functional areas, including internal audit, HR, operations, IT security and legal.
• Determine if a process exists to prioritise proposed security initiatives, including required levels of policies, standards and procedures.
• Enquire whether and confirm that an information security charter exists.
• Review and analyse the charter to verify that it refers to the organisational risk appetite relative to information security and that the charter clearly includes:
– Scope and objectives of the security management function
– Responsibilities of the security management function
– Compliance and risk drivers
• Enquire whether and confirm that the information security policy covers the responsibilities of board, executive management, line management, staff members and all users of the enterprise IT infrastructure and that it refers to detailed security standards and procedures.
• Enquire whether and confirm that a detailed security policy, standards and procedures exist. Examples of policies, standards and procedures include:
– Security compliance policy
– Management risk acceptance (security non-compliance acknowledgement)
– External communications security policy
– Firewall policy
– E-mail security policy
– An agreement to comply with IS policies
– Laptop/desktop computer security policy
– Internet usage policy
• Enquire whether and confirm that an adequate organisational structure and reporting line for information security exist, and assess if the security management and administration functions have sufficient authority.
• Enquire whether and confirm that a security management reporting mechanism exists that informs the board, business and IT management of the status of information security.

DS5.1 Management of IT Security

Control Objective
Manage IT security at the highest appropriate organisational level, so the management of security actions is in line with business requirements.

Value Drivers
• Critical IT assets protected
• IT security strategy supporting business needs
• IT security strategy aligned with the overall business plan
• Appropriately implemented and maintained security practices consistent with applicable laws and regulations

Risk Drivers
• Lack of IT security governance
• Misaligned IT and business objectives
• Unprotected data and information assets

Page 177: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Determine the effectiveness of the collection and integration of information security requirements into an overall IT security plan that is responsive to the changing needs of the organisation.
• Verify that the IT security plan considers IT tactical plans (PO1), data classification (PO2), technology standards (PO3), security and control policies (PO6), risk management (PO9), and external compliance requirements (ME3).
• Determine if a process exists to periodically update the IT security plan, and if the process requires appropriate levels of management review and approval of changes.
• Determine if enterprise information security baselines for all major platforms are commensurate with the overall IT security plan, if the baselines have been recorded in the configuration baseline (DS9) central repository, and if a process exists to periodically update the baselines based on changes in the plan.
• Determine if the IT security plan includes the following:
– A complete set of security policies and standards in line with the established information security policy framework
– Procedures to implement and enforce the policies and standards
– Roles and responsibilities
– Staffing requirements
– Security awareness and training
– Enforcement practices
– Investments in required security resources
• Determine if a process exists to integrate information security requirements and implementation advice from the IT security plan into other processes, including the development of SLAs and OLAs (DS1-DS2), automated solution requirements (AI1), application software (AI2), and IT infrastructure components (AI3).

DS5.2 IT Security Plan

Control Objective
Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

Value Drivers
• The IT security plan satisfying business requirements and covering all risks to which the business is exposed
• Investments in IT security managed in a consistent manner to enable the security plan
• Security policies and procedures communicated to stakeholders and users
• Users aware of the IT security plan

Risk Drivers
• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users

DS5 Ensure Systems Security (cont.)

Page 178: USING COBIT - csbweb01.uncw.edu


Test

the

Con

trol

Des

ign

• D

eter

min

e if

pro

cedu

res

exis

t to

peri

odic

ally

ass

ess

and

rece

rtif

y sy

stem

and

app

licat

ion

acce

ss a

nd a

utho

ritie

s.•

Det

erm

ine

if a

cces

s co

ntro

l pro

cedu

res

exis

t to

cont

rol a

nd m

anag

e sy

stem

and

app

licat

ion

righ

ts a

nd p

rivi

lege

s ac

cord

ing

to th

e or

gani

satio

n’s

secu

rity

pol

icie

s an

dco

mpl

ianc

e an

d re

gula

tory

req

uire

men

ts.

• D

eter

min

e if

sys

tem

s, a

pplic

atio

ns a

nd d

ata

have

bee

n cl

assi

fied

by

leve

ls o

f im

port

ance

and

ris

k, a

nd if

pro

cess

ow

ners

hav

e be

en id

entif

ied

and

assi

gned

.•

Det

erm

ine

if u

ser

prov

isio

ning

pol

icie

s, s

tand

ards

and

pro

cedu

res

exte

nd to

all

syst

em u

sers

and

pro

cess

es, i

nclu

ding

ven

dors

, ser

vice

pro

vide

rs a

nd b

usin

ess

part

ners

.

Test

the

Con

trol

Des

ign

• D

eter

min

e if

sec

urity

pra

ctic

es r

equi

re u

sers

and

sys

tem

pro

cess

es to

be

uniq

uely

iden

tifia

ble

and

syst

ems

to b

e co

nfig

ured

to e

nfor

ce a

uthe

ntic

atio

n be

fore

acc

ess

isgr

ante

d.•

If p

rede

term

ined

and

pre

appr

oved

rol

es a

re u

tilis

ed to

gra

nt a

cces

s, d

eter

min

e if

the

role

s cl

earl

y de

linea

te r

espo

nsib

ilitie

s ba

sed

on le

ast p

rivi

lege

s an

d en

sure

that

the

esta

blis

hmen

t and

mod

ific

atio

n of

rol

es a

re a

ppro

ved

by p

roce

ss o

wne

r m

anag

emen

t.•

Det

erm

ine

if a

cces

s pr

ovis

ioni

ng a

nd a

uthe

ntic

atio

n co

ntro

l mec

hani

sms

are

utili

sed

for

cont

rolli

ng lo

gica

l acc

ess

acro

ss a

ll us

ers,

sys

tem

pro

cess

es a

nd I

T r

esou

rces

, for

in-h

ouse

and

rem

otel

y m

anag

ed u

sers

, pro

cess

es a

nd s

yste

ms.

• U

naut

hori

sed

chan

ges

to h

ardw

are

and

soft

war

e• A

cces

s m

anag

emen

t fai

ling

busi

ness

requ

irem

ents

and

com

prom

isin

g th

ese

curi

ty o

f bu

sine

ss-c

ritic

al s

yste

ms

• U

nspe

cifi

ed s

ecur

ity r

equi

rem

ents

for

all s

yste

ms

• Se

greg

atio

n-of

-dut

y vi

olat

ions

• C

ompr

omis

ed s

yste

m in

form

atio

n

DS5.3 Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

Value drivers:
• Effective implementation of changes
• Proper investigation of improper access activity
• Secure communication ensuring approved business transactions

Value Drivers | Control Objective | Risk Drivers

DS5 Ensure Systems Security (cont.)


DS5.4 User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.

Value drivers:
• Consistently managed and administered user accounts
• Rules and regulations for all kinds of users
• Timely discovery of security incidents
• Protection of IT systems and confidential data from unauthorised users

Risk drivers:
• Security breaches
• Users failing to comply with security policy
• Incidents not solved in a timely manner
• Failure to terminate unused accounts in a timely manner, thus impacting corporate security

Page 179: USING COBIT - csbweb01.uncw.edu


APPENDIX IV

Test the Control Design
• Enquire whether and confirm that an inventory of all network devices, services and applications exists and that each component has been assigned a security risk rating.
• Determine if security baselines exist for all IT utilised by the organisation.
• Determine if all organisation-critical, higher-risk network assets are routinely monitored for security events.
• Determine if the IT security management function has been integrated within the organisation’s project management initiatives to ensure that security is considered in development, design and testing requirements, to minimise the risk of new or existing systems introducing security vulnerabilities.

DS5.5 Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

Value drivers:
• Staff experienced in security testing and monitoring of IT systems
• Regularly reviewed security level
• Deviations from business requirements highlighted
• Security breaches detected proactively

Risk drivers:
• Misuse of users’ accounts, compromising organisational security
• Undetected security breaches
• Unreliable security logs


DS5 Ensure Systems Security (cont.)

Page 180: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Determine if a computer emergency response team (CERT) exists to recognise and effectively manage security emergencies. The following areas should exist as part of an effective CERT process:
– Incident handling—General and specific procedures and other requirements to ensure effective handling of incidents and reported vulnerabilities
– Vendor relations—The role and responsibilities of vendors in incident prevention and follow-up, software flaw correction, and other areas
– Communications—Requirements, implementation and operation of emergency and routine communications channels amongst key members of management
– Legal and criminal investigative issues—Issues driven by legal considerations and the requirements or constraints resulting from the involvement of criminal investigative organisations during an incident
– Constituency relations—Response centre support services and methods of interaction with constituents, including training and awareness, configuration management, and authentication
– Research agenda and interaction—Identification of existing research activities and requirements and rationale for needed research relating to response centre activities
– Model of the threat—Development of a basic model that characterises potential threats and risks to help focus risk reduction activities and progress in those activities
– External issues—Factors that are outside the direct control of the company (e.g., legislation, policy, procedural requirements) but that could affect the operation and effectiveness of the company’s activities
• Determine if the security incident management process appropriately interfaces with key organisation functions, including the help desk, external service providers and network management.
• Evaluate if the security incident management process includes the following key elements:
– Event detection
– Correlation of events and evaluation of threat/incident
– Resolution of threat, or creation and escalation work order
– Criteria for initiating the organisation’s CERT process
– Verification and required levels of documentation of the resolution
– Post-remediation analysis
– Work order/incident closure

DS5 Ensure Systems Security (cont.)

DS5.6 Security Incident Definition
Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.

Value drivers:
• Proactive security incident detection
• Reporting of security breaches on a defined and documented level
• Identified ways of communication for security incidents

Risk drivers:
• Undetected security breaches
• Lack of information for performing counterattacks
• Missing classification of security breaches


Page 181: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Enquire whether and confirm that policies and procedures have been established to address security breach consequences (specifically to address controls to configuration management, application access, data security and physical security requirements).
• Inspect the control records granting and approving access and logging unsuccessful attempts, lockouts, authorised access to sensitive files and/or data, and physical access to facilities.
• Enquire whether and confirm that the security design features facilitate password rules (e.g., maximum length, characters, expiration, reuse).
• Enquire whether and confirm that the control requires annual management reviews of security features for physical and logical access to files and data.
• Verify that access is authorised and appropriately approved.
• Inspect security reports generated from system tools preventing network penetration vulnerability attacks.

DS5.7 Protection of Security Technology
Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.

Value drivers:
• Corporate security technology protected
• Reliable information secured
• Corporate assets protected

Risk drivers:
• Exposure of information
• Breach of trust with other organisations
• Violations of legal and regulatory requirements

DS5 Ensure Systems Security (cont.)

Page 182: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Determine if a defined key life cycle management process exists. The process should include:
– Minimum key sizes required for the generation of strong keys
– Use of required key generation algorithms
– Identification of required standards for the generation of keys
– Purposes for which keys should be used and restricted
– Allowable usage periods or active lifetimes for keys
– Acceptable methods of key distribution
– Key backup, archival and destruction
• Assess if controls over private keys exist to enforce their confidentiality and integrity. Consideration should be given to the following:
– Storage of private signing keys within secure cryptographic devices (e.g., FIPS 140-1, ISO 15782-1, ANSI X9.66)
– Private keys not exported from a secure cryptographic module
– Private keys backed up, stored and recovered only by authorised personnel using dual control in a physically secured environment
• Enquire whether and confirm that the organisation has implemented information classification and associated protective controls for information that account for the organisation’s needs for sharing or restricting information and the organisational impacts associated with such needs.
• Determine if procedures are defined to ensure that information labelling and handling is performed in accordance with the organisation’s information classification scheme.

DS5 Ensure Systems Security (cont.)

DS5.8 Cryptographic Key Management
Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.

Value drivers:
• Defined and documented key management
• Keys handled in a secure manner
• Secure communication

Risk drivers:
• Keys misused by unauthorised parties
• Registration of non-verified users, thus compromising system security
• Unauthorised access to cryptographic keys

Page 183: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Enquire whether and confirm that a malicious software prevention policy is established, documented and communicated throughout the organisation.
• Ensure that automated controls have been implemented to provide virus protection and that violations are appropriately communicated.
• Enquire of key staff members whether they are aware of the malicious software prevention policy and their responsibility for ensuring compliance.
• From a sample of user workstations, observe whether a virus protection tool has been installed and includes virus definition files and the last time the definitions were updated.
• Enquire whether and confirm that the protection software is centrally distributed (version and patch-level) using a centralised configuration and change management process.
• Review the distribution process to determine the operating effectiveness.
• Enquire whether and confirm that information on new potential threats is regularly reviewed and evaluated and, as necessary, manually updated to the virus definition files.
• Review the review and evaluation process to determine operating effectiveness.
• Enquire whether and confirm that incoming e-mail is filtered appropriately against unsolicited information.
• Review the filtering process to determine operating effectiveness, or review the automated process established for filtering purposes.

DS5 Ensure Systems Security (cont.)

DS5.9 Malicious Software Prevention, Detection and Correction
Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

Value drivers:
• System security ensured by proactive malware protection
• Ensured system integrity
• Timely detection of security threats

Risk drivers:
• Exposure of information
• Violations of legal and regulatory requirements
• Systems and data that are prone to virus attacks
• Ineffective countermeasures

Page 184: USING COBIT - csbweb01.uncw.edu


Test the Control Design
• Enquire whether and confirm that data transmissions outside the organisation require encrypted format prior to transmission.
• Enquire whether and confirm that corporate data are classified according to exposure level and classification scheme (e.g., confidential, sensitive).
• Enquire whether and confirm that sensitive data processing is controlled through application controls that validate the transaction prior to transmission.
• Review that the application logs or halts processing for invalid or incomplete transactions.

Test the Control Design
• Enquire whether and confirm that a network security policy (e.g., provided services, allowed traffic, types of connections permitted) has been established and is maintained.
• Enquire whether and confirm that procedures and guidelines for administering all critical networking components (e.g., core routers, DMZ, VPN switches) are established and updated regularly by the key administration personnel, and changes to the documentation are tracked in the document history.

DS5.10 Network Security
Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.

Value drivers:
• Corporate security technology protected
• Reliable information secured
• Corporate assets protected
• Network security managed in a consistent manner

Risk drivers:
• Failure of firewall rules to reflect the organisation’s security policy
• Undetected unauthorised modifications to firewall rules
• Compromised overall security architecture
• Security breaches not detected in a timely manner

DS5 Ensure Systems Security (cont.)

DS5.11 Exchange of Sensitive Data
Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.

Value drivers:
• Trusted ways of communications
• Reliable information exchange
• System and data integrity safeguarded

Risk drivers:
• Sensitive information exposed
• Inadequate physical security measures
• Unauthorised external connections to remote sites
• Disclosure of corporate assets and sensitive information accessible for unauthorised parties

Page 185: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Through inquiry and observation, determine if the security management function effectively interacts with key enterprise functions, including areas such as risk management, compliance and audit.
• Review the process for identifying and responding to security incidents, selecting a sample of recorded incidents. Through inquiry and review of supporting documentation, determine whether appropriate management action has been taken to resolve the incident.
• Select a sample of employees and determine if computer usage and confidentiality (non-disclosure) agreements have been signed as part of their initial terms and conditions of employment.
• Review the IT security strategy, plans, policies and procedures to determine their relevance to the organisation’s current IT landscape, and determine when they were last reviewed and updated.
• Review the IT security strategy, plans, policies and procedures, and verify that they reflect the data classification.
• Interview stakeholders and users on their knowledge of the IT security strategy, plans, policies and procedures, and determine if stakeholders and users find them to be relevant to risks and organisational practices.
• Ask executive management about any recent or planned changes to the organisation (e.g., business unit acquisitions/dispositions, new systems, changes in regulatory environment), and determine if the IT security plan is properly aligned.
• Determine if security processes have been implemented to uniquely identify and control the actions of all users and processes through review of system (development, test and production systems) and application accounts, job queues and services, and security software mode settings.
• Through a sample of access control lists (ACLs), determine whether the security provisioning process appropriately considers the following:
– Sensitivity of the information and applications involved (data classification)
– Policies for information protection and dissemination (legal, regulatory and contractual requirements)
– The ‘need-to-have’ of the function
– Standard user access profiles for common job roles in the organisation
– The need for segregation for the access rights involved
– Data owner and management’s authorisation for access
– The documentation of identity and access rights in a central repository
– Creation, communication and change of initial passwords
• Through inquiry and review of sampled ACLs, determine if a process exists for resolving access provisioning requests that are not commensurate with established security authentication practices and roles.
• Determine if a risk assessment process was utilised to identify possible segregation of duties and if an escalation process was utilised to obtain added levels of management authorisation.
• Determine if authentication and authorisation mechanisms exist to enforce access rights according to the sensitivity and criticality of information (e.g., password, token, digital signature).
• Determine if trust relationships enforce comparable security levels and maintain user and process identities.
• Select a sample of user and system accounts and a sample ACL to determine existence of the following:
– Clearly defined requested role and/or privileges
– Business justification for assignment
– Data owner and management authorisation
– Business/risk justification and management approval for non-standard requests
– Access requested commensurate with job function/role and required segregation of duties
– Documentation evidencing adherence to and completion of the provisioning process
• Obtain from HR a sample of employee transfers and terminations and, through review of system account profiles and/or ACLs, determine if access has been appropriately altered and/or revoked in a timely manner.
• Select a sample of critical network devices and system services, and determine if access control mechanisms have been routinely evaluated and tested to confirm their operational effectiveness.
• Select a sample of critical network devices and system services, and determine if they have been routinely monitored for existence of security incidents.
• Sample security baselines and determine if they are appropriately aligned to the organisation’s risk profile and levels of accepted risk and if they take into account common risks and vulnerabilities (i.e., conform to leading practices).
• Select a sample of IT devices and determine their compliance with established security baselines. For deviations from baselines, determine if a risk assessment was performed and if management approved the deviation from the baseline.
• Determine if a security review process has been integrated into the organisation’s acquisition and implementation processes (AI) and delivery and support processes (DS), requiring security management’s involvement and approval of any IT changes that would impact the design or operation of systems security. The review process should consider:
– Overall technology architecture
– Database access and security design
– Protocol, port and socket usage
– Required services

Page 186: USING COBIT - csbweb01.uncw.edu


– User remote access and modem requirements
– Server-to-server authentication and encryption
– Scalability, availability and redundancy
– Session management and cookie usage
– Administrative capabilities
– User ID and password management
– Audit trails and logging/reporting
• Determine if security audit trails capture user identification (ID), type of event, date and time, success or failure indication, origination of event, and the identity or the name of the affected object. Logged events should include accesses to sensitive data, actions by administrative and privileged accounts, initialisation of audit logs, and modification of system-level objects.
• Inspect and review documents supporting the recording, analysis and resolution of potential security incidents, and perform the following steps:
– Understand the methods used to categorise incidents and identify actionable threats.
– Identify specific logged security incidents, and inquire as to the nature and disposition of the incident.
• Inspect documentation evidencing the process used to match the organisation’s network device inventory to published vulnerabilities for the purpose of verifying that all devices are at current release and security patch levels.
• Determine if formal management responsibilities and procedures exist throughout the key management life cycle, including changes to encryption equipment, software and operating procedures.
• For a sample of new keys, determine if key pairs have been generated in accordance with industry standards and compliance or regulatory requirements (e.g., ISO 15782-1, FIPS 140-1, ANSI X9.66) and if documentation evidences the existence of split-knowledge and dual-control keys (requiring two or three people, each knowing only his/her part of the key, to reconstruct the whole key).
• For a sample of expired keys, determine if documentation exists evidencing the complete destruction of keys at the end of the key-pair life cycle.
• Review maintenance records evidencing that cryptographic hardware is routinely tested.
• Obtain a list of individuals who have access to cryptographic hardware, software and keys, and determine if access is limited to properly authorised individuals responsible for the creation and injection of keys.
• Determine if key custodians formally acknowledge, understand and accept their key custodian responsibilities.
• Determine if encryption keys are generated, stored and used in a manner such that the keys and their components are known only to authorised custodians.
• For keys received from third-party vendors, determine if they are sent in separate parts by different carriers on different dates, and if each part of the key is stored in a separate safe, for which the combination is known by a separate key officer.
• Assess the system security features to evaluate whether proactive controls have been established to protect from malicious security attacks.
• Assess whether the data/system protection software is centrally distributed throughout the network environment.
• Assess the control features for filtering incoming traffic against unsolicited information.
• Select a sample of critical network devices, and confirm that the devices are properly secured with special mechanisms and tools (e.g., authentication for device management, secure communications, strong authentication mechanisms) and that active monitoring and pattern recognition are in place to protect devices from attack.
• Select a sample of network devices, and determine if the devices have been configured with minimal features enabled (e.g., features that are necessary for functionality and hardened for security applications); all unnecessary services, functionalities and interfaces have been removed; and all relevant security patches and major updates are applied to the system in a timely manner before going to production.
• Select a sample of new network devices or changes to existing network devices and determine that the organisation’s Acquire and Implement (AI) process controls and Deliver and Support (DS) process controls have been followed.
• Select a sample of firewall devices, and review ACLs for the following:
– Access rules effectively segregating trusted and non-trusted network segments
– Documentation evidencing the business purpose and management’s approval of rules
– Configurations following management-approved baselines
– Devices that are current on version and patch release levels
• Determine if encryption is utilised for all non-console administrative access, such as SSH, VPN or SSL/TLS.
• Assess whether automated controls safeguard the data and systems, such that data are transmitted through reliable sources.
• Determine if user management periodically reviews user profiles and access rights to ensure the adequacy of access rights and requirements for segregation of duties.
• Verify that direct access to data is prevented or, where required, controlled and documented accordingly.
• Verify that the quality requirements for passwords are defined and enforced by systems.
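The HR-reconciliation, dormant-account and segregation-of-duties checks in the account review steps above (and the periodic management review of accounts and privileges called for in DS5.4) can be scripted so the evidence is reproducible across samples. The following Python is an added example, not part of the COBIT guide; the account export, HR termination feed and toxic-role table are constructed samples, and the field names are assumptions about what such an export would contain.

```python
"""Account review evidence (added example, not from the COBIT guide).

Reconciles an application's active-account export against the HR
termination feed, and flags dormant accounts, grants with no owner
approval on record, and segregation-of-duties (toxic role) conflicts.
All data below is constructed for illustration.
"""
from datetime import date

# Constructed account export; field names are assumptions about such an export.
ACCOUNTS = [
    {"user": "asmith", "roles": {"ap_clerk"}, "last_login": date(2024, 5, 2), "owner_approval": "CHG-101"},
    {"user": "bjones", "roles": {"ap_clerk", "ap_approver"}, "last_login": date(2024, 5, 3), "owner_approval": "CHG-102"},
    {"user": "cdoe", "roles": {"dba"}, "last_login": date(2023, 9, 1), "owner_approval": ""},
    {"user": "dlee", "roles": {"ap_approver"}, "last_login": date(2024, 4, 30), "owner_approval": "CHG-105"},
    {"user": "svc_batch", "roles": {"ap_clerk"}, "last_login": date(2024, 5, 3), "owner_approval": "CHG-090"},
]

# Constructed HR feed: user -> termination effective date.
HR_TERMINATIONS = {"dlee": date(2024, 4, 15)}

# Constructed toxic combinations: role pairs one identity must not hold together.
SOD_CONFLICTS = [("ap_clerk", "ap_approver")]

# Date the sample was drawn (constructed).
REVIEW_DATE = date(2024, 5, 4)


def review_accounts(accounts, terminations, sod_conflicts, as_of, dormant_days=90):
    """Return (user, finding, detail) tuples for every exception found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Terminated in HR but still enabled: access should have been revoked.
        if user in terminations and terminations[user] <= as_of:
            findings.append((user, "terminated_active",
                             f"HR termination {terminations[user].isoformat()}"))
        # Dormant accounts are candidates for suspension under the account life cycle.
        idle = (as_of - acct["last_login"]).days
        if idle > dormant_days:
            findings.append((user, "dormant", f"{idle} days since last login"))
        # No data/system owner approval reference on record for the grant.
        if not acct["owner_approval"]:
            findings.append((user, "no_owner_approval", "no approval reference"))
        # One identity holding both halves of a toxic combination.
        for a, b in sod_conflicts:
            if a in acct["roles"] and b in acct["roles"]:
                findings.append((user, "sod_conflict", f"{a}+{b}"))
    return findings


def summarise(findings):
    """Count findings by type for the working paper."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, HR_TERMINATIONS, SOD_CONFLICTS, REVIEW_DATE):
        print(*finding, sep="\t")
```

Each finding maps to one of the bullets above (terminations not revoked, unused accounts not terminated, missing owner authorisation, segregation-of-duties conflicts), so the script's output can be filed directly as the sample's exception list; the dormancy threshold is a parameter because the guide sets no number.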
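The key life cycle bullets under DS5.8 (minimum key sizes, approved generation algorithms, dual control) and the split-knowledge step above describe key components held by separate custodians that reproduce the key only when all are combined. The Python below is an added example, not from the COBIT guide and not any HSM vendor's implementation: an XOR component scheme with that property, plus a minimum-key-size check against a constructed policy table. The fingerprint is a SHA-256 prefix for the custody record, not an ANSI key check value.

```python
"""Split-knowledge key components under dual control (added example; not from
the COBIT guide or an HSM vendor). The policy table is a constructed assumption."""
import hashlib
import secrets

# Constructed policy: minimum key size in bits per approved algorithm (assumption).
MIN_KEY_BITS = {"AES": 128, "HMAC-SHA256": 256}


def generate_key(algorithm, bits):
    """Generate a random key, refusing unapproved algorithms and undersized keys."""
    minimum = MIN_KEY_BITS.get(algorithm)
    if minimum is None:
        raise ValueError(f"{algorithm}: not an approved key generation algorithm")
    if bits < minimum or bits % 8:
        raise ValueError(f"{algorithm}: {bits}-bit key violates the {minimum}-bit minimum")
    return secrets.token_bytes(bits // 8)


def is_policy_compliant(algorithm, bits):
    """True if generate_key would accept this algorithm/size pair."""
    try:
        generate_key(algorithm, bits)
        return True
    except ValueError:
        return False


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, custodians):
    """Split key into n components: all n reconstruct it, any n-1 reveal nothing.

    The first n-1 components are uniformly random; the last is the key XORed
    with all of them. Every component on its own is indistinguishable from
    random, so no subset short of the full set carries information about the key.
    """
    if custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_key(components):
    """Reconstruct the key from the complete set of components."""
    size = len(components[0])
    if any(len(c) != size for c in components):
        raise ValueError("component length mismatch")
    key = bytes(size)
    for c in components:
        key = xor_bytes(key, c)
    return key


def fingerprint(component):
    """Short integrity value for the custody record (SHA-256 prefix, not an ANSI KCV)."""
    return hashlib.sha256(component).hexdigest()[:8]


def ceremony(algorithm="AES", bits=256, custodians=3):
    """Key generation ceremony: returns the key, its components and the custody record."""
    key = generate_key(algorithm, bits)
    parts = split_key(key, custodians)
    record = [{"custodian": i + 1, "fingerprint": fingerprint(p)} for i, p in enumerate(parts)]
    if combine_key(parts) != key:
        raise RuntimeError("ceremony verification failed")
    return key, parts, record


if __name__ == "__main__":
    _, _, custody_record = ceremony()
    for entry in custody_record:
        print(entry)
```

When reviewing a sample of new keys, the evidence to look for is the custody record (one fingerprint per custodian, none of which equals the fingerprint of the whole key) and a rejected-request log showing that undersized or unapproved keys were refused rather than generated.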
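The audit-trail step above lists the fields every record must carry (user ID, event type, date and time, outcome, origin, affected object) and the event classes that must appear at all. The following check is an added example, not the guide's; it runs over a constructed JSON-lines sample, and the field and event-class names are assumptions standing in for whatever the audited system actually emits.

```python
"""Audit-trail completeness check (added example, not from the COBIT guide).

Verifies that sampled records carry the required fields and that the event
classes the step lists are present. Record format and lines are constructed.
"""
import json

# Fields the step names: who, what, when, outcome, where from, and what was affected.
REQUIRED_FIELDS = {"user", "event", "timestamp", "outcome", "origin", "object"}

# Event classes that must appear in the trail (constructed names for the step's list).
REQUIRED_EVENT_CLASSES = {"sensitive_read", "privileged_action", "audit_init", "system_object_change"}

# Constructed JSON-lines sample: line 4 lacks 'object', line 5 is not parseable,
# and no 'system_object_change' event was ever logged.
SAMPLE_LOG = """\
{"user":"alice","event":"sensitive_read","timestamp":"2024-05-03T09:00:01Z","outcome":"success","origin":"10.0.1.5","object":"/hr/payroll.csv"}
{"user":"root","event":"privileged_action","timestamp":"2024-05-03T09:05:10Z","outcome":"success","origin":"console","object":"useradd bob"}
{"user":"auditd","event":"audit_init","timestamp":"2024-05-03T00:00:00Z","outcome":"success","origin":"localhost","object":"/var/log/audit/audit.log"}
{"user":"bob","event":"sensitive_read","timestamp":"2024-05-03T09:07:44Z","outcome":"failure","origin":"10.0.2.9"}
not json at all
"""


def check_audit_trail(text):
    """Return exceptions: incomplete records, unparseable lines, uncovered event classes."""
    incomplete = []   # (line number, sorted missing field names)
    malformed = []    # line numbers that could not be parsed as a JSON object
    seen_classes = set()
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed.append(number)
            continue
        if not isinstance(record, dict):
            malformed.append(number)
            continue
        missing = REQUIRED_FIELDS - set(record)
        if missing:
            incomplete.append((number, sorted(missing)))
        seen_classes.add(record.get("event"))
    return {
        "incomplete": incomplete,
        "malformed": malformed,
        "uncovered_classes": sorted(REQUIRED_EVENT_CLASSES - seen_classes),
    }


if __name__ == "__main__":
    print(json.dumps(check_audit_trail(SAMPLE_LOG), indent=2))
```

A malformed line is itself a finding under the "unreliable security logs" risk driver for DS5.5, and an event class that never appears in a sample of reasonable size usually means the source is not configured to log it rather than that nothing happened.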

Page 187: USING COBIT - csbweb01.uncw.edu


Take the following steps to document the impact of the control weaknesses:
• Determine the level of security consciousness within the organisation by reviewing functional and operational documentation for the existence of security considerations (e.g., involvement of the security management function within the SDLC).
• Benchmark the information security organisation (e.g., size, lines of reporting) against similar organisations, and benchmark formalised policies, standards and procedures to international standards/recognised industry best practices.
• Determine if the security management function is commensurate with the size and complexity of the IT landscape. Consider the following:
– Size, complexity and diversity of the IT landscape
– Use of security administration tools and technology
– Alignment of security management to business lines (e.g., do organisation segments have competing security functions?)
– Skills and training of security management personnel
• Determine if members of executive management communicate the importance and their support of the security management organisation. Consideration should be given to executive management or security steering committee approval of formalised security policies.
• Determine the existence of a management-approved security charter and policies, standards and procedures that address logical security for all relevant aspects of the organisation’s IT landscape.
• Determine if the IT security plan has adequately considered the security profile of the organisation, including any regulatory and compliance requirements.
• Assess the ability of the security management organisation to execute and monitor compliance with the plan. Consideration should be given to the size of the organisation, use of security assessment and administration technology and tools, and required experience levels and ongoing training received by security personnel.
• Select policy, standards and procedural documentation from various financial, operational and compliance areas within the organisation, and determine if key provisions of the IT security plan have been appropriately reflected in the documentation.
• Determine if a security review process has been integrated into the organisation’s AI and DS processes, requiring security management’s involvement and approval of any IT changes that would impact the design or operation of systems security.
• Determine if the organisation’s AI processes and controls are supported by segregated development, test and assurance, and production environments.
• Identify the existence and reasonableness of anonymous and group accounts (e.g., nobody, web user, everybody), remote processes and started tasks. Consideration should be given to the nature and scope of transaction authorities, the risk of possible escalation of privileges, the process origin (e.g., trusted, non-trusted), or if a security design review was performed for system and application-initiated jobs and processes.
• Determine if security software, applications and supporting systems software have been configured to enforce user authentication or propagate user and process identities. Determine if default accounts exist to authenticate anonymous users or processes.
• Determine sources of non-trusted access (e.g., business partners, vendors), and determine how access has been assigned to provide uniquely identifiable account holders and appropriate protection of information.
• Through the use of audit software tools or scripts, identify the existence of inactive or unused accounts and determine the existence of a business justification.
• Identify active vendor or contractor accounts, and determine if access is commensurate with the terms and duration of the contract.
• Determine if vendor-supplied accounts have been appropriately safeguarded (e.g., default passwords changed, accounts revoked).
• Assess the reasonableness of the nature and frequency of verification and vulnerability assessment processes utilised, considering the organisation’s risk profile, size, complexity and diversity.
• Determine if security scripts and tools are utilised to test the existence of common vulnerabilities, the effectiveness of security mechanisms and the effectiveness of user access administration processes (e.g., existence of inactive or never used accounts, terminated user accounts, accounts without passwords or forced password changes).
• Identify and select a sample of organisation-critical network devices (hardware and application systems) and at-risk perimeter network devices. Determine the existence of security sensors or use of host logging to capture incidents, and ensure that security incidents are included in the daily review process.
• Obtain a sample of security-related incident work order tickets, and determine if the issue has been appropriately resolved and closed in a timely manner.
• Determine if security tool deployment appropriately addresses all principal technologies utilised by the organisation and if personnel possess the required skills to appropriately operate the security tools and technologies.
• Determine if security personnel are required to attend annual training and if security tools receive routine updates to threat and vulnerability engines and supporting database/signatures.
• Select a sample of business-critical or sensitive data, and determine if data have been secured in accordance with the organisation’s encryption standards.
• Verify that the cryptographic system used to protect stored data effectively renders data unreadable, and determine if any method can be utilised to access erased data through forensic techniques.
• Determine whether the security controls have been implemented to prevent exposure from malicious attacks and vulnerabilities.


• Determine if portable code (e.g., Java, JavaScript) and downloaded binaries and executables are scanned before being allowed into the network or blocked from entering the network.
• Determine that the organisation’s network documentation accurately reflects the current network environment, including wireless devices, and examine the network design to determine if security barriers are strategically placed at the network’s perimeter, between the organisation’s trusted internal network and non-trusted public (i.e., Internet), vendor (i.e., service organisation) or business partner (i.e., extranet) segments.
• Verify that changes to security-relevant parameters follow the organisation’s change management processes and are authorised and tested accordingly.
• Confirm that sensitive information is not disclosed or exposed to unauthorised parties.
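Two of the steps above call for audit scripts that surface inactive or never-used accounts, accounts without passwords, and accounts without forced password changes. The Python below is an added example of the checks such a script performs; it is not from the IT Assurance Guide or ITGI. It reads a simplified shadow-style record format assumed for the illustration (name, password field, last change date, maximum password age in days, last login date), over constructed sample records, and the 90-day inactivity threshold is an assumption rather than a figure from the guide.

```python
"""Account-hygiene review over shadow-style records.

Added example; not from the IT Assurance Guide or ITGI. The record format
(name:password-field:last-change:max-days:last-login) is a simplified,
assumed layout modelled on /etc/shadow, and the sample records below are
constructed for this illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_DAYS = 90           # assumed review threshold for dormant accounts
NO_EXPIRY_SENTINEL = 99999   # max-age value conventionally meaning "never expires"
AS_OF = date(2024, 6, 1)     # constructed review date for the sample below

# Constructed sample records (not real accounts):
# name:password-field:last-change:max-days:last-login ("never" = no login on record)
SAMPLE_RECORDS = """\
root:$6$abc:2024-03-15:90:2024-05-30
svc_backup::2023-01-10:99999:2023-01-15
jsmith:$6$def:2024-01-20:90:2024-05-28
vendor_tmp:$6$ghi:2022-06-01:99999:never
appsvc:!:2023-06-01:99999:never
mwilson:$6$jkl:2024-05-01:90:2024-02-01
"""


@dataclass
class Account:
    name: str
    pw_field: str
    last_change: date
    max_days: int
    last_login: Optional[date]

    @property
    def locked(self) -> bool:
        # A leading "!" or "*" marks a locked or non-login account.
        return self.pw_field.startswith(("!", "*"))


def parse_records(text: str) -> list[Account]:
    """Parse the simplified shadow-style records into Account objects."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pw_field, changed, max_days, login = line.split(":")
        accounts.append(Account(
            name=name,
            pw_field=pw_field,
            last_change=date.fromisoformat(changed),
            max_days=int(max_days),
            last_login=None if login == "never" else date.fromisoformat(login),
        ))
    return accounts


def review_accounts(accounts: list[Account], as_of: date) -> dict[str, list[str]]:
    """Return {account: [findings]} for the conditions the audit step names:
    no password, no forced password change, never used, or inactive."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct.locked:  # password checks only matter where login is possible
            if acct.pw_field == "":
                issues.append("no password set")
            if acct.max_days >= NO_EXPIRY_SENTINEL:
                issues.append("no forced password change")
            elif (as_of - acct.last_change).days > acct.max_days:
                issues.append("password change overdue")
        if acct.last_login is None:
            issues.append("never used")
        else:
            idle = (as_of - acct.last_login).days
            if idle > INACTIVE_DAYS:
                issues.append(f"inactive for {idle} days")
        if issues:
            findings[acct.name] = issues
    return findings


def review_sample() -> dict[str, list[str]]:
    """Run the review over the constructed sample as of AS_OF."""
    return review_accounts(parse_records(SAMPLE_RECORDS), AS_OF)


if __name__ == "__main__":
    for name, issues in review_sample().items():
        print(f"{name}: {'; '.join(issues)}")
```

Each finding is the starting point of the step, not its conclusion: the auditor still has to obtain the business justification for every flagged account. Locked accounts are exempted from the password checks but are still reported when dormant, since a never-used service account is exactly the kind of entry the guide asks to be justified or removed.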


DS6 Identify and Allocate Costs

The need for a fair and equitable system of allocating IT costs to the business requires accurate measurement of IT costs and agreement with business users on fair allocation. This process includes building and operating a system to capture, allocate and report IT costs to the users of services. A fair system of allocation enables the business to make more informed decisions regarding the use of IT services.

DS6.1 Definition of Services

Control Objective
Identify all IT costs, and map them to IT services to support a transparent cost model. IT services should be linked to business processes such that the business can identify associated service billing levels.

Value Drivers
• Improved management understanding and acceptance of IT costs, thereby facilitating more effective budgeting for IT services
• User management empowered with reliable, transparent information about controllable IT costs to facilitate more efficient control and prioritisation of resources
• Business management able to see the total cost of each business function and, therefore, make better informed decisions

Risk Drivers
• Costs accounted for incorrectly
• Investment decisions based on invalid cost information
• Business users having an incorrect view of IT’s cost and value contribution

Test the Control Design
• Enquire whether and confirm that a policy exists for cost allocations to departments.
• Inspect the documentation that defines the IT services and verify that the distinct IT services to which costs will be allocated have been defined and documented.
• Inspect the mapping of IT services to IT infrastructure, and determine if the mapping is appropriate by, for example, obtaining a copy of the hardware and software inventories and the listing of IT services to ensure that all infrastructure and services have been mapped.
• Confirm the sources of information used to create the mapping to determine whether the sources of information were appropriate for the mapping exercise.
• Inspect the mapping of IT services to the business process to ensure that the mapping has been done completely and appropriately. This can be accomplished by, for example, comparing the mapping to the organisational chart or lines of business.
• Enquire whether and determine if results of the mapping have been confirmed with the business process owners. Enquiries should focus on ascertaining the agreement of the business process owners with the alignment of IT services provided.
• Inspect documentation supporting the communication and agreement on mapping to determine whether agreement was achieved. Such documentation may include meeting minutes, budget documentation and SLAs.


DS6.2 IT Accounting

Control Objective
Capture and allocate actual costs according to the enterprise cost model. Variances between forecasts and actual costs should be analysed and reported on, in compliance with the enterprise’s financial measurement systems.

Value Drivers
• More effective alignment promoted between business objectives and the cost of IT
• Facilitated allocation of IT resources to competing IT projects and processes
• Business units able to fully understand the total IT cost involved for delivering various business processes
• The level of productivity increased and the business view and professionalism of staff within the IT organisation expanded through increased financial accountability

Risk Drivers
• Failure of the current accounting model to support equitable service chargeback
• Costs recorded failing to comply with the enterprise’s financial accounting policies
• The business having an incorrect view of IT costs and value provided

Test the Control Design
• Obtain a copy of the cost elements defined (e.g., in an IT cost allocation model or costing system), compare them to cost elements defined for the overall organisation, and examine where differences exist.
• Identify the elements that are unique to IT, and assess the appropriateness of the cost elements defined.
• Inspect billings’ cost allocation journal entries to record the allocations of IT costs and assess the appropriateness of those allocations. For example, comparisons across departments or as a percentage of department expenditures may identify misallocations or unallocated costs.
• Obtain a copy of the enterprise cost accounting system setup, and assess the treatment of IT costs through examination of IT expense registers, interdepartment billings, journal entries, etc.
• Obtain and inspect a copy of the documentation that requires budgets and forecasts to be updated on changes in cost structures, and review that documentation with business process owners and IT service leaders to determine whether the process is understood and deployed.
• Inspect documentation of the process for creating IT budgets, forecasts and actual cost reporting.
• Ensure that those processes are in alignment with the overall organisational processes, and determine whether the distribution lists and schedule for reporting on initial budgets, forecasts and actual to date are appropriate. Appropriateness of distribution includes considering all impacted business process owners, senior management, etc. Appropriateness of the schedule for distribution of reporting includes ensuring that IT is aligned with business reporting timelines.
• Assess the definitions of roles for recipients of budgets, forecasts and actual analysis to determine whether all appropriate parties have been assigned as recipients.


DS6.3 Cost Modelling and Charging

Control Objective
Establish and use an IT costing model based on the service definitions that support the calculation of chargeback rates per service. The IT cost model should ensure that charging for services is identifiable, measurable and predictable by users to encourage proper use of resources.

Value Drivers
• IT cost allocation transparent for all affected parties
• Reliable information provided to the organisation about its total IT cost
• Investment decisions relatable to current costs

Risk Drivers
• The cost model not in line with the overall accounting procedures
• Gaps in identified and charged services
• Service usage insufficiently measured and failing to reflect actual business usage

Test the Control Design
• Enquire whether and confirm that all chargeable items and services provided by the IT department are properly categorised and itemised and that the corresponding charges for every service are listed.
• Verify that the material is organised in line with the enterprise accounting framework.
• Confirm through interviews with major users and a review of user department complaints in chargeback invoices that the chargeback model is transparent and fair.
• Confirm through interviews with IT management that the costing and chargeback model allows for efficient resource planning.
• Select a sample resource/service, compare the total cost to income from chargeback, and analyse the gap.

DS6.4 Cost Model Maintenance

Control Objective
Regularly review and benchmark the appropriateness of the cost/recharge model to maintain its relevance and appropriateness to the evolving business and IT activities.

Value Drivers
• IT cost allocations continuously aligned with actual business usage of IT services
• Cost allocations based on the most appropriate approach for the business and IT

Risk Drivers
• The cost model not in line with actual usage
• The method used for cost allocation not appropriate for the needs of the business and IT

Test the Control Design
• Enquire whether and confirm that the cost/charge model is reviewed on a regular basis (e.g., annually or semi-annually), including the current business requirements and changes in the IT services and costs.
• Inspect the reassessed charging model documents to look for management approval and to determine operating effectiveness.
• Inspect the policy or standards requiring IT cost charge models to be performed, and ensure that there is a requirement for regular review against the enterprise model (e.g., annually or semi-annually), or that there is a process for changes to the enterprise model to be reflected in the IT models.


Take the following steps to test the outcome of the control objectives:
• Enquire whether and confirm that cost allocations to departments are acceptable and/or appropriate for the organisation.
• Enquire whether and confirm that costs are allocated to distinct IT services.
• Enquire whether and confirm that the responsibility for gathering and allocating costs has been assigned appropriately.
• Inspect documentation that defines the cost allocation approach to ascertain whether all costs are allocated reasonably. This can be accomplished by, for example, comparing cost allocations to the budget or actual expenses incurred.
• Obtain the IT budget and departmental budgets, and determine whether IT service costs exist in departmental budgets.
• Consider whether the IT budget appears to be in alignment with the business needs through examination of departmental budgets, applications supported by department, etc.
• Select a sample of costs incurred and trace those costs to ascertain that they have been appropriately allocated to the IT services.
• Extract significant costs (e.g., the top 10 percent, significant department costs), and trace those costs to ascertain that they have been appropriately allocated to the IT services.
• Extract all IT costs and stratify by type for comparison to IT service definitions.
• Confirm with IT service leaders that all infrastructure inventory is accounted for and owned by IT services provided. This can be accomplished by examining the geographic scope of IT service and the nature of applications and business services provided, and discussing those scopes with the IT service leaders or through corroborating the IT service scope discussed with the current network diagrams.
• Select a sample of IT services and inspect the allocations of IT infrastructure for completeness by considering the nature of the IT service provided and known infrastructure required for support.
• Select a sample of IT infrastructure and ensure that it is mapped or assigned to an IT service area.
• Inspect asset registries, network diagrams or other infrastructure inventories, and determine whether allocations to service owners have been made.
• Select a sample of assets from a tour of the data centre and ensure that the assets are appropriately logged in asset registries, network diagrams or other infrastructure inventories.
• Enquire whether and confirm that all defined cost elements (e.g., people, accommodations, transfers, hardware, software) have been captured.
• Inspect billings/cost allocations/journal entries to record the allocations of IT costs and assess the appropriateness of those allocations. For example, comparisons across departments, or a percentage of department expenditures, may identify misallocations or unallocated costs.
• Compare and reconcile costs allocated to departments against IT expenditures to determine whether complete and accurate allocations are occurring.
• Inspect the general ledger accounts for IT expenditures to identify high-risk accounts (e.g., accounts that are not regularly used or that have high volumes of transactions flowing through them), and review for unusual entries.
• Select a sample of invoices from the IT department, and ensure that the accounting treatment is in accordance with the enterprise’s cost allocation models.
• Analyse IT cost information obtained from the general ledger accounts to determine whether accounts that are subject to auto-posted or standard journal entries are posted correctly. For example, reperform the calculation of depreciation expense on IT assets to verify that accumulated amortisation on IT is allocated appropriately to the departments based on service usage or percentage allocations.
• Confirm with business process owners that there are processes in place to prevent unauthorised changes to cost allocations and to detect/monitor changes to cost allocations.
• Inspect a sample of cost structure changes, and ensure that budgets and forecasts for the affected departments have been revised and are numerically correct.
• Inspect the change logs to identify significant changes or deployment of new systems, and determine whether those changes have had an impact on cost structures and have resulted in a subsequent change in budgets and forecasts.
• Inspect any analysis of variance amongst budgeted cost, forecasted cost and actual cost and determine whether they have been completed on a timely basis and with sufficient detail. Assess whether the analysis has been performed in alignment with organisational standards.
• Inspect distribution lists to validate whether all relevant senior management and business process owners receive analysis.
• Confirm with the business process owners how they are informed of changes to the IT service costs allocated to their departments.
• Enquire whether and confirm that inquiries due to unclear cost or pricing procedures are followed up on immediately and captured for summary analysis. Trace an inquiry through the system to determine operating effectiveness and ensure immediate follow-up.
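Several of the steps above are analytical procedures that can be scripted: reconciling allocated costs against IT expenditure to find unallocated amounts, comparing each department's IT charge as a percentage of its own expenditure to spot possible misallocations, and extracting the top 10 percent of costs for individual tracing. The Python below is an added example, not from the IT Assurance Guide or ITGI; every amount is constructed for the illustration, and the 1.5x/0.5x band used to flag departments is an assumed review heuristic, not a threshold from the guide.

```python
"""Cost allocation reconciliation and analytics.

Added example; not from the IT Assurance Guide or ITGI. All figures are
constructed for this illustration; the 1.5x / 0.5x outlier band and the
"top 10 percent by value" cut are assumptions, not thresholds from the guide.
"""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed sample general-ledger IT expense lines: (gl_account, amount).
GL_EXPENSES = [
    ("6100-hardware", 40000.0),
    ("6200-software", 25000.0),
    ("6300-telecom", 10000.0),
    ("6400-staff", 60000.0),
    ("6500-consulting", 15000.0),
]

# Constructed sample chargeback journal: (department, it_service, amount).
ALLOCATIONS = [
    ("finance", "erp", 45000.0),
    ("sales", "crm", 30000.0),
    ("hr", "payroll", 20000.0),
    ("operations", "network", 36000.0),
    ("finance", "network", 5000.0),
]

# Constructed departmental operating expenditure, for the percentage comparison.
DEPT_EXPENDITURE = {
    "finance": 300000.0,
    "sales": 500000.0,
    "hr": 100000.0,
    "operations": 400000.0,
}


def reconcile(gl, allocations) -> dict[str, float]:
    """Compare total IT expenditure with total allocated; the difference is
    cost that has not been charged to any department."""
    total_gl = sum(amount for _, amount in gl)
    total_alloc = sum(amount for _, _, amount in allocations)
    return {
        "total_expenditure": total_gl,
        "total_allocated": total_alloc,
        "unallocated": round(total_gl - total_alloc, 2),
    }


def allocated_by_department(allocations) -> dict[str, float]:
    """Sum the chargeback journal per department."""
    totals = defaultdict(float)
    for dept, _, amount in allocations:
        totals[dept] += amount
    return dict(totals)


def allocation_share(allocations, dept_expenditure) -> dict[str, float]:
    """IT charges as a percentage of each department's own expenditure."""
    by_dept = allocated_by_department(allocations)
    return {d: round(by_dept[d] / dept_expenditure[d] * 100, 1) for d in by_dept}


def flag_outliers(allocations, dept_expenditure, high=1.5, low=0.5) -> dict[str, str]:
    """Flag departments whose IT-charge ratio is far from the organisation-wide
    ratio; these are the candidates for a misallocation review."""
    by_dept = allocated_by_department(allocations)
    baseline = sum(by_dept.values()) / sum(dept_expenditure[d] for d in by_dept)
    flags = {}
    for dept, amount in by_dept.items():
        ratio = (amount / dept_expenditure[dept]) / baseline
        if ratio > high:
            flags[dept] = "high"
        elif ratio < low:
            flags[dept] = "low"
    return flags


def significant_items(gl, top_fraction=0.10) -> list[tuple[str, float]]:
    """Largest expense lines by value (the top 10 percent, at least one line):
    the population an auditor traces to the IT services individually."""
    count = max(1, math.ceil(len(gl) * top_fraction))
    return sorted(gl, key=lambda item: item[1], reverse=True)[:count]


if __name__ == "__main__":
    print(reconcile(GL_EXPENSES, ALLOCATIONS))
    print(allocation_share(ALLOCATIONS, DEPT_EXPENDITURE))
    print(flag_outliers(ALLOCATIONS, DEPT_EXPENDITURE))
    print(significant_items(GL_EXPENSES))
```

On the constructed data the reconciliation shows 14,000 of 150,000 unallocated, and finance and HR carry an IT charge well above the organisation-wide ratio. Neither result is a finding by itself; both are leads for the tracing and discussion steps the guide describes.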

Take the following steps to document the impact of the control weaknesses:
• Compare IT expenditure as a percentage of overall corporate expenditures, and determine if IT expenditures appear reasonable by using, for example, trend analysis over years or benchmarking against industry standards.
• Select a statistical sample of expenditures from each of the IT expense accounts and determine through statistical extrapolation the impact of misallocations and the ways in which accounts and/or departments have been affected.


• Compare and reconcile costs allocated to departments against IT expenditures to determine whether complete and accurate allocations are occurring.
• Inspect HR records to determine changes in headcount since the last cost structure change, and quantify the impact of the change on the costing models. Compare payroll registers from the prior year to the current year to assess the consistency of payroll expenditures and whether those changes have been reflected in the costing models.
• Inspect the change logs to identify significant changes or deployment of new systems, determine whether those changes have had an impact on cost structures, and quantify the impact on the costing models.
• Compare the asset registers from the prior year to the current year, identify any significant new assets, and determine whether those assets have had an impact on cost structures in terms of, for example, depreciation and amortisation. Assess whether any significant decommissioned assets have not been removed appropriately.
• Enquire of business process owners whether the lack of budget, forecast and actual cost information from IT has impacted their ability to manage costs. Determine the impact through discussion with those process owners.
• Enquire whether and confirm that all chargeable items and services provided by the IT department are itemised and that the corresponding charges for every service are listed.
• Select a statistical sample of expenditures from each of the IT expense accounts and determine through statistical extrapolation the impact of misallocations and the ways in which accounts and/or departments have been affected.


DS7 Educate and Train Users

Effective education of all users of IT systems, including those within IT, requires identifying the training needs of each user group. In addition to identifying needs, this process includes defining and executing a strategy for effective training and measuring the results. An effective training programme increases effective use of technology by reducing user errors, increasing productivity and increasing compliance with key controls, such as user security measures.

DS7.1 Identification of Education and Training Needs

Control Objective
Establish and regularly update a curriculum for each target group of employees considering:
• Current and future business needs and strategy
• Value of information as an asset
• Corporate values (ethical values, control and security culture, etc.)
• Implementation of new IT infrastructure and software (i.e., packages, applications)
• Current and future skills, competence profiles, and certification and/or credentialing needs as well as required reaccreditation
• Delivery methods (e.g., classroom, web-based), target group size, accessibility and timing

Value Drivers
• Training needs for personnel identified to fulfil business requirements
• A baseline for the effective use of the organisation’s technology by personnel, both immediately and in the future
• Establishment of training and education programmes that are relevant to the risks and opportunities the organisation faces currently and in the future
• Installed application capabilities optimised to satisfy business needs

Risk Drivers
• Staff members inadequately trained to fulfil their job function
• Ineffective training mechanisms
• Training provided not appropriate for training need
• Installed application capabilities underutilised

Test the Control Design
• Enquire whether and confirm that a plan for training and professional development of IT staff members exists.
• Obtain and inspect the curriculum for completeness (e.g., depth and breadth of coverage, frequency of classes, class schedule, complexity of class, source of training—vendor, local school or trade institute).
• Obtain and inspect the training calendar.
• Obtain and review the training budget.
• Obtain a copy of test completions, scoring and attendance confirmation (e.g., online training course evidence of exams and attendance).
• Determine management’s process for developing and maintaining a skill inventory.
• Obtain and review the skills inventory catalogue to determine whether the skills catalogued map to the systems deployed.
• Determine that the skills database is current and available knowledge is maintained as current.
• Inspect the training strategy to ensure that training needs are to be incorporated into users’ individual performance plans.
• Inspect documentation detailing the requirement to analyse root causes, including training, from the service desk outputs.


DS7.2 Delivery of Training and Education

Control Objective
Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint trainers and organise timely training sessions. Record registration (including prerequisites), attendance and training session performance evaluations.

Value Drivers
• Formalised and communicated management commitment for training
• Effective trainers and training programmes
• Sufficient attendance and involvement in training programmes and sessions

Risk Drivers
• Inappropriate and ineffective training programmes and mechanisms selected
• Outdated training materials used
• Poor attendance and involvement recorded

Test the Control Design
• Review the training schedule, and confirm that it meets training needs.
• Ensure that adequate resources are available to deliver training.
• Analyse a sample of the training programmes and verify:
– Contents vs. objectives
– Actual vs. planned attendance
– Attendee satisfaction
– Application of feedback received

DS7.3 Evaluation of Training Received

Control Objective
Evaluate education and training content delivery upon completion for relevance, quality, effectiveness, the retention of knowledge, cost and value. The results of this evaluation should serve as input for future curriculum definition and the delivery of training sessions.

Value Drivers
• Effective training programmes based on user feedback
• Relevant training programmes
• Enhanced quality of training programmes
• Training content appropriately designed and structured to help users retain and reuse knowledge
• Effective tracking/monitoring of costs (financial, material, etc.) and value added

Risk Drivers
• Inappropriate and ineffective training programmes selected
• Outdated training material used
• Decreasing quality of end-user training programmes
• Training content design and structure failing to assist knowledge retention and reuse
• Training cost outweighing its benefit and value-add

Test the Control Design
• Review the evaluation forms to verify that they effectively measure the quality and relevance of the contents and the level of the expectations met.
• Determine if feedback is summarised into a format useful for defining the future training curriculum.
• Obtain a list of follow-up actions and obtain evidence that they have been acted upon.
• Ensure that the target audience was reached.

Page 196: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT

IT GOVERNANCE INSTITUTE

Take the following steps to test the outcome of the control objectives:
• Review management communications to personnel encouraging additional education and self-study programmes.
• Obtain and review expense reimbursement requests for training.
• Obtain a list of vendor-provided training materials (e.g., manuals, CDs, training packets, syllabi).
• Obtain and review the inventory of educational books in the IT library.
• Speak with individual staff members to determine whether they have set a training plan that is aligned with their department’s or the organisation’s requirements.
• Inspect incident management records to identify trends in system support and usage that may indicate skill gaps.
• Enquire of management as to which specific competencies are required to support the environment, and ascertain whether there is a plan to build and maintain those skills for the organisation or to acquire those skills through third-party arrangements.
• Inspect a sample of individual performance plans to determine if technology training needs were incorporated.
• Enquire of management regarding results of performance evaluations and any potential skill gaps identified.
• Inspect problem management records to identify trends in system support and usage that may indicate skill gaps.
• Walk through the process for defining effective training programmes to determine if:
  – All relevant needs, including timing, are considered
  – Training sessions effectively meet training needs identified
  – Information on delivery mechanisms is up to date
  – Recent evaluations of trainers and programmes are reviewed
• Inspect the record of attendance and completion of training and education programmes for accuracy.
• Inspect the participant and trainer feedback from a sample of completed training sessions.
• Interview users to evaluate their understanding of the training sessions and then review the tests to verify that they effectively measure the quality and relevance of the contents of the sessions and the level of the expectations met.
• Enquire whether and confirm that stakeholders were interviewed and provided feedback on education and training.
• Enquire of management regarding results of performance evaluations and any potential skill gaps identified in areas where training has been delivered.
• Enquire of management and users whether user effectiveness and knowledge improved after the training was delivered.
• Determine whether indicators such as reduced number of service desk calls and productivity of users are assessed to indicate whether training had the intended impact.
• Inspect course evaluations to determine the degree of trainee satisfaction with the training delivered. Specifically consider the satisfaction with the instructors, course content and course location.

Take the following steps to document the impact of the control weaknesses:
• Obtain personnel files/résumés to analyse whether skills are appropriate for the job/position.
• Obtain personnel files/résumés to analyse skills against deployed systems.
• Enquire of management and review reports (e.g., listings of month-end and year-end accounting and reporting corrections) to determine whether corrections of information processed are required. Analyse to determine whether the incorrect information was caused by inadequate knowledge of users.
• Determine aggregate costs associated with downtime in areas where training or skills are undefined, and compare them to service costs for other areas or against peer groups.
• Inspect incident management records to identify trends in system support and usage that may indicate skill gaps.
• Enquire of management regarding results of performance evaluations and any potential skill gaps identified, such as in areas where training has been delivered.
• Assess benchmark indicators such as reduced number of service desk calls and productivity of users to indicate whether training had the intended impact.

Page 197: USING COBIT - csbweb01.uncw.edu

APPENDIX IV

DS8 Manage Service Desk and Incidents

Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process. This process includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution. The business benefits include increased productivity through quick resolution of user queries. In addition, the business can address root causes (such as poor user training) through effective reporting.

DS8.1 Service Desk

Control Objective
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.

Value Drivers
• Increased customer satisfaction
• Defined and measurable service desk performance
• Incidents reported, followed up and solved in a timely manner

Risk Drivers
• Increased downtime
• Decreased customer satisfaction
• Users unaware of the follow-up procedures on reported incidents
• Recurring problems not addressed

Test the Control Design
• Enquire whether and confirm that an IT service desk exists.
• Enquire whether and confirm that analysis has been performed to determine the service desk model, staffing, tools and integration with other processes.
• Confirm that the hours of operation and expected response time to a call meet business requirements.
• Enquire whether and confirm that instructions exist for the handling of a query that cannot be immediately resolved by service desk staff. Queries should have priority levels that determine the desired resolution time and escalation procedures.
• Ask relevant personnel about whether tools for the service desk are implemented in accordance with service definitions and SLA requirements.
• Enquire about the existence of standards of service and communication of the standards with customers.

Page 198: USING COBIT - csbweb01.uncw.edu

DS8 Manage Service Desk and Incidents (cont.)

DS8.2 Registration of Customer Queries

Control Objective
Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs. It should work closely with such processes as incident management, problem management, change management, capacity management and availability management. Incidents should be classified according to a business and service priority and routed to the appropriate problem management team, where necessary. Customers should be kept informed of the status of their queries.

Value Drivers
• Efficient solving of incidents in a timely manner
• Added value for end users
• Accountability for incident solving

Risk Drivers
• Not all incidents tracked
• Prioritisation of incidents failing to reflect business needs
• Incidents not solved in a timely manner

Test the Control Design
• Confirm that processes and tools are in place to register customer queries, status and actions toward resolution.
• Assess how completely and accurately this repository is maintained.
• Confirm that the process includes workflow for the handling and escalation of customer queries.
• Review a sample of open and closed customer queries to check compliance with the process and service commitments.

DS8.3 Incident Escalation

Control Objective
Establish service desk procedures, so incidents that cannot be resolved immediately are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless which IT group is working on resolution activities.

Value Drivers
• Increased customer satisfaction
• Consistent process for problem solving
• Accountability for resolved incident
• Clear track on incident resolution progress

Risk Drivers
• Inefficient use of resources
• Unavailability of service desk resources
• Inability to follow up incident resolution

Test the Control Design
• Enquire whether and confirm that the service desk maintains ownership of customer-related requests and incidents.
• Verify that the end-to-end life cycle of requests/incidents is monitored and escalated appropriately by the service desk.
• Confirm with members of management that significant incidents are reported to them.
• Review procedures for reporting significant incidents to management.
• Confirm the existence of a process to ensure that the incident records are updated to show the date and time of and the assignment of IT personnel to each query.
• Enquire whether and confirm that there is a process in place to ensure that IT staff members are involved in dealing with queries and incidents and that the incident/request records are updated throughout the life cycle.

Page 199: USING COBIT - csbweb01.uncw.edu

DS8 Manage Service Desk and Incidents (cont.)

DS8.4 Incident Closure

Control Objective
Establish procedures for the monitoring of timely clearance of customer queries. When the incident has been resolved, ensure that the service desk records the resolution steps, and confirm that the action taken has been agreed to by the customer. Also record and report unresolved incidents (known errors and workarounds) to provide information for proper problem management.

Value Drivers
• Increased customer satisfaction
• Consistent and systematic incident resolution process
• Prevention of problem recurrence

Risk Drivers
• Incorrect information gathering
• Common incidents not solved properly
• Incidents not resolved on a timely basis

Test the Control Design
• Enquire whether and confirm that a process is in place to manage the resolution of each incident.
• Enquire whether and confirm that all resolved incidents are described in detail, including a detailed log of all steps to resolve the incidents.
• Inspect a sample of incidents and verify that the status of managing the life cycle of the incident, including resolution and closure, is reported.

DS8.5 Reporting and Trend Analysis

Control Objective
Produce reports of service desk activity to enable management to measure service performance and service response times and to identify trends or recurring problems, so service can be continually improved.

Value Drivers
• Decreased service downtime
• Increased customer satisfaction
• Confidence in the offered services
• Help desk performance measured and optimised

Risk Drivers
• Service desk activity failing to support business activities
• Customers not satisfied by the offered services
• Incidents not solved in a timely manner
• Increasing customer downtime

Test the Control Design
• Enquire whether and confirm that a process is in place to identify, further investigate and report on all queries where the agreed-upon time frames for resolution have been exceeded.
• Enquire whether and confirm that trend analysis is being performed on all queries to identify repeating incidents and patterns, in support of problem identification.
• Verify if problem management is regularly provided with incident and trend analysis data.
• Enquire whether and confirm that the analysis is performed on the feedback received from customers to evaluate the levels of satisfaction with the service provided by the service desk.
• Confirm the existence of customer feedback analysis reports, and verify whether corrective actions have been taken to improve service.
• Confirm that service desk performance is compared to industry standards.
• Verify whether benchmark analysis is used for continuous improvement.

Page 200: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Confirm how customers and users are advised of the service desk standards, and inspect the existence of these methods (postings at the service desk or online, etc.).
• Confirm the existence of user feedback logs.
• Enquire about the effectiveness of the system in terms of monitoring and improving customer satisfaction rates.
• Enquire about the existence of service desk performance reports.
• Inspect a sample of entries in the call log that were not immediately resolved, and determine whether the proper escalation procedures were followed.
• Inspect whether reported metrics address the relevant service desk goals. Enquire as to who uses the reports and for what purpose.
• Monitor several service desk calls to confirm whether existing procedures are being followed. Trace observed calls to the service incident tracking system.
• Enquire whether and confirm that incidents are properly prioritised according to policy.
• Review a sample of incident tickets to verify adherence to policy.
• Select a sample query and verify that incident records are updated to show the date and time of and the assignment of IT personnel to each query.
• Inspect samples of documentation of trouble incidents, and confirm that such incidents conform to priority levels set by policy.
• Enquire whether and confirm that users are informed on the progress of incident resolution.
• Enquire whether and confirm that all request and incident records are monitored through their life cycle and reviewed on a regular basis to guarantee a timely resolution of customer queries.
• Enquire whether and confirm that requests and incidents are closed only after confirmation of the requester.
• Inspect a sample of incidents and verify that there has been a manual or automated follow-up of the resolution.
• Confirm through inspection that incidents are reviewed for update in the knowledge base, including workarounds, known errors and the root cause for similar incidents arising in the future. Physically inspect the knowledge base, and inspect a sample of entries to ensure that the workaround is included, as well as the root cause, if known.
• Inspect a sample of incident records, and verify if they were monitored and fulfilled according to SLAs.
• Select a sample of records and confirm with the requester that they were consulted for closure.
• Identify whether appropriate definitions exist for incident classification (e.g., by impact and urgency).
• Identify whether procedures for functional and hierarchical escalation are defined.
• Enquire whether and confirm that incident management is clearly linked with continuity/contingency plans.

Take the following steps to document the impact of the control weaknesses:
• Observe several service desk calls to confirm undocumented procedures. Undocumented escalation procedures should assign trouble tickets that the service desk cannot resolve to the appropriate IT staff members.
• Verify that all critical service calls are prioritised by the service desk manager or a senior staff member.
• Observe operations of the IT support team, and record undocumented procedures to log and prioritise incidents.
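As an added example, not code from the COBIT guide or ITGI, the Python below runs two of the DS8 checks above over a constructed ticket export: whether incidents that exceeded the agreed-upon SLA resolution time frame were escalated (DS8.3), and which incident categories recur often enough to be handed to problem management (DS8.5 trend analysis). The SLA limits, ticket records, priority codes and category names are assumptions made for illustration; a real review would read them from the service desk tool's export.

```python
"""Incident escalation and trend-analysis checks (DS8.3 / DS8.5).

Added example; not code from the COBIT guide. The SLA limits, ticket records
and category names are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumed SLA: maximum resolution time per priority level (hypothetical figures).
SLA_LIMITS = {
    "P1": timedelta(hours=4),
    "P2": timedelta(hours=8),
    "P3": timedelta(hours=24),
}

# Constructed sample of incident records, shaped like an export from a ticketing tool.
# "resolved" is None for tickets still open; "escalated" records whether the service
# desk passed the ticket on to second-line support.
TICKETS = [
    {"id": "INC-1001", "priority": "P1", "category": "auth/account-lockout",
     "opened": "2007-03-01 09:00", "resolved": "2007-03-01 10:30", "escalated": True},
    {"id": "INC-1002", "priority": "P3", "category": "printing",
     "opened": "2007-03-01 09:10", "resolved": "2007-03-01 11:00", "escalated": False},
    {"id": "INC-1003", "priority": "P1", "category": "auth/account-lockout",
     "opened": "2007-03-02 08:00", "resolved": "2007-03-02 14:00", "escalated": True},
    {"id": "INC-1004", "priority": "P2", "category": "email",
     "opened": "2007-03-02 09:00", "resolved": None, "escalated": False},
    {"id": "INC-1005", "priority": "P1", "category": "auth/account-lockout",
     "opened": "2007-03-03 08:00", "resolved": "2007-03-03 08:45", "escalated": False},
    {"id": "INC-1006", "priority": "P3", "category": "auth/account-lockout",
     "opened": "2007-03-03 08:30", "resolved": "2007-03-03 09:00", "escalated": False},
    {"id": "INC-1007", "priority": "P9", "category": "vpn",
     "opened": "2007-03-03 08:40", "resolved": "2007-03-03 08:50", "escalated": False},
]

# Point in time at which the review is run (constructed).
NOW = datetime(2007, 3, 3, 9, 0)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def sla_breaches(tickets, now, limits=SLA_LIMITS):
    """Return (ticket id, status) for every ticket outside its SLA limit.

    Open tickets are measured up to `now`. A priority with no SLA limit is
    reported as well: such a ticket cannot be measured against the SLA at all.
    """
    findings = []
    for t in tickets:
        limit = limits.get(t["priority"])
        if limit is None:
            findings.append((t["id"], "no-sla-limit"))
            continue
        end = _ts(t["resolved"]) if t["resolved"] else now
        if end - _ts(t["opened"]) > limit:
            findings.append((t["id"], "resolved-late" if t["resolved"] else "open-past-limit"))
    return findings


def escalation_gaps(tickets, now, limits=SLA_LIMITS):
    """Ticket ids that exceeded the SLA limit but were never escalated (DS8.3)."""
    by_id = {t["id"]: t for t in tickets}
    return [tid for tid, status in sla_breaches(tickets, now, limits)
            if status != "no-sla-limit" and not by_id[tid]["escalated"]]


def recurring_incidents(tickets, min_count=3):
    """Categories seen at least `min_count` times: candidate problems for DS10 (DS8.5 trend analysis)."""
    counts = Counter(t["category"] for t in tickets)
    return {cat: n for cat, n in counts.items() if n >= min_count}


def service_desk_review(tickets=TICKETS, now=NOW):
    """Assemble the evidence a reviewer would attach to the DS8 working papers."""
    return {
        "sla_breaches": sla_breaches(tickets, now),
        "escalation_gaps": escalation_gaps(tickets, now),
        "recurring": recurring_incidents(tickets),
    }


if __name__ == "__main__":
    for key, value in service_desk_review().items():
        print(key, value)
```

Run against the constructed data, INC-1003 was resolved late but escalated, INC-1004 has been open past its limit without escalation (the finding a reviewer would raise), INC-1007 carries a priority the SLA does not define, and the account-lockout category recurs four times, which is the kind of pattern DS8.5 expects to be passed to problem management.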

Page 201: USING COBIT - csbweb01.uncw.edu

DS9 Manage the Configuration

Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimises production issues and resolves issues more quickly.

DS9.1 Configuration Repository and Baseline

Control Objective
Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.

Value Drivers
• Hardware and software planned effectively to maintain business services
• The configuration deployed consistently across the enterprise
• Planning enhanced so that changes are in accordance with the overall architecture
• Cost savings through supplier consolidation
• Fast incident resolution

Risk Drivers
• Failure of changes to comply with the overall technology architecture
• Assets not protected properly
• Unauthorised changes to hardware and software not discovered, which could result in security breaches
• Documented information failing to reflect the current architecture
• Inability to fall back

Test the Control Design
• Enquire whether and confirm that senior management sets scope and measures for configuration management functions, and assesses performance.
• Enquire whether and confirm that a tool is in place to enable the effective logging of configuration management information in a repository.
• Determine that access to the tool is restricted to appropriate personnel.
• Review a sample of configuration items to ensure that a unique identifier is assigned.
• Enquire whether and confirm that configuration baselines for components are defined and documented.
• Review that baselines enable identification of system configuration at discrete points in time.
• Enquire whether and confirm that there is a documented process to revert to the baseline configuration.
• Test a sample of systems and applications by verifying that they can be reverted to baseline configurations.
• Enquire whether and confirm that mechanisms exist to monitor changes against the defined repository and baseline.
• Verify that management is receiving regular reports and that these reports result in continuous improvement plans.

Page 202: USING COBIT - csbweb01.uncw.edu

DS9 Manage the Configuration (cont.)

DS9.2 Identification and Maintenance of Configuration Items

Control Objective
Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.

Value Drivers
• Effective change and incident management
• Compliance with accounting requirements

Risk Drivers
• Failure to identify business-critical components
• Uncontrolled change management, causing business disruptions
• Inability to assess the impact of a change because of inaccurate information
• Inability to accurately account for assets

Test the Control Design
• Enquire whether and confirm that a policy is in place to ensure that all configuration items and their attributes are identified and maintained.
• Enquire whether and confirm that there is a policy for physical asset tagging.
• Verify that assets are physically tagged according to policy.
• Enquire whether and confirm that a role-based access policy exists.
• Verify that authorised and appropriate personnel have designated access to the configuration repository as per the policy.
• Enquire whether and confirm that a policy is in place to ensure that change and problem management procedures are integrated with the maintenance of the configuration repository.
• Enquire whether and confirm that a process is in place to record new, modified and deleted configuration items, and identify and maintain the relationships amongst configuration items in the configuration repository.
• Inspect relevant documentation, timely execution and data integrity of the process.
• Enquire whether and confirm that a process is in place to ensure that analysis is done to identify critical configuration items.
• Verify that this process supports change management and analysis of future processing demands and technology acquisitions.
• Enquire whether and confirm that procurement procedures provide for the recording of new assets within the configuration management tool.
• Validate that the configuration management data match the procurement records.

Page 203: USING COBIT - csbweb01.uncw.edu

DS9 Manage the Configuration (cont.)

DS9.3 Configuration Integrity Review

Control Objective
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.

Value Drivers
• Identification of deviations from the baseline
• Enhanced identification and solving of problems
• Identification of unauthorised software

Risk Drivers
• Failure to identify business-critical components
• Uncontrolled change management, causing business disruptions
• Misused assets
• Increased costs for problem solving

Test the Control Design
• Enquire whether and confirm that a process is in place to regularly ensure the integrity of all configuration data.
• Review reports that compare recorded data against the physical environment.
• Verify that deviations are reported and corrected.
• Verify that hardware and software reconciliation is periodically performed against the configuration database.
• If automated tools are being used, perform a manual reconciliation against the automated record.
• Verify that periodic reviews are performed against the policy for software usage to detect personal, unlicensed software or any software instances in excess of current license agreements.

Page 204: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Enquire of management whether any failed configuration changes or security breaches have occurred, and ascertain whether those issues resulted in a loss of corporate assets, disclosure of information or downtime. Determine that access to the logging tool is restricted to appropriate personnel.
• Review a sample of configuration items to ensure that a unique identifier is assigned.
• Verify that baselines enable identification of system configuration at discrete points in time.
• Enquire whether and confirm that there is a documented process to revert to the baseline configuration.
• Inspect the outputs of tools designed to detect changes to the configuration, and assess whether those changes are in alignment with the organisation’s design specifications and security strategy.
• Inspect the tools used for the configuration management database (CMDB), and verify that the quantity and quality of information provided by the CMDB are appropriate for all IT processes.
• Determine whether configuration information is held in redundant information systems.
• Select a sample of desktops and examine the configuration and software deployed against baseline standards to ensure that no unauthorised changes have been made.
• Identify whether the use of unlicensed software is prevented and procedures exist to detect unauthorised software.
• Verify that management is receiving regular reports and that these reports result in continuous improvement plans.
• Test a sample of systems and applications by verifying that they can be reverted to baseline configurations.
• Obtain vulnerability assessment tools for deployed technologies, and run them to determine whether known vulnerabilities have been corrected.
• Determine what should be documented (e.g., configuration items, incident records, change records, change schedules, availability information, service levels) for the review of configuration information and to document the relationship amongst configuration items.

Take the following steps to document the impact of the control weaknesses:
• Enquire of management if any failed configuration changes or security breaches have occurred, and ascertain whether those issues have resulted in a loss of corporate assets, disclosure of information or downtime.
• Inspect copies of internal or external reports on configuration assessments, and determine whether configuration weaknesses have been identified.
• Use vulnerability assessment tools for deployed technologies to determine whether known vulnerabilities have been corrected.
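The DS9.3 integrity review and the "examine the configuration and software deployed against baseline standards" test above can be automated. The Python below is an added example and not part of the COBIT guide: it compares a collected configuration snapshot against the recorded baseline, reporting configuration items that are recorded but absent from the environment, present but unrecorded, and files or packages that changed, and it checks installed software against a usage policy to find unauthorised packages and instances in excess of licence counts. Host names, file contents, package names, versions and licence figures are constructed for the example; in practice the snapshot comes from an inventory agent and the baseline from the configuration repository.

```python
"""Configuration integrity review (DS9.3): deviations from baseline and software-usage policy.

Added example; not code from the COBIT guide. The baseline, the collected
snapshot, the file contents and the licence policy are all constructed.
"""
import hashlib


def fingerprint(content):
    """SHA-256 of a configuration file's bytes: the attribute recorded for each file CI."""
    return hashlib.sha256(content).hexdigest()


# Constructed file contents used to derive the baseline and current fingerprints.
SSHD_BASELINE = b"PermitRootLogin no\nPasswordAuthentication no\n"
SSHD_CHANGED = b"PermitRootLogin yes\nPasswordAuthentication no\n"
SUDOERS = b"root ALL=(ALL) ALL\n"

# Baseline checkpoint as held in the configuration repository (hypothetical CIs).
BASELINE = {
    "srv-web-01": {
        "files": {"/etc/ssh/sshd_config": fingerprint(SSHD_BASELINE),
                  "/etc/sudoers": fingerprint(SUDOERS)},
        "software": {"openssh": "4.3p2", "apache": "2.2.3"},
    },
    "srv-db-01": {
        "files": {"/etc/ssh/sshd_config": fingerprint(SSHD_BASELINE)},
        "software": {"openssh": "4.3p2", "oracle-db": "10.2"},
    },
    "srv-old-03": {  # decommissioned host that was never removed from the repository
        "files": {},
        "software": {"openssh": "4.3p2"},
    },
}

# Current snapshot as an inventory agent would collect it from the environment (constructed).
SNAPSHOT = {
    "srv-web-01": {
        "files": {"/etc/ssh/sshd_config": fingerprint(SSHD_CHANGED),  # root login re-enabled
                  "/etc/sudoers": fingerprint(SUDOERS)},
        "software": {"openssh": "4.3p2", "apache": "2.2.3", "nc": "1.10"},
    },
    "srv-db-01": {
        "files": {"/etc/ssh/sshd_config": fingerprint(SSHD_BASELINE)},
        "software": {"openssh": "4.3p2", "oracle-db": "10.2"},
    },
    "srv-app-02": {  # running host that nobody recorded in the repository
        "files": {"/etc/ssh/sshd_config": fingerprint(SSHD_BASELINE)},
        "software": {"openssh": "4.3p2", "oracle-db": "10.2"},
    },
}

# Software usage policy: package -> licensed instance count (None = unlimited).
# Anything not listed is unauthorised. Hypothetical policy.
SOFTWARE_POLICY = {"openssh": None, "apache": None, "oracle-db": 1, "backup-agent": 2}


def compare_to_baseline(baseline, snapshot):
    """Deviations as (ci, kind, detail) tuples, sorted by CI so the report is stable."""
    deviations = []
    for ci in sorted(set(baseline) | set(snapshot)):
        if ci not in snapshot:
            deviations.append((ci, "missing-ci", "recorded in repository but not found in environment"))
            continue
        if ci not in baseline:
            deviations.append((ci, "unrecorded-ci", "found in environment but not in repository"))
            continue
        base, cur = baseline[ci], snapshot[ci]
        for path in sorted(set(base["files"]) | set(cur["files"])):
            if path not in cur["files"]:
                deviations.append((ci, "file-missing", path))
            elif path not in base["files"]:
                deviations.append((ci, "file-added", path))
            elif base["files"][path] != cur["files"][path]:
                deviations.append((ci, "file-modified", path))
        for pkg in sorted(set(base["software"]) | set(cur["software"])):
            if pkg not in cur["software"]:
                deviations.append((ci, "software-removed", pkg))
            elif pkg not in base["software"]:
                deviations.append((ci, "software-added", pkg))
            elif base["software"][pkg] != cur["software"][pkg]:
                deviations.append((ci, "software-version",
                                   "%s %s -> %s" % (pkg, base["software"][pkg], cur["software"][pkg])))
    return deviations


def software_usage_review(snapshot, policy):
    """Unauthorised installs and packages deployed beyond their licensed instance count."""
    unauthorised = []
    installed = {}
    for ci in sorted(snapshot):
        for pkg in sorted(snapshot[ci]["software"]):
            if pkg not in policy:
                unauthorised.append((ci, pkg))
            installed[pkg] = installed.get(pkg, 0) + 1
    over_licensed = {pkg: (n, policy[pkg]) for pkg, n in installed.items()
                     if pkg in policy and policy[pkg] is not None and n > policy[pkg]}
    return {"unauthorised": unauthorised, "over_licensed": over_licensed}


if __name__ == "__main__":
    for deviation in compare_to_baseline(BASELINE, SNAPSHOT):
        print("deviation:", deviation)
    print(software_usage_review(SNAPSHOT, SOFTWARE_POLICY))
```

On the constructed data the review surfaces exactly the cases the risk drivers describe: an unrecorded host, a stale repository entry, a modified sshd_config on the web server (the "unauthorised change not discovered" case), an unlisted netcat package, and an Oracle instance count above the single licence held. Fingerprinting with a hash rather than storing file contents keeps the repository small and makes the comparison independent of where the files live.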

Page 205: USING COBIT - csbweb01.uncw.edu

DS10 Manage Problems

Effective problem management requires the identification and classification of problems, root cause analysis and resolution of problems. The problem management process also includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. An effective problem management process maximises system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.

DS10.1 Identification and Classification of Problems

Control Objective
Implement processes to report and classify problems that have been identified as part of incident management. The steps involved in problem classification are similar to the steps in classifying incidents; they are to determine category, impact, urgency and priority. Categorise problems as appropriate into related groups or domains (e.g., hardware, software, support software). These groups may match the organisational responsibilities of the user and customer base, and should be the basis for allocating problems to support staff.

Test the Control Design
• Enquire whether and confirm that adequate processes supported by appropriate tools are in place to identify and classify problems.
• Review established criteria to classify and prioritise problems, ensuring that they result in classifications in line with service commitments and organisational units responsible for resolving or containing the problem.
• Confirm that a process is in place for the accuracy of classification, and identify reasons for misclassification so they can be addressed.
• Take a representative sample from the problem database to ensure that the problems are appropriately classified and categorised.

Value Drivers
• Support tools for service desk performance
• Proactive problem management
• Enhanced end-

user

trai

ning

• E

ffic

ient

and

eff

ectiv

e pr

oble

m a

ndin

cide

nt h

andl

ing

• Pr

oble

ms

and

inci

dent

s so

lved

in a

timel

y m

anne

r•

Impr

oved

qua

lity

of I

T s

ervi

ces

• D

isru

ptio

n of

IT

ser

vice

s•

Incr

ease

d lik

elih

ood

of p

robl

emre

curr

ence

• Pr

oble

ms

and

inci

dent

s no

t sol

ved

in a

timel

y m

anne

r•

Lac

k of

aud

it tr

ails

of

prob

lem

s,in

cide

nts

and

thei

r so

lutio

ns f

orpr

oact

ive

prob

lem

and

inci

dent

man

agem

ent

• R

ecur

renc

e of

inci

dent

s

Page 206: USING COBIT - csbweb01.uncw.edu

Control Objective
DS10.2 Problem Tracking and Resolution
Ensure that the problem management system provides for adequate audit trail facilities that allow tracking, analysing and determining the root cause of all reported problems considering:
• All associated configuration items
• Outstanding problems and incidents
• Known and suspected errors
• Tracking of problem trends
Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management process. Throughout the resolution process, problem management should obtain regular reports from change management on progress in resolving problems and errors. Problem management should monitor the continuing impact of problems and known errors on user services. In the event that this impact becomes severe, problem management should escalate the problem, perhaps referring it to an appropriate board to increase the priority of the request for change (RFC) or to implement an urgent change as appropriate. Monitor the progress of problem resolution against SLAs.

Value Drivers
• Limited disruption to or reduction of IT service quality
• Efficient and effective handling of problems and incidents
• Minimised elapsed time for problem detection to resolution
• Appropriate problem solving with respect to the agreed-upon service levels
• Improved quality of IT services

Risk Drivers
• Recurrence of problems and incidents
• Loss of information
• Critical incidents not solved properly
• Business disruptions
• Insufficient service quality

Test the Control Design
• Confirm that processes and tools are in place to register, classify, prioritise and track problems to resolution.
• Confirm that tools include reporting facilities that are used to produce management reports on problems.
• Select a sample of problem reports and verify the adequacy of:
  – Problem documentation for analysis of root causes
  – Identification of problem ownership and resolution responsibility
  – Problem status information

Page 207: USING COBIT - csbweb01.uncw.edu

Control Objective
DS10.3 Problem Closure
Put in place a procedure to close problem records either after confirmation of successful elimination of the known error or after agreement with the business on how to alternatively handle the problem.

Value Drivers
• Queries resolved within the agreed-upon time frames
• Improved customer and user satisfaction
• Efficient and effective problem and incident handling
• Ability to apply lessons learned when addressing future problems similar in nature

Risk Drivers
• Outstanding queries
• Increased service disruption
• Critical incidents not solved properly
• Dissatisfaction with IT services

Test the Control Design
• Enquire whether and confirm that problems are closed only after confirmation of resolution by the stakeholders.
• Select a representative sample of problems and verify through interviews with stakeholders that the stakeholders were informed completely and in a timely manner of problem closures.

Control Objective
DS10.4 Integration of Configuration, Incident and Problem Management
Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements.

Value Drivers
• Improved customer satisfaction
• Efficient and effective problem and incident handling
• Documented problem and incident reporting
• Effective service management

Risk Drivers
• Loss of information
• Critical incidents not solved properly
• Business disruptions
• Increasing number of problems
• Decreased satisfaction with IT services

Test the Control Design
• Review the processes for configuration, incident and problem management, and confirm that they are appropriately integrated.
• Review records to confirm that the responsible managers of the different areas regularly meet and resolve common issues.

Page 208: USING COBIT - csbweb01.uncw.edu

Take the following steps to test the outcome of the control objectives:
• Compare the incident list to incident reports and error logs to ensure that the incident process is working correctly.
• Verify the existence of problem identification and handling documentation.
• Inspect a sample of reports to ensure that they are being used when appropriate and that they contain the necessary information.
• Verify that known errors, incident analysis tools and root causes are communicated to the incident management processes.
• Verify that the status of the problem handling process is monitored throughout its life cycle, including input from change and configuration management.
• Review schedules and minutes of meetings amongst process owners for configuration, incident and problem management.
• Inspect and review records and reports regarding the total costs of problems.

Take the following step to document the impact of the control weaknesses:
• Enquire whether and confirm that changes resulting from the problem management process are monitored to determine the overall improvement of IT services.
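The DS10 steps above (classification by impact and urgency, monitoring of resolution time against SLAs, closure only after stakeholder confirmation and with a documented root cause) lend themselves to a scripted check over a sample of the problem database. The following is an added example, not part of the ITGI guide: the record layout, the impact/urgency priority matrix and the SLA targets are assumptions chosen for illustration, and the three records are constructed.

```python
"""Added example (not from the ITGI guide): checks an assurance reviewer could run over an export
of the problem database. The record layout, the impact/urgency priority matrix and the SLA
resolution targets are assumptions for illustration."""
from datetime import datetime, timedelta

# Assumed priority matrix: (impact, urgency) -> priority, where 1 is the highest priority.
PRIORITY_MATRIX = {
    ("high", "high"): 1, ("high", "medium"): 2, ("high", "low"): 3,
    ("medium", "high"): 2, ("medium", "medium"): 3, ("medium", "low"): 4,
    ("low", "high"): 3, ("low", "medium"): 4, ("low", "low"): 5,
}
# Assumed SLA resolution targets per priority.
SLA_TARGET = {1: timedelta(days=2), 2: timedelta(days=5), 3: timedelta(days=10),
              4: timedelta(days=20), 5: timedelta(days=30)}

def classify(impact, urgency):
    """Derive priority from impact and urgency; an unknown combination raises KeyError."""
    return PRIORITY_MATRIX[(impact.lower(), urgency.lower())]

def audit_problems(records, now):
    """Return {problem id: [findings]} for records that fail one or more checks."""
    findings = {}
    for rec in records:
        issues = []
        expected = classify(rec["impact"], rec["urgency"])
        if rec["priority"] != expected:
            issues.append(f"recorded priority {rec['priority']} differs from matrix priority {expected}")
        opened = datetime.fromisoformat(rec["opened"])
        end = datetime.fromisoformat(rec["closed"]) if rec["closed"] else now
        # Age is measured against the target for the matrix priority, not the recorded one.
        if end - opened > SLA_TARGET[expected]:
            issues.append("resolution time exceeds SLA target")
        if rec["closed"] and not rec["stakeholder_confirmed"]:
            issues.append("closed without stakeholder confirmation")
        if rec["closed"] and not rec["root_cause"]:
            issues.append("closed without documented root cause")
        if issues:
            findings[rec["id"]] = issues
    return findings

# Constructed sample export of three problem records.
SAMPLE = [
    {"id": "PRB-1001", "impact": "high", "urgency": "high", "priority": 1,
     "opened": "2007-03-01T09:00", "closed": "2007-03-02T17:00",
     "stakeholder_confirmed": True, "root_cause": "faulty RAID controller firmware"},
    {"id": "PRB-1002", "impact": "high", "urgency": "low", "priority": 1,
     "opened": "2007-03-01T09:00", "closed": None,
     "stakeholder_confirmed": False, "root_cause": ""},
    {"id": "PRB-1003", "impact": "low", "urgency": "low", "priority": 5,
     "opened": "2007-02-01T09:00", "closed": "2007-03-10T09:00",
     "stakeholder_confirmed": False, "root_cause": "print spooler misconfiguration"},
]
REVIEW_DATE = datetime(2007, 3, 20, 9, 0)

if __name__ == "__main__":
    for problem_id, issues in audit_problems(SAMPLE, REVIEW_DATE).items():
        print(problem_id, "; ".join(issues))
```

Run against the constructed sample, the first record passes, the second is flagged for a priority that does not match the matrix and for exceeding its SLA target while still open, and the third for late resolution and closure without stakeholder confirmation. Measuring age against the matrix priority rather than the recorded one is deliberate: a misclassified record should not earn itself a more lenient target.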

Page 209: USING COBIT - csbweb01.uncw.edu

DS11 Manage Data

Effective data management requires identifying data requirements. The data management process also includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media. Effective data management helps ensure the quality, timeliness and availability of business data.

Control Objective
DS11.1 Business Requirements for Data Management
Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support data processing restart and reprocessing needs.

Value Drivers
• Data management in support of business requirements
• Guidance for data handling
• Data transactions authorised
• Safeguarded storage of sources

Risk Drivers
• Data management failing to support business requirements
• Security breaches
• Business, legal and regulatory requirements not met

Test the Control Design
• Obtain the inventory of data elements.
• For each data element, confirm that requirements for confidentiality, integrity and availability have been defined and that these requirements have been validated with the data owners.
• Ensure that controls commensurate with requirements have been defined and implemented.

Control Objective
DS11.2 Storage and Retention Arrangements
Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation's security policy and regulatory requirements.

Value Drivers
• Data management in support of business requirements
• Guidance for data handling
• Safeguarded storage of sources
• Data retrieved in an efficient manner

Risk Drivers
• Data not protected from unauthorised viewing or altering
• Documents not retrieved when needed
• Non-compliance with regulatory and legal obligations
• Unauthorised data access

Test the Control Design
• Review the data model, and ensure that storage techniques satisfy business requirements.
• Review retention periods for data, and ensure that they are in line with contractual, legal and regulatory requirements.

Page 210: USING COBIT - csbweb01.uncw.edu

Control Objective
DS11.3 Media Library Management System
Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.

Value Drivers
• Accounting of all media
• Improved backup management
• Safeguarding of data availability
• Reduced time for data restoration

Risk Drivers
• Media integrity compromised
• Backup media unavailable when needed
• Unauthorised access to data tapes
• Destruction of backups
• Inability to determine location of backup media

Test the Control Design
• Obtain the media inventory and, on a sample basis, ensure that media on the inventory list can be identified and items in storage can be traced back to the inventory.
• On a sample basis, confirm that external labels correspond with internal labels, or otherwise validate that external labels are affixed to the correct media.

Control Objective
DS11.4 Disposal
Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.

Value Drivers
• Proper protection of corporate information
• Enhanced backup management
• Safeguarding of data availability

Risk Drivers
• Disclosure of corporate information
• Compromised integrity of sensitive data
• Unauthorised access to data tapes

Test the Control Design
• Enquire whether and confirm that:
  – Responsibility for the development and communication of policies on disposal is clearly defined
  – Equipment and media containing sensitive information are sanitised prior to reuse or disposal in such a way that data marked as 'deleted' or 'to be disposed' cannot be retrieved (e.g., media containing highly sensitive data have been physically destroyed)
  – Disposed equipment and media containing sensitive information have been logged to maintain an audit trail
  – There is a procedure to remove active media from the media inventory list upon disposal. Check that the current inventory has been updated to reflect recent disposals in the log.
  – Unsanitised equipment and media are transported in a secure way throughout the disposal process
  – Disposal contractors have the necessary physical security and procedures to store and handle the equipment and media before and during disposal
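The DS11.3 and DS11.4 tests above are a three-way reconciliation: what the inventory lists, what is physically in the store, and what the disposal log says has left. The following is an added example, not part of the ITGI guide, of that reconciliation in code; the record layouts, the media identifiers and the rule that highly sensitive media must be physically destroyed are assumptions chosen for illustration, and all three data sets are constructed.

```python
"""Added example (not from the ITGI guide): reconciling a media inventory, a physical count of
the media store and the disposal log. Record layouts and the rule that highly sensitive media
must be physically destroyed are assumptions for illustration."""

# Constructed inventory: media id -> (classification, status).
INVENTORY = {
    "TAPE-0001": ("high", "stored"),
    "TAPE-0002": ("internal", "stored"),
    "TAPE-0003": ("high", "stored"),      # disposal log says shredded; inventory never updated
    "DISK-0010": ("internal", "in-use"),
}
# Constructed result of physically checking the media safe.
IN_STORAGE = {"TAPE-0001", "TAPE-0002", "TAPE-0099"}  # TAPE-0099 has no inventory record
# Constructed disposal log: (media id, classification, sanitisation method).
DISPOSAL_LOG = [
    ("TAPE-0003", "high", "shredded"),
    ("TAPE-0042", "high", "overwritten"),  # assumed policy: 'high' requires physical destruction
    ("TAPE-0043", "internal", ""),         # method never recorded
]
# Assumed set of methods that count as physical destruction.
PHYSICAL_DESTRUCTION = {"shredded", "incinerated", "degaussed and shredded"}

def reconcile(inventory, in_storage, disposal_log):
    """Return (media id, finding) pairs for every discrepancy between the three sources."""
    findings = []
    listed_as_stored = {m for m, (_, status) in inventory.items() if status == "stored"}
    # Items found in storage must trace back to an inventory record.
    for m in sorted(in_storage - set(inventory)):
        findings.append((m, "in storage but not on inventory"))
    # Items the inventory says are stored must actually be there.
    for m in sorted(listed_as_stored - in_storage):
        findings.append((m, "listed as stored but not found in storage"))
    # Disposed media must be off the inventory and sanitised according to classification.
    for m, classification, method in disposal_log:
        if m in inventory:
            findings.append((m, "disposed but still on inventory"))
        if not method:
            findings.append((m, "no sanitisation method recorded"))
        elif classification == "high" and method not in PHYSICAL_DESTRUCTION:
            findings.append((m, f"highly sensitive media not physically destroyed ({method})"))
    return findings

if __name__ == "__main__":
    for media_id, finding in reconcile(INVENTORY, IN_STORAGE, DISPOSAL_LOG):
        print(media_id, finding)
```

On the constructed data the script surfaces one unrecorded item in the safe, one tape the inventory still carries although the log says it was shredded, one highly sensitive tape that was only overwritten, and one disposal with no method recorded. The same comparison scales to a full inventory export; the sample-based wording of the test step reflects manual effort, not a limit of the control.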

Page 211: USING COBIT - csbweb01.uncw.edu

Control Objective
DS11.5 Backup and Restoration
Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.

Value Drivers
• Corporate information properly restored
• Enhanced backup management aligned with the business requirements and the backup plan
• Safeguarding of data availability and integrity

Risk Drivers
• Disclosure of corporate information
• Inability to recover backup data when needed
• Recovery procedures failing to meet business requirements
• Inability to restore data in the event of a disaster
• Inappropriate time requirement for performing backups

Test the Control Design
• Enquire whether and confirm that:
  – Critical data that affect business operations are periodically identified in alignment with the risk management model and IT service continuity plan
  – Adequate policies and procedures for the backup of systems, applications, data and documentation exist and consider factors including:
    . Frequency of backup (e.g., disk mirroring for real-time backups vs. DVD-ROM for long-term retention)
    . Type of backup (e.g., full vs. incremental)
    . Type of media
    . Automated online backups
    . Data types (e.g., voice, optical)
    . Creation of logs
    . Critical end-user computing data (e.g., spreadsheets)
    . Physical and logical location of data sources
    . Security and access rights
    . Encryption
  – Responsibilities have been assigned for taking and monitoring backups
  – A schedule exists for taking and logging backups in accordance with established policies and procedures
  – System, application, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. The return of backups from third parties should be required and escrow or deposit arrangements considered.
  – Requirements for onsite and offsite storage of backup data have been defined that meet the business requirements, including the access required to backup data
  – Sufficient restoration tests have been performed periodically to ensure that all components of backups can be effectively restored
  – The time frame required for restoration has been agreed upon and communicated with the business or IT process owner. The priority for data recovery has been based on business requirements and IT service continuity procedures.

Page 212: USING COBIT - csbweb01.uncw.edu

Control Objective
DS11.6 Security Requirements for Data Management
Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.

Value Drivers
• Sensitive information properly secured and protected
• Ability to view or alter information available to authorised users
• Completeness and accuracy of transmitted data

Risk Drivers
• Sensitive data misused or destroyed
• Unauthorised data access
• Incompleteness and inaccuracy of transmitted data
• Data altered by unauthorised users

Test the Control Design
• Enquire whether and confirm that:
  – A process is in place that identifies sensitive data and addresses the business need for confidentiality of the data, compliance with applicable laws and regulations has been addressed, and the classification of data has been agreed upon with the business process owners
  – A policy has been defined and implemented to protect sensitive data and messages from unauthorised access and incorrect transmission and transport, including, but not limited to, encryption, message authentication codes, hash totals, bonded couriers and tamper-resistant packaging for physical transport
  – Requirements have been established for physical and logical access to data output, and confidentiality of output is clearly defined and taken into consideration
  – Rules and procedures have been established for end-user access to data and management and backup of sensitive data
  – Rules and procedures have been established for end-user applications that may adversely impact data stored on end-user computers or networked applications or data (e.g., consider policies on user rights on networked personal computers)
  – Awareness programmes have been instituted to create and maintain awareness of security in the handling and processing of sensitive data
  – Sensitive information processing facilities are within secure physical locations protected by defined security perimeters coupled with appropriate surveillance, security barriers and entry controls
  – The design of the physical infrastructure prevents losses from fire, interference, external attack or unauthorised access. There are secure output drop-off points for sensitive outputs or transfer of data to third parties.
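The DS11.6 test step lists message authentication codes and hash totals side by side, and the difference between them matters when judging whether a transmission control actually addresses the "data altered by unauthorised users" risk driver: a hash total detects accidental corruption, but anyone who can alter the batch in transit can recompute it. The following is an added example, not part of the ITGI guide, showing both controls on a constructed batch file; the batch layout, trailer fields and pre-shared key are assumptions chosen for illustration.

```python
"""Added example (not from the ITGI guide): hash totals and a message authentication code on a
transmitted batch file. The batch layout, the trailer fields and the pre-shared key are
assumptions for illustration."""
import hashlib
import hmac
import json

# Assumed pre-shared key, distributed to sender and receiver out of band.
SHARED_KEY = b"assumed-pre-shared-key-distributed-out-of-band"

def control_totals(batch):
    """Unkeyed trailer: record count, amount total and a SHA-256 hash total of the body."""
    body = "\n".join(batch).encode()
    return {
        "records": len(batch),
        "amount_total": sum(int(line.split(",")[2]) for line in batch),
        "sha256": hashlib.sha256(body).hexdigest(),
    }

def _mac_input(batch, trailer):
    # Canonical serialisation so sender and receiver MAC exactly the same bytes.
    return ("\n".join(batch) + "\n" + json.dumps(trailer, sort_keys=True)).encode()

def seal(batch, key):
    """Sender side: body, trailer and an HMAC covering both."""
    trailer = control_totals(batch)
    mac = hmac.new(key, _mac_input(batch, trailer), hashlib.sha256).hexdigest()
    return {"batch": list(batch), "trailer": trailer, "mac": mac}

def verify(envelope, key):
    """Receiver side: recompute the trailer and the HMAC; compare the MAC in constant time."""
    batch, trailer = envelope["batch"], envelope["trailer"]
    expected_mac = hmac.new(key, _mac_input(batch, trailer), hashlib.sha256).hexdigest()
    return {
        "totals_ok": control_totals(batch) == trailer,
        "mac_ok": hmac.compare_digest(expected_mac, envelope["mac"]),
    }

# Constructed sample batch: sequence,account,amount
BATCH = ["1,ACC-100,2500", "2,ACC-200,1200", "3,ACC-300,300"]

def corrupt_in_transit(envelope):
    """Accidental corruption: one amount changed, trailer left as sent."""
    damaged = dict(envelope)
    damaged["batch"] = [line.replace("ACC-200,1200", "ACC-200,1210") for line in envelope["batch"]]
    return damaged

def tamper_and_recompute(envelope):
    """Deliberate modification by someone on the transfer path who recomputes the unkeyed trailer."""
    forged = [line.replace("ACC-300,300", "ACC-300,30000") for line in envelope["batch"]]
    return {"batch": forged, "trailer": control_totals(forged), "mac": envelope["mac"]}

if __name__ == "__main__":
    sent = seal(BATCH, SHARED_KEY)
    print("as sent:       ", verify(sent, SHARED_KEY))
    print("corrupted:     ", verify(corrupt_in_transit(sent), SHARED_KEY))
    print("forged trailer:", verify(tamper_and_recompute(sent), SHARED_KEY))
```

The corrupted batch fails both checks; the forged batch passes the hash total and the amount total but fails the MAC, because the attacker cannot recompute it without the key. When reviewing a transmission control, ask which of the two the organisation actually relies on, and where the key lives: a MAC key stored next to the file it protects gives no more assurance than the hash total.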

Page 213: USING COBIT - csbweb01.uncw.edu

Take the following steps to test the outcome of the control objectives:
• Review business requirements documentation to ensure that the documentation mechanism is being used as designed.
• Inspect the data management tools to make sure that they are being used as described.
• Verify that access to media and systems is restricted to authorised personnel.
• Verify if media that are susceptible to degradation, such as tape, are routinely replaced.
• Select a sample of the media disposal list and verify that the disposed media are not on the media inventory list.
• Inspect on- and offsite storage facilities and check for accessibility.
• Review a sample of test results to ensure that restorations are successful and the time required for restoration is reconciled with SLAs and continuity requirements.
• Verify that backup information is stored offsite, as required by continuity processes.
• Verify that procedures to ensure integrity of archived information are in place and followed.

Take the following steps to document the impact of the control weaknesses:
• Enquire whether and confirm that a policy is in place that meets business requirements for disposal or reuse of equipment and media to minimise the risk of exposure of sensitive data to unauthorised persons.
• Enquire whether and confirm that critical data that affect business operations are periodically identified, in alignment with the risk management model and IT service continuity plan.
• Verify that consideration is given to the confidentiality, integrity and availability of the data as well as applicable laws and regulations.

Page 214: USING COBIT - csbweb01.uncw.edu

DS12 Manage the Physical Environment

Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of managing the physical environment includes defining the physical site requirements, selecting appropriate facilities, and designing effective processes for monitoring environmental factors and managing physical access. Effective management of the physical environment reduces business interruptions from damage to computer equipment and personnel.

Control Objective
DS12.1 Site Selection and Layout
Define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, whilst considering relevant laws and regulations, such as occupational health and safety regulations.

Value Drivers
• Minimised threats to physical security
• Decreased risk of a physical attack on the IT site via reduction of the possibility of the site being identified by unauthorised persons who may initiate such an attack
• Reduction in insurance costs as a result of demonstrating optimal physical security management

Risk Drivers
• Threats to physical security not identified
• Increased vulnerability to security risks, resulting from site location and/or layout

Test the Control Design
• Enquire whether and confirm that:
  – Physical sites for IT equipment have been selected according to a technology strategy that meets business requirements and a security policy, considering such issues as geographic position, neighbours, infrastructure and risks (e.g., theft, temperature, fire, smoke, water, vibration, terrorism, vandalism, chemicals, explosives)
  – A process is defined and implemented that identifies the potential risks and threats to the organisation's IT sites and assesses the business impact on an ongoing basis, taking into account the risk associated with natural and man-made disasters
  – The selection and design of the site take into account relevant laws and regulations, such as building codes; environmental, fire, electrical engineering; and occupational health and safety regulations

Page 215: USING COBIT - csbweb01.uncw.edu

Control Objective
DS12.2 Physical Security Measures
Define and implement physical security measures in line with business requirements to secure the location and the physical assets. Physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals or explosives.

Value Drivers
• Protection of critical IT systems from physical threats
• Effective deployment of physical security measures
• Promotion of awareness amongst staff and management of the organisation's requirements for physical security

Risk Drivers
• Threats to physical security not identified
• Hardware stolen by unauthorised people
• Physical attack on the IT site
• Devices reconfigured without authorisation
• Confidential information being accessed by devices configured to read the radiation emitted by the computers

Test the Control Design
• Enquire whether and confirm that:
  – A policy is defined and implemented for the physical security and access control measures to be followed for IT sites. The policy is regularly reviewed to ensure that it remains relevant and up to date.
  – Access to information about sensitive IT sites and their design plans is limited
  – External signs and other identification of sensitive IT sites are discreet and do not obviously identify the site from outside
  – Organisational directories/site maps do not identify the location of the IT site
  – The design of physical security measures takes into account the risks associated with the business and operation. Where appropriate, physical security measures include alarm systems, building hardening, armoured cabling protection, secure partitioning, etc.
  – Tests of the preventive, detective and corrective physical security measures are performed periodically to verify design, implementation and effectiveness
  – The site design takes into account the physical cabling of telecommunication and piping of water, power and sewer
  – A process supported by the appropriate authorisation is defined and implemented for the secure removal of IT equipment
  – Receiving and shipping areas of IT equipment are safeguarded in the same manner and scope as normal IT sites and operations
  – A policy and process are defined to transport and store equipment securely
  – A process exists to ensure that storage devices containing sensitive information are physically destroyed or sanitised
  – A process exists for recording, monitoring, managing, reporting and resolving physical security incidents, in line with the overall IT incident management process
  – Particularly sensitive sites are checked frequently (including weekends and holidays) by security personnel

Page 216: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE 216

DS12.3 Physical Access
Control Objective
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

Value Drivers
• Appropriate access to ensure timely resolution of a critical incident
• All visitors identifiable and traceable
• Staff aware of responsibilities in respect to visitors

Risk Drivers
• Visitors gaining unauthorised access to IT equipment or information
• Unauthorised entry to secure areas

Test the Control Design
• Enquire whether and confirm that:
– A process is in place that governs the requesting and granting of access to the computing facilities
– Formal access requests are completed and authorised by management of the IT site, the records are retained, and the forms specifically identify the areas to which the individual is granted access. This is verified by observation or review of approvals.
– Procedures are in place to ensure that access profiles remain current. Verify that access to IT sites (server rooms, buildings, areas or zones) is based on job function and responsibilities.
– There is a process to log and monitor all entry points to IT sites, registering all visitors, including contractors and vendors, to the site
– A policy exists instructing all personnel to display visible identification at all times and prevents the issuance of identity cards or badges without proper authorisation. Observe whether badges are being worn in practice.
– A policy exists requiring visitors to be escorted at all times by a member of the IT operations group whilst onsite, and individuals who are not wearing appropriate identification are pointed out to security personnel
– Access to sensitive IT sites is restricted through perimeter restrictions, such as fences/walls and security devices on interior and exterior doors. Verify that the devices record entry and sound an alarm in the event of unauthorised access. Examples of such devices include badges or keycards, keypads, closed-circuit television and biometric scanners.
– Regular physical security awareness training is conducted. Verify by reviewing training logs.

Page 217: USING COBIT - csbweb01.uncw.edu


APPENDIX IV

DS12.4 Protection Against Environmental Factors
Control Objective
Design and implement measures for protection against environmental factors. Install specialised equipment and devices to monitor and control the environment.

Value Drivers
• Identification of all potential environmental threats to the IT facilities
• Prevention or timely detection of environmental threats
• Reduced risk of claims against insurance companies being rejected for non-compliance with the requirements of insurance policies, and minimised insurance premiums
• Appropriate protection against environmental factors

Risk Drivers
• Facilities exposed to environmental impacts
• Inadequate environmental threat detection
• Inadequate measures for environmental threat protection

Test the Control Design
• Enquire whether and confirm that:
– A process is in place to identify natural and man-made disasters that might occur in the area within which the sensitive IT facilities are located. Review reports to verify that the potential impact is assessed according to business continuity planning procedures.
– A policy is in place that outlines how IT equipment, including mobile and offsite equipment, is protected against theft and environmental threats. Review documentation to ensure that the policy, for example, bars eating, drinking and smoking in sensitive areas, and prohibits storage of stationery and other supplies posing a fire hazard within computer rooms.
– IT facilities are situated and constructed in a way to minimise and mitigate susceptibility to environmental threats
– Suitable devices are in place that will detect environmental threats. Inspect continuous monitoring done at these devices.
– Alarms or other notifications are raised in case of an environmental exposure, procedures in response to such occurrences are documented and tested, and personnel are given suitable training
– A process is in place to compare measures and contingency plans against insurance policy requirements. Review the reports and the insurance policy to verify compliance.
– Management takes action to ensure that any points of non-compliance are addressed in a timely manner
– IT sites are built in locations that minimise the impact of environmental risk, such as theft, air, fire, smoke, water, vibration, terrorism and vandalism. Physically inspect the locations of the IT sites to ensure that the design is properly implemented. Review the risk assessment report made prior to the design and construction of the site.
– A policy is in place to ensure ongoing cleaning and clean-up in proximity of IT operations. Check the IT sites and server rooms to make sure that they are kept in a clean, tidy and safe condition at all times (e.g., no mess/litter, paper or cardboard boxes, filled dustbins, flammable chemicals or materials). Enquire whether the sites are always kept clean.

Page 218: USING COBIT - csbweb01.uncw.edu


DS12.5 Physical Facilities Management
Control Objective
Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.

Value Drivers
• Protection of critical IT systems from the effects of power outages and other facility-related risks
• Effective and efficient use of facility resources

Risk Drivers
• Non-compliance with health and safety regulations
• IT systems failure due to improper protection from power outages and other facility-related risks
• Accidents to staff members

Test the Control Design
• Enquire whether and confirm that:
– A process exists that examines the IT facilities' need for protection against environmental conditions and power fluctuations and outages, in conjunction with other business continuity planning procedures
– Uninterruptible power supplies (UPSs) are acquired and meet availability and business continuity requirements
– A process is in place to regularly test the UPS's operation and to ensure that power can be switched to the supply without any significant effect on business operations
– The tests have been performed and corrective action is taken where needed
– In facilities housing sensitive IT systems, more than one power supply entry is available
– The physical entrance of power is separated
– Cabling external to the IT site is located underground or has suitable alternative protection
– Blueprints and plans exist
– Cabling within the IT site is contained within secured conduits
– Cabling is protected and hardened against environmental risk
– Wiring cabinets are locked with restricted access
– Cabling and physical patching (data and phone) are well structured and organised
– Documentation for cabling and conduits is available for reference
– For facilities housing high-availability systems, analysis is done for redundancy and fail-over cabling requirements (external and internal)
– A process is in place to ensure that IT sites and facilities are in ongoing compliance with relevant health and safety laws, regulations, guidelines, or vendor specifications
– A process is in place to educate personnel on health and safety laws, regulations or guidelines. This also includes education of personnel on fire and rescue drills to ensure knowledge and actions made in case of fire or similar incidents.
– The training programme assesses knowledge of the guidelines and the training programme is documented
– A process is in place to record, monitor, manage and resolve facilities incidents in line with the IT incident management process
– Reports on incidents are made available where disclosure is required in terms of laws and regulations
– A process is in place to ensure that IT sites and equipment are maintained per the supplier's recommended service intervals and specifications
– Maintenance is carried out only by authorised personnel. Review documentation and enquire of personnel to confirm.
– Physical alterations to IT sites or premises are analysed to reassess the environmental risk (e.g., fire, water damage)
– Results of this analysis are reported to business continuity and facilities management
• Walk through the facilities and compare findings with the health and safety guidelines.
• Enquire of personnel about possible breaches of the standards.
• Walk through recently changed sites to ensure that they still meet standards for risks.

Page 219: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Review the risk analysis report to verify that the report has been updated within the last year.
• Review policies to verify that new/updated regulations and laws are reflected in the policies.
• Walk through the areas to ensure that they are secure according to procedures.
• Review the security logs for confirmation of minimum security checks.
• Inspect the logs to verify that they include, at minimum, the visitor's name, the visitor's company, the purpose of the visit, the name of the member of the IT operations group authorising the visit, the date of visit, and the times of entry and exit.
• Select a sample of personnel with badges and verify authorisation.
• Verify whether wiring cabinets are locked and have restricted access.
• Verify that documentation for cabling and conduits is available for reference.
• Walk through the facilities and compare findings with the health and safety guidelines.
• Interview personnel to assess their knowledge of the guidelines.

Take the following steps to document the impact of the control weaknesses:
• Verify that special considerations are taken into account (e.g., geographic position, neighbours, infrastructure). Other risks that need consideration are theft, temperature, fire, smoke, water, vibration, terrorism, vandalism, chemicals and explosives.
• Enquire whether and confirm that a process exists that examines the IT facilities' need for protection against environmental conditions and power fluctuations and outages, in conjunction with other business continuity planning procedures.
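An added example, not from the guide, of how an assurance practitioner might script the log tests in the steps above: it checks each visitor log entry for the minimum fields the guide lists, confirms that the authorising person belongs to the IT operations group and that the recorded exit follows the entry, and reconciles badge-reader events against a badge register to find badges issued without authorisation or used in areas never granted. The log entries, the badge register, the IT operations group membership and every field name are constructed for the example and are assumptions rather than data from any real site.

```python
"""
Added example (not from the IT Assurance Guide): an auditor's script that
applies the DS12 outcome tests to a visitor log and a badge register.
All records below are constructed for the example; field names, the
IT operations group membership and the badge register are assumptions.
"""
from datetime import datetime

# Fields the guide says a visitor log must hold at minimum.
REQUIRED_FIELDS = ("visitor_name", "company", "purpose",
                   "authorised_by", "date", "time_in", "time_out")

# Assumed members of the IT operations group allowed to authorise a visit.
IT_OPERATIONS_GROUP = {"A. Ortiz", "M. Chen"}

# Assumed badge register: badge id -> holder, authorisation flag, granted areas.
BADGE_REGISTER = {
    "B-1001": {"holder": "J. Smith", "authorised": True, "areas": {"server-room"}},
    "B-1002": {"holder": "K. Patel", "authorised": True, "areas": {"office"}},
    "B-1003": {"holder": "contractor-9", "authorised": False, "areas": set()},
}

# Constructed visitor log entries (one dict per visit).
VISITOR_LOG = [
    {"visitor_name": "R. Lee", "company": "Vendor Co", "purpose": "UPS maintenance",
     "authorised_by": "A. Ortiz", "date": "2024-03-04", "time_in": "09:05", "time_out": "11:40"},
    {"visitor_name": "S. Kim", "company": "Cabling Ltd", "purpose": "patching",
     "authorised_by": "", "date": "2024-03-04", "time_in": "13:10", "time_out": "14:00"},
    {"visitor_name": "T. Wu", "company": "Audit LLP", "purpose": "site walk-through",
     "authorised_by": "P. Nobody", "date": "2024-03-05", "time_in": "10:00", "time_out": "09:30"},
    {"visitor_name": "D. Ross", "company": "Vendor Co", "purpose": "HVAC check",
     "authorised_by": "M. Chen", "date": "2024-03-05", "time_in": "15:00", "time_out": ""},
]

# Constructed badge-reader events: (badge id, area entered).
BADGE_EVENTS = [
    ("B-1001", "server-room"),
    ("B-1002", "server-room"),   # holder is only granted the office area
    ("B-1003", "office"),        # badge was never authorised
    ("B-9999", "server-room"),   # badge absent from the register
]


def check_visitor_entry(entry):
    """Return the list of exceptions for one visitor log entry (empty = clean)."""
    issues = []
    missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
    if missing:
        issues.append("missing " + ",".join(missing))
    # The authorising person must be a member of the IT operations group.
    if entry.get("authorised_by") and entry["authorised_by"] not in IT_OPERATIONS_GROUP:
        issues.append("authoriser not in IT operations group")
    # Exit time must follow entry time when both are recorded.
    if entry.get("time_in") and entry.get("time_out"):
        t_in = datetime.strptime(entry["date"] + " " + entry["time_in"], "%Y-%m-%d %H:%M")
        t_out = datetime.strptime(entry["date"] + " " + entry["time_out"], "%Y-%m-%d %H:%M")
        if t_out <= t_in:
            issues.append("exit not after entry")
    return issues


def audit_visitor_log(log):
    """Map visitor name -> exceptions, for the entries that fail any test."""
    result = {}
    for entry in log:
        issues = check_visitor_entry(entry)
        if issues:
            result[entry["visitor_name"]] = issues
    return result


def audit_badge_events(events, register):
    """Return badge events that the register does not justify."""
    exceptions = []
    for badge, area in events:
        rec = register.get(badge)
        if rec is None:
            exceptions.append((badge, area, "badge not in register"))
        elif not rec["authorised"]:
            exceptions.append((badge, area, "badge issued without authorisation"))
        elif area not in rec["areas"]:
            exceptions.append((badge, area, "area not granted"))
    return exceptions


if __name__ == "__main__":
    for name, issues in audit_visitor_log(VISITOR_LOG).items():
        print(f"{name}: {'; '.join(issues)}")
    for badge, area, why in audit_badge_events(BADGE_EVENTS, BADGE_REGISTER):
        print(f"{badge} @ {area}: {why}")
```

Run against the constructed data, the visitor audit flags S. Kim (no authoriser recorded), T. Wu (authoriser outside the IT operations group, exit before entry) and D. Ross (still on site, no exit time), and the badge audit flags B-1002, B-1003 and B-9999; each exception is the evidence an auditor would carry into the working papers for the corresponding outcome test.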

Page 220: USING COBIT - csbweb01.uncw.edu


DS13 Manage Operations
Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware. This process includes defining operating policies and procedures for effective management of scheduled processing, protecting sensitive output, monitoring infrastructure performance and ensuring preventive maintenance of hardware. Effective operations management helps maintain data integrity and reduces business delays and IT operating costs.

DS13.1 Operations Procedures and Instructions
Control Objective
Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to support agreed-upon service levels and ensure continuous operations.

Value Drivers
• Demonstration that IT operations are meeting SLAs
• Promotion of continuity of operational support by documenting staff experience and retaining it in a knowledge base
• Structured, standardised and clearly documented IT operations procedures and support staff instructions
• Reduced time to transfer knowledge between skilled operation support staff and new recruits

Risk Drivers
• Errors and rework due to misunderstanding of procedures
• Inefficiencies due to unclear and/or non-standard procedures
• Inability to deal quickly with operational problems, new staff and operational changes

Test the Control Design
• Inspect a copy of the standard IT operational procedures.
• Review operational procedures for completeness. Content may include roles and responsibilities of IT staff members, organisation charts, direct supervisor roles and reports, procedures for abnormal operating system termination, a callout list in the case of emergency, etc.
• Inspect the organisation chart and review job roles.

DS13.2 Job Scheduling
Control Objective
Organise the scheduling of jobs, processes and tasks into the most efficient sequence, maximising throughput and utilisation to meet business requirements.

Value Drivers
• Optimised use of system resources by equalising loads and minimising the impact to online users
• Minimised effect of changes to job schedules to avoid production disruptions

Risk Drivers
• Resource utilisation peaks
• Problems with scheduling of ad hoc jobs
• Reruns or restarts of jobs

Test the Control Design
• Enquire whether and confirm that:
– Batch job execution procedures are complete
– Procedures include an expected daily job schedule, point of contacts in the case of job failures and a running list of job failure codes
– Batch job duties and responsibilities for each computer operator exist
– Computer operator shift schedules exist
– Schedules include start and end shifts and names of the operators
– At least one operator is present during the execution of batch jobs

Page 221: USING COBIT - csbweb01.uncw.edu


DS13 Manage Operations (cont.)

DS13.3 IT Infrastructure Monitoring
Control Objective
Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.

Value Drivers
• Proactive detection of infrastructure problems likely to result in an incident
• Ability to monitor trends and deal with potential infrastructure problems before they occur
• Ability to optimise the deployment and use of resources

Risk Drivers
• Infrastructure problems undetected and occurrence of incidents
• Infrastructure problems causing greater operational and business impact than if they had been prevented or detected earlier
• Poorly utilised and deployed infrastructure resources

Test the Control Design
• Enquire whether and confirm that:
– A planned process for event logging identifies the level of information to be recorded based on a consideration of risk and performance
– Infrastructure assets that need to be monitored are identified based on service criticality and the relationship between configuration items and services that depend on them
– Documentation of the process plan for logging exists. Physically inspect the documents.
– The list of assets properly identifies the assets. Enquire of personnel as to what assets are most important, and trace those assets to the list.

DS13.4 Sensitive Documents and Output Devices
Control Objective
Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special purpose printers or security tokens.

Value Drivers
• Additional protection for special forms and commercially sensitive output data through inventory management
• Prevention of theft, fraud, tampering, destruction or other abuses of sensitive IT assets
• Verification of access authorisations before granting physical access to special forms and output devices, and retention of evidence regarding the integrity of special output devices

Risk Drivers
• Misuse of sensitive IT assets, leading to financial losses and other business impacts
• Inability to account for all sensitive IT assets

Test the Control Design
• Enquire whether and confirm that:
– Procedures exist to govern the receipt, removal and disposal of special forms and output devices into, within and out of the organisation
– At least a semi-annual review exists of access to sensitive assets
– A procedure exists to gain, change and remove access to sensitive assets
– Removal and disposal procedures documentation exists

Page 222: USING COBIT - csbweb01.uncw.edu


DS13.5 Preventive Maintenance for Hardware
Control Objective
Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or performance degradation.

Value Drivers
• Optimised system performance and availability
• Preventive incident and problem management
• Protection of warranties

Risk Drivers
• Infrastructure problems that could have been avoided or prevented
• Warranties violated due to non-compliance with maintenance requirements

Test the Control Design
• Enquire whether and confirm that:
– A preventive maintenance plan for all critical hardware is in place and that it is designed considering cost-benefit analysis, vendor recommendations, risk of outage, qualified personnel and other relevant factors
– Activity logs are reviewed for identification of preventive maintenance needs, and the expected impact (e.g., performance restrictions, SLAs) of maintenance activities is communicated to affected customers and users

Page 223: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Enquire whether and confirm that standard IT operational procedures that support agreed-upon service levels are in place. Procedures should include a trouble escalation system to track and monitor downtime.
• Enquire whether and confirm that roles and responsibilities, including those of external service providers, are defined. Review any relevant documentation for existence.
• Enquire whether and confirm that support staff members are aware of and understand the operations procedures and related tasks for which they are responsible. Walk through the support staff work area to confirm that the operations processes are being implemented correctly.
• Enquire whether and confirm that the procedures are consistently maintained and implemented properly by reviewing logs.
• Enquire whether and confirm that handover communications and related responsibilities are defined.
• Enquire whether and confirm that procedures for exception handling exist and are integrated with incident management.
• Confirm job and role descriptions for segregation of duties. For example, computer operators should not have access to the programs, and computer programmers should not have access to production data or write directly to the media (BLP, bypass label processing).
• Verify the existence of documentation of the procedures. Observe and interview staff members to verify adherence to the procedures.
• Inspect access privileges to verify that segregation of duties is appropriate.
• Inspect documentation and interview operational staff members to verify that procedures are followed.
• Observe operational staff members to confirm use of procedures and document performance.
• Enquire whether and confirm that scheduling of batch jobs is controlled by the use of job scheduling software. Ensure that proper security controls are in place to prevent unauthorised jobs from running.
• Enquire whether and confirm that batch jobs are scheduled.
• Evaluate the scheduling process to ensure that the scheduling of batch jobs takes into consideration:
– Business requirements
– Priority of job
– Conflicts between jobs
– Workload balancing (performance and capacity management)
• Enquire whether and confirm that the outcomes of batch jobs are monitored and verified.
• Enquire whether and confirm that automated processes are in place to immediately notify when batch jobs fail. Inspect hardware and software related to the automated processes to verify existence.
• Ensure that control of batch jobs is not limited to technical information (e.g., time required to complete the job) and that business process requirements for the data are controlled (e.g., completeness and correctness of data processed).
• Inspect relevant documentation for existence and to ensure that the formal procedures properly address the scheduling of batch jobs.
• Inspect change documentation to verify accuracy.
• Verify the existence of schedules.
• Inspect documentation and evidence that batch job incidents were raised and solved in a timely manner.
• Enquire whether and confirm that rules are defined covering thresholds and event conditions and are implemented within the system to ensure that real events are triggered when required.
• Enquire whether and confirm that event logs are produced and kept for an appropriate period to assist in future investigations and access control monitoring.
• Enquire whether and confirm that procedures for monitoring event logs are established, the results of the monitoring activities are reviewed regularly and, if appropriate, incidents are escalated to the service desk.
• Enquire whether and confirm that incidents are created for all deviations noted.
• Inspect event logs to ensure that they are not overloaded with minor events and that all major events are recorded.
• Inspect event logs to verify existence and appropriateness.
• Obtain a sample query of event log entries that may trigger a service desk ticket. Trace the event log entry to the service ticket logs.
• Enquire whether and confirm that access to sensitive documents and output devices is assigned appropriately.
• Enquire whether and confirm that a regular reconciliation of sensitive documents and devices is conducted. Perform a reconciliation of a sample of sensitive documents and devices, comparing actual to recorded amounts.
• Enquire whether and confirm that appropriate physical safeguards are established.
• Inspect and test the physical safeguards of sensitive assets.
• Inspect whether appropriate critical equipment is available.
• Enquire whether and confirm that all activity logs are reviewed on a regular basis, to identify critical hardware components that require preventive maintenance.
• Enquire whether and confirm that communication means are effective in informing users of the impact of outages immediately (e.g., e-mail, phone tree).
• Confirm with the business and IT that scheduling was performed in accordance with business requirements. Review the production schedule, and verify that all relevant equipment is considered and scheduling considers service requirements.

Page 224: USING COBIT - csbweb01.uncw.edu


• Physically inspect the hardware to confirm that maintenance has been taking place. Inspect the plan to ensure that it is designed effectively considering cost-benefit analysis, vendor recommendations, risk of outage, qualified personnel and other relevant factors.
• Determine if appropriate action is taken in a timely manner for critical maintenance.

Take the following steps to document the impact of the control weaknesses:
• Enquire whether a lack of documented procedures impacts continuous operations, i.e., computer operators are able to conduct daily operations without an operations manual, and lines of communication are known.
• Enquire whether undocumented IT operations procedures reflect current operations. If not, it may hinder cross-training or training of new hires and lead to improper procedures being followed during a shift turnover.
• Enquire whether and confirm that all batch jobs are completed via reports or other means.
• Observe that computer operators are monitoring and completing batch jobs as scheduled.
• Enquire of IT staff members about the last service outage, and review the event log for existence. Confirm that proper documentation, including reason and resolution, is recorded.
• Inspect event logs for a week-long period to confirm existence and enquire of IT staff members of resolution of event log entries.
• Inspect access to sensitive assets, and confirm whether access to assets is appropriate by tracing access to organisation chart.
• Observe physical safeguards to assets, and determine whether such safeguards are appropriate.
• Physically inspect the hardware to confirm that maintenance has been taking place. Inspect the plan to ensure that it is designed effectively considering cost-benefit analysis, vendor recommendations, risk of outage, qualified personnel and other relevant factors.
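An added example, not from the guide, scripting three of the DS13.3 outcome tests above: that the operations event log carries chronological information good enough to reconstruct the sequence of events, that threshold and event-condition rules are applied so that real events are triggered on the critical assets, and that each triggered entry can be traced to a service desk ticket. The log line format, the asset criticality list, the rules, the 15-minute tracing window and the ticket records are all constructed assumptions, not the format of any real monitoring or service desk product.

```python
"""
Added example (not from the IT Assurance Guide): an auditor's script for
the DS13.3 outcome tests. Log lines, criticality list, threshold rules
and ticket records are constructed; the "ts|asset|metric|value" line
format and every name below are assumptions.
"""
from datetime import datetime, timedelta

# Constructed operations event log, one "ts|asset|metric|value" line each.
EVENT_LOG = """\
2024-03-04T01:00:00Z|db-prod-01|disk_used_pct|71
2024-03-04T01:05:00Z|db-prod-01|disk_used_pct|93
2024-03-04T01:10:00Z|batch-sched|job_status|PAYROLL_NIGHTLY:FAILED
2024-03-04T01:04:00Z|web-01|cpu_pct|45
2024-03-04T01:15:00Z|web-01|cpu_pct|97
2024-03-04T01:20:00Z|test-box|cpu_pct|99
"""

# Assumed configuration items selected for monitoring by service criticality
# (DS13.3). Assets outside this set never trigger a real event.
CRITICAL_ASSETS = {"db-prod-01", "web-01", "batch-sched"}

# Assumed threshold / event-condition rules: metric -> predicate on the value.
RULES = {
    "disk_used_pct": lambda v: float(v) >= 90,
    "cpu_pct": lambda v: float(v) >= 95,
    "job_status": lambda v: v.endswith(":FAILED"),
}

# Constructed service desk ticket log: (opened_at, asset, metric).
TICKETS = [
    ("2024-03-04T01:07:00Z", "db-prod-01", "disk_used_pct"),
    ("2024-03-04T01:12:00Z", "batch-sched", "job_status"),
]

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse log lines into dicts with a real datetime, so they can be sequenced."""
    events = []
    for line in text.strip().splitlines():
        ts, asset, metric, value = line.split("|")
        events.append({"ts": datetime.strptime(ts, FMT), "asset": asset,
                       "metric": metric, "value": value})
    return events


def out_of_order(events):
    """Indexes of entries whose timestamp precedes the previous entry's.

    A log that cannot be read in time order cannot support the
    reconstruction of the time sequence of operations that DS13.3 requires.
    """
    return [i for i in range(1, len(events)) if events[i]["ts"] < events[i - 1]["ts"]]


def triggered(events):
    """Entries that satisfy a rule on a critical asset, i.e. the real events."""
    return [e for e in events
            if e["asset"] in CRITICAL_ASSETS
            and e["metric"] in RULES and RULES[e["metric"]](e["value"])]


def untraced(events, tickets, window=timedelta(minutes=15)):
    """Triggered entries with no ticket for the same asset/metric opened within `window`."""
    opened = [(datetime.strptime(t, FMT), a, m) for t, a, m in tickets]
    missing = []
    for e in triggered(events):
        if not any(a == e["asset"] and m == e["metric"] and e["ts"] <= t <= e["ts"] + window
                   for t, a, m in opened):
            missing.append(e)
    return missing


if __name__ == "__main__":
    ev = parse_log(EVENT_LOG)
    print("out-of-order entries:", out_of_order(ev))
    for e in untraced(ev, TICKETS):
        print("no ticket:", e["ts"].strftime(FMT), e["asset"], e["metric"], e["value"])
```

On the constructed data the script reports the fourth line as out of order (its timestamp is earlier than the line before it, which is exactly the defect that defeats reconstruction), treats the disk threshold, the failed payroll job and the web-01 CPU spike as real events while ignoring the non-critical test box, and finds that only the web-01 event has no ticket within the window; that untraced event is the deviation the guide says should have produced an incident.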

Page 225: USING COBIT - csbweb01.uncw.edu


APPENDIX V—MONITOR AND EVALUATE (ME) PROCESS ASSURANCE STEPS

ME1 Monitor and Evaluate IT Performance
Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, systematic and timely reporting of performance, and prompt acting upon deviations. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies.

Test the Control Design
• Obtain and review management's definition of critical business processes, strategic initiatives and key IT processes to ensure that they support the corporate performance management system.
• Understand management's method of communicating its critical business processes, strategic initiatives and key IT processes.
• Confirm that there is a metrics-based monitoring approach for IT performance drivers (e.g., inspect corporate policies and other relevant documentation).
• Determine if the monitoring approach provides appropriate goal and performance indicators with efforts to instill ratios that bring important business issues to light.
• Identify whether appropriate systems are used to monitor IT performance.
• Interview members of management to identify their awareness of relationships and dependencies between IT processes when monitoring IT process activities (e.g., expectation gaps, undefined interfaces, 'things falling between the cracks', duplication of effort, inefficiencies).
• Understand management's approac

h re

gard

ing

revi

ew o

ver

the

rele

vanc

e of

inte

rdep

ende

ncie

s of

key

IT

pro

cess

es to

alig

n w

ith b

usin

ess

goal

s an

d ob

ject

ives

.

ME

1.1

Mon

itor

ing

App

roac

h E

stab

lish

a ge

nera

l mon

itori

ng f

ram

ewor

k an

d ap

proa

ch to

def

ine

the

scop

e,m

etho

dolo

gy a

nd p

roce

ss to

be

follo

wed

for

mea

suri

ng I

T’s

sol

utio

n an

d se

rvic

ede

liver

y, a

nd m

onito

r IT

’s c

ontr

ibut

ion

to th

e bu

sine

ss. I

nteg

rate

the

fram

ewor

kw

ith th

e co

rpor

ate

perf

orm

ance

man

agem

ent s

yste

m.

Valu

e D

river

sC

ontr

ol O

bjec

tive

• A tr

ansp

aren

t vie

w o

f IT

’spe

rfor

man

ce, b

ased

on

relia

ble

info

rmat

ion

• O

ppor

tuni

ties

for

impr

ovem

ent

iden

tifie

d•

Faci

litat

ed a

chie

vem

ent o

f bu

sine

ssan

d go

vern

ance

req

uire

men

ts•

Cos

t-ef

fici

ent I

T s

ervi

ces

• M

ore

info

rmed

IT

inve

stm

ent

deci

sion

s, im

prov

ing

valu

e de

liver

y •

Con

sist

ent u

se a

nd in

tegr

ity o

fpe

rfor

man

ce in

dica

tors

Ris

k D

river

s

• Pe

rfor

man

ce r

epor

ts b

ased

on

out-

of-

date

, ina

ccur

ate

or u

nrel

iabl

e da

ta•

Perf

orm

ance

met

rics

not

alig

ned

with

busi

ness

and

gov

erna

nce

requ

irem

ents

• L

ack

of ti

mel

y id

entif

icat

ion

of is

sues

rela

ted

to I

T a

nd b

usin

ess

alig

nmen

t•

Cus

tom

er e

xpec

tatio

ns a

nd b

usin

ess

need

s no

t ade

quat

ely

iden

tifie

d•

Mon

itore

d da

ta f

ailin

g to

sup

port

the

anal

ysis

of

the

over

all p

roce

sspe

rfor

man

ce

Page 226: USING COBIT - csbweb01.uncw.edu


ME1.2 Definition and Collection of Monitoring Data

Control Objective
Work with the business to define a balanced set of performance targets and have them approved by the business and other relevant stakeholders. Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets. Establish processes to collect timely and accurate data to report on progress against targets.

Value Drivers
• Identification and measurement of the most critical and meaningful metrics
• Strong customer bias in the culture of the IT organisation for all IT processes
• Improved customer satisfaction and focus
• Ability of systems to efficiently provide the data required to monitor the processes
• A history of organisational performance to monitor trends and changes in performance

Risk Drivers
• Metrics based on objectives that are not aligned with business objectives
• Metrics based on incorrect or incomplete data
• Ineffective reporting on organisationwide IT process performance indicators
• Customer expectations and business needs not identified
• Monitored data failing to support the analysis of the overall process performance

Test the Control Design
Enquire whether and confirm that:
• Targets have been defined for the IT metrics in line with the coverage and characteristics of the metrics defined in the monitoring framework. Obtain IT and business management approval for the targets.
• Performance data needed by the monitoring approach are collected satisfactorily and in an automated fashion, wherever feasible. Verify that the measured performance is compared to the targets at agreed-to intervals.
• There are procedures for ensuring consistency, completeness and integrity of performance monitoring source data.
• There is a process to control all changes to performance monitoring data sources.
• Performance targets have been defined and focus on those that provide the largest insight-to-effort ratio.
• The integrity of the data collected is assessed by carrying out reconciliation and control checks at agreed-upon intervals.

Page 227: USING COBIT - csbweb01.uncw.edu


ME1.3 Monitoring Method

Control Objective
Deploy a performance monitoring method (e.g., balanced scorecard) that records targets; captures measurements; provides a succinct, all-around view of IT performance; and fits within the enterprise monitoring system.

Value Drivers
• Monitoring method and approach meeting management's expectations
• Enhanced decision support for IT
• Alignment with the enterprise decision-making process
• Transparent and reliable performance information

Risk Drivers
• Ineffective reporting on organisationwide IT process performance indicators
• Business expectations and needs not met
• Wrong decisions based on unreliable performance information

Test the Control Design
• Confirm that the IT process performance reports are integrated into the IT monitoring system.
• Ensure that the data in these reports are easy to understand and concise and that they meet management and end-user requirements for effective, timely decision making.
• Inspect performance reports to confirm that they appropriately cover IT objectives and outcome and performance measures and clarify cause-and-effect relationships.

ME1.4 Performance Assessment

Control Objective
Periodically review performance against targets, analyse the cause of any deviations, and initiate remedial action to address the underlying causes. At appropriate times, perform root cause analysis across deviations.

Value Drivers
• Enhanced cost-efficiency of service quality and readiness for future change
• Continuous process improvement
• A greater level of accountability and ownership of performance within the organisation

Risk Drivers
• Process performance weaknesses remaining and repeating themselves
• Lost opportunities for improvement
• Good performance not recognised, demotivating staff

Test the Control Design
• Interview process owners to confirm that target performance levels for key processes are established and validated against the industry and competition.
• Inspect performance reports for timeliness of measurement and effectiveness of comparison to the targets.
• Verify that informal feedback is obtained and used for service delivery and/or reporting improvements.
• Analyse performance reports to verify that results are consistently assessed against targets at agreed-to intervals and that relevant stakeholders receive reporting data.
• Inspect evidence of performance assessment, and determine if the assessment and analysis are complete and effective.
• For an appropriate sample, verify that causes are identified and translated into remedial actions that are assigned to someone with the appropriate authority and resource and followed up appropriately.
• Enquire whether and confirm that root causes are periodically identified across deviations and appropriately acted upon.

Page 228: USING COBIT - csbweb01.uncw.edu


ME1.5 Board and Executive Reporting

Control Objective
Develop senior management reports on IT's contribution to the business, specifically in terms of the performance of the enterprise's portfolio, IT-enabled investment programmes, and the solution and service deliverable performance of individual programmes. Include in status reports the extent to which planned objectives have been achieved, budgeted resources used, set performance targets met and identified risks mitigated. Anticipate senior management's review by suggesting remedial actions for major deviations. Provide the report to senior management, and solicit feedback from management's review.

Value Drivers
• Quality reporting that meets the board's governance requirements
• Performance information that can be effectively and efficiently used for strategic, managerial and day-to-day operations
• Enhanced decision-making processes in responding to business needs and concerns, and a focus on process improvement opportunities
• Increased satisfaction of management and the board with performance reporting

Risk Drivers
• Decisions failing to support the business needs and concerns
• Senior management dissatisfied with IT performance
• Disconnect between management and IT
• Inability of the board and executive to direct and control key IT activities

Test the Control Design
• Enquire whether and confirm that a board and executive reporting process has been established.
• Verify that the reporting covers IT's contribution to the business by measuring achievement of IT goals, mitigation of IT risks and the usage of resources and that it is based on the performance monitoring framework (e.g., balanced scorecards, trending analysis, executive dashboards).
• Confirm that board and executive reports are based on consolidated information of IT performance measurement.
• Verify that there is a process in place to manage report versions and iterations.

Page 229: USING COBIT - csbweb01.uncw.edu


ME1.6 Remedial Actions

Control Objective
Identify and initiate remedial actions based on performance monitoring, assessment and reporting. This includes follow-up of all monitoring, reporting and assessments through:
• Review, negotiation and establishment of management responses
• Assignment of responsibility for remediation
• Tracking of the results of actions committed

Value Drivers
• Management's proactive commitment to remedial action
• Underlying performance problems resolved effectively and in a timely manner
• Process performance taken seriously, and a culture of continuous improvement encouraged

Risk Drivers
• Incidents due to unresolved problems
• Poor performance not acted upon, leading to further degradation
• Performance measurement not taken seriously

Test the Control Design
• Enquire whether processes, policies and procedures exist to initiate, prioritise and allocate responsibility and tracking for all remedial actions. Confirm by inspecting the documentation of the approach and observing the process, where possible.
• For a sample, test whether remedial action tasks are accurately responding to the performance issue detected and that progress reviews are conducted periodically.
• Analyse historic performance reports, and verify that substandard performance trends are routinely identified and consistently escalated to senior management, including deviations from agreed-upon implementation of corrective actions.
• Search activity logs/reports for satisfactory completion of remedial action tasks determined by pre-specified outcomes, and confirm that these remedial action tasks were signed off as appropriately addressing the cause.
• Enquire whether and confirm that performance measurement training is performed.

Page 230: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Interview stakeholders and assess their knowledge and awareness of key IT processes and how they are measured and monitored to ensure that the monitoring system supports the corporate performance management system.
• Review plans, policies and procedures for monitoring the performance of key IT processes to ensure that they support critical business processes.
• Determine if the IT monitoring system supports the current business strategy and facilitates effective monitoring.
• Corroborate with independent sources (stakeholders and systems-related sources) that management is measuring the appropriate performance indicators.
• Review plans, policies and procedures for monitoring the performance of key IT processes for integration with the enterprise's performance management system.
• Review the documentation and communication of relationships and dependencies between key IT processes, particularly flowcharts, systems overview diagrams and dataflow diagrams.
• Review documented performance metrics with management to ensure appropriate coverage as follows:
– Business contribution including, but not limited to, financials
– Performance against the strategic business and IT plan
– Risk and compliance with relevant legislation and regulations
– Internal and external user satisfaction with service levels
– Key IT processes, including solution and service delivery
– Future-oriented activities, e.g., forecasting of implications related to emerging technology, reusable infrastructure, and business and IT personnel skill sets
• Review documented performance metrics to confirm that they:
– Represent business and IT goals and objectives
– Are based on accepted good practices
– Focus on the most important ones
– Are useful for internal and external comparison
– Reflect business expectations
– Are meaningful to IT's customers and sponsors
• Confirm that IT performance requirements are established in conjunction with business management and aligned with enterprise management's key performance metrics.
• Review appropriate approval by senior and business management of IT performance measurements and plans for communication to all process stakeholders.
• Review minutes, action lists, policies, plans and procedures related to performance measurement for evidence of regular review and update of the performance measurement approach.
• Review whether collection of performance data is covered adequately in the business requirements documentation.
• Review the data collection process and confirm that automation is considered.
• Assess the consistency, completeness and integrity of source data.
• Confirm that targets have been defined and properly signed off on by IT, senior and business management.
• Review plans, policies and procedures for organisational training to ensure skills in measurement, data collection and analysis and that the staff members adopt and promote the performance measurement culture.
• Determine if the data collected are reconciled to the source data at agreed-upon intervals.
• Inspect the measurement reports (e.g., balanced scorecard, pie charts, KPI matrices) of the enterprise and IT measurement systems, and determine if the method is integrated in the enterprise monitoring system.
• Confirm through interviews with key staff members whether the monitoring and reporting method/system is suitable and relevant for the objectives of performance measurement.
• Enquire whether and confirm that quality and completeness of output are verified (e.g., compare actual output with expected findings and confirm results with management).
• Review the performance measurement system to determine if targets and measurement data are correct and complete.
• Enquire whether and confirm that management regularly reviews the integrity of the data quality measurements.
• Inspect performance reports for timeliness of measurement and effectiveness of comparison to the targets.
• Inspect performance reports to verify that performance results are consistently and completely assessed against targets at agreed-to intervals and that relevant stakeholders receive reporting data.
• Ensure that causes are identified and translated into remedial actions that are assigned to someone with the appropriate authority and resource and are followed up appropriately.
• Enquire whether and confirm that root causes are periodically identified across deviations and appropriately acted upon.
• Through independent sources, verify that root cause analysis does occur and results in reaction.
• Inspect that documentation exists and verify that those responsible for the underlying causes are aware of the issues.
• Confirm that senior management reports highlight key issues (positive and negative) generally relating to IT's contribution to the business and specifically to IT solution and service delivery capability and performance.
• Enquire whether and confirm that IT performance measurement is clearly linked to business outcomes and how IT supports business strategy.

Page 231: USING COBIT - csbweb01.uncw.edu


• Verify that IT performance measurement is translated into business performance impacts and incorporated into standard periodic reports to the board.
• Trace results from the source to consolidated reports to assess the accuracy, completeness and reasonableness of consolidated performance reports.
• Review management reports to verify that deviations from expected performance are identified and management has committed to addressing issues (e.g., action items, management comments to recommendations, estimated resolution time frame).
• Review project documentation to confirm that remediation actions identified in senior management reports follow the organisation's change management process (e.g., AI6 Manage change) and that it covers elements of change management, such as project plan, appropriate approvals, progress reporting, project changes/deviation tracking, completion and sign-off.
• Inspect project documentation for remedial action tasks, and compare to the agreed-upon resolution to ensure that all monitoring deficiencies have been properly mitigated.
• Determine whether progress reviews are conducted periodically.

Take the following steps to document the impact of the control weaknesses:
• Independently benchmark the performance measurement and monitoring approach against similar organisations or appropriate international standards/recognised industry best practices.
• Corroborate performance metrics used by the enterprise with independent sources (e.g., good practice, internal and industry benchmarks).
• Benchmark the performance targets and monitoring data collection approach against similar organisations or appropriate international standards/recognised industry best practices.
• Compare actual to planned performance in all IT areas.
• Compare actual to anticipated user satisfaction with all IT areas.
• Corroborate with enterprise, IT and business management to determine if IT performance reports are useful and understandable.
• Assess whether senior management is satisfied with reporting on performance monitoring.

Page 232: USING COBIT - csbweb01.uncw.edu


ME2 Monitor and Evaluate Internal Control

Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.

ME2.1 Monitoring of Internal Control Framework

Control Objective
Continuously monitor, benchmark and improve the IT control environment and control framework to meet organisational objectives.

Value Drivers
• IT meeting its objectives for the business
• Reduced impact of control failure or deficiency on the business processes
• Continuous improvement of process controls with respect to industry practices
• Proactive detection and resolution of control deviations
• Compliance with laws and regulations

Risk Drivers
• Increased adverse impact on the organisation's operations or reputation
• Control weaknesses hampering effective business process execution
• Undetected malfunctioning of internal control components

Test the Control Design
• Assess whether there is executive-level support for organisational governance standards for internal control and risk management (e.g., minutes, corporate policies, interview with CEO). Verify that policies and procedures include governance for internal standards and risk management (e.g., adoption of COSO Internal Control—Integrated Framework, COSO Enterprise Risk Management—Integrated Framework, COBIT).
• Assess whether there is a continuous improvement approach to internal control monitoring (i.e., balanced scorecard, self-assessment).

ME2.2 Supervisory Review

Control Objective
Monitor and evaluate the efficiency and effectiveness of internal IT managerial review controls.

Value Drivers
• Confirmation that IT processes supporting the achievement of business goals are under effective and efficient control
• Contribution of reviewed results to the overall decision-making process

Risk Drivers
• Control deficiencies hampering the business processes
• Inaccurate or incomplete control deficiency data, resulting in erroneous management decisions

Test the Control Design
• Confirm that the internal controls that require supervisory oversight and review are identified and consider the criticality and risk of the related IT process activities (e.g., existence of risk ranking of key processes/controls).
• Confirm that an escalation process for issues identified by supervisory reviews has been defined.
• Understand the automation of control monitoring and reporting.

Page 233: USING COBIT - csbweb01.uncw.edu


ME2.3 Control Exceptions

Control Objective
Identify control exceptions, and analyse and identify their underlying root causes. Escalate control exceptions and report to stakeholders appropriately. Institute necessary corrective action.

Value Drivers
• Ability to implement preventive measures for recurring exceptions
• Ability to apply corrective measures in a timely manner
• Enhanced reporting to all affected parties to comply with the defined service levels
• Minimised potential for compliance failures

Risk Drivers
• Control deficiencies identified not in a timely manner
• Management not informed about control deficiencies
• Extended time required to resolve the identified issues, thus decreasing the process performance

Test the Control Design
• Confirm that policies include establishing thresholds for acceptable levels of control exceptions and control breakdowns.
• Confirm that the escalation procedures for control exceptions have been communicated and reported to business and IT stakeholders (e.g., via the intranet, hard copy procedures). The escalation procedures should include criteria or thresholds for escalations (e.g., control exceptions less than a specific amount of impact do not need to be escalated, control exceptions greater than a specific amount of impact need immediate reporting to the CIO, and control exceptions greater than a specific amount of impact require immediate reporting to the board of directors). Interview management to assess knowledge and awareness of the escalation procedures, as well as root cause analysis and reporting.
• Confirm that individuals have been assigned accountability for root cause analysis and reporting as well as exception resolution.

Page 234: USING COBIT - csbweb01.uncw.edu


ME2.4 Control Self-assessment

Control Objective
Evaluate the completeness and effectiveness of management's control over IT processes, policies and contracts through a continuing programme of self-assessment.

Value Drivers
• Ability to implement preventive measures for recurring exceptions
• Ability to apply corrective measures in a timely manner
• Enhanced reporting to all affected parties to comply with the defined service levels
• Control deficiencies identified before adverse impact occurs
• Proactive approach to improving service quality
• Minimised potential for compliance failures

Risk Drivers
• Control deficiencies not identified in a timely manner
• Management not informed about control deficiencies
• Extended time required to resolve the identified issues, thus decreasing the process performance

Test the Control Design
• Review control self-assessment procedures to ensure the inclusion of relevant information such as scope, self-assessment approach, evaluation criteria, frequency of self-assessment, roles and responsibilities, and results reporting to executive business and IT stakeholders (e.g., reference internal audit standards or accepted practices in the design of self-assessments).
• Corroborate with management to determine if independent reviews of control self-assessment are performed against industry standards and best practices to ensure objectivity and to enable the sharing of internal control good practices (e.g., benchmarking against maturity model levels across similar organisations and the relevant industry).

Page 235: USING COBIT - csbweb01.uncw.edu


ME2 Monitor and Evaluate Internal Control (cont.)

ME2.5 Assurance of Internal Control

Control Objective
Obtain, as needed, further assurance of the completeness and effectiveness of internal controls through third-party reviews.

Value Drivers
• Identification of process control improvement opportunities, resulting in improved service to the business
• Establishment and maintenance of effective internal control framework
• Control skills and knowledge communicated within the organisation to increase the awareness of internal control principles and practice

Risk Drivers
• Processes not effectively controlled and failing to meet the business requirements
• Objective recommendations not obtained, resulting in IT control arrangements not being optimised
• Control gaps not identified
• Compliance with regulatory, contractual and legal requirements not achieved

Test the Control Design
• Verify that independent control reviews, certifications or accreditations are performed periodically according to risk and business objectives along with required external skill sets (e.g., conduct an annual risk assessment and define risk areas for review).
• Verify that the review results have been reported to an appropriate management level (e.g., audit committee) and remedial action has been initiated.

Page 236: USING COBIT - csbweb01.uncw.edu


ME2 Monitor and Evaluate Internal Control (cont.)

ME2.6 Internal Control at Third Parties

Control Objective
Assess the status of external service providers’ internal controls. Confirm that external service providers comply with legal and regulatory requirements and contractual obligations.

Value Drivers
• Identification of service improvement opportunities for third parties
• Confirmation of an effective internal control framework over third-party service providers
• Assurance provided over the service provider’s performance and compliance with internal controls

Risk Drivers
• Insufficient assurance over the service provider’s control framework and control performance
• Failures of mission-critical systems during operation
• IT services failing to meet the service specifications
• Failures and degradations of service from the provider not identified in a timely manner
• Reputational damage caused by provider service performance degradation

Test the Control Design
• Confirm that internal control requirements are addressed in the policies and procedures for contracts and agreements with third parties and that appropriate provisions for rights to audit are included.
• Confirm that there is a process in place to ensure that reviews are periodically performed to assess the internal controls of all third parties and that non-compliance issues are communicated.
• Confirm that policies and procedures are in place to confirm receipt of any required legal or regulatory internal control assertions from affected third-party service providers.
• Confirm that policies and procedures are in place to investigate exceptions, and obtain assurance that appropriate remedial actions have been implemented.

Page 237: USING COBIT - csbweb01.uncw.edu


ME2 Monitor and Evaluate Internal Control (cont.)

ME2.7 Remedial Actions

Control Objective
Identify, initiate, track and implement remedial actions arising from control assessments and reporting.

Value Drivers
• Assurance that identified control gaps are remediated as necessary
• Safeguarding of continued functioning of business-critical applications
• Support of the organisation’s overall risk management process
• Maintenance of agreed-upon service levels

Risk Drivers
• Previously identified control gaps continuing to cause problems
• Malfunctioning of business-critical applications
• Reputational damage caused by failure to correct service provider control deficiencies

Test the Control Design
• Confirm that procedures are established to initiate, prioritise and assign responsibility for all remedial actions, with appropriate tracking of actions.
• Confirm that there is a mechanism to detect substandard performance of the remediation and that corrective actions are identified and reviewed by management (e.g., project milestones). Confirm that continued substandard performance of the remediation is escalated to senior management for further action (e.g., project status reporting, IT steering committee minutes).
• Confirm that established procedures require remedial action tasks to be approved upon satisfactory completion against prespecified outcomes.

Page 238: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Review internal control monitoring policies and procedures to ensure that they adhere to organisational governance standards, industry-accepted frameworks and industry best practices.
• Determine whether independent assessments of IT controls are required and reports on IT internal control systems are generated for management review.
• Review the independent evaluation reports (e.g., outsourced development or production activities) of the IT internal control system to determine if the proper boundaries are considered and approved by executive management.
• Review and confirm the establishment of processes and procedures to ensure that control exceptions are promptly reported, followed up and analysed.
• Confirm that corrective actions are chosen and implemented to address the control exceptions.
• Review activity logs or pertinent documentation for control exceptions, and confirm that exceptions are promptly reported, followed up, analysed, tracked and corrected.
• Confirm that periodic review is performed to ensure that the IT internal control system is current to recent business changes and the associated business and IT risks.
• Confirm that any gaps between the framework and business processes have been identified and evaluated along with appropriate recommendations. For example, ensure that business systems for operations are not maintained by IT, so established controls policies and procedures used by IT are not applied.
• Confirm that the performance of the IT control framework is regularly reviewed, evaluated, and compared to industry standards and best practices.
• Review the last control exceptions resolution progress status report to confirm that control exceptions monitoring is timely and effective.
• Review control self-assessment schedules, and select a sample of control self-assessment plans and reports to determine if control self-assessment procedures are followed for effective ongoing monitoring.
• Review a sample of the control self-assessment reports for independent review, benchmarking and remedial actions for control exceptions noted (consider ranking the significance of the control exceptions and prioritise remedial actions accordingly).
• Confirm that control self-assessment outcomes and exceptions are reported and there is a process to track control exceptions and remedial actions.
• Assess the competence of external specialists or staff members performing independent reviews for relevant IT audit experience, relevant industry knowledge and appropriate certifications/training.
• Confirm that the personnel performing the reviews are independent (e.g., review the signed confidentiality agreement).
• Review existing contracts for third-party services on IT controls, and validate that the terms and conditions cover clear scope, assignment of liability and confidentiality.
• Confirm that any significant internal control deficiencies identified are reported for immediate management attention.
• Corroborate with members of management to determine if they review the results of third-party compliance review to ensure that third parties comply with required legal, regulatory and contractual obligations.
• Select a sample of the third-party contracts and examine for specification of internal control requirements and establishment of rights to audit provision(s) as appropriate.
• Corroborate to determine if any of the following is performed: certification/accreditation review, appropriate audit engagement (e.g., SAS 70 Type II engagement) or direct audit of the service provider by IT management.
• For a sample of third parties, obtain and review internal control compliance testing reports to ensure that the third-party service providers comply with applicable laws, regulations and contractual commitments.
• Review evidence to ensure that non-compliance issues are communicated and there are remedial action plans (including time frame) in place to address the issues.
• Review the method used to prioritise remediation of control deficiencies for reasonableness.
• Review the list of remediation issues and determine whether those issues are properly prioritised (e.g., critical, high, medium and low).
• Review project scheduling tools and compare to remediation actions to confirm that the areas identified as high risk are adequately prioritised.
• Inspect the sign-offs and determine whether they occurred in a timely manner.

Take the following steps to document the impact of the control weaknesses:
• Calculate the impact on the organisation for each actual key control failure.
• Quantify the risk and likelihood to the impact on the organisation for each potential key control failure.

Page 239: USING COBIT - csbweb01.uncw.edu


ME3 Ensure Compliance With External Requirements

Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimising and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT’s compliance reporting with the rest of the business.

ME3.1 Identification of External Legal, Regulatory and Contractual Compliance Requirements

Control Objective
Identify, on a continuous basis, local and international laws, regulations, and other external requirements that must be complied with for incorporation into the organisation’s IT policies, standards, procedures and methodologies.

Value Drivers
• Identification of good practices for dealing with laws and regulations
• Improved personnel awareness for regulatory requirements
• Increasing process performance and compliance with laws and regulations
• Improved corporate performance

Risk Drivers
• Relevant laws or regulations overlooked, leading to non-compliance
• Potential areas of financial losses and penalties not identified
• Decreased customer and business partner satisfaction
• Increased likelihood of disputes with customers and regulators
• Increased risk to business continuity from sanctions imposed by regulators
• Poor corporate operational and financial performance

Test the Control Design
• Confirm that procedures are in place to ensure that legal, regulatory and contractual obligations impacting IT are reviewed. These regulatory compliance procedures should:
– Identify and assess the impact of the applicable legal or regulatory requirements relevant to the IT organisation
– Update the associated IT policies and procedures affected by the legal and regulatory requirements
– Include areas such as laws and regulations for electronic commerce, data flow, privacy, internal controls, financial reporting, industry-specific regulations, intellectual property copyright, and health and safety
– Include the frequency of legal or regulatory requirements review (e.g., annually or when there is a new or updated legal, regulatory and contractual requirement)
• Confirm that a log of all applicable legal, regulatory and contractual requirements; their impact; and required actions are maintained and up to date.

Page 240: USING COBIT - csbweb01.uncw.edu


ME3 Ensure Compliance With External Requirements (cont.)

ME3.2 Optimisation of Response to External Requirements

Control Objective
Review and adjust IT policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated.

Value Drivers
• Support of the enterprise’s compliance with applicable laws and regulations through the use of standards and methodologies
• Policies regularly reviewed and aligned with the organisation’s objectives
• Improved personnel awareness of legal and regulatory compliance requirements
• Increasing process performance in relation to compliance with laws and regulations

Risk Drivers
• Non-compliance areas not identified
• Outdated compliance requirements remaining in effect
• Policies failing to meet the enterprise’s compliance needs
• Personnel unaware of procedures and practices to comply with legal and regulatory requirements

Test the Control Design
• Confirm that there are procedures and practices to ensure compliance with legal, regulatory and contractual requirements.
• Confirm that appropriate functions are included (e.g., legal department, production, accounting, HR).

ME3.3 Evaluation of Compliance With External Requirements

Control Objective
Confirm compliance of IT policies, standards, procedures and methodologies with legal and regulatory requirements.

Value Drivers
• Good practices for dealing with laws and regulations incorporated effectively into enterprise arrangements
• Increasing process performance and compliance with laws and regulations
• Deviations identified to support timely corrective action

Risk Drivers
• Financial losses and penalties
• Decreased customer and business partner satisfaction
• Non-compliance incidents not identified, adversely impacting the enterprise’s performance and reputation
• Increased likelihood of disputes

Test the Control Design
• Review the IT organisation policies, standards and procedures and confirm their regular and timely update to address any non-compliance (legal and regulatory) gaps identified.

Page 241: USING COBIT - csbweb01.uncw.edu


ME3 Ensure Compliance With External Requirements (cont.)

ME3.4 Positive Assurance of Compliance

Control Objective
Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.

Value Drivers
• Confirmation of the enterprise’s compliance with applicable laws and regulations through the use of standards and methodologies
• Good practices identified for dealing with laws and regulations effectively incorporated into enterprise arrangements
• Increasing process performance in relation to compliance with applicable laws and regulations
• Confirmation that deviations from compliance requirements are identified and corrected in a timely manner

Risk Drivers
• Failure to report non-compliance incidents, adversely impacting the enterprise’s performance and reputation
• Increased likelihood of disputes
• Areas of non-compliance not identified and reported
• Corrective actions not initiated in a timely manner, adversely impacting the overall performance of the organisation

Test the Control Design
• Review from process owners evidence of regular confirmation of compliance with applicable laws, regulations and contractual commitments (i.e., final report and letter from regulators acknowledging the completion of their review).
• Review that processes are in place to track and execute internal and external reviews to ensure that there is adequate planning and resource allocation to assist/complete reviews (e.g., inventory of regulatory requirements, scheduling of internal compliance reviews, scheduling of resources required to assist reviews).
• Enquire whether procedures are in place to regularly assess levels of compliance with legal and regulatory requirements by independent parties.
• Review policies and procedures to ensure that contracts with third-party service providers require regular confirmation of compliance (e.g., receipt of assertions) with applicable laws, regulations and contractual commitments.
• Confirm that a process to monitor and report on incidents of non-compliance is implemented that includes, where necessary, further investigation of the root cause of incidents taking place.

Page 242: USING COBIT - csbweb01.uncw.edu


ME3 Ensure Compliance With External Requirements (cont.)

ME3.5 Integrated Reporting

Control Objective
Integrate IT reporting on legal, regulatory and contractual requirements with similar output from other business functions.

Value Drivers
• Facilitated corporate reporting on compliance issues
• Enabling of timely detection of control gaps where they are interfering with other business functions
• Support of the organisation’s standards and methodologies in establishing effective compliance arrangements
• Reduced overall compliance risk facing the enterprise

Risk Drivers
• Increased enterprise non-compliance exposure
• Other business functions unaware of compliance requirements and status related to IT processes
• Failure to integrate IT-related compliance issues into overall reporting, resulting in erroneous strategic decision making by enterprise management

Test the Control Design
• Enquire whether and confirm that:
– Requirements are co-ordinated for corporate reporting on legal and regulatory compliance, including the requirement to retain any historical information
– IT compliance reporting conforms with corporate reporting requirements, such as distribution, frequency, scope, content and format, to ensure reporting consistency and completeness

Page 243: USING COBIT - csbweb01.uncw.edu


Take the following steps to test the outcome of the control objectives:
• Trace specific compliance requirements from recognition and documentation through the procedures to prevent and detect non-compliance. Interview and assess relevant staff members to confirm that they are aware of legal, regulatory and contractual requirements that have been identified.
• Review evidence or a log of applicable laws, regulations and standards and the company’s compliance status from internal and independent counsel’s input. For non-compliance areas, identify management remedial actions to address the requirements.
• Confirm that coverage, procedures and practices for compliance are regularly reviewed by internal and external experts (e.g., security audits, SAS 70s).
• Confirm that advice from appropriate third parties is obtained as required.
• Review IT processes documentation for evidence of periodic legal and regulatory compliance review, and ensure that the documents are updated where appropriate.
• Enquire if recurring patterns of compliance failures are looked for and their cause evaluated on a regular basis (e.g., determine if changes to policies, standards, procedures, processes and activities are implemented as a result of the evaluations).
• Review compliance assessment reports on legal and regulatory requirements performed by independent internal or external parties to ensure that regular reviews take place.
• Review a sample of third-party contracts to determine if there are provisions to require regular confirmation of compliance with applicable laws, regulations and contractual commitments.
• Select a sample of third-party service providers and obtain evidence of their assertions of compliance to determine if they comply with the contractual requirement of regular confirmation of compliance.
• Review findings from third-party compliance reporting as well as from non-compliance investigation and resolution to determine if operating effectiveness deficiencies are addressed.
• Confirm that standards for IT compliance reporting conform with the agreed-upon format, including scope, content and format, required to ensure consistency and completeness (e.g., review agreement procedures).
• Review compliance reports to ensure that the IT compliance assessment results were incorporated and presented consistently with similar reports from other business functions.

Take the following steps to document the impact of the control weaknesses:
• Identify and quantify the cost of fines and other penalties levied against the enterprise as a result of non-compliance.
• Quantify the risk and likelihood of non-compliance with regulatory requirements (e.g., “Statement of the Securities and Exchange Commission Concerning Financial Penalties,” US Securities and Exchange Commission [SEC], 2006), to assist in the understanding of the impact on the enterprise.

Page 244: USING COBIT - csbweb01.uncw.edu

ME4 Provide IT Governance

Establishing an effective governance framework includes defining organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.


ME4.1 Establishment of an IT Governance Framework

Control Objective
Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confirm that the IT governance framework ensures compliance with laws and regulations and is aligned with, and confirms delivery of, the enterprise’s strategies and objectives. Report IT governance status and issues.

Value Drivers
• IT decisions in line with the enterprise’s strategies and objectives
• A consistent approach for a governance framework achieved and aligned with the enterprise approach
• Processes overseen effectively and transparently
• Compliance with legal and regulatory requirements confirmed
• Board requirements for governance likely to be met

Risk Drivers
• Ineffective responsibilities and accountabilities established for IT processes
• The IT portfolio failing to support the enterprise’s objectives and strategies
• Remedial actions to maintain and improve IT process effectiveness and efficiency not identified or implemented
• Controls not operating as expected

Test the Control Design
• Enquire whether and confirm that:
– An agreed-upon process exists to align the IT governance framework with the overall enterprise governance and control environment
– The framework is based on a comprehensive IT process and control model and defines leadership, unambiguous accountability, roles and responsibilities, information requirements, organisational structures, and practices to avoid breakdown in internal control and oversight
– Appropriate management governance structures exist, such as the IT strategy committee, IT steering committee, technology council, IT architecture review board and IT audit committee. Verify that terms of reference exist for each of these.
– The IT governance framework focuses on strategic alignment, value delivery, resource management, risk management and performance measurement
– A process exists to measure and evaluate delivery of IT’s strategies and objectives, and to aggregate all IT governance issues and remedial actions into a consolidated management repository or tracking mechanism
– Unambiguous responsibilities for IT risk management have been established
– IT governance status and issues are reported to the corporate governance oversight body

Page 245: USING COBIT - csbweb01.uncw.edu


ME4 Provide IT Governance (cont.)

ME4.2 Strategic Alignment

Control objective: Enable board and executive understanding of strategic IT issues, such as the role of IT, technology insights and capabilities. Ensure that there is a shared understanding between the business and IT regarding the potential contribution of IT to the business strategy. Work with the board and the established governance bodies, such as an IT strategy committee, to provide strategic direction to management relative to IT, ensuring that the strategy and objectives are cascaded into business units and IT functions, and that confidence and trust are developed between the business and IT. Enable the alignment of IT to the business in strategy and operations, encouraging co-responsibility between the business and IT for making strategic decisions and obtaining benefits from IT-enabled investments.

Value drivers:
• IT more responsive to the enterprise's objectives
• IT resources helping to facilitate the business goals in an efficient and effective manner
• IT capabilities enabling opportunities for the business strategy
• Efficient allocation and management of IT investments

Risk drivers:
• Ineffective allocation and management of IT investments
• IT failing to support the enterprise's objectives
• Strategic IT planning not aligned with the overall corporate strategy
• IT directions not defined and not supporting business goals

Test the Control Design
• Inspect IT strategy documentation and assess whether it supports the direction provided by the board/senior management. It should reflect business strategies and IT's appropriate alignment with business operations.
• Determine whether the IT strategic planning process includes involvement from business operations and demonstrates alignment with business strategies and objectives.
• Review the IT strategy documents and assess whether they include the role of IT, IT guiding principles from business maxims, how IT monitors the business impact of the IT infrastructure and applications portfolio, and the potential contribution of IT to the overall business strategy (e.g., evaluating, post-implementation, benefits delivered by IT projects).


ME4 Provide IT Governance (cont.)

ME4.3 Value Delivery

Control objective: Manage IT-enabled investment programmes and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise's strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achieve those outcomes are understood; that comprehensive and consistent business cases are created and approved by stakeholders; that assets and investments are managed throughout their economic life cycle; and that there is active management of the realisation of benefits, such as contribution to new services, efficiency gains and improved responsiveness to customer demands. Enforce a disciplined approach to portfolio, programme and project management, insisting that the business takes ownership of all IT-enabled investments and IT ensures optimisation of the costs of delivering IT capabilities and services.

Value drivers:
• Cost-efficient delivery of solutions and services
• Optimised use of IT resources
• Business needs supported efficiently
• Increasing support for use of IT by enterprise stakeholders
• Increased value contribution of IT to business objectives
• Reliable and accurate picture of costs and likely benefits

Risk drivers:
• Misdirected IT investments
• Value not obtained from the IT assets and services
• Decreasing customer satisfaction
• Increasing costs for IT investments and operations
• Lack of alignment between the business objectives and the IT architecture
• Expected benefits not realised

Test the Control Design
• Confirm that there is co-responsibility between the business and IT for all IT investments.
• Inspect documentation that identifies how IT delivers against the strategy. It should include delivering on time and within budget, with appropriate functionality and the intended benefits.
• Determine whether there is a process to regularly identify and evaluate ways to increase IT value contribution whilst managing business and executive expectations with respect to emerging technology (i.e., steering committee meetings).
• Determine whether there is a partnership between the business and the IT providers, with shared responsibility for sourcing decisions.
• Determine whether IT is aware of (or has documented) business expectations for IT value (i.e., time-to-market, cost and time management, partnering success) and that IT perceives the value of IT consistently.
• Determine whether there is an effective process to ensure that IT and business architectures are designed to drive maximum value.
• Determine whether there is an effective process in place to adjust IT investments based on a balance of risk, cost and benefit with budgets that are acceptable and take into account return and competitive aspects of IT investments.
• Inspect IT documentation to assess whether the business has set expectations for the content of IT deliverables, including meeting business requirements; flexibility to adopt future requirements; throughput and response times; ease of use; security; and the integrity, accuracy and currency of information.
• Determine whether there is an effective IT portfolio management process that is being evaluated on a regular basis to optimise value in relation to costs and that results in (for the business) competitive advantage, elapsed time for order/service fulfilment, customer satisfaction, employee productivity and profitability.
• Review the results of management's monitoring of the IT budget and investment planning to ensure that it remains realistic and integrated into the overall financial plan (this may include compliance with regulatory requirements).
• Determine that the IT asset portfolio management process effectively manages and reports on the actual costs and the ROI.


ME4 Provide IT Governance (cont.)

ME4.4 Resource Management

Control objective: Oversee the investment, use and allocation of IT resources through regular assessments of IT initiatives and operations to ensure appropriate resourcing and alignment with current and future strategic objectives and business imperatives.

Value drivers:
• Efficient and effective prioritisation and utilisation of IT resources
• IT costs optimised
• Increased likelihood of benefit realisation
• IT planning supported and optimised
• Readiness for future change

Risk drivers:
• Fragmented, inefficient infrastructures
• Insufficient capabilities, skills and resources to achieve desired goals
• Strategic objectives not achieved
• Inappropriate priorities used for allocation of resources

Test the Control Design
• Confirm through questioning of management that a high-level direction for sourcing and use of IT resources is in place.
• Review minutes of meetings with high-level directors to determine effectiveness of these direction activities.
• Enquire whether and confirm that suitable IT resources, skills and infrastructure are available to meet strategic objectives and that policies are in place to enable continued availability.
• Enquire whether and confirm that IT infrastructures are provided that facilitate the creation and sharing of business information at optimal cost.
• Review that policies, procedures and processes are in place for resource management, and verify that they are operating effectively to:
– Optimise and balance overall IT investments and use of resources between sustaining and growing the enterprise
– Capitalise on information and knowledge resources
– Establish business priorities so that resources are allocated to enable effective IT performance
• Independently develop and estimate optimal balance of overall IT investments and use of resources, and compare with actual findings.
• Trace items through the IT infrastructures, and determine whether creation and sharing of information is facilitated effectively.
• Enquire whether and confirm that critical roles are allocated and defined for driving maximum value from IT with appropriate staffing and resources.
• Review the defined roles, and ensure that they are effectively allocated and executed.
• Enquire whether and confirm that procedures for capability assessments are in place and regularly performed to ensure an ability to support the business strategy.
• Reperform capability assessments and compare to defined business strategies.


ME4 Provide IT Governance (cont.)

ME4.5 Risk Management

Control objective: Work with the board to define the enterprise's appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite. Embed risk management responsibilities into the organisation, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise's IT risk position is transparent to all stakeholders.

Value drivers:
• Risks identified before they materialise
• Increased awareness of risk exposures
• Clear accountability and responsibility for managing critical risks
• Effective approach for managing IT risks
• IT risk profile aligned with management's expectations
• Minimised potential for compliance failures

Risk drivers:
• Risks identified or managed ineffectively
• Increased expenses and costs incurred to manage unanticipated risks
• Critical IT applications and services failure
• Lack of ownership of IT risks

Test the Control Design
• Enquire whether and confirm that:
– Based on information from management, such as IT risk exposures, risk management measures and associated costs, the board defines, regularly re-evaluates and communicates the enterprise's risk appetite
– Management reviews the outcome of the evaluation of the risk of IT activities, to confirm that the total risk exposure does not exceed the defined risk appetite, considering mitigating controls in place, and oversees the implementation of additional mitigating controls to reduce the overall risk exposure as needed
– A process exists to include IT risk management issues in IT governance status and issues reporting and to provide transparency of IT risks to all stakeholders


ME4 Provide IT Governance (cont.)

ME4.6 Performance Measurement

Control objective: Confirm that agreed-upon IT objectives have been met or exceeded, or that progress toward IT goals meets expectations. Where agreed-upon objectives have been missed or progress is not as expected, review management's remedial action. Report to the board relevant portfolios, programme and IT performance, supported by reports to enable senior management to review the enterprise's progress toward identified goals.

Value drivers:
• Increased process performance
• Areas of improvement identified
• IT objectives and strategies being and remaining in line with the enterprise's strategy
• Processes overseen effectively and transparently
• Timely and effective management reporting enabled

Risk drivers:
• Performance gaps not identified in a timely manner
• Decreased stakeholder confidence
• Service deviations and degradations not recognised and addressed, resulting in failure to deliver business requirements
• Service performance failures causing legal and regulatory compliance exposures

Test the Control Design
• Enquire whether and confirm that:
– The IT scorecard performance measures are properly aligned with the business scorecard measures and accepted by the business
– Management assesses and accepts the effectiveness of the processes and the accuracy and completeness of the deliverables to measure and report IT performance in relation to achievement of the strategic IT objectives. Verify that status reports include the extent to which planned objectives have been achieved, deliverables obtained and performance targets met.
– The board evaluates the appropriateness of management's corrective actions for significant performance problems and provides direction to rectify organisational or systemic causes as necessary


ME4 Provide IT Governance (cont.)

ME4.7 Independent Assurance

Control objective: Obtain independent assurance (internal or external) about the conformance of IT with relevant laws and regulations; the organisation's policies, standards and procedures; generally accepted practices; and the effective and efficient performance of IT.

Value drivers:
• Opportunities for service improvements identified
• Gaps detected in a timely manner
• Reliable assurance of effective governance, risk management, and internal control mechanisms and procedures
• Assurance to the board and executive management that governance is working effectively

Risk drivers:
• Reputational damage through failure to detect or prevent service performance degradation
• Ineffective IT governance, risk management and internal control arrangements
• Unethical behaviours adopted and accepted

Test the Control Design
• Enquire whether and confirm that an audit committee has been established with a mandate to consider what the significant risks are; assess how they are identified, evaluated and managed; commission IT and security audits; and rigorously follow up closure of subsequent recommendations.
• Interview the audit committee and assess its knowledge and awareness of its responsibilities. Determine whether the established audit committee is operating effectively.
• Enquire whether and confirm that independent reviews, certifications or accreditations of compliance with IT policies, standards and procedures have been obtained. Physically inspect for adequacy the documents produced by the independent reviews.


Take the following steps to test the outcome of the control objectives:
• Review board/senior management meeting minutes to determine whether business direction is provided over enterprise use of IT resources and capabilities.
• Review the enterprise leadership and organisational structures related to the use of IT resources to determine their appropriateness in relation to the overall enterprise and the completeness of their coverage of oversight and management of IT resources.
• Identify the process model being used to establish and support IT governance, and assess its adequacy and effectiveness of application.
• Review IT strategic planning minutes to verify that IT and business goals and objectives are aligned.
• Confirm that there are business sponsors designated to have direct active involvement in and accountability for all major IT-enabled investments.
• Review plans for IT services and compare with the business strategy to assess that the direction allows IT to provide optimal support.
• Confirm through interviews with those responsible for IT strategy that it is integrating well with overall business goals.
• Assess whether the goals and objectives of the business and IT are clearly communicated to relevant parties and that appropriate mediation exists and is functioning effectively (e.g., technology plans).
• Assess whether an IT steering committee drives business alignment by ensuring that IT strategy is aligned with business strategy and that supporting strategies and plans are consistent and integrated.
• Determine whether there is a process for executive management to regularly review IT governance reports to determine whether IT strategic issues and actions to resolve them are reported. Such reports should include progress against strategic plans, key service performance measures, and significant risk assessment and mitigation aspects.
• Identify and assess the extent of independent assurance provided to the enterprise in relation to the establishment and effectiveness of IT governance arrangements.

Take the following steps to document the impact of the control weaknesses:
• Quantify the impact of failures of IT to support new business initiatives or critical business services.
• Identify IT-related incidents and issues that attract media attention and comment (e.g., major failed projects, compliance violations, security failures).



APPENDIX VI—APPLICATION CONTROL (AC) PROCESS ASSURANCE STEPS

AC1 Source Data Preparation and Authorisation

Control objective: Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Minimise errors and omissions through good input form design. Detect errors and irregularities so they can be reported and corrected.

Value drivers:
• Data integrity
• Standardised and authorised transaction documentation
• Improved application performance
• Accuracy of transaction data

Risk drivers:
• Compromised integrity of critical data
• Unauthorised and/or erroneous transactions
• Processing inefficiencies and rework

Test the Control Design
• Ensure that the design of the system provides for the identification and management of authorisation levels.
• Enquire whether and confirm that the design of the system provides for the use of preapproved authorisation lists and related signatures for use in determining that documents have been appropriately authorised.
• Assess whether source documents and/or input screens are designed with predetermined coding, choices, etc., to encourage timely completion and minimise the potential for error.
• Enquire whether and confirm that the design of the system encourages review of the forms for completeness and authorisation and identifies situations where attempts to process incomplete and/or unauthorised documents occur.
• Enquire whether and confirm that, once identified, the system is designed to track and report upon incomplete and/or unauthorised documents that are rejected and returned to the owner for correction.

Test the Outcome of the Control Objective
• Verify, through inspection of authorisation lists, that authorisation levels are properly defined for each group of transactions. Observe that authorisation levels are properly applied.
• Inspect and observe creation and documentation of data preparation procedures, and enquire whether and confirm that procedures are understood and the correct source media are used.
• Where required by procedures, observe whether and ensure that adequate segregation of duties between originator and approver exists.
• Inspect documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that authorisation access controls are effective.
• Enquire whether and confirm that a list of authorised personnel and their signatures is maintained by the appropriate departments. Where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that the list of authorised personnel is effectively designed to allow/restrict personnel to enter data. Inspect the list of authorised personnel and other documentation, and observe processes and procedures to verify that the processes and procedures used to maintain the list are timely and effective. Select a sample of employees and assess whether their authorisation levels are commensurate with their roles and responsibilities. Enquire whether and confirm that all source documents include standard components such as predetermined input codes and default values to reduce errors, record transaction time and date to provide for monitoring, and capture authorisation information to ensure validity.
• Where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to select transactions for subsequent verification of the use of standard components that improve accuracy and provide evidence of authorisation.


AC1 Source Data Preparation and Authorisation (cont.)

Test the Outcome of the Control Objective (cont.)
• Enquire whether and confirm that, during data entry, source documents are reviewed; incomplete, unsigned or inappropriately authorised documents are returned to originators for correction and are logged; and logs are periodically reviewed to verify that corrected documents are returned by originators in a timely fashion. Inspect source documents and review logs and other documents to verify that incomplete documents are effectively detected and completed by originators in a timely manner.
• Review source document forms and verify if they are usable, facilitate error prevention, and enable speedy and efficient preparation.


Test the Control Design
• Enquire whether and confirm that criteria for timeliness, completeness and accuracy of source documents are defined and communicated.
• Enquire whether and confirm that documented procedures for the correction of errors, out-of-balance conditions and entry of overrides exist. Ensure that the procedures include mechanisms for timely follow-up, correction, approval and resubmission. Assess procedures for factors such as descriptions of error messages and override mechanisms.
• Enquire whether and confirm that policies and processes are established to establish criteria for the identification of classes of critical transactions that require pre-numbered source documents or other unique methods of identifying source data.
• Enquire whether and confirm that there are policies and procedures in place to determine document retention policies. Factors to consider in assessing the document retention policy include criticality of the transaction, form of the source data, method of retention, location of retention, time period for retention, compliance and regulatory requirements.
• For each major group of transactions, enquire whether and confirm there is documentation of criteria to define authorisation for input, editing, acceptance, rejection and override.
• Inspect documentation of policies and procedures to ensure that criteria for timeliness, completeness and accuracy are appropriately represented.

Test the Outcome of the Control Objective
• Enquire whether and confirm that critical source documents are prenumbered and out-of-sequence numbers are identified and taken into account.
• Enquire whether and confirm that error messages are generated in a timely manner, transactions are not processed unless errors are corrected or appropriately overridden, errors that cannot be corrected immediately are logged and valid transaction processing continues, and error logs are reviewed and acted upon within a specified and reasonable period of time.
• Enquire whether and confirm that reports on errors and out-of-balance conditions are reviewed by appropriate personnel; all errors are identified, corrected and checked within a reasonable period of time; and errors are reported until corrected. For a sample of transaction flows, enquire whether and confirm that retention of source documents is defined and applied in relation to established criteria for source document retention.
• Select a set of critical transactions and:
– Compare the actual state of access controls over transaction input, editing, acceptance, etc., with established criteria, policies or procedures.
– Inspect whether critical source documents are prenumbered or that other unique methods of identifying source data are used.
– Inspect documentation or walk-through transactions to identify those personnel who can input, edit, authorise, accept and reject transactions and override errors.
– Take a sample of transactions within this set for a specific period, and inspect the source documents for those transactions. Verify that all appropriate source documents are available.
• Identify and review out-of-sequence numbers, gaps and duplicates using automated tools (CAATs).
• Inspect documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that authorisation controls are effective and that sufficient evidence is reliably recorded and reviewed.

Ens

ure

that

dat

a in

put i

s pe

rfor

med

in a

tim

ely

man

ner

by a

utho

rise

d an

dqu

alif

ied

staf

f. C

orre

ctio

n an

d re

subm

issi

on o

f da

ta th

at w

ere

erro

neou

sly

inpu

tsh

ould

be

perf

orm

ed w

ithou

t com

prom

isin

g or

igin

al tr

ansa

ctio

n au

thor

isat

ion

leve

ls. W

here

app

ropr

iate

for

rec

onst

ruct

ion,

ret

ain

orig

inal

sou

rce

docu

men

tsfo

r th

e ap

prop

riat

e am

ount

of

time.

Valu

e D

river

sC

ontr

ol O

bjec

tive

• Acc

urat

e da

ta e

ntry

and

eff

icie

ntpr

oces

sing

• E

rror

s de

tect

ed in

a ti

mel

y m

anne

r•

Sens

itive

tran

sact

ion

data

sec

ured

Ris

k D

river

s

• Pr

oces

sing

inef

fici

enci

es d

ue to

inco

mpl

ete

data

ent

ry•

Com

prom

ised

inte

grity

of

criti

cal d

ata

• Acc

ess

cont

rol v

iola

tions

• D

ata

entr

y er

rors

und

etec

ted

AC

2 S

ourc

e D

ata

Col

lect

ion

and

Ent

ry

Page 256: USING COBIT - csbweb01.uncw.edu

IT ASSURANCE GUIDE: USING COBIT

IT GOVERNANCE INSTITUTE 256

AC2 Source Data Collection and Entry (cont.)

Test the Outcome of the Control Objective (cont.)
• Inspect documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that timely error messages, transaction process restrictions and error logs are generated, applied and reviewed effectively.
• Inspect error and out-of-balance reports, error corrections, and other documents to verify that errors and out-of-balance conditions are effectively reviewed, corrected, checked and reported until corrected.

Page 257: USING COBIT - csbweb01.uncw.edu


APPENDIX VI

AC3 Accuracy, Completeness and Authenticity Checks

Control Objective
Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.

Value Drivers
• Data processing errors efficiently remediated
• Data accuracy, completeness and validity maintained during processing
• Uninterrupted transaction processing
• Segregation of duties for data entry and processing

Risk Drivers
• Processing inefficiencies and rework due to incomplete, invalid or inaccurate data entry
• Compromised integrity of critical data
• Data entry errors undetected
• Unauthorised data entry

Test the Control Design
• Enquire whether and confirm that policies and procedures exist for the handling of transactions that fail edit and validation checks.
• Enquire whether and confirm that processes and procedures are established for the segregation of duties for entry, modification and approval of transaction data as well as for validation rules. Factors to consider in the assessment of segregation of duties policies include criticality of the transaction system and methods for the enforcement of segregation of duties.
• Enquire whether and confirm that validation criteria and parameters on input data are periodically reviewed, confirmed and updated in a timely, appropriate and authorised manner.
• For important or critical systems, inspect the data input design to ensure that the authorisation controls allow only appropriately authorised persons to input or modify data.
• Obtain functional description and design information on data input controls. Inspect the functionality and design for appropriate controls. Examples of controls include the presence of sequence, limit, range, validity, reasonableness, table look-ups, existence, key verification, check digit, completeness (e.g., total monetary amount, total items, total documents, hash totals), duplication, logical relationship checks and time edits.
• Obtain functional description and design information on data input authorisation controls. Inspect the functionality and design for the presence of authorisation checks.
• Obtain functional description and design information on transaction data entry. Inspect the functionality and design for the presence of timely and complete checks and error messages. If possible, observe transaction data entry.
• Obtain functional description and design information on transaction data validation.

Test the Outcome of the Control Objective
• Inspect error and out-of-balance reports, error corrections, and other documents to verify that errors and out-of-balance conditions are effectively reviewed, corrected, checked and reported until corrected.
• Inspect error corrections, out-of-balance conditions, entry overrides and other documents to verify that the procedures are followed.
• Select a sample of input source data of source documents. Using inspection, CAATs, or other automated evidence collection and assessment tools, validate that input data are a complete and accurate representation of underlying source documents.
• Select a sample of source data input processes. Enquire whether and confirm that mechanisms are in place to ensure that the source data input processes have been performed in line with established criteria for timeliness, completeness and accuracy.
• Enquire whether and confirm that transactions failing edit and validation routines are subject to appropriate follow-up until they are remediated.
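The AC2 and AC3 steps above name the input edits an assurance professional looks for (sequence, limit/range, validity via table look-up, check digit, logical relationship and time edits, completeness and hash totals) and the CAAT work of finding gaps, duplicates and out-of-sequence numbers. The following Python script is an added example, not code from the guide or from ITGI, of what such a CAAT run over a batch of input transactions does, with failing records posted to a suspense list while valid ones continue, as AC4 requires. Everything in it is an assumption made for the illustration: the record layout, the constructed batch, the cost-centre master table, the amount limit, Luhn as the check-digit scheme, and the rule that a posting date may not precede the value date.

```python
"""
Added example (not from the guide): a small CAAT that applies the input
edits named in AC2 and AC3 to a batch of transactions.

Everything below is an assumption for illustration: the record layout,
the constructed batch, the cost-centre master table, the amount limit,
Luhn as the check-digit scheme, and the rule that a posting date may not
precede the value date.
"""
from datetime import date
from decimal import Decimal

# Constructed sample batch; comments mark the defects planted in it.
SAMPLE_BATCH = [
    {"txn_no": 1001, "account": "79927398713", "cost_centre": "CC10", "amount": Decimal("250.00"), "value_date": date(2024, 3, 1), "post_date": date(2024, 3, 1)},
    {"txn_no": 1002, "account": "79927398713", "cost_centre": "CC10", "amount": Decimal("-5.00"), "value_date": date(2024, 3, 1), "post_date": date(2024, 3, 1)},      # amount below limit
    {"txn_no": 1004, "account": "79927398713", "cost_centre": "CC99", "amount": Decimal("99.00"), "value_date": date(2024, 3, 2), "post_date": date(2024, 3, 2)},      # 1003 missing; unknown cost centre
    {"txn_no": 1004, "account": "79927398710", "cost_centre": "CC20", "amount": Decimal("10.00"), "value_date": date(2024, 3, 2), "post_date": date(2024, 3, 2)},      # duplicate number; bad check digit
    {"txn_no": 1006, "account": "79927398713", "cost_centre": "CC20", "amount": Decimal("1500.00"), "value_date": date(2024, 3, 5), "post_date": date(2024, 3, 4)},    # posted before value date
    {"txn_no": 1005, "account": "79927398713", "cost_centre": "CC20", "amount": Decimal("40.00"), "value_date": date(2024, 3, 3), "post_date": date(2024, 3, 3)},      # out of sequence
]
VALID_COST_CENTRES = {"CC10", "CC20", "CC30"}            # table look-up against an assumed master file
AMOUNT_LIMIT = (Decimal("0.01"), Decimal("10000.00"))    # limit/range edit (assumed)

def luhn_ok(number):
    """Check-digit edit: Luhn mod 10 over the full number, check digit included."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_transaction(txn):
    """Field-level edits for one transaction; returns the failed edits (empty list = valid)."""
    low, high = AMOUNT_LIMIT
    errors = []
    if not low <= txn["amount"] <= high:
        errors.append("limit/range: amount outside %s..%s" % (low, high))
    if txn["cost_centre"] not in VALID_COST_CENTRES:
        errors.append("validity: cost centre not in master table")
    if not luhn_ok(txn["account"]):
        errors.append("check digit: account number fails Luhn")
    if txn["post_date"] < txn["value_date"]:
        errors.append("logical relationship: posting date precedes value date")
    return errors

def sequence_edits(txn_numbers):
    """Batch-level sequence edit: duplicates, gaps in the numbering and out-of-sequence numbers."""
    seen, duplicates, out_of_sequence, prev = set(), set(), [], None
    for n in txn_numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
        if prev is not None and n < prev:
            out_of_sequence.append(n)
        prev = n
    gaps = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return {"duplicates": sorted(duplicates), "gaps": gaps, "out_of_sequence": out_of_sequence}

def run_batch(batch):
    """Apply all edits. Valid records continue; failures go to suspense with an error log
    entry, so a bad record does not stop processing of the good ones. Completeness totals
    are computed over the whole batch for agreement with the totals on the batch header."""
    processed, suspense, error_log = [], [], []
    for txn in batch:
        errors = edit_transaction(txn)
        (suspense if errors else processed).append(txn)
        if errors:
            error_log.append((txn["txn_no"], errors))
    totals = {
        "record_count": len(batch),
        "total_amount": sum((t["amount"] for t in batch), Decimal("0")),
        "hash_total": sum(int(t["account"]) for t in batch),   # no business meaning, used only for agreement
    }
    return {"processed": processed, "suspense": suspense, "error_log": error_log,
            "sequence": sequence_edits([t["txn_no"] for t in batch]), "totals": totals}

if __name__ == "__main__":
    result = run_batch(SAMPLE_BATCH)
    for txn_no, errors in result["error_log"]:
        print(txn_no, "-> suspense:", "; ".join(errors))
    print("sequence:", result["sequence"])
    print("totals:", result["totals"])
```

Two design points match the test steps: the sequence edit runs over the whole batch rather than record by record, because a gap or a duplicate is only visible across records, and each suspense entry carries the name of the edit that failed, which is what the later "review error logs ... and verify the cause" steps need.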

Page 258: USING COBIT - csbweb01.uncw.edu


AC4 Processing Integrity and Validity

Control Objective
Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.

Value Drivers
• Processing errors detected in a timely manner
• Ability to investigate problems

Risk Drivers
• Insufficient evidence of errors or misuse
• Data entry errors undetected
• Unauthorised data processing

Test the Control Design
• Enquire whether and confirm that transaction processing takes place only after appropriate authorisation is given.
• Review the documentation of the tools and applications to verify that they are applicable and suitable for the task. Where appropriate for critical transactions, review the code to confirm that controls in the tools and applications operate as designed. Reprocess a representative sample to verify that automated tools operate as intended.
• Obtain functional description and design information on data input controls. Inspect the functionality and design for the presence of sequence and duplication error checks, referential integrity checks, and control and hash totals. With searching tools, identify cases where errors were identified erroneously and cases where errors were not detected.
• Inspect the functional description and design information on transaction data entry to verify whether transactions failing edit and validation routines are posted to suspense files. Verify whether suspense files are correctly and consistently produced and that users are informed of transactions posted to suspense accounts. Verify that processing of transactions is not delayed by data entry or transaction authorisation errors. Use automated evidence collection, including sample data, base cases (prepared transactions with an expected outcome), embedded audit modules or CAATs, to trace transactions to verify that transactions are processed effectively, valid transactions are processed without interruption from invalid transactions, and erroneous transactions are reported.
• Analyse a representative sample of error transactions on suspense accounts and files, and verify that transactions failing validation routines are checked until remediation. Verify whether suspense accounts and files for transactions failing validation routines contain only recent errors, confirming that older ones have been appropriately remediated.
• Enquire whether and confirm that job sequence is indicated to IT operations. Enquire whether and confirm that jobs provide adequate instructions to the job scheduling system so that data are not inappropriately added, changed or lost during processing. Inspect source documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that production job scheduling software is used effectively so that jobs run in the correct sequence and provide adequate instructions to the systems.
• Enquire whether and confirm that every transaction is assigned a unique and sequential number or identifier (e.g., index, date, time). Inspect documents, trace transactions through the process and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that there are no duplicates for transactions that require unique IDs and that there are no gaps in series that need to be sequentially numbered.
• Enquire whether and confirm that the audit trail of transactions processed is maintained. Inspect the audit trail and other documents to verify that the audit trail is designed effectively. Use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that the audit trail is maintained effectively. Verify that before and after images are maintained and periodically reviewed by appropriate personnel.
• Enquire whether and confirm that the transaction audit trail is maintained and periodically reviewed for unusual activity. Verify that the review is done by a supervisor who does not perform data entry. Inspect the audit trail, transactions (or batches), reviews and other documents; trace transactions through the process; and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to verify that periodic review and maintenance of the audit trail effectively detect unusual activity and that supervisor reviews are effective in verifying the validity of adjustments, overrides and high-value transactions in a timely manner.
• Enquire whether and confirm that appropriate tools are used and that maintenance of thresholds complies with the security requirements. Enquire whether and confirm that a supervisor periodically reviews system output and thresholds. Use automated evidence collection, including sample data, embedded audit modules or CAATs, to trace transactions to verify that the tools work as designed.
• Enquire whether and confirm that utilities are used, where possible, to automatically maintain the integrity of data during unexpected interruptions in data processing. Inspect the audit trail and other documents, plans, policies and procedures to verify that system capabilities are effectively designed to automatically maintain data integrity. Review the records of actual interruptions involving data integrity issues and verify that appropriate tools were used effectively.

Page 259: USING COBIT - csbweb01.uncw.edu


AC4 Processing Integrity and Validity (cont.)

Test the Control Design (cont.)
• Enquire whether and confirm that adjustments, overrides and high-value transactions are promptly reviewed in detail for appropriateness by a supervisor who does not perform data entry. Inspect the audit trail, other documents, plans, policies and procedures to verify that adjustments, overrides and high-value transactions are designed effectively to be promptly reviewed in detail. Inspect the audit trail, transactions (or batches), reviews and other documents; trace transactions through the process; and, where possible, use automated evidence collection, including sample data, embedded audit modules or CAATs, to verify that supervisor reviews are effective in ensuring the validity of adjustments, overrides and high-value transactions in a timely manner.
• Enquire whether and confirm that reconciliation of file totals is performed on a routine basis and that out-of-balance conditions are reported. Inspect reconciliations and other documents and trace transactions through the process to verify that reconciliations effectively determine whether file totals match or the out-of-balance condition is reported to the appropriate personnel.

Test the Outcome of the Control Objective
• For a sample application, enquire whether and confirm that segregation of duties is in place. Verify whether segregation of duties is implemented for entry, modification and approval of transaction data as well as for validation rules.
• For a sample of critical transaction processes, test whether access controls prevent unauthorised data entry. With searching tools, identify cases where unauthorised personnel are able to input or modify data.
• For a sample of transaction systems, verify whether suspense accounts and suspense files for transactions failing edit and validation routines contain only recent errors. Confirm that older failing transactions have been appropriately remediated.
• For a sample of transactions, verify that data entry is not delayed by invalid transactions.
• For highly critical transactions, set up a test system that operates like the live system. Enter different types of errors.
• Verify whether error detection and reporting are timely and complete and whether they provide sufficient information to correct the transaction.
• For highly critical transactions, set up a test system that operates like the live system. Process transactions in the test system to ensure that valid transactions are processed appropriately and in a timely fashion. Ensure that errors are reported appropriately and in a timely fashion.
• Inspect error messages upon data entry or online processing.
• Ensure that error messages are appropriate for the transaction flow. Examples of appropriate attributes of messages include understandability, immediacy and visibility.
• Determine whether transactions failing edit and validation routines are posted to suspense files.
• Verify whether suspense files are correctly and consistently produced. Verify whether the user is informed of transactions posted to suspense accounts.
• Take a sample of data input transactions. Use appropriate automated analysis and search tools to identify cases where errors were identified erroneously and cases where errors were not detected.
• Use automated evidence collection, including sample data, embedded audit modules or CAATs, to verify that valid transactions are processed without interruption. Inspect whether and confirm that invalid transactions are reported in a timely manner.

Page 260: USING COBIT - csbweb01.uncw.edu


AC5 Output Review, Reconciliation and Error Handling

Control Objective
Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient and protected during transmission; that verification, detection and correction of the accuracy of output occur; and that information provided in the output is used.

Value Drivers
• Sensitive data output protected
• Complete and error-free processing results delivered to the right recipient
• Errors detected in a timely manner

Risk Drivers
• Sensitive transaction data delivered to the wrong recipient
• Compromised data confidentiality
• Inefficient transaction processing
• Transaction data output errors undetected

Test the Control Design
• Review design criteria and confirm that they require the use of integrity-based control processes, such as the use of control totals in header and/or trailer records and the balancing of output back to control totals produced by the system.
• Enquire whether and confirm that detected out-of-balance conditions are reported, that reports have been designed into the system and that procedures have been developed to ensure that reports are provided to the appropriate level of management.
• Enquire whether and confirm that procedures require prompt investigation and reporting of out-of-balance conditions and other abnormalities.
• Review the documentation and ensure that procedures specify that periodic inventories be taken of key sensitive documents and that differences be investigated.
• Enquire whether and confirm that procedures have been designed to ensure that the completeness and accuracy of application output are validated prior to the output being used for subsequent processing, including use in end-user processing.
• Enquire whether and confirm that procedures have been developed to ensure that output is reviewed for reasonableness, accuracy or other criteria established by the process owner prior to use.
• Assess whether procedures have been defined that require the logging of potential errors and their resolution prior to distribution of the reports.

Test the Outcome of the Control Objective
• Enquire whether and confirm that control totals are properly implemented in header and/or trailer records of output to balance back to control totals produced by the system.
• Enquire whether and confirm that detected out-of-balance conditions are reported to the appropriate level of management. Inspect out-of-balance reports. Where possible, use automated evidence collection to look for control total errors and verify that they were acted upon correctly and in a timely manner.
• Enquire whether and confirm that physical inventories of sensitive outputs are taken at appropriate intervals. Ensure that they are compared to inventory records and that any differences are acted upon. Confirm that audit trails are created to account for all exceptions and rejections of sensitive output documents. Inspect a representative sample of audit trails, using automated evidence collection if possible, to identify exceptions and verify whether they have been detected and action has been taken. Take a physical inventory sample, and compare it to the associated audit trails to verify that detection operates effectively.
• Obtain a list of all electronic outputs that are reused in end-user applications. Verify that the electronic output is tested for completeness and accuracy before the output is reused and reprocessed. Select a representative sample of electronic output, and trace selected documents through the process to ensure that completeness and accuracy are verified before other operations are performed. Reperform completeness and accuracy tests to validate that they are effective.
• Enquire whether and confirm that output is reviewed for reasonableness and accuracy. Select a representative sample of output reports and test the reasonableness and accuracy of the output. Verify that potential errors are reported and centrally logged. Select a sample of representative transactions and verify that errors are identified and addressed in a timely manner. Inspect error logs to verify that errors are effectively addressed in a timely manner.
• Enquire whether and confirm that sensitive information is defined, agreed upon by the process owner and treated appropriately. This may include labelling sensitive application output and, where required, sending sensitive output to special access-controlled output devices. For a sample of sensitive data, search output files and confirm that they are properly labelled. Review the distribution methods of sensitive information and the access control mechanisms of sensitive output devices. Verify that the mechanisms correctly enforce pre-established access rights.
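The AC5 steps above, and the AC4 reconciliation-of-file-totals step before them, turn on control totals carried in header and/or trailer records and on balancing output back to the totals the system produced. The Python below is an added example, not code from the guide or from ITGI, of that mechanism in working form: a batch writer that stamps its trailer with the totals, a reconciliation that recomputes them and reports any out-of-balance condition, and a check that balances an output file back to the input's control totals. The record layout, the batch and output names and the constructed account numbers and amounts are assumptions made for the illustration.

```python
"""
Added example (not from the guide): control totals carried in a batch
trailer and the balancing of output back to the system's control totals.

The record layout is an assumption for illustration:
  H|<batch id>|<business date>
  D|<txn no>|<account>|<amount>
  T|<record count>|<total amount>|<hash total of account numbers>
"""
from decimal import Decimal

def control_totals(details):
    """Record count, monetary total and a hash total (sum of account numbers; it has no
    business meaning and only has to agree) over (txn_no, account, amount) tuples."""
    return {
        "record_count": len(details),
        "total_amount": sum((Decimal(amount) for _, _, amount in details), Decimal("0")),
        "hash_total": sum(int(acct) for _, acct, _ in details),
    }

def build_batch(batch_id, business_date, details):
    """Write a batch whose trailer carries the totals computed from its own detail records."""
    lines = ["H|%s|%s" % (batch_id, business_date)]
    lines += ["D|%d|%s|%s" % (txn_no, acct, amount) for txn_no, acct, amount in details]
    t = control_totals(details)
    lines.append("T|%d|%s|%d" % (t["record_count"], t["total_amount"], t["hash_total"]))
    return "\n".join(lines) + "\n"

def parse_batch(text):
    """Split a batch into header, details and trailer; a file missing either is rejected outright."""
    rows = [line.split("|") for line in text.splitlines() if line]
    if len(rows) < 2 or rows[0][0] != "H" or rows[-1][0] != "T":
        raise ValueError("batch must start with an H record and end with a T record")
    body = rows[1:-1]
    if any(r[0] != "D" for r in body):
        raise ValueError("unexpected record type between header and trailer")
    header = {"batch_id": rows[0][1], "business_date": rows[0][2]}
    details = [(int(r[1]), r[2], r[3]) for r in body]
    trailer = {"record_count": int(rows[-1][1]), "total_amount": Decimal(rows[-1][2]),
               "hash_total": int(rows[-1][3])}
    return header, details, trailer

def reconcile(text):
    """Recompute the totals from the details and compare them with the trailer (the file's
    own control totals). Any disagreement is an out-of-balance condition to be reported."""
    header, details, trailer = parse_batch(text)
    computed = control_totals(details)
    diffs = {k: {"trailer": trailer[k], "computed": computed[k]}
             for k in computed if trailer[k] != computed[k]}
    return {"batch_id": header["batch_id"], "in_balance": not diffs, "out_of_balance": diffs}

def balance_output_to_input(input_text, output_text):
    """Balance an output file back to the control totals the system recorded on the input
    trailer; this catches records dropped or altered between input and output."""
    _, _, in_trailer = parse_batch(input_text)
    _, out_details, _ = parse_batch(output_text)
    computed = control_totals(out_details)
    diffs = {k: {"input": in_trailer[k], "output": computed[k]}
             for k in computed if in_trailer[k] != computed[k]}
    return {"in_balance": not diffs, "differences": diffs}

# Constructed sample data (not real accounts or amounts).
SAMPLE_DETAILS = [(1001, "79927398713", "250.00"), (1002, "49927398716", "99.50"),
                  (1003, "1234567812345670", "1500.00")]

if __name__ == "__main__":
    good = build_batch("B001", "2024-03-01", SAMPLE_DETAILS)
    print(reconcile(good))                                   # in balance
    print(reconcile(good.replace("|99.50", "|999.50")))      # amount altered after trailer was written
    print(balance_output_to_input(good, build_batch("B001-OUT", "2024-03-01", SAMPLE_DETAILS[:2])))  # output lost a record
```

The three totals are deliberately independent: a record count catches a dropped record, a monetary total catches an altered amount, and a hash total over a non-monetary field catches a record substituted for another with the same amount. The reconciliation reports which total disagrees rather than a bare pass/fail, which is what the "reported to the appropriate level of management" steps need.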

Page 261: USING COBIT - csbweb01.uncw.edu


Test

the

Con

trol

Des

ign

• E

nqui

re w

heth

er a

nd c

onfi

rm th

at a

pro

cess

has

bee

n de

sign

ed to

ens

ure

that

, for

cri

tical

tran

sact

ions

, app

ropr

iate

agr

eem

ents

hav

e be

en m

ade

with

cou

nter

part

ies

that

incl

ude

com

mun

icat

ion

and

tran

sact

ion

pres

enta

tion

stan

dard

s, r

espo

nsib

ilitie

s, a

uthe

ntic

atio

n an

d se

curi

ty r

equi

rem

ents

.•

Enq

uire

whe

ther

and

con

firm

that

sys

tem

s ar

e de

sign

ed to

inco

rpor

ate

appr

opri

ate

mec

hani

sms

for

inte

grity

, aut

hent

icity

and

non

-rep

udia

tion,

suc

h as

ado

ptio

n of

ase

cure

sta

ndar

d or

one

that

is in

depe

nden

tly v

erif

ied.

• E

nqui

re w

heth

er a

nd c

onfi

rm th

at s

yste

ms

are

desi

gned

to in

corp

orat

e in

dust

ry s

tand

ard

outp

ut ta

ggin

g to

iden

tify

auth

entic

ated

info

rmat

ion.

• In

spec

t man

uals

and

doc

umen

tatio

n fo

r cr

itica

l app

licat

ions

to c

onfi

AC6 Transaction Authentication and Integrity

Control Objective
Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.

Value Drivers
• Straight-through processing
• Confidence in validity and authenticity of transactions
• Errors and misuse prevented

Risk Drivers
• Erroneous and/or unauthorised transactions
• Transaction errors undetected
• Inefficiencies and rework

rm that design specifications require that input be appropriately verified for authenticity.
• Enquire whether and confirm that systems are designed to identify transactions received from other processing applications, and analyse that information to determine authenticity of origin of the information and whether integrity of content was maintained during transmission.
• Obtain and inspect agreements made with counterparties for critical transactions, and ensure that the agreements specify requirements for communication and transaction presentation standards, responsibilities, authentication and security requirements.
• Select a sample of counterparty agreements for critical transactions and verify that they are complete.
• Select a sample of authentication failures to verify that the counterparty agreements operate effectively.
• Review documentation and perform a walk-through to identify applications that are critical for transaction authenticity, integrity and non-repudiation. For these applications, enquire whether and confirm that an appropriate mechanism for integrity, authenticity and non-repudiation is adopted (i.e., a secure standard or one that is independently verified).
• Inspect application manuals and documentation for critical applications to confirm that specifications and the design state that output is appropriately tagged with authentication information.
• Perform a walk-through of the code of a sample of applications to confirm that this specification and design are applied. Verify that these specifications have been tested with good result.
• Select a representative sample of transactions, and verify that authenticity and integrity information is correctly carried forward throughout the processing cycle.
• Review error logs for transactions that failed authentication, and verify the cause.

Test the Outcome of the Control Objective
• Perform a walk-through of the code of a sample of applications to confirm that specifications for authenticity have been applied. Verify that these specifications have been tested with good result.
• Review error logs for transactions that failed authentication, and verify the cause.
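The AC6 control objective and its test steps (output tagged with authentication information, inbound data checked for addressing, authenticity of origin and integrity of content, that information carried forward through the processing cycle, and failed authentications logged with their cause) as an added Python illustration. This is example code, not part of the guide; the application names, shared keys and in-memory failure log are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed per-application shared secrets (assumption: a real deployment would
# hold these in a key store and manage them under the counterparty agreement).
COUNTERPARTY_KEYS = {
    "billing-app": b"constructed-key-billing",
    "ledger-app": b"constructed-key-ledger",
    "bank-gateway": b"constructed-key-bank",
}
SELF_ID = "ledger-app"  # identity of the receiving application in this example

# In-memory stand-in for the error log of failed authentications that the test steps review.
AUTH_FAILURE_LOG = []


def canonical(obj) -> bytes:
    """Deterministic serialisation so sender and receiver authenticate identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tag_transaction(tx: dict, origin: str, destination: str) -> dict:
    """Output side: tag the transaction with addressing and an HMAC over origin,
    destination and content, computed with the originating application's key."""
    envelope = {"origin": origin, "destination": destination, "payload": tx}
    mac = hmac.new(COUNTERPARTY_KEYS[origin], canonical(envelope), hashlib.sha256).hexdigest()
    return {**envelope, "auth": mac}


def verify_transaction(msg: dict, expected_destination: str = SELF_ID):
    """Input side: check proper addressing, authenticity of origin and integrity of content.
    Returns (ok, cause) so the cause of any failure can be logged and later reviewed."""
    if msg.get("destination") != expected_destination:
        return False, f"misaddressed: destination={msg.get('destination')!r}"
    key = COUNTERPARTY_KEYS.get(msg.get("origin"))
    if key is None:
        return False, f"unknown origin: {msg.get('origin')!r}"
    envelope = {k: msg.get(k) for k in ("origin", "destination", "payload")}
    expected = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("auth", ""))):
        return False, "integrity or authenticity check failed"
    return True, "ok"


def receive(msg: dict) -> bool:
    """Accept or reject an inbound transaction, recording every failure with its cause."""
    ok, cause = verify_transaction(msg)
    if not ok:
        AUTH_FAILURE_LOG.append({"origin": msg.get("origin"), "cause": cause})
    return ok


def forward(msg: dict, destination: str) -> dict:
    """Carry authenticity information forward: the verified upstream tag travels inside
    the payload of the newly tagged message, so the chain of origin survives each hop."""
    if not receive(msg):
        raise ValueError("refusing to forward a transaction that failed authentication")
    chained = {"upstream": {"origin": msg["origin"], "auth": msg["auth"]}, "tx": msg["payload"]}
    return tag_transaction(chained, SELF_ID, destination)


if __name__ == "__main__":
    good = tag_transaction({"id": "T-1001", "amount": 250.0}, "billing-app", SELF_ID)
    print("genuine accepted:", receive(good))
    tampered = {**good, "payload": {**good["payload"], "amount": 2500.0}}
    print("tampered rejected:", not receive(tampered), "-", AUTH_FAILURE_LOG[-1]["cause"])
```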


APPENDIX VII—MATURITY MODEL FOR INTERNAL CONTROL

This appendix provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimised level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.

Maturity Level 0: Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organisation’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1: Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganised, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2: Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritised or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3: Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4: Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organised occasionally.

Maturity Level 5: Optimised
Status of the Internal Control Environment: An enterprisewide risk and control programme provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organisation benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.


APPENDIX VIII—IT SCOPING

1. Define the Initiative.
Define the purpose of the initiative, the business objective and the expected value to be returned. Document the enterprise areas addressed and impacted. List the success factors, compliance requirements, potential risks and project closure criteria. Establish how changes to these project drivers and outcomes will be handled.

Step 1.1 Define objectives.
Identify the primary objectives and goals of the initiative. Develop the value proposition and indicate how the objectives support and enhance the goals of the enterprise.
Activities:
• Identify reasons and objectives for undertaking the project and review with management.
• Research and document key issues and concerns.
• Learn from similar projects that have been undertaken.
• Identify and obtain relevant documents.
• Identify the expected outcome and deliverables of the initiative (high level).
• Identify the competitive landscape.
Deliverables:
• Documented business values
• Documented objectives of the IT initiative
• Documented expected outcomes

Step 1.2 Define boundaries.
Define the IT project and its boundaries, what is included and what is excluded. Identify the organisational units, business activities and processes that are included, and those that are excluded from the project scope.
Activities:
• Identify key activities, business units, organisational entities, operations, etc., to be included within the scope of the project.
• Identify and document items that are normally within the scope of such projects but that are to be excluded.
• Identify any scope issues, such as partially owned entities, foreign jurisdictions or exclusions.
• Ensure that the scope is sufficient to ensure that the results obtained will meet the objectives and expected deliverables.
• Establish liaison with affected entities to ensure co-ordination.
Deliverables:
• Documented scope of the IT initiative
• Documented scope of boundary issues and their treatment
• Communication of the boundaries with key stakeholders

Step 1.3 Define standards.
Identify standards, reference frameworks, policies and/or contracts with which the initiative needs to comply. Standards may include industry requirements, regulatory standards and entity policies. Identify key indicators for measuring, and establish success factors for achieving compliance.
Activities:
• Identify contractual, legislative, regulatory, industry or other standards to which the entity and the project must comply.
• Identify any standards or frameworks that the project/initiative should consider.
• Document success factors to enable, and key metrics to evidence, compliance with standards.
Deliverables:
• Documented standards that will be used in undertaking the project
• Documented key success factors and metrics for use in assessing project results

Step 1.4 Define risks.
Identify and assess risks associated with the project, including business risks as well as project risks. The degree of risk assessment and mitigation depends on the project’s size, value delivered and impact.
Activities:
• Identify potential reasons for failure or delay of the initiative in meeting objectives.
• Identify important scenarios that may endanger the initiative’s objectives, as well as the negative impacts this initiative may have on other enterprise objectives.
• Identify the significance of risks and likelihood of occurrence.
• Create plans to manage and mitigate the risks.
Deliverables:
• Documented risk assessment of the IT initiative
• Risk mitigation plan (as needed) and estimated costs

Step 1.5 Define change process.
Identify internal and external factors that could cause changes to the project, and define how changes will be made to the project’s objectives, scope, risks and success factors.
Activities:
• Identify and analyse internal and external factors that could cause changes to the project.
• Define and document the process and procedures for authorising, accepting and communicating changes to the drivers and outcomes.
• Identify appropriate tools and techniques to manage the change process.
Deliverables:
• Change process description
• Change management guidance, including the use of tools and techniques


Step 1.6 Define success.
Identify the conditions that must exist for the project to be considered complete, including the specific activities, tasks and deliverables required to complete the project. Define the exit criteria of the initiative (i.e., the conditions that determine if the objectives have been achieved).
Activities:
• Identify post-project acceptance activities.
• Identify evidence required to indicate that the project deliverables have been provided and accepted by the project owner and by those taking responsibility for the ongoing activities the project may create.
Deliverables:
• Evidence (metrics, quality criteria, etc.) required to indicate that the project has been successfully completed
• Evidence that post-completion activities have been identified and provided to appropriate organisational units

Step 1.7 Define resources.
Identify the resources required to successfully complete the initiative, including people, technology, funding and skills.
Activities:
• Define the number and level (skills) of resources needed to achieve the objectives of the initiative.
• Assess the need for technology and equipment to support the initiative.
Deliverables:
• Resource model
• Resource cost plan

Step 1.8 Define deliverables.
Define the specific deliverables that are to be produced during the initiative.
Activities:
• Identify the external deliverables that will result from the initiative.
• Create an illustrative sample deliverable.
Deliverables:
• List of project deliverables
• Sample of selected deliverables

2. Plan the Initiative.
Define the deliverables in detail. Based on that, identify the resources, support and accountabilities required to produce the deliverables. Obtain approval, set priorities within the initiative, activate resources and develop a communication plan so that the initiative can be stage-gated.

Step 2.1 Obtain executive support.
Identify and appoint the appropriate project sponsor for the initiative.
Activities:
• Determine the suitability of potential sponsors.
• Assess the availability of potential sponsors to fulfil the requirements.
• Develop executive presentation material based on project objectives and benefits.
Deliverables:
• Initiative sponsor/owner
• Completed project documentation and charter

Step 2.2 Finalise resource requirements.
Acquire the necessary funding and resources as defined in the resource model.
Activities:
• Review the expected resource model and cost plan.
• Prepare a detailed acquisition timeline.
• Prepare a detailed calendar-based project budget, including resource consumption/use and funding requirements.
Deliverables:
• Updated resource model
• Detailed resource acquisition timeline
• Detailed project budget

Step 2.3 Define organisation for the initiative.
Define and implement the organisational structure required to make the initiative successful. This will include leadership, staffing, key sponsor, etc., and may include a project management office.
Activities:
• Document roles and responsibilities.
• Define leadership expectations.
• Create and establish the organisation structure.
• Initially populate the organisation with key personnel.
• Create position descriptions, roles and responsibilities.
Deliverables:
• Organisation model
• Reporting authority
• Roles and responsibilities

Step 2.4 Define timeline.
Define the specific timeline for the initiative to be completed to meet stated goals and objectives given the expected resources and deliverables defined for the initiative. Include key milestones and identify the critical path.
Activities:
• Review goals and objectives and the expected resource model.
• Based on the review, define key milestones for deliverables and major initiative checkpoints with project sponsors.
• Prepare a high-level timing diagram, and identify potential critical path and dependent activities.
• Prepare Gantt charts for each major phase of the subproject, including critical and slack path analysis, skill requirements, and resource plans.
• Ensure that timing will meet critical external reporting, financing and other deadlines within the business cycle.
• Define ongoing status reporting within the project and to key external stakeholders and affected staff members.
Deliverables:
• Documented timelines integrated with the resource planning information
• Project timeline document indicating:
  - Activities and tasks
  - Activity dependence
  - Major milestone dates
  - Major project checkpoints
  - Key deliverable dates
  - Status and reporting dates
  - Business activities and other key dates
• Defined communications documents


Step 2.5 Define approach and methodology.
Determine the methodologies to be used and develop detailed plans, complete with phases, subphases, activities and tasks, to enable the project to successfully meet its objectives.
Activities:
• Develop project phases and subphases, each with objectives, activities and deliverables.
• Determine the approach and methodologies to be used and the information to be obtained.
• Develop detailed work plans for each phase, subphase and activity.
Deliverables:
• Detailed project plan

Step 2.6 Create communication plan.
Design a plan to communicate information about the initiative, manage expectations and support the objectives of the initiative throughout its life cycle. Consider the key milestones and different audiences.
Activities:
• Communicate project status, resource plan and costs (as appropriate).
• Communicate the status of the risk management plan.
• Communicate changes in project goals and objectives.
• Communicate project progress.
Deliverables:
• Documented communication plan, including time line and key milestones


APPENDIX IX—COBIT AND RELATED PRODUCTS

The COBIT framework, in versions 4.0 and higher, includes all of the following:
• Framework—Explains how COBIT organises IT governance management and control objectives and good practices by IT domains and processes, and links them to business requirements
• Process descriptions—Include 34 IT processes covering the IT responsibility areas from beginning to end
• Control objectives—Provide generic best practice management objectives for IT processes
• Management guidelines—Offer tools to help assign responsibility and measure performance
• Maturity models—Provide profiles of IT processes describing possible current and future states

In the years since its inception, COBIT’s core content has continued to evolve, and the number of COBIT-based derivative works has increased. Following are the publications currently derived from COBIT:
• Board Briefing on IT Governance, 2nd Edition—Designed to help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it
• COBIT Online—Allows users to customise a version of COBIT for their own enterprise, then store and manipulate that version as desired. It offers online, real-time surveys, frequently asked questions, benchmarking and a discussion facility for sharing experiences and questions.
• COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition—Provides guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to implement the objective. Control practices are strongly recommended for use with IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition.
• IT Assurance Guide: Using COBIT®—Provides guidance on how COBIT can be used to support a variety of assurance activities and offers suggested testing steps for all the COBIT IT processes and control objectives. It replaces the information in Audit Guidelines for auditing and self-assessment against the control objectives in COBIT 4.1.
• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition—Provides guidance on how to assure compliance for the IT environment based on the COBIT control objectives
• IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition—Provides a generic road map for implementing IT governance using COBIT and Val IT resources and a supporting tool kit
• COBIT Quickstart—Provides a baseline of control for the smaller organisation and a possible first step for the larger enterprise. The second edition is in development at the time of this writing.
• COBIT Security Baseline, 2nd Edition—Focuses on essential steps for implementing information security within the enterprise. The second edition is in final development at the time of this writing.
• COBIT Mappings—Currently posted at www.isaca.org/downloads:
  – Aligning COBIT, ITIL and ISO 17799 for Business Benefit
  – COBIT Mapping: Overview of International IT Guidance, 2nd Edition
  – COBIT Mapping: Mapping of CMMI® for Development V1.2 With COBIT 4.0
  – COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, 2nd Edition
  – COBIT Mapping: Mapping of ISO/IEC 17799:2005 With COBIT 4.0
  – COBIT Mapping: Mapping of ITIL With COBIT 4.0
  – COBIT Mapping: Mapping of PMBOK With COBIT 4.0
  – COBIT Mapping: Mapping of PRINCE2 With COBIT 4.0
  – COBIT Mapping: Mapping of SEI’s CMM for Software With COBIT 4.0
• Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition—Presents information security in business terms and contains tools and techniques to help uncover security-related problems

Val IT is the umbrella term used to describe the publications and future additional products and activities addressing the Val IT framework.

Current Val IT-related publications are:
• Enterprise Value: Governance of IT Investments—The Val IT Framework, which explains how an enterprise can extract optimal value from IT-enabled investments and is based on the COBIT framework. It is organised into:
  – Three processes—Value Governance, Portfolio Management and Investment Management
  – IT key management practices—Essential management practices that positively influence the achievement of the desired result or purpose of a particular activity. They support the Val IT processes and play roughly the same role as do COBIT’s control objectives.
• Enterprise Value: Governance of IT Investments—The Business Case, which focuses on one key element of the investment management process
• Enterprise Value: Governance of IT Investments—The ING Case Study, which describes how a global financial services company manages a portfolio of IT investments in the context of the Val IT framework

For the most complete and up-to-date information on COBIT, Val IT and related products, case studies, training opportunities, newsletters and other framework-specific information, visit www.isaca.org/cobit and www.isaca.org/valit.
