IT Assurance Guide: Using COBIT®

Need for IT Governance and Assurance
The COBIT® Framework
IT Assurance Approaches
How COBIT Supports IT Assurance Activities

The IT Governance Institute®

The IT Governance Institute (ITGI™) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research, electronic resources and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclaimer

ITGI (the ‘Owner’) has designed and created this publication, titled IT Assurance Guide: Using COBIT® (the ‘Work’), primarily as an educational resource for assurance professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, CIOs, senior management, IT management and control professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or IT environment.

Disclosure

© 2007 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI. Reproduction of selections of this publication, for internal and non-commercial or academic use only, is permitted and must include full attribution of the material’s source.
No other right or permission is granted with respect to this work.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: info@itgi.org
Web site: www.itgi.org

ISBN 1-933284-74-9
IT Assurance Guide: Using COBIT®
Printed in the United States of America

IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. www.itgi.org

ACKNOWLEDGEMENTS

IT Governance Institute wishes to recognise:

Project Managers and Thought Leaders
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium

Workshop Participants and Expert Reviewers
Mark Adler, CISA, CISM, CIA, CISSP, Allstate Insurance Co., USA
Peter Andrews, CISA, CITP, MCMI, PJA Consulting, UK
Georges Ataya, CISA, CISM, CISSP, MSCS, PBA, Solvay Business School, Belgium
Gary Austin, CISA, CIA, CISSP, CGFM, KPMG LLP, USA
Gary S. Baker, CA, Deloitte & Touche, Canada
David H. Barnett, CISM, CISSP, Applera Corp., USA
Christine Bellino, CPA, CITP, Jefferson Wells, USA
John W. Beveridge, CISA, CISM, CFE, CGFM, CQA, Massachusetts Office of the State Auditor, USA
Alan Boardman, CISA, CISM, CA, CISSP, Fox IT, UK
David Bonewell, CISA, CISSP-ISSEP, Accomac Consulting LLC, USA
Dirk Bruyndonckx, CISA, CISM, KPMG Advisory, Belgium
Don Caniglia, CISA, CISM, USA
Luis A. Capua, CISM, Sindicatura General de la Nación, Argentina
Boyd Carter, PMP, Elegantsolutions.ca, Canada
Sean V. Casey, CISA, CPA, Ernst & Young LLP, USA
Sushil Chatterji, Edutech, Singapore
Ed Chavennes, CISA, Ernst & Young LLP, USA
Christina Cheng, CISA, CISSP, SSCP, Deloitte & Touche LLP, USA
Dharmesh Choksey, CISA, CPA, CISSP, PMP, KPMG LLP, USA
Jeffrey D. Custer, CISA, CPA, CIA, Ernst & Young LLP, USA
Beverly G. Davis, CISA, Federal Home Loan Bank of San Francisco, USA
Peter De Bruyne, CISA, Banksys, Belgium
Steven De Haes, University of Antwerp Management School, Belgium
Philip De Picker, CISA, MCA, National Bank of Belgium, Belgium
Kimberly de Vries, CISA, PMP, Zurich Financial Services, USA
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA
Zama Dlamini, Deloitte & Touche, South Africa
Troy DuMoulin, Pink Elephant, Canada
Bill A. Durrand, CISA, CISM, CA, Ernst & Young LLP, Canada
Justus Ekeigwe, CISA, MBCS, Deloitte & Touche LLP, USA
Rafael Fabius, CISA, República AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Christopher Fox, ACA, USA
Bob Frelinger, CISA, Sun Microsystems Inc., USA
Zhiwei Fu, Ph.D., Fannie Mae, USA
Monique Garsoux, Dexia Bank, Belgium
Edson Gin, CISA, CFE, SSCP, USA
Sauvik Ghosh, CISA, CIA, CISSP, CPA, Ernst & Young LLP, USA
Guy Groner, CISA, CIA, CISSP, USA
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Benjamin K. Hsaio, CISA, Federal Deposit Insurance Corp., USA
Tom Hughes, Acumen Alliance, Australia
Monica Jain, CSQA, Covansys Corp., USA
Avinash W. Kadam, CISA, CISM, CBCP, CISSP, MIEL e-Security Pvt. Ltd., India
John A. Kay, CISA, USA
Lisa Kinyon, CISA, Countrywide, USA
Rodney Kocot, Systems Control and Security Inc., USA
Luc Kordel, CISA, CISM, CISSP, CIA, RE, RFA, Dexia Bank, Belgium
Linda Kostic, CISA, CPA, USA
John W. Lainhart IV, CISA, CISM, IBM, USA
Lynn Lawton, CISA, BA, FCA, FIIA, PII, KPMG LLP, UK
Philip Le Grand, Capita Education Services, UK
Elsa K. Lee, CISA, CISM, CSQA, AdvanSoft International Inc., USA
Kenny K. Lee, CISA, CISSP, Countrywide SMART Governance, USA
Debbie Lew, CISA, Ernst & Young LLP, USA
Bjarne Lonberg, CISSP, A.P. Moller-Maersk A/S, Denmark
Donald Lorete, CPA, Deloitte & Touche LLP, USA
Addie C.P. Lui, MCSA, MCSE, First Hawaiian Bank, USA
Charles Mansour, CISA, Charles Mansour Audit & Risk Service, UK
Mario Micallef, CPAA, FIA, National Australia Bank Group, Australia
Niels Thor Mikkelsen, CISA, CIA, Danske Bank, Denmark
John Mitchell, CISA, CFE, CITP, FBCS, FIIA, MIIA, QiCA, LHS Business Control, UK
Anita Montgomery, CISA, CIA, Countrywide, USA
Karl Muise, CISA, City National Bank, USA
Jay S. Munnelly, CISA, CIA, CGFM, Federal Deposit Insurance Corp., USA
Orillo Narduzzo, CISA, CISM, Banca Popolare di Vicenza, Italy
Sang Nguyen, CISA, CISSP, MCSE, Nova Southeastern University, USA
Anthony Noble, CISA, CCP, Viacom Inc., USA
Ed O’Donnell, Ph.D., CPA, University of Kansas, USA
Sue Owen, Department of Veterans Affairs, Australia
Robert G. Parker, CISA, CMC, FCA, Robert G. Parker Consulting, Canada
Bart Peeters, PricewaterhouseCoopers LLP, Belgium
Thomas Phelps IV, CISA, PricewaterhouseCoopers LLP, USA
Vitor Prisca, CISM, Novabase, Portugal
Claus Rosenquist, CISA, TrygVesata, Denmark
Jaco Sadie, Sasol, South Africa
Max Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Craig W. Silverthorne, CISA, CISM, CPA, IBM Business Consulting Services, USA
Chad Smith, Great-West Life, Canada
Gustavo A. Solis, CISA, CISM, Grupo Cynthus, Mexico
Roger Southgate, CISA, CISM, FCCA, CubeIT Management Ltd., UK
Paula Spinner, CSC, USA
Mark Stanley, CISA, Toyota Financial Services, USA
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Robert E. Stroud, CA Inc., USA
Scott L. Summers, Ph.D., Brigham Young University, USA
Lance M. Turcato, CISA, CISM, CPA, City of Phoenix IT Audit Division, USA
Ingvar Van Droogenbroeck, PricewaterhouseCoopers, Belgium
Wim Van Grembergen, Ph.D., University of Antwerp Management School, Belgium
Johan Van Grieken, CISA, Deloitte, Belgium
Greet Volders, Voquals NV, Belgium
Robert M. Walters, CISA, CPA, CGA, Office of the Comptroller General, Canada
Tom Wong, CISA, CIA, CMA, Ernst & Young LLP, Canada
Amanda Xu, CISA, PMP, KPMG LLP, USA

The following professors and students for their work on the COBIT 4.1 control practices and assurance test steps
Scott L. Summers, Ph.D., Brigham Young University, USA
Keith Ballante, Brigham Young University, USA
David Butler, Brigham Young University, USA
Phil Harrison, Brigham Young University, USA
William Lancaster, Brigham Young University, USA
Chase Manderino, Brigham Young University, USA
Paul Schneider, Brigham Young University, USA
Jacob Sperry, Brigham Young University, USA
Brian Updike, Brigham Young University, USA

ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, International President
Georges Ataya, CISA, CISM, CISSP, Solvay Business School, Belgium, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Avinash Kadam, CISA, CISM, CISSP, CBCP, GSEC, GCIH, Miel e-Security Pvt. Ltd., India, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Frank Yam, CISA, FHKIoD, FHKCS, FFA, CIA, CFE, CCP, CFSA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee

IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Tally Solutions Limited, UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Rómulo Lomparte, CISA, Banco de Crédito BCP, Peru
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG LLP, Austria
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada

Assurance Committee
Lynn C. Lawton, CISA, BA, FCA, FIIA, PII, KPMG LLP, UK
Pippa G. Andrews, CISA, ACA, CIA, Amcor, Australia
John Warner Beveridge, CISA, CISM, CFE, CGFM, Office of the Massachusetts State Auditor, USA
Daniel Patrick Casciano, CISA, Ernst & Young LLP, USA
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA
Avinash W. Kadam, CISA, CISM, CBCP, CISSP, MIEL e-Security Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Gustavo A. Solis, Grupo Cynthus S.A. de C.V., Mexico
Paul A. Zonneveld, CISA, CA, Deloitte & Touche, Canada
Corresponding Member: Robert G. Parker, CISA, CA, CMC, FCA, Canada

COBIT Steering Committee
Roger S. Debreceny, Ph.D., FCPA, University of Hawaii, USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Dan Casciano, CISA, Ernst & Young LLP, USA
Steven De Haes, University of Antwerp Management School, Belgium
Peter De Koninck, CISA, CFSA, CIA, SWIFT SC, Belgium
Rafael Fabius, CISA, República AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, KPMG LLP, Austria
Debbie Lew, CISA, Ernst & Young LLP, USA
Max Shanahan, FCPA, CISA, Max Shanahan & Associates, Australia
Dirk Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Robert E. Stroud, CA Inc., USA

ITGI Advisory Panel
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Chair
Roland Bader, F. Hoffmann-La Roche AG, Switzerland
Linda Betz, IBM Corporation, USA
Jean-Pierre Corniou, Renault, France
Rob Clyde, CISM, Symantec, USA
Richard Granger, NHS Connecting for Health, UK
Howard Schmidt, CISM, R&H Security Consulting LLC, USA
Alex Siow Yuen Khong, StarHub Ltd., Singapore
Amit Yoran, Yoran Associates, USA

ITGI Affiliates and Sponsors
ISACA chapters
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance
FIDA Inform
Information Security Forum
The Information Systems Security Association (ISSA)
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants
ISACA
ITGI Japan
Solvay Business School
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
CA
Hewlett-Packard
IBM
ITpreneurs Nederlands BV
LogLogic Inc.
Phoenix Business and Systems Process Inc.
Project Rx Inc.
Symantec Corporation
Wolcott Group LLC
World Pass IT Solutions

TABLE OF CONTENTS

1. Introduction .... 9
   Objectives of the Guide .... 9
   Summary Overview of COBIT .... 9
   Target Audience .... 11
   COBIT Guidance for IT Assurance Activities .... 12
   Components of IT Assurance Guide .... 12
   Relationship With COBIT Control Practices .... 14
   Document Road Map .... 15
   How to Use This Guide .... 15
2. IT Assurance Principles and Context .... 17
   Introduction .... 17
   Assurance Approach and Road Map .... 18
   Relevant General Standards and Guidance .... 22
   Relevance for IT Assurance .... 23
3. Assurance Planning .... 25
   Introduction .... 25
   IT Assurance Universe .... 25
   Risk-based Assurance Planning .... 27
   High-level Assessments .... 29
   Define the Scope and Objectives of the Assurance Initiative .... 29
4. IT Resource and Control Scoping .... 31
   Introduction .... 31
   Steps in Scoping IT Resources and Control Objectives .... 31
   IT-related Business Goals and IT Goals .... 33
5. Assurance Initiative Execution .... 35
   Introduction .... 35
   Step 1—Refine Understanding .... 35
   Step 2—Refine Scope .... 35
   Step 3—Test the Control Design .... 36
   Step 4—Test the Outcome of the Control Objectives .... 37
   Step 5—Document the Impact of Control Weaknesses .... 37
   Step 6—Develop and Report Overall Conclusion and Recommendations .... 38
6. Assurance Guidance for COBIT Processes and Controls .... 39
   Introduction .... 39
   Generic Process Controls .... 39
   Generic Control Practices .... 39
   IT General Controls .... 40
   Application Controls .... 40
   Examples of the Use of Detailed Assurance Steps .... 41
7. How COBIT Components Support IT Assurance Activities .... 43
   Introduction .... 43
   COBIT Components .... 43
   IT Assurance Activities .... 44
   The Strongest Links .... 44
Appendix I—Process Control (PC) .... 45
   Process Assurance Steps .... 45
Appendix II—Plan and Organise (PO) .... 51
   Process Assurance Steps .... 51
Appendix III—Acquire and Implement (AI) .... 115
   Process Assurance Steps .... 115
Appendix IV—Deliver and Support (DS) .... 153
   Process Assurance Steps .... 153
Appendix V—Monitor and Evaluate (ME) .... 225
   Process Assurance Steps .... 225
Appendix VI—Application Control (AC) .... 253
   Process Assurance Steps .... 253
Appendix VII—Maturity Model for Internal Control .... 263
Appendix VIII—IT Scoping .... 265
Appendix IX—COBIT and Related Products .... 269

1. INTRODUCTION

OBJECTIVES OF THE GUIDE

The objective of IT Assurance Guide is to provide guidance on how to use COBIT to support a variety of IT assurance activities. If the organisation is already using COBIT as a framework for IT governance, it will enable the leverage of COBIT when planning and performing assurance reviews, so that the business, IT and assurance professionals are aligned around a common framework and common objectives. This guide is designed to enable efficient and effective development of IT assurance initiatives, providing guidance on planning, scoping and executing assurance reviews using a road map based on well-accepted assurance approaches.
Guidance is also provided on how the COBIT resources can be used during these stages, supported by detailed tests based on COBIT’s processes and control objectives. The guidance and suggested tests, like all the COBIT resources, are not intended to be prescriptive, but should be tailored to suit the specific assurance initiative. This guide is aimed primarily at assurance professionals, but may be of interest to IT professionals and advisors.

SUMMARY OVERVIEW OF COBIT

Control Objectives for Information and related Technology (COBIT) is a comprehensive set of resources that contains all the information organisations need to adopt an IT governance and control framework. COBIT provides good practices across a domain and process framework in a manageable and logical structure to help optimise IT-enabled investments and ensure that IT is successful in delivering against business requirements. COBIT contributes to enterprise needs by:
• Making a measurable link between the business requirements and IT goals
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
• Providing tools for management:
  – Goals and metrics to enable IT performance to be measured
  – Maturity models to enable process capability to be benchmarked
  – Responsible, Accountable, Consulted and Informed (RACI) charts to clarify roles and responsibilities

COBIT is focused on what is required to achieve adequate governance, management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed IT frameworks, standards and best practices. COBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements.
In this context, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Internal Control Framework and similar compliant frameworks are generally seen as the internal control frameworks for enterprises. COBIT is generally seen as the management and control framework for IT. The benefits of implementing COBIT as a governance framework over IT include:
• Better alignment of business and IT, based on a business focus
• Shared understanding amongst all stakeholders, based on a common language
• An understandable view of what IT does for business management
• Clear ownership and responsibilities, based on a process orientation
• Widespread acceptance by third parties and regulators
• Fulfilment of the COSO requirements for the IT control environment

The COBIT framework is summarised in figure 1. The COBIT products have been organised into three levels designed to support:
• Boards of directors and executive management
• Business and IT management
• Governance, assurance, control and security professionals

Figure 2 illustrates the COBIT products within the IT governance body of knowledge aimed at each of these three levels.

Figure 1—COBIT Framework (labels recovered from the diagram)
Business Objectives; Governance Objectives
Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT resources: Applications, Information, Infrastructure, People

Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

For more details on each product, see appendix X, COBIT and Related Products. For the most complete and up-to-date information on COBIT and related products, case studies, training opportunities, newsletters and other COBIT-specific information, visit www.isaca.org/cobit.

TARGET AUDIENCE

This IT Assurance Guide provides detailed guidance for assurance and IT professionals on how COBIT can be used to support a variety of assurance activities for each of the 34 IT processes.
Assurance steps and advice are provided for:
• Generic controls that apply to all processes (identified within the COBIT framework by a PCn identifier)
• Application controls (identified within the COBIT framework by an ACn identifier)
• Specific process controls (identified within the COBIT framework by domain identification and process number, e.g., PO6.3, AI4.1)

Assurance steps and guidelines are provided to:
• Test the control design of the control objective
• Test the outcome of the control objective (operational effectiveness)
• Document control weaknesses and their impact

It is assumed that users of this guide are familiar with the concepts of COBIT and have a level of knowledge equivalent to at least the COBIT foundation level (which can be tested online to obtain the COBIT® Foundation Certificate). If this is not the case, it is recommended that the reader undertake the COBIT Foundation Course™. Information on these opportunities is available from education@isaca.org and at www.isaca.org/cobitcampus. The guide also assumes that the readers are familiar with assurance concepts in general.

Figure 2—Major COBIT-based Products (labels recovered from the diagram)
Executives and Boards: How does the board exercise its responsibilities?
Business and Technology Management: How do we measure performance? How do we compare to others? And how do we improve over time?
Governance, Assurance, Control and Security Professionals: What is the IT governance framework? How do we assess the IT governance framework? How do we implement it in the enterprise?
Products shown: Board Briefing on IT Governance, 2nd Edition; Management guidelines; Maturity models; Control objectives; Key management practices; COBIT and Val IT™ frameworks; IT Governance Implementation Guide, 2nd Edition; COBIT Control Practices, 2nd Edition; IT Assurance Guide
This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT Quickstart for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).

COBIT GUIDANCE FOR IT ASSURANCE ACTIVITIES

The COBIT framework, represented in figure 3, provides the basis for two guides:
• IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition, which provides a road map and process guidance on how to implement IT governance using the COBIT resources
• IT Assurance Guide: Using COBIT, which provides professional guidance for the assurance team and offers a structured assurance approach linked to the COBIT framework that business and IT professionals can understand

As seen in figure 3, each guide is fed with different inputs. The IT Governance Implementation Guide leverages COBIT Control Practices, whilst the IT Assurance Guide is based on assurance steps. The two inputs (control practices and assurance steps) are considered mutually exclusive, allowing the guides’ users to focus on either part of the IT governance process (implementation or assurance). IT Assurance Guide provides assurance advice at different levels. At the process level, process-specific advice is provided on how to test whether control objectives are being achieved and on how to document control weaknesses. At the control objective level, assurance steps are provided to test the control design for each specific control objective based on its control practices. This detailed guidance can be found in appendices I through VI.
In chapter 6, Assurance Guidance for COBIT Processes and Controls, some examples can be found on how the detailed guidance can be leveraged for a specific assurance initiative. At the different levels, generic advice is also provided. Generic advice applies to all processes or control objectives and can be used in addition to, or as an alternative to, the specific advice. These processes are further described in chapter 6. For the testing steps of the execution stage, this guide provides generic guidance as well as specific, more detailed guidance to assist the IT assurance professional. Generic advice means that it can be applied to any process, control objective or control practice depending on the type of advice. Specific advice refers to adviceprovided for a specific process, control objective or control practice. An overview of the IT assurance framework that underpins this process is shown in figure 4. COMPONENTS OF IT ASSURANCE GUIDE The content of the detailed assurance guidance is organised around the 34 COBIT processes and contains the following components: • Control objectives—Increasingly, organisations are recognising that control of IT is critical for ensuring that IT delivers value to the organisation, risks are managed, regulatory requirements are met, and investments in IT deliver a reasonable return. IT control objectives are statements of the desired result or purpose to be achieved by implementing control practices in a particular IT process and often relate directly to specific activities within the process. COBIT’s control objectives are high-level requirements to be considered for effective control of each IT process. They are written as short, action-oriented management practices. Wherever possible, they follow a logical life cycle sequence. Enterprise management has choices relative to control objectives. 
Members of management should:
– Select applicable control objectives
– Balance the investment required to implement management practices required to achieve each control objective with the risk that arises in not achieving it
– Decide which control practices to implement
– Choose how to implement each control practice

IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. www.itgi.org12

Figure 3—Implementation and Assurance Guides (diagram; labels: Framework, Control Objectives, Management Guidelines, Maturity Models, Control Objective, Value, Risk, COBIT Control Practices, 2nd Edition, Assurance Steps, WHAT, HOW; related products shown: Board Briefing on IT Governance, 2nd Edition, Executive Baseline for IT Governance (in development), IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition, Audit Director Baseline for IT Governance (future development), IT Assurance Guide: Using COBIT)

COBIT’s more than 200 control objectives define what needs to be managed in each IT process to address business requirements and manage risk. They help to define clear policies, foster good practices for IT controls and encourage process ownership. They also provide the reference point for linking good practices to business requirements. Constructed by harmonising more than 40 different control guidance sources, COBIT can be integrated with other standards and practices that focus on specific areas, such as the ISO/IEC 27000 series on information security-related standards, ISO/IEC 9001:2000 Quality Management Systems—Requirements, IT Infrastructure Library (ITIL), Capability Maturity Model® Integration (CMMI®), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge® (PMBOK®).
• Value and risk drivers—Value and risk drivers provide valuable inputs to professionals for use in communicating a business justification for achieving particular control objectives and implementing associated control practices.
The value drivers provide examples of the business benefits that can result from good control, whilst the risk drivers provide examples of the risks that may need to be avoided or mitigated. They provide to assurance professionals and IT governance implementors the argument for implementing controls and substantiate the impact of not implementing them.
• Assurance testing steps—The assurance testing steps provide guidance at the control objective level for assurance professionals conducting an IT assurance process. The steps are derived from the control practices, which, in turn, are derived from each control objective. The assurance testing steps:
– Evaluate the design of the controls
– Confirm that controls are placed in operation
– Assess the operational effectiveness of the control
These different testing steps are elaborated in more detail in chapter 6, Assurance Guidance for COBIT Processes and Controls. Generic assurance steps cover the existence and design effectiveness of the proposed control design as well as the associated responsibilities. Specific assurance steps test the effective operation of controls and are stated at the control objective level. In addition, assurance steps are provided to test the outcomes of control weakness or failure. The assurance testing steps are designed to provide the first level of the development of an assurance programme by an internal or external assurance professional. The objective is not to provide a detailed assurance programme that can be used as is and executed. Rather, the intent is for an assurance professional with some experience to use it as the basis for efficiently developing customised assurance programmes that can be used and executed by staff members with less experience. The assurance professional should take the testing steps as a foundation for implementing the assurance initiative.
He/she should adjust the testing steps for the reality of the organisation and the objectives of the assurance initiative. The steps are guidance only—they are not a cookbook. The combination of all assurance components provides a testing method to assist in forming opinions against assurance objectives by combining one or more of the following test types:
• Enquire (via a different source) and confirm.
• Inspect (via walk-through, search, compare and review).
• Observe (i.e., confirmation through observation).
• Reperform or recalculate and analyse (often based on a sample).
• Collect (e.g., sample, trace, extract) and analyse automated evidence.

Figure 4—Overview of the IT Assurance Advice Provided (diagram showing, for generic and specific advice in the assurance guide, the relationships amongst IT Processes, Control Objectives, Control Practices, Testing the Control Design of the Control Objectives, Testing the Control Objective Outcome and Documented Control Weaknesses)

RELATIONSHIP WITH COBIT CONTROL PRACTICES

IT Assurance Guide is part of the COBIT family of products. The assurance test steps have been derived from the COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, and are expressed in a form usable by assurance professionals for testing activities. COBIT Control Practices extends the capabilities of the COBIT framework and provides an additional level of detail. The COBIT IT processes, business requirements and control objectives define what needs to be done to implement an effective control structure. COBIT Control Practices provides the more detailed guidance at the control objective level on how to achieve the objectives.
The control practices consist of the following elements for each of the COBIT control objectives:
• Value and risk drivers, providing ‘why do it’ guidance
• Control practices to be considered when assessing IT processes and implementing improvements
For each of the control objectives, a list of specific control practices is defined. In addition, three generic control practices are defined, which are applicable to all control objectives. The complete set of generic and specific control practices provides one control approach, consisting of practices that are necessary for achieving the control objective. They provide high-level generic guidance, at a more detailed level under the control objective, for assessing process maturity, considering potential improvements and implementing the controls. They do not describe specific solutions, and further guidance may need to be obtained from specific, relevant standards and best practices, such as ITIL or PRINCE2. The control practices meet the following design criteria in that they:
• Are relevant to the purpose of the control objective
• Can be executed in a timely fashion
• Are realistic and cost-effective
• Are measurable
• Provide for a definition of the roles involved and segregated roles, where appropriate
• Are action-oriented
• Are life-cycle-based, wherever possible
Control practices help ensure that the solutions put forward are more likely to be completely and successfully implemented, by providing guidance on why controls are needed and what the good practices are for meeting specific control objectives. The control practices are designed to support two audiences:
• Implementors of IT governance (e.g., management, service providers, end users, control professionals)
• Assurance professionals (e.g., internal and external assurance professionals)
For assurance purposes, all the control practices were used to develop detailed assurance steps.
The assurance testing steps are designed to provide the first stage of the development of an assurance programme by an internal or external assurance professional. Therefore, professionals using this assurance guide need to take into account that the assurance steps are derived from the control practices. The control practices themselves are not provided in this guide. The table in figure 5 provides an overview of the control material that is provided by COBIT and forms the basis for the assurance material in this guide.

Figure 5—Control Objectives and Control Practices
Generic control objectives: The COBIT framework provides six process controls that apply to each process. When reviewing a process, these control objectives and the associated practices and assurance steps should be added to the specific control objectives material.
Generic control practices: When translating control objectives into practices, the first steps are always the same and cover designing, recording and communicating the approach for achieving the objective, and assigning responsibility and accountability for making it happen.
Specific control objectives: For each process, a number of specific control objectives are provided in the COBIT framework.
Specific control practices: COBIT provides specific practices for each control objective. Together with the generic practices they provide a control design consisting of the necessary and sufficient steps to achieve the control objective.

The table in figure 6 describes the assurance material that is derived from the COBIT control material and provided in this guide. Finally, additional advice is provided on testing the six application controls (as provided in COBIT), again addressing design, outcome and impact testing. COBIT, and many of its supporting products, provides detailed support in a wide range of IT assurance activities.
DOCUMENT ROAD MAP

The main sections of this document follow the structure of a suggested IT assurance road map. That road map will be explained in more detail in chapter 2, IT Assurance Principles and Context. The main sections or titles of this road map are:
• Planning
• Scoping
• Execution, including:
– Refining the understanding of the IT assurance subject
– Refining the scope of key control objectives
– Testing the effectiveness of control design
– Testing the outcomes of key control objectives
– Documenting the impact of control weaknesses
– Developing/communicating conclusions and recommendations
Planning is elaborated in chapter 3, Assurance Planning. Scoping is addressed in chapter 4, IT Resource and Control Scoping, and chapter 5, Assurance Initiative Execution, addresses all of the execution steps. Chapter 6, Assurance Guidelines for COBIT Processes and Controls, explains the structure of the assurance guidance provided for the COBIT processes and control objectives. Chapter 7 explains how COBIT components support IT assurance activities. Appendices I-VI provide the actual assurance tests.

HOW TO USE THIS GUIDE

Even though COBIT has a wide potential audience and can be used by many within an organisation, this guide is particularly intended for internal and external assurance professionals.

Figure 6—Linking General and Specific Advice to Classes of IT Assurance
Generic advice, testing the control design: The generic control practices are translated into assurance steps based on a standard set of assurance methods.
Generic advice, testing control process outcome: In addition or as an alternative to testing the control design, the outcome of a control objective can be tested. Some standard approaches to looking for evidence are provided that apply to any process.
Generic advice, documenting control weaknesses: As an alternative or in addition to the specific advice, some standard approaches to documenting and putting control weaknesses in context are provided, largely focused on identifying comparative data (e.g., benchmarks, measurements, cases).
Specific advice, testing the control design: The specific control practices are also translated into assurance steps. Combined with the generic practices assurance steps, they provide a complete test of the control design of the objective.
Specific advice, testing control process outcome: For each process, a number of assurance steps are provided to test the outcome of the control objectives of the process. The generic advice can be used as an alternative or to complement the specific advice.
Specific advice, documenting control weaknesses: For each process, specific advice is provided on how to document control weaknesses, relating to the goals, metrics, activities and control objectives of the process.

A major benefit of this guide is that users can rely on the consistency of the COBIT framework and its related products. The COBIT framework is increasingly being used as an IT governance framework, helping align business and IT management and providing a basis for improving IT’s performance. If assurance professionals base their reviews on the same framework as business and IT managers who are improving IT governance and IT performance, everyone involved will be using a common language and it will be easier to agree and implement any necessary control improvements. This guide can be used by the assurance professional for many different purposes, including:
• Obtaining a view on current good practices on assurance and testing principles
• Learning how using different COBIT components and related concepts can help in planning and scoping assurance initiatives
• Having available a comprehensive reference of all COBIT control objectives and supporting control practices and how they can be tested to obtain assurance that they are effective
2. IT ASSURANCE PRINCIPLES AND CONTEXT

INTRODUCTION

This section describes the overall principles, components and context of IT assurance and explores the IT assurance road map, providing a high-level description of the major steps involved. The objective of IT Assurance Guide is not to provide detailed assurance guidelines. Instead, the objective is to provide high-level guidance on conducting assurance initiatives, and explain briefly a number of fundamental principles for understanding assurance and some related techniques and contributory activities. Formal standards such as the International Auditing and Assurance Standards Board’s (IAASB’s) International Framework for Assurance Engagements (IAASB Assurance Framework) may be referenced. However, in this manual, ‘assurance’ is the term used consistently, as it is broader than the term ‘audit’. Assurance also covers evaluation activities not governed by internal and/or external audit standards. To be called an assurance initiative, five components must be present, as prescribed in the IAASB Assurance Framework and as listed in figure 7. The objective of an assurance initiative is for an assurance professional to measure or evaluate a subject matter that is the responsibility of another party. For IT assurance initiatives, there is generally also a stakeholder involved who uses the subject matter but who has delegated operation and custodianship of the subject matter to the responsible party. Hence, the stakeholder is the end customer of the evaluation and can approve the criteria of the evaluation with the responsible party and the assurance professional. The conclusion of the evaluation provides an opinion as to whether the subject matter meets the needs of the stakeholder.
Figure 8 summarises the relationships in an assurance initiative.

Figure 7—The Five Components of an Assurance Initiative
1. A three-party relationship involving a responsible party for the subject matter, an assurance professional, and an intended user of the assurance report
2. A subject matter over which the assurance is to be provided (i.e., data, systems, processes)
3. Suitable criteria against which the subject matter will be assessed (i.e., standards, benchmarks, legislation)
4. A process that the assurance professional will undertake
5. A conclusion issued by the assurance professional

Figure 8—Relationships in the Assurance Initiative (diagram linking Stakeholder, Responsible Party, Assurance Professional, Suitable criteria for the assurance initiative, Subject Matter, Business Process, Assurance Process and Conclusion through the relationships accepts, manages, uses, relies on, reviews against criteria and reports)

ASSURANCE APPROACH AND ROAD MAP

IT Assurance Road Map

To provide assurance, it is important to follow a consistent methodology or approach. Whilst the specific approach may be unique to each organisation and type of initiative, for the purposes of this guide a fairly common approach is used. It is based on three stages: planning, scoping and execution, with the final stage broken down into six steps. The stages and steps of the road map are presented in figure 9. For more significant assurance initiatives, additional information on breaking down the initiative into objectives, actions and deliverables can be found in appendix VIII, IT Scoping. This breakdown provides more detailed guidance that can be applied to IT assurance activity scoping and IT control scoping.

PLANNING

The establishment of the IT assurance universe for the assurance assignment serves as the beginning of every assurance initiative.
To create a comprehensive plan, the assurance professional needs to combine an understanding of the IT assurance universe and the selection of an appropriate IT control framework, such as COBIT. The aggregation of these two allows for risk-based planning of the assurance initiative. To set the correct assurance objectives, first a high-level assessment needs to be performed. The end deliverable of this stage is the IT assurance plan (usually annual).

SCOPING

The scoping process can be performed in three different ways:
• The most detailed scoping approach starts from defining business and IT goals for the environment under review and identifying a set of IT processes and resources (i.e., assurance universe) required to support those goals. The goals that are subject to the IT assurance initiative can be scoped down to a lower granularity (i.e., key control objectives customised for the organisation).
• A high-level scoping approach may start from benchmarking research executed by ITGI, providing generic guidelines on the relationship of business goals, IT goals and IT processes, as described in COBIT. This generic cascade of goals and processes can be used as a basis for more detailed scoping, as required for the specific environment being assessed.
• A hybrid scoping approach combines the detailed and high-level methods. This approach starts from the generic cascade of goals and processes, but is adapted and modified to the specific environment before continuing the scoping to more detailed levels.
The end deliverables of this stage are the scope and objectives of the different IT assurance initiatives.

EXECUTION

The third stage of the IT assurance road map is the execution stage. Figure 10 describes an approach that assurance professionals can follow as they execute a particular assurance initiative. These steps cover the core testing activities that the assurance professional executes.
Chapter 5, Assurance Initiative Execution, describes each of the steps in more detail. The end deliverable of this stage is the conclusion of the individual IT assurance initiative.

Figure 9—IT Assurance Road Map (diagram: Planning, comprising establish the IT assurance universe, select an IT control framework, perform risk-based IT assurance planning and perform high-level assessments, delivers the IT assurance plans; Scoping cascades from business goals to IT goals, key IT processes and key IT resources, key control objectives and customised key control objectives, scopes and defines the high-level objectives for the initiative, and delivers the detailed scope and objectives; Executing comprises six steps, refine the understanding of the IT assurance subject, refine the scope of key control objectives for the IT assurance subject, test the effectiveness of the control design of the key control objectives, alternatively/additionally test the outcome of the key control objectives, document the impact of control weaknesses, and develop and communicate the overall conclusion and recommendations, and delivers the assurance conclusion)

IT Assurance Activities

The approach presented in the previous section, IT Assurance Road Map, describes the stages and steps for providing assurance services and provides the structure for this guide. Some of the typical IT assurance activities that may be performed under each of these assurance approach stages are listed in figure 11. Figure 11 introduces the typical assurance activities that can be used—and for which advice is provided—in the different stages and steps of the IT assurance road map. Sometimes the step is the activity; sometimes an activity can be leveraged in several steps.
Whilst most of the advice in this guide focuses on the execution stage of the road map in figure 12 and Chapter 7, How COBIT Components Support IT Assurance Activities, additional advice is provided for the assurance activities listed, by identifying the COBIT components that can provide a particular benefit for each of these activities. All IT assurance initiatives include most of these activities; therefore, most of the COBIT components can be leveraged in all types of IT-related assurance initiatives. Figure 12 demonstrates a linkage between assurance activities and where COBIT components can provide a particular benefit. In addition, chapter 7, How COBIT Components Support IT Assurance Activities, provides suggestions on how the different COBIT components can be leveraged to improve the effectiveness and/or efficiency of different IT assurance activities.

Figure 10—Execution Road Map (diagram of the six execution steps: refine the understanding of the IT assurance subject; refine the scope of key control objectives for the IT assurance subject; test the effectiveness of the control design of the key control objectives; alternatively/additionally test the outcome of the key control objectives; document the impact of control weaknesses; develop and communicate the overall conclusion and recommendations)

Figure 11—IT Assurance Activities
• Plan:
– Perform a quick risk assessment.
– Assess threat, vulnerability and business impact.
– Diagnose operational and project risk.
– Plan risk-based assurance initiatives.
– Identify critical IT processes based on value drivers.
– Assess process maturity.
• Scope:
– Scope and plan assurance initiatives.
– Select the control objectives for critical processes.
– Customise control objectives.
• Execute:
1. Refine the understanding of the IT assurance subject:
– Identify/confirm critical IT processes.
– Self-assess process maturity.
2. Refine the scope of the key control objectives for the IT assurance subject:
– Update the control objective selection.
– Customise control objectives.
– Build a detailed audit programme.
3. Test the effectiveness of the control design of the key control objectives:
– Test and evaluate controls.
– Update/assess process maturity.
4. Test the outcome of the key control objectives:
– Self-assess controls.
– Test and evaluate controls.
5. Document the impact of control weaknesses:
– Diagnose residual operational and/or project risk.
– Substantiate risk.
6. Develop and communicate overall conclusion and recommendations:
– Report assurance conclusions.

Figure 12—Assurance Activities Linked to COBIT Components (matrix; the rows are the IT assurance activities: perform a quick risk assessment; assess threat, vulnerability and business impact; diagnose operational and/or project risk; plan risk-based assurance initiatives; identify critical IT processes based on value drivers; assess process maturity; scope and plan assurance initiatives; select the control objectives for critical processes; customise control objectives; build a detailed assurance programme; test and evaluate controls; substantiate risk; report assurance conclusions; self-assess process maturity; self-assess controls. The columns are the COBIT components: Control Objectives; COBIT Control Practices; Value and Risk Statement; Maturity Model; Maturity Model Attributes; RACI (Key Activities and Responsibilities); Goals and Outcome Measures; Performance Drivers; Management Awareness Tool; Information Criteria; Process List; Board Briefing on IT Governance, 2nd Edition; IT Risk and Control Diagnostics; COBIT Quickstart; COBIT Online—Searching and Browsing; COBIT Online—Benchmarking; IT Control Objectives for Sarbanes-Oxley, 2nd Edition. The individual check marks did not survive extraction.)

Reference to Other Assurance Models

Assurance professionals may be familiar with the standards set by organisations, such as IAASB within the International Federation of Accountants (IFAC). IAASB has defined within its International Standards on Auditing stages of conducting an assurance engagement in the context of the financial statement audit. Whilst these stages are specifically defined for the purposes of financial statement audits, they are consistent with the suggested IT assurance processes in this guide. This is illustrated in figure 13.

Figure 13—Correlation of IT Assurance and Assurance Stages (table; the columns are the IAASB assurance stages: determine the responsible party and intended user of assurance output; determine the nature of the subject matter; define and agree on evaluation criteria; collect evidence; assess evidence; make judgement; report and conclude. The rows are Planning, Scoping and the execution stages in the road map: refine the understanding of the IT assurance subject; refine the scope of key control objectives; test the effectiveness of the control design; test outcomes of key control objectives; document the impact of control weaknesses; develop and communicate the overall conclusion and recommendations. The individual check marks did not survive extraction.)

The first two steps of the execution stage refine the analysis of the planning and scoping stages and, therefore, map in the same manner to the IAASB standard. For internal assurance, the planning activity is considered to be the annual plan activity and ‘refining the plan’ refers to planning aspects of individual assignments; whereas, for external audit, these two levels of planning may happen at the same time. The suggested approach for IT assurance is to make a clear distinction amongst:
• Testing the design of a control objective
• Testing the outcome of a control objective
• Documenting the impact of the weaknesses identified
Each of these three steps deals with collecting and assessing evidence, but in a different manner.

Type of Assurance Advice Provided

For the testing steps of the execution stage, this guide provides generic guidance as well as more specific advice to assist the IT assurance professional, as shown in figure 14. The graphic summarises relationships amongst the key COBIT components (process, control objective and control practice) with the steps in the IT assurance road map. Generic advice means that it can be applied to any process, control objective or control practice depending on the type of advice. Specific advice refers to advice provided for a specific process, control objective or control practice.

The Historical Context—Statutory Audit (Financial Statement Audit)

It is important to understand that, historically, IT assurance started in support of financial statement audits. This class of assurance is still of great relevance, especially in light of the US Sarbanes-Oxley Act and similar regulations internationally.
The purpose of a financial audit is, typically, to express an opinion on financial statements, notably in respect of the following assertions:
• Existence or occurrence of the assets/liabilities/transactions reflected in the financial statements
• Completeness of all financial information presented
• Rights, obligations and relevant commitments appropriately presented in the financial statements
• Valuation or allocation of the value of financial statement captions on a fair and consistent basis
• Presentation and disclosure of values in the appropriate captions of the financial statements and relevant accounting principles or additional information to help ensure correct interpretation
Together, these assertions, when met, allow the auditor to form and report an opinion on the financial condition of the related entity.

RELEVANT GENERAL STANDARDS AND GUIDANCE

Current recognised guidelines for the external financial statement audit process are embodied in the International Standards on Auditing (ISA).1 ISA 315 sets out the requirements of the assurance professional to obtain an understanding of internal control relevant to the audit, which includes the following components:
• The control environment
• The entity’s risk assessment process
• The information system, including the related business processes relevant to financial reporting, and communication
• Control activities
• Monitoring of controls
The ISA recognises that, generally speaking, IT provides potential benefits of effectiveness and efficiency for an entity’s internal control, but also that it poses specific risks.
With respect to IT, the financial statement assertions can be translated into the following information processing objectives:
• Completeness
• Accuracy
• Validity
• Restricted access
The minimum requirement for the assurance professional is to understand the information systems underpinning business processes relevant for financial reporting and how the entity has responded to risks arising from IT. Since the use of IT affects the way control activities are implemented in the business and related financial reporting, the assurance professional needs to consider whether the entity has responded adequately to the risks arising from IT by establishing effective general IT controls and application controls. The ISA define general IT controls as policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls are categorised in the ISA as follows:
• Data centre and network operations
• System software acquisition, change and maintenance
• Access security
• Application system acquisition, development and maintenance

Figure 14—Types of Advice Provided in This Guide (diagram, with the same content as figure 4, showing for generic and specific advice in the assurance guide the relationships amongst IT Processes, Control Objectives, Control Practices, Testing the Control Design of the Control Objectives, Testing the Control Objective Outcome and Documented Control Weaknesses)

1 International Standards on Auditing (ISA) are professional standards for the performance of financial audit of financial information. These standards are issued by International Federation of Accountants (IFAC) and cover respective responsibilities, audit planning, internal control, audit evidence, using work of other experts, audit conclusions and audit report, and specialised areas.

ISA 330 gives guidance on the nature, timing and extent of audit procedures to be adopted in response to identified risks. Some specific requirements are set out in the ISA in relation to internal controls validation, including the following:
• When the assurance professional’s assessment of risks of material misstatement at the assertion level includes an expectation that controls are operating effectively, the assurance professional should perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit.
• When the assurance professional has determined that it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the assurance professional should perform tests of relevant controls to obtain audit evidence about their operating effectiveness.
The ISA also specify the type of procedures to be carried out, stating that, ‘the assurance professional should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls’.

RELEVANCE FOR IT ASSURANCE

Specifically in relation to IT, the ISA state that the assurance professional considers the need to obtain audit evidence supporting the effective operation of controls directly related to the assertions, as well as other indirect controls on which these controls depend, such as underlying general IT controls. For that purpose, the COBIT framework provides abundant guidance, and this guide provides an assurance approach that is in line with ISA guidance.
Because of the inherent consistency of IT processing, audit evidence about the implementation of an automated application control, when considered in combination with assurance evidence obtained regarding the operating effectiveness of the entity’s general controls (and in particular system development life cycle controls, including change controls), may provide substantial assurance evidence about its operating effectiveness during the relevant period. More guidance on these aspects is provided in chapter 6, Assurance Guidance for COBIT Processes and Controls.

Materiality
When conducting or supporting financial statement audits, assurance professionals ordinarily measure materiality in monetary terms, since what they are auditing is also measured and reported in monetary terms. IT assurance professionals may conduct assurance on non-financial items and, therefore, alternative measures are required. With respect to a specific control objective, a material control is a control or group of controls without which control procedures do not provide reasonable assurance that the control objective will be met. ISACA IS Auditing Guideline G6 (www.isaca.org/standard/guideline.htm) specifies that where the IT assurance objective relates to systems or operations processing financial transactions, the value of the assets controlled by the system(s) or the value of transactions processed per day/week/month/year should be considered in assessing materiality.
For systems and operations not affecting financial transactions, the following are examples of measures that should be considered to assess materiality:
• Criticality of the business processes supported by the system or operation
• Cost of the system or operation (i.e., hardware, software, staff, third-party services, overheads, or a combination of these)
• Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage, etc.)
• Number of accesses/transactions/inquiries processed per period
• Nature, timing and extent of reports prepared and files maintained
• Nature and quantities of materials handled (e.g., where inventory movements are recorded without values)
• Service level agreement (SLA) requirements and cost of potential penalties
• Penalties for failure to comply with legal and contractual requirements

Assurance Risk
Assurance risk is the risk that an incorrect opinion is reported by the assurance professional in the presence of a material misstatement of the subject matter. Assurance risk is a function of the risk of material error and the risk that the assurance professional will not detect the associated errors or control failures.
The risk of material error has two components:
• Inherent risk—The susceptibility of an assertion by the responsible party to a misstatement that could be material, individually or when aggregated with other misstatements, assuming that there were no related internal controls²
• Control risk—The risk that a misstatement that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal control

Detective risk is the risk that the assurance professional’s procedures will not detect a misstatement that exists in an assertion that could be material, individually or when aggregated with other misstatements. It is important when planning an assurance initiative to assess assurance risk and design an approach to ensure that the assurance objectives are met.

2 These definitions are drawn from the International Accounting and Assurance Standards Board.

3. ASSURANCE PLANNING

INTRODUCTION
The first phase of the IT assurance framework (illustrated in figure 9) is the planning phase. Before beginning an assurance initiative, the work of the IT assurance professional should be planned in a manner appropriate for meeting the assurance objectives. For an internal assurance function, the assurance plan should be developed/updated/reviewed at least annually. The plan should act as a framework for assurance activities and serve to address responsibilities set by the assurance charter. For an external IT assurance initiative, a plan should normally be prepared for each initiative.
Each type of assurance plan should clearly document the objectives of the initiative and reflect the intended user’s strategy and priorities. As part of the planning process, IT assurance professionals should obtain a good understanding of the assurance universe and the organisation’s business goals for IT, its IT goals, and how they are planned to be realised through IT processes and IT resources. The extent of the knowledge required is determined by the nature of the organisation, its environment, its risks and the objectives of the assurance initiative. To execute the assurance initiative and assurance planning work according to a standardised and structured approach, the IT assurance professional should also identify appropriate control frameworks that could be useful for the assurance initiatives (e.g., COSO, COBIT) or IT management frameworks or standards (e.g., ITIL, ISO/IEC 27000).

IT ASSURANCE UNIVERSE
The IT assurance universe defines the area of responsibility of the IT assurance provider; it is usually based on a high-level structure that classifies and relates IT processes, resources, risks and controls, allowing for a risk-based selection of discrete IT assurance initiatives. The assurance universe needs to be defined at the enterprise level and must be composed of subjects, units, processes, procedures, systems, etc., that are capable of being defined and evaluated. The building blocks of the assurance universe are units under which assurance can be conducted. For the purpose of the IT Assurance Guide, COBIT provides a structure to define the IT assurance universe built around the four types of IT resources and 34 IT processes categorised into four domains. The four domains cover the traditional responsibilities in IT of plan, build, run and monitor.
The IT resources identified in COBIT are defined as follows:
• Applications—The automated user systems and manual procedures that process the information
• Information—The data input, processed and output by the information systems, in whatever form is used by the business
• Infrastructure—The technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, etc., and the environment that houses and supports them) that enable the processing of the applications
• People—The personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

The four domains defined by COBIT are Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. As shown in figure 15, IT processes deliver information to the business, run the applications, and need infrastructure and people. Together, they constitute the enterprise architecture for IT.

[Figure 15–Enterprise Architecture for IT: IT processes (including goals and responsibilities) deliver information, run applications, and need infrastructure and people]

The portfolio of assurance activities within the assurance universe needs to be prioritised by risk level, technological complexity, time since the most recent assurance initiative, strategic importance, age in technology, known control weaknesses, etc. By doing so, assurance resources can be assigned to the units carrying the highest risk for the organisation. The prioritisation is driven by business and governance objectives (regarding functionality, agility, return, compliance and comfort), implying specific value and risk drivers, as illustrated in figure 16.
This figure also illustrates that it helps to think in terms of IT resources when translating business goals into IT goals (i.e., in terms of the services and information required) and in terms of the infrastructure and people resources required to provide and support the services and information needed. COBIT provides tables of generically applicable enterprise and IT goals that can, after adaptation to the situation at hand, help in determining the subjects in the assurance universe that need the most attention.

The assurance universe resulting from the analysis work described previously is, in most cases, a two-dimensional matrix, with one dimension describing the relevant elements from the enterprise architecture for IT and the other dimension indicating the possible control objectives, as shown in the left part of figure 17. Because the recommended framework is COBIT, with its process structure, a first step in scoping the assurance initiative can consist of selecting the processes, thereby reducing the control objectives in scope on the horizontal dimension. This also allows for simplifying the vertical dimension by concentrating on the IT resources, because the processes have already been dealt with in the horizontal control objective dimension. This then produces the right side of figure 17. If other control frameworks are used that are not process-oriented, the processes need to be retained in the vertical dimension. But even then, most frameworks can be mapped to COBIT (see www.isaca.org/cobit) so that, after mapping, the simplified version can be used.
[Figure 16–Business and IT Goals as Drivers for Assurance Planning: business and governance objectives (functionality, agility, return, compliance, comfort) drive the enterprise goals for IT, the IT goals and the IT processes, across the IT resources applications, information, infrastructure and people]

[Figure 17–Linking the Enterprise Architecture and Control Objectives: on the left, a matrix of the enterprise architecture for IT (vertical) against control objectives (horizontal); IT process selection and control objectives selection reduce it, on the right, to IT resources against the selected control objectives]

Other forms of representing the assurance universe are possible. Whatever representation is chosen, the balance between completeness, consistency and manageability has to be preserved. Through the proposed technique, all relevant units can be identified and described. Some examples are:
• Applications can either be grouped (in line with the major business processes they support, e.g., sales, logistics, administration, manufacturing, human resources) or listed individually; one can then identify the subset of IT processes and control objectives that apply to the applications (e.g., an assurance initiative on the application development cycle or on portfolio management). Projects, which are very often reviewed through project assurance initiatives, can be considered as applications in the making.
• People and the way they are organised (i.e., organisational units) are part of the assurance universe horizontal dimension, allowing, for example, assurance on organisational entities.
• Infrastructure elements (e.g., data centre, networks, IT platforms) are another horizontal dimension, allowing identification of, for example, security reviews of operating systems and networks, or physical reviews of data centres.
• Information includes databases, master files and transaction logs.

Specific topics currently high on the agenda of many IT departments include outsourcing projects and a variety of compliance requirements.
Through the process dimension of the assurance universe, the assurance professional can identify the relevant IT processes that manage outsourced IT services, for example, DS1 Define and manage service levels and DS2 Manage third-party services. By doing so, this specific topic can be included in the overall assurance universe.

RISK-BASED ASSURANCE PLANNING
The assurance professional should use an appropriate risk assessment technique or approach in developing the overall plan for the effective allocation of IT assurance resources. Risk assessment is a technique used to examine units in the assurance universe and select those areas for review that have the greatest risk exposure. The risks associated with each IT layer cannot be determined by reviewing the IT-related risks in isolation, but must be considered in conjunction with the organisation’s processes and objectives. Risk has two major attributes (probability and impact) and arises from a complex relationship amongst the attributes of the objects involved, which are:
• Asset—Something of value (tangible or intangible) worth protecting
• Threat—Any situation or event that has the potential to harm a system
• Threat agent—Methods and things used to exploit a vulnerability (e.g., determination, capability, motive, resources)
• Threat event—An instance of a threat acting upon a system vulnerability in which the system is adversely affected
• Vulnerability—A weakness that could be exploited by a threat (e.g., an open firewall port, a password that is never changed, a flammable carpet). A missing control is also considered a vulnerability.
• Countermeasure—A synonym for control. The term ‘countermeasure’ can be used to refer to any type of control, but it is most often used when referring to measures that increase the resilience, fault tolerance or reliability of an IT service.
• Risk—The potential that a given threat will exploit vulnerabilities of an asset to cause loss or damage to the asset
• Residual risk—The risk that remains from an event once the controls in place to reduce the effect or likelihood of that event have been taken into account

Figure 18 provides the relationship amongst the different components and the major attributes of each. These attributes are essential to analyse the contribution of each component to the risk analysis process. A suggested approach for this process is provided in figure 19.

The suggested risk analysis approach starts from the valuation of assets, which in the COBIT framework consists of the information that has the required criteria to help achieve the business objectives (including all the resources necessary to produce that information). The next step is the vulnerability analysis, which identifies the vulnerabilities that apply to the assets (e.g., a business process that needs to comply with data privacy, a business product that deals with financial transactions, or infrastructure elements that determine the availability of many information services). The next phase identifies significant threats that may be able to exploit a given vulnerability (e.g., unintentional events such as errors, omissions and accidents; intentional actions such as fraud, hacking or theft). The probability of the threat, the degree of vulnerability and the severity of the impact are combined to develop threat/vulnerability scenarios and assess their risk. This is followed by the selection of countermeasures (controls) and an evaluation of their cost and effectiveness. After considering the impact of implementing the selected controls, the residual risk can be determined. The conclusion is an action plan, after which the cycle can start again.
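A worked version of this cycle, added here as an illustration and not code from the IT Assurance Guide: it values two constructed assets, builds threat/vulnerability scenarios from the vulnerability and threat examples above, scores each scenario as probability times impact, retains a candidate countermeasure only when the exposure it removes exceeds its cost, and reports inherent exposure, residual exposure and an action plan ordered by residual exposure. The 0..1 scales, the greedy cost/effectiveness rule and every figure in the sample data are assumptions of the example.

```python
"""Risk analysis cycle: value assets, identify vulnerabilities and threats,
build threat/vulnerability scenarios, score them, pick countermeasures on
cost/effectiveness and report residual risk.

Added illustration, not the IT Assurance Guide's own code. The scoring
scales, the greedy selection rule and all sample figures are constructed
assumptions."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Asset:
    name: str
    value: float  # estimated value (assumed monetary units)


@dataclass
class Scenario:
    """A threat acting on a vulnerability of an asset (figure 18 components)."""
    asset: Asset
    vulnerability: str
    threat: str
    probability: float      # assumed likelihood of the threat event (0..1)
    impact_fraction: float  # assumed share of asset value lost if it occurs

    def inherent_exposure(self) -> float:
        # risk = probability x impact, impact scaled by the asset's value
        return self.probability * self.impact_fraction * self.asset.value


@dataclass
class Countermeasure:
    name: str
    cost: float
    addresses: Set[str]                 # vulnerabilities the control acts on
    probability_reduction: float = 0.0  # fraction of likelihood removed
    impact_reduction: float = 0.0       # fraction of impact removed


def residual_exposure(scn: Scenario, controls: List[Countermeasure]) -> float:
    """Exposure left after the given controls are applied to one scenario."""
    p, i = scn.probability, scn.impact_fraction
    for c in controls:
        if scn.vulnerability in c.addresses:
            p *= 1.0 - c.probability_reduction
            i *= 1.0 - c.impact_reduction
    return p * i * scn.asset.value


def total_exposure(scenarios: List[Scenario], controls: List[Countermeasure]) -> float:
    return sum(residual_exposure(s, controls) for s in scenarios)


def select_countermeasures(scenarios: List[Scenario],
                           candidates: List[Countermeasure]) -> List[Countermeasure]:
    """Keep a candidate only if the exposure it removes exceeds its cost
    (greedy cost/effectiveness rule; an assumption of this example)."""
    selected: List[Countermeasure] = []
    for c in candidates:
        before = total_exposure(scenarios, selected)
        after = total_exposure(scenarios, selected + [c])
        if before - after > c.cost:
            selected.append(c)
    return selected


def risk_analysis(scenarios: List[Scenario],
                  candidates: List[Countermeasure]) -> Tuple[float, float, float, List[str]]:
    """Return inherent exposure, residual exposure, cost of selected controls
    and the action plan: scenarios ordered by residual exposure, highest first."""
    selected = select_countermeasures(scenarios, candidates)
    inherent = total_exposure(scenarios, [])
    residual = total_exposure(scenarios, selected)
    cost = sum(c.cost for c in selected)
    plan = sorted(scenarios, key=lambda s: residual_exposure(s, selected), reverse=True)
    return inherent, residual, cost, [f"{s.asset.name}: {s.threat}" for s in plan]


# Constructed sample inventory (not real figures).
PAYROLL = Asset("Payroll application", 1_000_000.0)
CUSTOMER_DB = Asset("Customer database", 500_000.0)
SCENARIOS = [
    Scenario(PAYROLL, "password never changed", "unauthorised access", 0.20, 0.50),
    Scenario(PAYROLL, "no change control", "erroneous release", 0.50, 0.10),
    Scenario(CUSTOMER_DB, "open firewall port", "hacking", 0.10, 0.80),
]
CANDIDATES = [
    Countermeasure("Password rotation policy", 5_000.0,
                   {"password never changed"}, probability_reduction=0.75),
    Countermeasure("Change management procedure", 20_000.0,
                   {"no change control"}, probability_reduction=0.60),
    Countermeasure("Firewall rule review", 50_000.0,
                   {"open firewall port"}, probability_reduction=0.50),
]

if __name__ == "__main__":
    inherent, residual, cost, plan = risk_analysis(SCENARIOS, CANDIDATES)
    print(f"inherent {inherent:,.0f}  residual {residual:,.0f}  control cost {cost:,.0f}")
    for line in plan:
        print("action plan:", line)
```

On the sample data the firewall rule review is rejected because it removes less exposure than it costs, so the residual exposure of the customer database scenario stays the highest item on the action plan; that is exactly the kind of outcome the cycle is meant to surface before the next iteration.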
[Figure 18–Relationship and Attributes of the Risk Analysis Components: owners, countermeasures, risks, threat agents, threats, vulnerabilities, assets and threat/vulnerability scenarios, linked by the relationships impose, reduce, prevent and detect, give rise to, exploit, have, avoid or mitigate, and are concerned about]

[Figure 19—A Risk Analysis Approach Leveraging the Risk Components and Their Attributes: a cycle of identify critical assets and estimate their value; identify applicable vulnerabilities; identify significant threats; define relevant threat/vulnerability scenarios; assess risk (applicability, probability and materiality of impact); inventory useful countermeasures; evaluate control cost and effectiveness; determine residual risk; develop a risk mitigation action plan]

HIGH-LEVEL ASSESSMENTS
High-level assessment can provide support in assurance planning by identifying processes where the maturity/control gap between as-is and to-be is the most significant. Several assessment techniques exist (covering the evaluation against performance and risk attributes, process maturity attributes, control objectives and maturity attributes), resulting in, for example, process compliance profiles as shown in figure 21. The results of such high-level assessment can be used to prioritise the IT assurance work.
Specific benefits of such high-level assessments are:
• Making members of IT management aware of their accountability for controlling IT and gaining their buy-in
• High-level checking of compliance with established IT control requirements
• Optimising and prioritising IT assurance resources
• Bridging to IT governance

DEFINE THE SCOPE AND OBJECTIVES OF THE ASSURANCE INITIATIVE
IT assurance professionals should also clearly define the scope and objectives of the assurance work and perform a preliminary assessment of internal control/maturity of the function/activities being reviewed to provide reasonable assurance that all material items will be adequately covered during the assurance initiative. To execute high-level planning assessments, COBIT Quickstart can provide hands-on support (see www.isaca.org/cobit). Figures 20 through 22 also demonstrate other possible templates that can be used for high-level control and maturity assessments.

The first template, shown in figure 20, is a management awareness diagnostic that evaluates processes against some performance and risk attributes. Completing this template for specific IT processes provides a quick insight into the risks associated (importance and performance), the responsibility (who does it), the formality (documentation), the assurance history and the accountability.

The next two templates provide examples of how to execute a process maturity assessment, using the maturity description or maturity attributes. The first template, in figure 21, starts from the process maturity description, which needs to be broken down into several maturity statements. For each of the statements, a compliance value needs to be defined, which enables the IT assurance professional to calculate a ‘compliance profile’. Another approach in assessing process maturity is to leverage the maturity attributes (COBIT maturity models as explained in the COBIT framework).
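Computing the compliance profile of figure 21 from weighted maturity statements, as an added example that is not part of the guide. The statements for AI6 Manage changes are constructed for the example (they paraphrase the kind of statement a maturity description breaks into, not COBIT text); the per-level aggregation (weighted mean of the 0.00/0.33/0.66/1.00 compliance values) and the 0.66 threshold used to read the profile as ‘maturity level X, moving into level Y’ are assumptions of the example, since the guide's template does not prescribe them.

```python
"""Process maturity compliance profile (figure 21 style).

Added illustration, not the IT Assurance Guide's own code. The sample
statements, the weighted-mean aggregation per level and the threshold
for calling a level 'reached' are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Compliance values as listed on the figure 21 template.
COMPLIANCE_VALUES = {
    "not at all": 0.00,
    "a little": 0.33,
    "to some degree": 0.66,
    "completely": 1.00,
}


@dataclass
class Statement:
    text: str
    maturity_level: int  # level of the maturity description the statement came from
    weight: float        # relative importance of the statement within its level
    compliance: str      # one of COMPLIANCE_VALUES


def compliance_profile(statements: List[Statement]) -> Dict[int, float]:
    """Weighted compliance per maturity level, 0.0 to 1.0 (assumed aggregation)."""
    totals: Dict[int, float] = {}
    weights: Dict[int, float] = {}
    for s in statements:
        value = COMPLIANCE_VALUES[s.compliance]
        totals[s.maturity_level] = totals.get(s.maturity_level, 0.0) + s.weight * value
        weights[s.maturity_level] = weights.get(s.maturity_level, 0.0) + s.weight
    return {lvl: totals[lvl] / weights[lvl] for lvl in sorted(totals)}


def assess_maturity(profile: Dict[int, float], threshold: float = 0.66) -> Tuple[int, int]:
    """Read a profile as (reached level, level being moved into).

    A level counts as reached only when its compliance meets the threshold
    and every lower level has been reached; the next level is reported as
    'moving into' when it shows any compliance at all. Threshold assumed."""
    reached = 0
    for lvl in sorted(profile):
        if lvl == reached + 1 and profile[lvl] >= threshold:
            reached = lvl
        else:
            break
    nxt = reached + 1
    moving_into = nxt if nxt in profile and profile[nxt] > 0.0 else reached
    return reached, moving_into


# Constructed statements for AI6 Manage changes (example data only).
AI6_STATEMENTS = [
    Statement("Changes are recognised as needing some control", 1, 1.0, "completely"),
    Statement("An informal change process exists", 2, 1.0, "completely"),
    Statement("Changes are tracked, although not consistently", 2, 1.0, "completely"),
    Statement("A defined change management process is in place", 3, 2.0, "completely"),
    Statement("Emergency changes follow a documented fast-track path", 3, 1.0, "to some degree"),
    Statement("Change management is integrated with release and configuration management",
              4, 1.0, "to some degree"),
    Statement("Change metrics are reported to management", 4, 1.0, "a little"),
    Statement("The change process is improved against external benchmarks", 5, 1.0, "not at all"),
]

if __name__ == "__main__":
    profile = compliance_profile(AI6_STATEMENTS)
    for lvl, value in profile.items():
        print(f"level {lvl}: {value:.2f} " + "#" * int(value * 20))
    reached, moving = assess_maturity(profile)
    print(f"AI6 Manage changes: maturity level {reached}, moving into level {moving}")
```

Printing the profile as a bar per level reproduces the reading of the chart in figure 21 (level 3 reached, level 4 partially complied with), and the gating in assess_maturity stops a process from being called level 3 when a level 2 statement is largely unmet, which is the usual objection to reading the bars in isolation.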
The maturity of a process can be assessed against six maturity attributes:
• Awareness and communication
• Policies, plans and procedures
• Tools and automation
• Skills and expertise
• Responsibility and accountability
• Goal setting and measurement

[Figure 20—Management Awareness Diagnostic: a template listing COBIT processes (PO1 Define a strategic IT plan, PO10 Manage projects, AI6 Manage changes, DS2 Manage third-party services, DS5 Ensure systems security, ME1 Monitor and evaluate IT performance) against the columns Risk (Importance, Performance), Who Does It? (IT, Other, Outside, Do Not Know), Formality, Audited? and Who Is Accountable?]
Importance = How important for the organisation on a scale from 1 (not at all) to 5 (very)
Performance = How well it is done from 1 (very well) to 5 (do not know or badly)
Formality = Is there a contract, an SLA or a clearly documented procedure (Y, N or ?)
Audited? = Y, N or ?
Accountable = Name or ‘do not know’

Assessment of these attributes on a template, as shown in figure 22, provides the IT assurance professional with a ‘rising star scheme’, indicating significant gaps between as-is and to-be, areas where attention is needed, and potential quick wins.

[Figure 21—Assessing the Process Maturity Compliance Profile: a template recording, for a process (process name, process ID), its maturity statements with a weight, maturity level, total weight and compliance value (not at all = 0.00, a little = 0.33, to some degree = 0.66, completely = 1.00); the accompanying chart for AI6 Manage changes plots the compliance value (scale 0 to .50) for maturity levels 1 to 5 and reads ‘maturity level 3, moving into level 4’]

Figure 22—Assessing Process Maturity Attributes (the table, one entry per maturity level and attribute)

Level 5
Awareness and communication: There is advanced, forward-looking understanding of requirements. Proactive communication of issues based on trends exists, mature communication techniques are applied, and integrated communication tools are in use.
Policies, plans and procedures: External best practices and standards are applied. Process documentation is evolved to automated workflows. Processes, policies and procedures are standardised and integrated to enable end-to-end management and improvement.
Tools and automation: Standardised tool sets are used across the enterprise. Tools are fully integrated with other related tools to enable end-to-end support of the processes. Tools are being used to support improvement of the process and automatically detect control exceptions.
Skills and expertise: The organisation formally encourages continuous improvement of skills, based on clearly defined personal and organisational goals. Training and education support external best practices and use of leading-edge concepts and techniques. Knowledge sharing is an enterprise culture, and knowledge-based systems are being deployed. External experts and industry leaders are used for guidance.
Responsibility and accountability: Process owners are empowered to make decisions and take action. The acceptance of responsibility has been cascaded down throughout the organisation in a consistent fashion.
Goal setting and measurement: There is an integrated performance measurement system linking IT performance to business goals by global application of the IT balanced scorecard. Exceptions are globally and consistently noted by management and root cause analysis is applied. Continuous improvement is a way of life.

Level 4
Awareness and communication: There is understanding of the full requirements. Mature communication techniques are applied and standard communication tools are in use.
Policies, plans and procedures: The process is sound and complete; internal best practices are applied. All aspects of the process are documented and repeatable. Policies have been approved and signed off on by management. Standards for developing and maintaining the processes and procedures are adopted and followed.
Tools and automation: Tools are implemented according to a standardised plan, and some have been integrated with other related tools. Tools are being used in main areas to automate management of the process and monitor critical activities and controls.
Skills and expertise: Skill requirements are routinely updated for all areas, proficiency is ensured for all critical areas, and certification is encouraged. Mature training techniques are applied according to the training plan, and knowledge sharing is encouraged. All internal domain experts are involved, and the effectiveness of the training plan is assessed.
Responsibility and accountability: Process responsibility and accountability are accepted and working in a way that enables a process owner to fully discharge his/her responsibilities. A reward culture is in place that motivates positive action.
Goal setting and measurement: Efficiency and effectiveness are measured and communicated and linked to business goals and the IT strategic plan. The IT balanced scorecard is implemented in some areas with exceptions noted by management and root cause analysis is being standardised. Continuous improvement is emerging.

Level 3
Awareness and communication: There is understanding of the need to act. Management is more formal and structured in its communication.
Policies, plans and procedures: Usage of good practices emerges. The process, policies and procedures are defined and documented for all key activities.
Tools and automation: A plan has been defined for use and standardisation of tools to automate the process. Tools are being used for their basic purposes, but may not all be in accordance with the agreed plan, and may not be integrated with one another.
Skills and expertise: Skill requirements are defined and documented for all areas. A formal training plan has been developed, but formal training is still based on individual initiatives.
Responsibility and accountability: Process responsibility and accountability are defined and process owners have been identified. The process owner is unlikely to have the full authority to exercise the responsibilities.
Goal setting and measurement: Some effectiveness goals and measures are set, but are not communicated, and there is a clear link to business goals. Measurement processes emerge, but are not consistently applied. IT balanced scorecard areas are being adopted, as is occasional intuitive application of root cause analysis.

Level 2
Awareness and communication: There is awareness of the need to act. Management communicates the overall issues.
Policies, plans and procedures: Similar and common processes emerge, but are largely intuitive because of individual expertise. Some aspects of the process are repeatable because of individual expertise, and some documentation and informal understanding of policy and procedures may exist.
Tools and automation: Common approaches to use of tools exist but are based on solutions developed by key individuals. Vendor tools may have been acquired, but are probably not applied correctly, and may even be shelfware.
Skills and expertise: Minimum skill requirements are identified for critical areas. Training is provided in response to needs, rather than on the basis of an agreed plan, and informal training on the job occurs.
Responsibility and accountability: An individual assumes his/her responsibility and is usually held accountable, even if this is not formally agreed. There is confusion about responsibility when problems occur, and a culture of blame tends to exist.
Goal setting and measurement: Some goal setting occurs; some financial measures are established but are known only by senior management. There is inconsistent monitoring in isolated areas.

Level 1
Awareness and communication: Recognition of the need for the process is emerging. There is sporadic communication of the issues.
Policies, plans and procedures: There are ad hoc approaches to processes and practices. The process and policies are undefined.
Tools and automation: Some tools may exist; usage is based on standard desktop tools. There is no planned approach to the tool usage.
Skills and expertise: Skills required for the process are not identified. A training plan does not exist and no formal training occurs.
Responsibility and accountability: There is no definition of accountability and responsibility. People take ownership of issues based on their own initiative on a reactive basis.
Goal setting and measurement: Goals are not clear and no measurement takes place.

4. IT RESOURCE AND CONTROL SCOPING

INTRODUCTION
The second stage of the IT assurance framework (illustrated in figure 23) is the scoping stage. This stage determines which IT resources and control objectives are covered within a given IT control framework in the execution stage of the initiative. Scoping consists of linking applicable IT resources (e.g., applications, information, infrastructure, people) to applicable IT control objectives and then assessing the materiality of the impact of not achieving a specific control objective. Figure 23 illustrates the eight-step scoping process. Setting the scope for the initiative too narrowly may result in material factors not being considered. Setting the scope for the initiative too broadly may result in inefficiencies and incorrect conclusions because of limited resources and time. Appendix VIII, IT Scoping, sets out a generic scoping methodology that can be applied to IT assurance initiatives and a variety of other IT governance programmes.

STEPS IN SCOPING IT RESOURCES AND CONTROL OBJECTIVES
Figure 24 describes the eight steps within the scoping phase of conducting the IT assurance initiative. These steps are described in more detail as follows.

Step 1—Establish Drivers for the Assurance Initiative
In the first step, the drivers for the assurance initiative and the corresponding assurance objective are identified.
As noted in chapter 1, there are many possible drivers for assurance, including process improvement and meeting compliance needs in support of the financial statement audit. Verifying the drivers for the assurance initiative can be accomplished by activities such as interviewing key stakeholders or inspecting assurance plans or charters.

[Figure 23—IT Scoping Road Map]
1 Establish drivers for the assurance initiative (clarify through interviews with stakeholders).
2 Document the enterprise architecture for IT (clarify through interviews with key IT staff members).
3 Choose an IT control framework [A] (verify that it responds to minimum criteria).
4 Select the IT process [B] (document and validate the link amongst business goal, IT goal and IT process).
5 Select IT component [B] (record the important activities and resources for the processes selected).
6 Refine component selection with cause/effect analysis [B] (use the goals and metrics chain: business-IT process-activity).
7 Select initial control objectives [B] (leverage control framework mappings).
8 Refine control objectives selection with risk analysis [B] (linking significant threats to applicable vulnerabilities to material impact).
A. Framework Criteria
• A common language for IT activities and key management practices
• Business focus
• Governance expectations
• IT tasks and activities organised into discrete processes
• Consistent with generally accepted IT good practices and corporate governance standards
B. Deciding What Is In
• Select
• Weigh
• Cut off
• Customise

More specifically, the boundaries of the entity under review need to be unambiguously described, together with the current roles and responsibilities and the resources required by IT to support the defined business needs of the entity under review.
The assurance professional needs to interview appropriate management and staff members to obtain an understanding of:
• Business requirements and associated risks
• Organisation structure
• Roles and responsibilities
• Policies and procedures
• Laws and regulations
• Control measures in place
• Management reporting (status, performance, actions)
• Past issues and corrective actions taken
• Current issues and concerns
• What management hopes to obtain as a result of the assurance initiative

Step 2—Document Enterprise IT Architecture
In the second step, the enterprise IT architecture is documented. The concept and elements of the architecture are set out in chapter 3. The enterprise IT architecture can also be validated by interviews with key IT staff members.

Step 3—Select Control Frameworks
Appropriate control frameworks are selected in the third step. Typically this will be COBIT, but for some initiatives it may be COSO, similar entity-level control frameworks, or more detailed frameworks or standards, such as one of the relevant ISO standards.

Step 4—Identify IT Processes
After the appropriate control framework is chosen, the appropriate IT processes are selected and linked to appropriate IT resources in the next step. IT processes in scope can be identified through analysis of the relationship amongst business goals, IT goals and IT processes.

Step 5—Select IT Components
Step five is described in chapter 2. IT resources are made up of:
• Applications
• Information
• Infrastructure
• People

A number of inputs can be used to determine the IT resources that are relevant to the initiative. The priority here should be on completeness, because the subsequent risk analysis determines items that can be excluded from the scope of the initiative. However, efficiency needs to be taken into account as well, to keep the matrix to a reasonable/workable size.
The different inputs are:
• Drivers for the initiative—The drivers for the assurance initiative are the most important factors for determining the IT components and the control objectives to review. Typical examples are a major service breakdown, organisational change and regulatory compliance.
• Business control requirements—Given the focus of this guide on IT assurance, it is assumed that the analysis of the required and applicable business controls has occurred, so that the scoping of IT controls is limited to how IT supports automated business controls.
• Enterprise architecture for IT—The enterprise architecture encompasses the processes involved in delivering the information services, the portfolio of applications and systems in use by the organisation, the technology used to run them, and the people needed to plan, build, operate and support the applications. The relevant IT resources or groups of IT resources can be deduced from the architecture.

Step 6—Refine IT Component Selection
In the initial linking of processes to resources, the assurance professional may derive a rather large portfolio, perhaps broader than can be cost-effectively reviewed within the terms of the assurance initiative. In the sixth step, the assurance professional should refine the selection of IT resources by ensuring that the resources have a direct relationship to the processes relevant to the initiative.

Step 7—Select Control Objectives
The assurance professional makes a first selection of the COBIT control objectives that are relevant for the IT processes that are in scope for the assurance initiative. Often the control objectives need to be customised for the realities of the particular enterprise situation.
For most initiatives, scoping IT resources does not require substantial analysis, because it starts from a specific enterprise situation. Conversely, scoping the control objectives needs more analysis because it starts from one or more generic frameworks. COBIT provides material that can support the latter step, by describing a ‘risk and value’ statement for each of the control objectives, demonstrating why specific controls are needed. Some mapping is required as well as customisation of the selected control objectives to the enterprise environment and the objective of the assurance initiative.

Step 8—Refine Control Objectives Selection
Finally, in the eighth step, the assurance professional links the refined portfolio of IT resources set out in step six to the first cut of control objectives selected in the seventh step. In an iterative process, the professional refines and often reduces the list of control objectives that are relevant for this particular assurance initiative. The process of linking IT resources to control objectives is illustrated in figure 24. In this step, the assurance professional should analyse the risk of not achieving the selected control objectives for the selected IT resources, and retain only the IT resources and control objectives that have a material effect if the control objective is not achieved.
The assurance professional should:
• Review the horizontal lines of the matrix (figure 24) to determine if there is sufficient risk to keep the IT resource in scope and to identify the resources with high risk that may require more in-depth review and testing
• Review the vertical lines of the matrix (figure 24) to remove the control objectives that are low risk and to identify objectives that require enterprisewide solutions as opposed to point solutions

The critical conclusion of this step, illustrated in figure 24, is to answer the question, ‘Will not achieving this control objective for this class of IT resource be material for this particular assurance initiative?’ Only the cells for which the answer is ‘yes’ should be retained in the final IT control scope.

[Figure 24—Risk-based IT Resource and Control Scoping. Elements: IT process selection; scoping IT resources; scoping control objectives; inputs: business control requirements, enterprise architecture for IT, assurance initiative drivers, IT control framework; matrix cell question: ‘Will not achieving this control objective for this IT resource be material?’]

IT-RELATED BUSINESS GOALS AND IT GOALS
To assist the IT assurance professionals in assurance planning, COBIT provides a detailed cascade from IT-related business goals to IT goals to IT processes. COBIT defines 17 generic business goals, which encompass business drivers and services that directly impact IT. These are translated into supporting IT goals that, in turn, are linked to IT process goals (see appendix 1 in COBIT 4.1). This cascade of business, IT and process goals is particularly useful when analysing the assurance initiative drivers and how they impact the assurance universe. This cascade of goals can help guide the assurance planning work.
As shown in figure 25, if the assurance work focuses on a specific business function, IT-related business goals and IT goals can be valuable input for the assurance planning work. Assurance work that focuses on a specific organisational component (e.g., a process) can use IT goals and IT process goals as a source of information for assurance planning.

[Figure 25—IT-related Business, IT and IT Process Goals for IT Assurance Planning. Matrix of assurance subjects (major application, important infrastructure component, organisational component, major change, business function) against goal information (business goals, IT goals, IT process goals), marked P=primary, S=secondary]

5. ASSURANCE INITIATIVE EXECUTION

INTRODUCTION
The third stage of the IT assurance framework (previously illustrated in figure 10) is the execution stage. Figure 10 describes a road map that assurance professionals can follow as they execute a particular assurance initiative. The remainder of this section will analyse the road map in detail.

STEP 1—REFINE UNDERSTANDING
The assurance steps to be performed document the activities underlying the control objectives and identify the stated control measures/procedures in place. The first step of the execution stage is refining an understanding of the environment in which the testing is performed. This implies understanding the organisation to select the correct assurance scope and objectives. The assurance scope and objectives need to be communicated to and agreed upon by all stakeholders.
The output from this step consists of documented evidence regarding:
• Who performs the task(s), where the task is performed and when the task is performed
• The inputs required to perform the task and the outputs generated by the task
• The stated procedures for performing the task

The assurance professional can structure this step along the following lines:
• Interview and use activity lists and RACI charts.
• Collect and read process description, policies, input/output, issues, meeting minutes, past assurance reports, past assurance recommendations, business reports, etc.
• Prepare the scoping task (objective of process, goals and metrics of process to be reviewed).
• Build an understanding of enterprise IT architecture.

STEP 2—REFINE SCOPE
The assurance steps to be performed determine the scope of the assurance project. Based on the current and detailed understanding of the IT environment, any revisions that may have been made to the business and/or assurance objectives, and whilst planning a cost-effective testing plan, it may be appropriate to adjust the scope. The scoping phase performed earlier may, therefore, need to be refined to determine a finalised subset of the assurance universe (e.g., process, system, application) and a set of controls to be reviewed.

Analyse Business and IT Goals
The assurance objectives and approach to the current business objectives should be realigned, and the understanding of business processes, the business goals, and the relevance of IT to the processes and objectives should be updated. The IT goals may need to be adjusted, bearing in mind the latest assurance requirements and the IT organisation.

[Figure 10—Execution Road Map: refine the understanding of the IT assurance subject; refine scope of key control objectives for the IT assurance subject; test the effectiveness of the control design of the key control objectives; alternatively/additionally test the outcome of the key control objectives; document the impact of control weaknesses; develop and communicate overall conclusion and recommendations]

Select Processes and Controls
The selection of the in-scope IT processes, IT control objectives and IT resources (i.e., applications, information, infrastructure, people) should be refined to establish the assurance boundaries. The selection of the processes, objectives and related resources is performed by assessing if it is likely that non-achievement of the control objective for the IT component will have a material effect.

Analyse Risks
The scope may need to be further adjusted, based on an assessment of the inherent risk of material control objectives not being met. This risk-adjusted scope determines the amount of assurance review and testing required.

Finalise Scope
The assurance strategy should be set, and the scope and focus of the assurance approach should be finalised based on the latest understanding of objectives, optimum testing approach and assessed risk, as described previously. The IT processes, IT resources and IT control objectives selection should be adjusted as required by the strategy defined. The documentation required and the testing approach should be determined to ensure the most effective and efficient coverage of assurance objectives.

STEP 3—TEST THE CONTROL DESIGN
This section lists the different techniques that will be used in the detailed assurance steps. Testing is performed, covering the following main test objectives (also to be found in SAS 70³ and SysTrust™⁴ assurance):
• Evaluate the design of the controls.
• Confirm that controls are placed in operation.
• Assess the operational effectiveness of the controls.

In addition, control efficiency may also be tested. In the testing phase, different types of testing can be applied. Five generic testing methods include:
• Enquire and confirm:
  – Search for exceptions/deviations and examine them.
  – Investigate unusual or non-routine transactions/events.
  – Check/determine whether something has (not) occurred (sample).
  – Corroborate management statements from independent sources.
  – Interview staff members and assess their knowledge and awareness.
  – Reconcile transactions (e.g., reconciling transactions to bank statements).
  – Ask management questions and obtain answers to confirm findings.
• Inspect:
  – Review plans, policies and procedures.
  – Search audit trails, problem logs, etc.
  – Trace transactions through the process/system.
  – Physically inspect presence (documentation, assets, etc.).
  – Walk through installations, plans, etc.
  – Perform a design or code walk-through.
  – Compare actual with expected findings.
• Observe:
  – Observe and describe the processes.
  – Observe and describe the procedures.
  – Compare actual with expected behaviour.
• Reperform and/or recalculate:
  – Independently develop and estimate the expected outcome.
  – Attempt what is prevented.
  – Reperform what is detected by detective controls.
  – Reperform transactions, control procedures, etc.
  – Recalculate independently.
  – Compare expected value with actual value.
  – Compare actual with expected behaviour.
  – Trace transactions through the process/system.
• Review automated evidence collection:
  – Collect sample data.
  – Use embedded audit modules.
  – Analyse data using computer-assisted audit techniques (CAATs).
  – Extract exceptions or key transactions.

³ Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognised auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
⁴ SysTrust is an assurance service developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA).

The assurance steps to be performed assess the adequacy of the design of controls.
The following three assurance steps should be performed:
• Observe/inspect and review the control approach, and test the design for completeness, relevancy, timeliness and measurability.
• Enquire whether and confirm that the responsibilities for the control practices and overall accountability have been assigned. Test whether accountability and responsibilities are understood and accepted. Verify that the right skills and the necessary resources are available.
• Enquire through interviews with key staff members involved whether the control mechanism, its purpose, and the accountability and responsibilities are understood.

In summary, the assurance professional must determine whether:
• Documented control processes exist
• Appropriate evidence of control processes exists
• Responsibility and accountability are clear and effective
• Compensating controls exist, where necessary

Additionally and specifically in internal audit assignments, the cost-effectiveness of the control design should be verified with the following assurance steps:
• If the design of the control practice set is effective, investigate whether it can be made more efficient by optimising steps, looking for synergies with other control mechanisms and reconsidering the balance of prevention vs. detection and correction. Consider the effort spent in maintaining the control practices.
• If the control practice set is operating effectively, investigate whether it can be made more cost-effective. Consider analysing performance metrics of the activities associated with this control practice set, automation opportunities and/or skill level.

STEP 4—TEST THE OUTCOME OF THE CONTROL OBJECTIVES
The assurance steps to be performed ensure that the control measures established are working as prescribed, consistently and continuously, and conclude on the appropriateness of the control environment.
To test the outcome or effectiveness of the control, the assurance professional needs to look for direct and indirect evidence of the control’s impact on the quality of the process outputs. This implies the direct and indirect substantiation of measurable contribution of the control to the IT, process and activity goals, thereby recording direct and indirect evidence of actually achieving the outcomes as documented in COBIT. The assurance professional should obtain direct or indirect evidence for selected items/periods to ensure that the control under review is working effectively by applying a selection of testing techniques as presented in step three. The assurance professional should also perform a limited review of the adequacy of the process deliverables and determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.

STEP 5—DOCUMENT THE IMPACT OF CONTROL WEAKNESSES
The assurance steps to be performed substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. When control weaknesses are found, they have to be properly documented, taking into account their often sensitive and confidential nature. In addition, particular care is required to correctly analyse and assess the severity of the observed weaknesses and the potential business impact they may have. The objective of this step is to conduct the necessary testing to provide management with assurance (or non-assurance) about the achievement of a given business process and its related control objectives. More detailed analysis should occur when:
• No control measures are in place
• Controls are not working as expected
• Controls are not consistently applied

This should result in a thorough understanding of the control weaknesses and the resulting threats and vulnerabilities, and an understanding of the potential impact of the control weaknesses.
The following assurance steps can be performed to document the impact of not achieving the control objective:
• Relate the impact of not achieving the control objective to actual cases in the same industry and leverage industry benchmarks.
• Link known performance indicators to known outcomes and, in their absence, link the cause to its effect (cause/effect analysis).
• Illustrate what the impact would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources).
• Illustrate the impact of control weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
• Clarify vulnerabilities and threats that are more likely with controls not operating effectively.
• Document the impact of actual control weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder requirements, etc.
• Point out the consequence of non-compliance with regulatory requirements and contractual agreements.
• Measure the actual impact of disruptions and outages on business processes and objectives, and on customers (e.g., number, effort, downtime, customer satisfaction, cost).
• Document the cost (i.e., customer and financial impact) of errors that could have been caught by effective controls.
• Measure and document the cost of rework (e.g., ratio of rework to normal work) as an efficiency measure affected by control weaknesses.
• Measure the actual business benefits and illustrate cost savings of effective controls after the fact.
• Use benchmarking and survey results to compare the enterprise performance with others.
• Use extensive graphics to illustrate the issues.

COBIT provides support in the following ways:
• The business, IT and process goals and the information criteria in the process descriptions indicate what business values are at risk if controls are not implemented properly.
• For each control objective, there are value and risk driver statements that indicate the benefits to be gained and the risks to be avoided by improving controls.
• The RACI charts demonstrate which roles might be affected by the risk and, therefore, should be informed of the substantive testing outcome.
• Maturity models can be leveraged to benchmark internally and against other industries or competitors in an easy, accessible and understandable manner, helping to influence management. Benchmarking data are available in COBIT Online.

STEP 6—DEVELOP AND REPORT OVERALL CONCLUSION AND RECOMMENDATIONS
The assurance steps to be performed communicate the substantiated risk of the control weaknesses to the different stakeholders of the assurance initiative. The assurance professional should document any identified control weaknesses and resulting threats and vulnerabilities, and identify and document the actual and potential impact (e.g., through root cause analysis). In addition, the assurance professional may provide comparative information (e.g., through benchmarks) to establish a reference framework in which the test results ought to be evaluated. As potential guidance to this, a generic maturity model for internal control is provided in chapter 7, Maturity Model for Internal Control, showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimised level. The objective is to identify items of significance to be able to articulate to the stakeholder the recommended actions and reasons for taking action.
This phase includes aggregating the results of the previous phases, developing a conclusion concerning the identified control weaknesses and communicating:
• Recommended actions to mitigate the impact of the control weaknesses
• Performance comparison to standards and best practices for a relative view on the results
• The risk position regarding the process

The formulated conclusion and recommendations should allow the responsible party to take further steps and remedial actions. When the assurance initiative is performed within an assurance context, the assurance professional needs to be thoughtful of formal assurance communication and compliant with assurance reporting standards and guidelines (available at www.isaca.org).

6. ASSURANCE GUIDANCE FOR COBIT PROCESSES AND CONTROLS

INTRODUCTION
This section describes the structure of the detailed testing guidance based on COBIT, covering six generic controls applicable to all IT processes, IT general controls based on the 34 COBIT IT processes and six application controls. Guidance is provided for testing control design, testing control outcome and documenting the impact in appendices I through VI, according to the layout in figure 26.

GENERIC PROCESS CONTROLS
Each COBIT process has generic control requirements that are identified by generic process controls within the Process Control (PC) domain (see appendix I). These are applicable for all COBIT processes and should be considered together with the detailed COBIT control objectives to have a complete view of control requirements.
[Figure 26—Structure of the Detailed Assurance Advice in Appendices I to VI: control objective; value statements; risk statements; assurance steps for testing control design; assurance steps for testing the outcome of the control objectives; assurance steps for documenting the impact of control weaknesses]

The six generic process controls, detailed in appendix I, Process Control, are:
• PC1 Process goals and objectives
• PC2 Process ownership
• PC3 Process repeatability
• PC4 Roles and responsibilities
• PC5 Policy, plans and procedures
• PC6 Process performance improvement

GENERIC CONTROL PRACTICES
Three generic control practices and, consequently, three generic assurance steps are defined. They are:
• Approach
• Accountability and responsibility
• Communication and understanding

The complete set of generic and specific control practices provides one consistent control approach necessary and sufficient for achieving the stated control objectives. Other control approaches with different sets of practices may exist; hence, there is a need to always verify the appropriateness of the control design at the outset of control implementation or at the outset of assurance activities.

Approach
The generic approach control practice consists of:
• Generic control practice—Designs the control approach for achieving this control objective, and defines and maintains the control practices that implement this design
• Assurance step—Enquires whether and confirms that a set of practices has been defined to achieve the objective; observes/inspects and reviews the control approach, and tests the design for completeness, relevancy, timeliness and measurability

Accountability and Responsibility
The generic accountability and responsibility control practice consists of:
• Generic control practice—Defines and assigns accountability and responsibility for the control objective as a whole, and responsibility for the different control practices (see RACI charts in COBIT); makes sure personnel have the right skills and necessary resources to execute these responsibilities
• Assurance step—Enquires whether and confirms that responsibilities for the control practices as well as overall accountability have been assigned in a cost-effective and efficient manner; tests whether accountability and responsibilities are understood and accepted; verifies that the right skills and necessary resources are available

Communication and Understanding
The generic communication and understanding control practice consists of:
• Generic control practice—Ensures the control practices, as implemented, address the control objectives and are communicated and understood
• Assurance step—Enquires through interviews with key staff members involved whether the control mechanism, its purpose, and the accountability and responsibilities have been communicated and are understood

IT GENERAL CONTROLS
General controls relate to the environment within which automated application systems are developed, maintained and operated and which are, therefore, applicable to all the applications. They ensure the proper development, implementation and maintenance of all automated applications, and the integrity of program and data files and of computer operations. Guidance is provided on how to test COBIT’s 34 IT processes, organised into four appendices (see appendices II-V) based on COBIT’s four domains.

APPLICATION CONTROLS
Application controls relate to the transactions and standing data pertaining to each automated application system and are specific to each such application. They ensure the completeness and accuracy of the records and the validity of the entries made in the transactions and standing data resulting from both manual and automated processing. They are defined further in the Application Control (AC) domain in appendix VI. Relative to IT assurance, a distinction is made between application and general controls.
General controls are controls embedded in the IT organisation, its processes and services. Examples include:
• Systems development
• Change management
• Security
• Computer operations

Controls embedded in business process applications, on the other hand, are commonly referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation of duties

Therefore, the objectives of application controls generally involve ensuring that:
• Data prepared for entry are complete, valid and reliable
• Data are converted to an automated form and entered into the application accurately, completely, and on time
• Data are processed by the application completely and on time, and in accordance with established requirements
• Output is protected from unauthorised modification or damage and distributed in accordance with prescribed policies

COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement (AI) domain, based on business requirements defined using COBIT’s information criteria. The operational management and control responsibility for application controls is not with IT, but with the business process owner. IT delivers and supports the applications’ services and the supporting information databases and infrastructures. Therefore, the COBIT IT processes cover general IT controls but not application controls, because these are the responsibility of business process owners and, as described previously, are integrated into business processes.

Business controls are not in the scope of COBIT and IT Assurance Guide.
Figure 27 sets the boundaries of IT general controls and application controls, delineating at the same time the extent to which COBIT handles business controls. For automated services, the business is responsible for defining functional, as well as control, requirements to be included in all business processes supported by applications. Subsequently, IT responsibilities include automation of the business functional and control requirements and establishment of controls to maintain the integrity of the business applications.

Just as for the IT general controls and generic process controls, guidance is provided for testing the design and outcome and documenting impact for each of the six COBIT application controls, detailed in appendix VI, Application Control:
• AC1 Source document preparation and authorisation
• AC2 Source document collection and data entry
• AC3 Accuracy, completeness and authenticity checks
• AC4 Data processing integrity and validity
• AC5 Output review, reconciliation and error handling
• AC6 Transaction authentication and integrity

Application control weaknesses may have an impact on the entity’s ability to process business transactions through the impacted business processes and applications. Application controls are a subcomponent of the entity’s business controls. Weaknesses in application controls may be mitigated by compensating manual business and organisational control activities. The impact of application control weaknesses should be considered in the context of the underlying business process nature and related transactions and the impact of other business process controls and, as such, should be considered in consultation with the business process assurance provider.

EXAMPLES OF THE USE OF DETAILED ASSURANCE STEPS
Some illustrative examples of how the assurance testing steps could be applied follow.
[Figure 27—IT General Controls and Application Controls. Labels: IT general controls (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate); application controls; business controls; business functional requirements; business control requirements; automated services. Business’s responsibility: to properly define functional and control requirements, and to properly use automated services. IT’s responsibility: to automate and implement business functional and control requirements, and to establish controls to maintain the integrity of application controls.]

Example 1—Testing of Control Design

SITUATION
General computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Manage changes, control objective AI6.2 Impact assessment, prioritisation and authorisation.

OBSERVATIONS
For the selected systems (e.g., application, platform, network), the assurance professional inventoried the types of changes that can be implemented, the procedures (formal or informal) currently in place, all parties involved in the change management process, tools used, etc. This was done through interviews with involved persons and inquiries for documented procedures. The result of this work was a comprehensive and correct flowchart of the change management process.

The assurance professional reviewed the identified process flow to determine whether there was a step defined in the procedure to assess the impact of a change by a competent person or group of persons. The assurance professional observed that the template for requesting and approving changes included a section on impact assessment. However, the change management procedure did not mention that this information is mandatory, and the absence of this information did not lead to a rejection of the change request.
In addition, the procedure did not mention any documentation standards or required verification and approval steps for the impact assessment.

CONCLUSION
The design of this control is flawed because a fundamental component of the control (i.e., impact assessment) is incomplete at best. It is possible that changes have been implemented without proper risk assessment, which can lead to unplanned and difficult-to-contain operational disruptions or malfunctions.

Example 2—Testing for the Effectiveness of the Control

SITUATION
General computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Manage changes, control objective AI6.3 Emergency changes.

OBSERVATIONS
As part of the evaluation of the control design, the assurance professional identified that, for all relevant change management procedures, there is a control defined to help ensure that emergency change requests are reintroduced into the normal change management cycle. In addition, the assurance professional found that there is a procedure that ensures that all emergency changes are appropriately logged in a change management tool.

As part of the control effectiveness testing, a sample of emergency change requests was selected from the change management tool and traced to its reintroduction as normal changes. This tracing included verification of whether the emergency change was actually introduced again as a normal change and whether it was processed following the normal change management procedure. The assurance professional observed that from the sample of 25 emergency changes selected, three of them were not subsequently reprocessed as normal changes.
In addition, the assurance professional found that from the 22 emergency changes that had been duly reintroduced, only 10 were discussed at the change management board—or at least that there was a trace available that indicated that the 10 changes were discussed (trace included information stored in the change management tool).

CONCLUSION
The emergency change procedure is not effective for two reasons:
• Not all emergency changes are reintroduced in the system, leading to a risk of losing emergency changes from sight and not learning from them.
• Emergency changes that have been reintroduced are most likely inadequately discussed and documented, leading to the same risk.

Example 3—Documenting the Impact of Control Weaknesses

SITUATION
General computer controls are reviewed in a transaction processing organisation with assessment of the process AI6 Manage changes, control objective AI6.3 Emergency changes.

OBSERVATIONS
Using the situation as described, the assurance professional needed to gain additional information and perform further analysis to assess and document the impact of the control weaknesses. For the aforementioned examples, the assurance professional needed to consider the types and numbers of changes affected by the control weaknesses. Some of the required information might/should already be gathered at the planning stage. This information should be used to evaluate the materiality of the weaknesses noted. Notably, the changes affected should be mapped back to the relevant infrastructure components and the applications/information they support/process. In addition, SLA penalties might apply. Furthermore, analysis of problems noted in the past can help establish the real potential impact of the weaknesses noted.
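The tracing test of Example 2 and the mapping of affected changes back to the systems they touch, which Example 3 calls for, worked through on constructed change records. This is an added example and not code or data from the guide or from any change management tool: the Change record fields, the CRITICALITY register and the EC-/NC- identifiers are assumptions, and the sample is built so that it reproduces the figures in Example 2 (25 emergency changes, three never reintroduced, 10 of the remaining 22 with a board trace). The same tracing logic applied to a real tool extract is a computer-assisted audit technique in the sense of step 3.

```python
"""Sample-based effectiveness test of an emergency change control.

Constructed example: the population is an extract of change records from a
change management tool. Each emergency change must (a) be resubmitted as a
normal change that went through the standard workflow and (b) carry a trace of
the change management board discussion. Exceptions are then mapped to the
criticality of the affected system to support the impact assessment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Change:
    change_id: str
    system: str
    emergency: bool
    reintroduced_as: Optional[str] = None  # id of the normal change that resubmits it
    normal_procedure: bool = False         # went through the standard approval workflow
    cab_minutes: Optional[str] = None      # board discussion reference held in the tool


# Constructed criticality register (assumed; in practice from the CMDB or BIA).
CRITICALITY: Dict[str, str] = {
    "core-payments": "critical",
    "batch-reporting": "important",
    "intranet-wiki": "non-critical",
}


def build_sample() -> List[Change]:
    """Constructed tool extract: 25 emergency changes and their normal-change
    counterparts. Three emergencies (all on intranet-wiki) were never resubmitted;
    of the 22 that were, only the first 10 carry a board minutes reference."""
    never_reintroduced = {4, 11, 19}
    systems = ["core-payments", "batch-reporting", "intranet-wiki"]
    changes: List[Change] = []
    discussed = 0
    for i in range(1, 26):
        if i in never_reintroduced:
            changes.append(Change(f"EC-{i:03d}", "intranet-wiki", emergency=True))
            continue
        system = systems[i % 3]
        normal_id = f"NC-{i:03d}"
        minutes = None
        if discussed < 10:
            minutes = f"CAB-2007-{i:02d}"  # constructed minutes reference
            discussed += 1
        changes.append(Change(f"EC-{i:03d}", system, emergency=True,
                              reintroduced_as=normal_id))
        changes.append(Change(normal_id, system, emergency=False,
                              normal_procedure=True, cab_minutes=minutes))
    return changes


def trace_emergency_changes(changes: List[Change]) -> Dict[str, List[str]]:
    """Trace every emergency change to its normal resubmission and return the
    population and exception lists the working papers would record."""
    by_id = {c.change_id: c for c in changes}
    population = [c for c in changes if c.emergency]
    not_reintroduced: List[str] = []
    reintroduced: List[str] = []
    no_cab_trace: List[str] = []
    for ec in population:
        normal = by_id.get(ec.reintroduced_as) if ec.reintroduced_as else None
        # A dangling reference, or a resubmission that is itself an emergency or
        # skipped the normal workflow, means the control did not operate.
        if normal is None or normal.emergency or not normal.normal_procedure:
            not_reintroduced.append(ec.change_id)
            continue
        reintroduced.append(ec.change_id)
        if not normal.cab_minutes:
            no_cab_trace.append(ec.change_id)
    return {
        "population": [c.change_id for c in population],
        "not_reintroduced": not_reintroduced,
        "reintroduced": reintroduced,
        "no_cab_trace": no_cab_trace,
    }


def map_to_criticality(exception_ids: List[str], changes: List[Change],
                       criticality: Dict[str, str] = CRITICALITY) -> Dict[str, int]:
    """Count exceptions per criticality level of the affected system (Example 3)."""
    by_id = {c.change_id: c for c in changes}
    counts: Dict[str, int] = {}
    for cid in exception_ids:
        level = criticality.get(by_id[cid].system, "unknown")
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    sample = build_sample()
    result = trace_emergency_changes(sample)
    print(f"population: {len(result['population'])} emergency changes")
    print(f"not reintroduced: {result['not_reintroduced']}")
    print(f"reintroduced without board trace: {len(result['no_cab_trace'])} of "
          f"{len(result['reintroduced'])}")
    print("not reintroduced, by criticality:",
          map_to_criticality(result["not_reintroduced"], sample))
    print("no board trace, by criticality:",
          map_to_criticality(result["no_cab_trace"], sample))
```

The two exception lists are kept separate because they support different conclusions: a dangling or missing resubmission shows the control did not operate at all, whereas a missing minutes reference may be only a documentation gap, which is exactly the distinction the further analysis in Example 3 has to draw. Mapping each exception to the criticality of its system is what turns a raw exception count into a materiality judgement.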
In this case, it turns out that, after discussion with the responsible change manager and confirmation with other change management board members, the missing emergency changes relate to non-critical systems and the missing documentation was only a documentation issue, whereas the actual change, its cause and consequences had indeed been discussed but were not formally documented.

CONCLUSION
Although the control weaknesses remain as they have been observed, further analysis and documentation showed that the weaknesses were of a lesser importance than originally assessed.

7. HOW COBIT COMPONENTS SUPPORT IT ASSURANCE ACTIVITIES

INTRODUCTION
Figure 28 links the list of typical IT assurance activities to the COBIT components that can be leveraged to make the activities more efficient and effective. It demonstrates how COBIT can support specific assurance-related activities, often performed as stand-alone tasks, in addition to how COBIT has provided support to the suggested IT assurance road map, described in the previous sections. Links have been indicated only where there is specific and strong support for an IT assurance activity. There are some key components, however, that support all activities. In practice, users of COBIT adapt and tailor the COBIT resources for their specific purposes and discover how COBIT can add value to a particular task. The table is, therefore, only a guide. Two of the most useful components are the goals and outcome measures and the RACI charts (key activities and responsibilities).
They capture the essence of IT, its processes, activities and objectives and, hence, support all aspects of planning, scoping and assurance execution. Another important component for IT assurance activities is COBIT Online—its searching and browsing functions enable easier access to all the main COBIT content as well as useful benchmarking data. Those COBIT components important for assurance activities are shaded in figure 28. The following sections summarise the most important relationships in figure 28, first from the components point of view and then from the activities point of view. To conclude, the strongest links between activities and components are circled in figure 28.

COBIT COMPONENTS
Control objectives and practices are mostly useful for testing related activities, although since the control objectives are high-level and similar to key management practices, they can be considered during planning activities. Both are also helpful for the selection and customisation of control objectives for an assurance initiative.

[Figure 28—Linking IT Assurance Activities and COBIT Components: a matrix marking which COBIT components support each IT assurance activity. Rows (IT assurance activities): perform a quick risk assessment; assess threat, vulnerability and business impact; diagnose operational and project risk; plan risk-based assurance initiatives; identify critical IT processes based on value drivers; assess process maturity; scope and plan assurance initiatives; select the control objectives for critical processes; customise control objectives; build a detailed assurance programme; test and evaluate controls; substantiate risk; report assurance conclusions; self-assess process maturity; self-assess controls. Columns (COBIT components): COBIT Control Practices; Control Objectives; Value and Risk Statements; Maturity Model; Maturity Model Attributes; Goals and Outcome Measures; RACI (Key Activities and Responsibilities); Performance Drivers; Management Awareness Tool; Information Criteria; Process List; IT Risk and Control Diagnostics; Board Briefing on IT Governance, 2nd Edition; COBIT Quickstart; COBIT Online—Searching and Browsing; COBIT Online—Benchmarking; IT Control Objectives for Sarbanes-Oxley, 2nd Edition. The individual marks of the matrix are not recoverable from this text.]

The list of COBIT processes and the domains provide a responsibility structure for IT and help ensure the completeness of the assurance coverage. The list is useful in the planning phase and also when summarising the conclusions of an assurance initiative. Similarly, information criteria provide a generic and simple high-level structure of the objectives of IT processes and are equally useful for structuring assurance plans and conclusions. Maturity models are very useful tools for high-level assessments of processes, identification of key processes, planning which processes need most attention in the assurance programme and also when summarising the assurance conclusions. The maturity attributes provide more details for process maturity assessment, and because they are generic for all processes, they are also an alternative to the specific process maturity descriptions provided for each COBIT process. Because maturity models describe how processes are managed, the detailed attributes can be used to further customise control objectives, which usually describe only what needs to be done.
Maturity models are increasingly being used by IT management for self-assessment and can, therefore, provide a common approach for both the assurance and IT professionals to understand and agree upon priorities and areas on which to focus attention. While performance drivers play an important role for assurance activities in the planning and reporting phases of an IT assurance road map, they are also a good source for customising control objectives because they imply that certain actions need to happen or conditions need to exist that will increase the probability of successfully achieving the process's objectives and goals. Value and risk statements provide the arguments to justify controls but are also primary inputs when performing high-level or detailed risk assessments. They are also starting points when identifying critical processes and IT components. The management awareness and diagnostic tools are provided in Supplemental Tools and Materials, available online and on CD-ROM with the IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition. They are tools to perform initial high-level assessments of process importance, significant risks and the state of process controls, typically done in the early stages of the IT assurance initiative. The assessment form presentation of COBIT Quickstart lends itself easily to quick or high-level assessments as well as to efficient self-assessments. Benchmarking data and functionality as provided in COBIT Online are useful to portray how the entity compares on process management and controls with other enterprises in the same industry, geography or size segment. The comparison is supported with pie chart and spider diagrams. Such benchmarks lend a lot of credibility to the conclusions of assurance activities but can also be used earlier in the assurance life cycle (e.g., to identify processes that need early or in-depth assurance coverage because of gaps with the rest of the industry).
IT ASSURANCE ACTIVITIES
To gain insight into the entity where the IT assurance activities are to be performed, the COBIT components that provide the best support for the assurance professional are the process structure, maturity models, goals, outcome measures and performance drivers. Risk-based IT assurance planning has become common practice and is well supported by COBIT's maturity modelling and COBIT Online's benchmarking to identify where the highest potential risks are. The risk and value statements of the control objectives provide additional support if more detailed risk assessment is required to drive the assurance plan. Quickstart as well as the awareness and diagnostic tools are aids to perform high-level assessments quickly and efficiently. Planning and reporting—and scoping to a lesser extent—use most of the COBIT components but usually only as input or reference. On the other hand, detailed planning and scoping, as well as testing, are activities that use fewer of the COBIT components but they tend to use them more intensely. Planning, scoping and testing are also the IT assurance activities that extensively use the material that is at the 'heart' of COBIT: the control objectives.

THE STRONGEST LINKS
Some of the strongest links between COBIT components and IT assurance activities (i.e., where activities can benefit the most from the COBIT materials) are as follows:
• Goals and outcome measures with planning risk-based assurance initiatives
• Risk and value statements with risk assessments and risk substantiation
• Key activities and RACI charts with detailed assurance planning
• Control objectives and practices with testing and evaluating controls
• Maturity models and attributes with process maturity and other high-level assessments
The ITGI publication IT Control Objectives for Sarbanes-Oxley, 2nd Edition, also provides strong links between COBIT components and IT assurance activities.
APPENDIX I—PROCESS CONTROL (PC)
PC1 Process Goals and Objectives
PC2 Process Ownership
PC3 Process Repeatability
PC4 Roles and Responsibilities
PC5 Policy, Plans and Procedures
PC6 Process Performance Improvement

PROCESS ASSURANCE STEPS

PC1 Process Goals and Objectives

Control Objective
Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.

Value Drivers
• Key processes measured efficiently and effectively
• Processes in line with business objectives

Risk Drivers
• Process effectiveness difficult to measure
• Business objectives not supported by processes

Test the Control Design
• Ensure that a formal process exists for communicating goals and objectives and that, when updated, such communication is repeated.
• Enquire whether and confirm that process goals and objectives have been defined. Verify that process stakeholders understand these goals.
• Enquire whether and confirm that the IT process goals link back to business goals.
• Confirm through interviews with process stakeholders that the IT process goals are SMARRT.
• Enquire whether and confirm that outputs and associated quality targets are defined for each IT process.
• Walk through the process design with selected process stakeholders and verify whether the process is understood and likely to achieve its objectives.

Test the Outcome of the Control Objective
• Analyse process metrics, targets and performance reports to verify that process goals have SMARRT characteristics and are being measured effectively and efficiently.
• Assess the effectiveness of communicating the process goals and objectives through discussions with personnel at various levels and examination of training materials, memos and other documentation.
• Test the appropriateness of the frequency of communication of goals and objectives.
• Ensure that business goals are supported by IT processes by tracing between the two and identifying unsupported business goals.

Document the Impact of Control Weaknesses
• Determine the business impact if process goals and objectives are not linked to the business goals.
• Assess the impact on business processing in the event that process goals are not defined in a SMARRT manner.

PC2 Process Ownership

Control Objective
Assign an owner for each IT process, and clearly define the role and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.

Value Drivers
• Processes operating smoothly and reliably
• Processes interacting with each other effectively
• Process problems and issues identified and resolved
• Processes continually improved

Risk Drivers
• Processes performing unreliably
• Processes not working together effectively
• Gaps in process coverage likely
• Process errors not rectified

Test the Control Design
• Enquire whether and confirm that an owner exists for each IT process.
• Enquire whether and confirm that roles and responsibilities have been defined. Verify that the owners understand and accept these responsibilities.
• Confirm with the process owner and direct supervisor that sufficient authority has been provided to support the role and responsibilities.
• Ensure that processes are in place to assign ownership and accountability for processes and deliverables, including communications.

Test the Outcome of the Control Objective
• Review job descriptions and performance appraisals of the process owner to verify assignment, understanding and acceptance of ownership.
• Review the roles and responsibilities to ensure that they are complete and appropriate.
• Review organisation charts and reporting lines to verify actual authority.
• Verify that processes are interacting with each other effectively.
• Verify that process owners are driving continuous improvement.

Document the Impact of Control Weaknesses
• Assess whether the process ownership sufficiently supports achieving business processing services to meet short- and long-range organisational objectives.

PC3 Process Repeatability

Control Objective
Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.

Value Drivers
• Increased efficiency and effectiveness of recurring activities
• Ease of process maintenance
• Ability to demonstrate process effectiveness to auditors and regulators
• Processes supporting the overall IT organisation goals and enhancing IT value delivery

Risk Drivers
• Inconsistent process results and likelihood of process errors
• High reliance on process specialists
• Processes unable to react to problems and new requirements

Test the Control Design
• Enquire whether and confirm that process repeatability is a management objective.
• For important and high-risk processes, review the process steps in detail and ensure that they provide for evidence of management review.
• Confirm which good practices and industry standards were used when defining the IT processes.
• Interview selected process stakeholders and determine adherence to the process.
• Ensure that systems are designed for scalability and flexibility.

Test the Outcome of the Control Objective
• Walk through the process design with the process owner, and verify whether the steps are logical and likely to contribute to the end result.
• Review process documentation to verify the adoption of applicable process standards and degree of customisation.
• Assess the maturity and level of integration of supporting tools used for the process.

Document the Impact of Control Weaknesses
• Select data about process results not meeting objectives, and analyse whether the causes relate to process design, ownership, responsibilities or inconsistent application.

PC4 Roles and Responsibilities

Control Objective
Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process's end deliverables.

Value Drivers
• Increased efficiency and effectiveness of recurring activities
• Staff members knowing what to do and why, improving morale and job satisfaction

Risk Drivers
• Uncontrolled, unreliable processes
• Processes not supporting the business objectives
• Processes not performed as intended
• Problems and errors likely to remain unresolved
• Process performance likely to be variable and unreliable

Test the Control Design
• Ensure that a process is in place to define and maintain information about the key activities and deliverables. Ensure that the process includes the development of supporting policies, procedures and guidance.
• Ensure that processes are designed to capture accomplishments and include them in employee performance information.

Test the Outcome of the Control Objective
• Confirm through interviews and documentation review that key activities and end deliverables for the process have been identified and recorded.
• Review job descriptions, and verify that roles and responsibilities for key activities and process documentation are recorded and communicated.
• Verify through interviews with owners, management and staff members that accountability for the process and its outputs are assigned, communicated, understood and accepted. Corroborate interview findings through analysis of the resolution to significant process incidents and review of a sample of job performance appraisals.
• Enquire whether and confirm that regular job performance appraisal is performed to assess actual performance against process responsibilities, such as:
– Executing roles and responsibilities as defined
– Performing process-related activities in line with goals and objectives
– Contributing to the quality of the process end deliverables
• Review the resolution to significant process incidents, and review a sample of job performance appraisals to verify whether responsibilities and accountabilities are enforced.
• Review roles and responsibilities with various staff members and ascertain their understanding, whether the allocations are appropriate and whether the reporting relationships are effective.
• Assess whether the roles and responsibilities are designed to support compliance with various activities within the roles.

Document the Impact of Control Weaknesses
• Assess whether the roles and responsibilities sufficiently support the achievement of business processing services to meet short- and long-range organisational objectives.

PC5 Policy, Plans and Procedures

Control Objective
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.

Value Drivers
• Increased staff awareness of what to do and why
• Decreasing number of incidents from policy violations
• Policies and associated procedures remaining current and effective

Risk Drivers
• Processes not aligned with business objectives
• Staff members not knowing how to perform critical tasks
• Policy violations

Test the Control Design
• Enquire whether and confirm that such rules exist and are communicated, known and applied to how all IT process-related documentation (e.g., policies, plans, procedures, guidelines, instructions, methodologies) that drives an IT process will be developed, documented, reviewed, maintained, approved, stored, used for training and communicated.
• Inspect selected policies, plans and procedures to verify if they were created following the rules and are kept up to date.
• Enquire whether and confirm that responsibilities are defined for developing, maintaining, storing and communicating process-related documentation.
• Enquire whether and confirm that there are documented processes under which policies and procedures are identified, developed, approved, reviewed and maintained to provide consistent guidance.

Test the Outcome of the Control Objective
• Verify that those who perform the activities understand their responsibility.
• Inspect selected documents to verify that they are up to date and understood.
• Review IT process-related documentation and verify if sign-off is done at the appropriate level.
• Review if IT process-related documentation is accessible, correct, understood and up to date.
• Ensure that policies are effectively promulgated through awareness and training.
• Assess, through interviews at all staff levels, whether the policies and procedures are clearly understood and support the business objectives.

Document the Impact of Control Weaknesses
• Assess whether all policies, plans and procedures sufficiently support achieving business processing services to meet short- and long-range organisational objectives.

PC6 Process Performance Improvement

Control Objective
Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and the performance drivers that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurement to the target and take action upon deviations, where necessary. Align metrics, targets and methods with IT's overall performance monitoring approach.

Value Drivers
• Process costs optimised
• Processes nimble and responsive to business needs

Risk Drivers
• Process outcomes and deliverables not in line with overall IT and business objectives
• Processes too costly
• Processes slow to react to business needs

Test the Control Design
• Enquire whether and confirm that a process is in place to establish key metrics designed to provide a high level of insight into the operations with limited effort.
• Verify that the design of the metrics enables measurement of achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.
• Enquire whether and confirm that relationships between outcome and performance metrics have been defined and integrated into the enterprise's performance management system (e.g., balanced scorecard) where appropriate.
• Enquire whether and confirm that procedures have been designed to identify specific targets for process goals and performance drivers. The procedures should define how the data will be obtained, including mechanisms to facilitate process measurement (e.g., automated and integrated tools, templates).
• Enquire whether and confirm that processes exist to obtain and compare actual results to established internal and external benchmarks and goals. Verify that for key processes, management compares process performance and process outcomes against internal and external benchmarks and considers the result of the analysis for process improvement.

Test the Outcome of the Control Objective
• Enquire whether and confirm that appropriate metrics are defined to assess process performance and achievement of the process goals.
• Analyse some of the key metrics and corroborate, via other means, whether they provide sufficient insight into goals.
• Enquire whether and confirm that targets have been defined for process goals and performance drivers. Review targets and assess whether they align to the goals and enable efficient and appropriate identification of corrective action.
• Review the procedures for collecting data and measurement to ascertain the effectiveness and efficiency of monitoring.
• Interview process owners and stakeholders to assess the appropriateness of the measurement method and mechanisms.
• For significant goals of important processes, reperform data collection and measurement of targets.
• Inspect a sample of process metrics to assess the appropriateness of relationships between metrics (i.e., whether a performance metric provides insight into the likely achievement of the process outcome).
• Obtain and review major deviations against targets and confirm that action was taken. Inspect the list of actions taken as a result of measurement, and verify whether they have led to actual improvements.
• Enquire if internal and external benchmarks are used and, if so, assess their relevance and identify if appropriate action is taken on significant deviations against the benchmarks.

Document the Impact of Control Weaknesses
• Determine the business impact if a set of key metrics is not available to measure the achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.

APPENDIX II—PLAN AND ORGANISE (PO)
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

PROCESS ASSURANCE STEPS

PO1 Define a Strategic IT Plan
IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realised from project and service portfolios. The strategic plan should improve key stakeholders' understanding of IT opportunities and limitations, assess current performance and clarify the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which establishes concise objectives, plans and tasks understood and accepted by both business and IT.

PO1.1 IT Value Management

Control Objective
Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programmes and early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the programmes. IT services should be executed against equitable and enforceable SLAs. Accountability for achieving the benefits and controlling the costs should be clearly assigned and monitored. Establish fair, transparent, repeatable and comparable evaluation of business cases, including financial worth, the risk of not delivering a capability and the risk of not realising the expected benefits.

Value Drivers
• IT investments' benefit transparent and effective to the enterprise
• An effective decision-making process to ensure that investments in IT deliver tangible business benefit
• IT investments in line with the business objectives
• Shared understanding regarding cost, risk and benefits of IT-enabled business initiatives
• Direct relationship between business goals and use of resources for IT

Risk Drivers
• Ineffective decision making leading to investments in IT that have insufficient return or a negative impact on the organisation
• IT not aligned with the business
• IT value management lacking the support and commitment of senior management
• Undefined or confusing accountability and responsibility
• Costs, benefits and risks of IT-enabled business initiatives unclear or misunderstood
• IT not compliant with g

Test the Control Design
• Enquire whether and confirm that the process for preparing a business case exists (e.g., the process will guide entry/exit criteria for business case development, the review process, measurements, the change management process for the business case).
• Enquire whether and confirm that the monitoring process for the business case is based upon established benchmarks, such as those in organisational SLAs or industry and technical standards.
• Enquire whether and confirm that the successes and failures of IT investment programmes are reviewed and the business case analysis process is enhanced as required (e.g., historical data should be analysed, and improvements, lessons learned and best practices should be referenced).
ov er na nc e re qu ir em en ts , p ot en tia lly im pa ct in g m an ag em en t’s a nd th e bo ar d’ s pu bl ic re sp on si bi lit y IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. www.itgi.org52 Te st t he C on tr ol D es ig n • C on fi rm th at th e pr oc es s fo r co m m un ic at in g bu si ne ss o pp or tu ni tie s w ith I T m an ag em en t i s re vi ew ed a nd th e im po rt an ce o f th e pr oc es s is c om m un ic at ed to th e bu si ne ss an d IT . C on si de r th e up da te f re qu en cy o f th os e pr oc es se s. • E nq ui re w he th er a nd c on fi rm th ro ug h in te rv ie w s w ith m em be rs o f IT m an ag em en t t ha t t he y he lp ed d ef in e en te rp ri se g oa ls . A sk th em a bo ut th ei r ac co un ta bi lit y fo r ac hi ev in g en te rp ri se g oa ls , d et er m in e if th ey u nd er to ok w ha t- if a na ly se s an d co nf ir m th ei r co m m itm en t t o th e go al s. • E nq ui re w ith b us in es s m an ag em en t a nd I T m an ag em en t t o id en tif y bu si ne ss p ro ce ss es th at a re d ep en de nt o n IT . C on si de r w he th er t he b us in es s an d IT s ha re th e sa m e vi ew o f sy st em s, in cl ud in g th ei r cr iti ca lit y, u sa ge a nd r ep or tin g. Va lu e D riv er s C on tr ol O bj ec ti ve R is k D riv er s P O 1. 2 B us in es s- IT A lig nm en t E st ab lis h pr oc es se s of b i- di re ct io na l e du ca tio n an d re ci pr oc al in vo lv em en t i n st ra te gi c pl an ni ng to a ch ie ve b us in es s an d IT a lig nm en t a nd in te gr at io n. M ed ia te be tw ee n bu si ne ss a nd I T im pe ra tiv es s o pr io ri tie s ca n be m ut ua lly a gr ee d. 
• IT a lig ne d w ith th e or ga ni sa tio n’ s m is si on a nd g oa ls • IT e na bl in g th e ac hi ev em en t o f th e st ra te gi c bu si ne ss o bj ec tiv es • O pt im is ed r et ur n on I T in ve st m en t • O pp or tu ni tie s fo r in no va tio n id en tif ie d an d ex pl oi te d • IT s ee n as a c os t f ac to r • T he e nt er pr is e’ s m is si on n ot b ei ng su pp or te d by it s IT • IT m an ag em en t d ec is io ns n ot fo llo w in g th e bu si ne ss d ir ec tio n • L ac k of c om m on u nd er st an di ng o f bu si ne ss a nd I T p ri or iti es , l ea di ng to co nf lic ts a bo ut a llo ca tio n of r es ou rc es an d pr io ri tie s • M is se d op po rt un iti es to e xp lo it ne w IT c ap ab ili tie s P O 1 D e fi n e a S tr a te g ic I T P la n ( c o n t. ) 53© 2007 IT Governance Institute. All rights reserved. www.itgi.org APPENDIX II Te st t he C on tr ol D es ig n • C on fi rm th at a pp ro pr ia te c ri te ri a, s ta nd ar ds a nd p er fo rm an ce in di ca to rs h av e be en e st ab lis he d an d us ed to a ss es s an d re po rt p er fo rm an ce to m an ag em en t a nd k ey st ak eh ol de rs . A n ac tio n pl an f or v ar ia tio ns a nd a d ev ia tio n pr oc es s sh ou ld e xi st . • R ev ie w th e pe rf or m an ce in di ca to rs e st ab lis he d fo r ke y sy st em s an d pr oc es se s (e .g ., st re ng th s an d w ea kn es se s, f un ct io na lit y, d eg re e of b us in es s au to m at io n, s ta bi lit y, co m pl ex ity , d ev el op m en t r eq ui re m en ts , t ec hn ol og y al ig nm en t a nd d ir ec tio n, s up po rt a nd m ai nt en an ce r eq ui re m en ts , c os ts , e xt er na l p ar tie s’ in pu t) . • C on fi rm th at r ev ie w s ex is t w ith r eg ar d to th e ac hi ev em en t o f ag re ed -u po n ta rg et s de fi ne d w ith in th e pr ev io us ta ct ic al I T p la n. 
• C on fi rm th at a c om pa ri so n ag ai ns t w el l- un de rs to od a nd r el ia bl e in du st ry , t ec hn ol og y or o th er r el ev an t b en ch m ar ks is p er fo rm ed to h el p as se ss e xi st in g sy st em s an d ca pa bi lit ie s. C on tr ol O bj ec ti ve R is k D riv er s Va lu e D riv er s P O 1. 3 A ss es sm en t of C ur re nt C ap ab ili ty a nd P er fo rm an ce A ss es s th e cu rr en t c ap ab ili ty a nd p er fo rm an ce o f so lu tio n an d se rv ic e de liv er y to es ta bl is h a ba se lin e ag ai ns t w hi ch f ut ur e re qu ir em en ts c an b e co m pa re d. D ef in e pe rf or m an ce in te rm s of I T ’s c on tr ib ut io n to b us in es s ob je ct iv es , f un ct io na lit y, st ab ili ty , c om pl ex ity , c os ts , s tr en gt hs a nd w ea kn es se s. • IT p la ns c on tr ib ut in g tr an sp ar en tly to th e or ga ni sa tio n’ s m is si on a nd g oa ls • C la ri ty o f co st s, b en ef its a nd r is ks o f IT ’s c ur re nt p er fo rm an ce • Te ch no lo gi ca l o pp or tu ni tie s id en tif ie d an d ca pa bi lit ie s le ve ra ge d • IT ca pa bi lit ie s kn ow n an d op er at io na lis ed e ff ec tiv el y an d ef fi ci en tly to d el iv er th e re qu ir ed so lu tio ns a nd s er vi ce s • IT c ap ab ili tie s no t c on tr ib ut in g to th e or ga ni sa tio n’ s m is si on a nd g oa ls • In ve st m en t d ec is io ns ta ke n to o la te • O pp ortu ni tie s an d ca pa bi lit ie s no t le ve ra ge d • In ef fe ct iv e us e of e xi st in g re so ur ce s • In ab ili ty to id en tif y ba se lin es f or cu rr en t, an d re qu ir em en ts f or f ut ur e, sy st em c ap ab ili ty a nd p er fo rm an ce P O 1 D e fi n e a S tr a te g ic I T P la n ( c o n t. ) IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. 
www.itgi.org54 Te st t he C on tr ol D es ig n • E nq ui re w he th er a nd c on fi rm th at a p ro ce ss w as f ol lo w ed to d oc um en t I T ’s g oa ls a nd o bj ec tiv es n ec es sa ry to p er fo rm it s ta sk s. T he y sh ou ld b e de fi ne d, d oc um en te d an d co m m un ic at ed , i nc lu di ng th e: – A ch ie ve m en t o f th e be ne fi ts a nd m an ag em en t o f th e ri sk s of th e IT c ap ab ili tie s – E st ab lis hm en t o f th e cu rr en t a nd f ut ur e pe rf or m an ce r eq ui re d to r es po nd to b us in es s ex pe ct at io ns – Pr ov is io n of in fo rm at io n on tr an sp ar en cy a nd h ow I T d el iv er s va lu e to th e bu si ne ss • E nq ui re w he th er a nd c on fi rm th at th er e is a ti m e fr am e fo r th e de ve lo pm en t a nd e xe cu tio n of th e st ra te gi c an d ta ct ic al p la ns . T hi s tim e fr am e sh ou ld in cl ud e th e in te rr el at io ns hi ps a nd d ep en de nc ie s of th e ex ec ut io n of th e ta ct ic al p la ns . T he ti m e fr am e co ul d va ry b as ed o n sc op e, f un di ng a nd p ri or iti sa tio n. • E nq ui re w he th er a nd c on fi rm th at a p ro ce ss to c ap tu re o ut co m e m ea su re s, r ep re se nt ed b y m et ri cs ( w ha t) a nd ta rg et s (h ow m uc h) , o f IT o bj ec tiv es e xi st s an d th at th e m ea su re s re la te to b us in es s- id en tif ie d be ne fi ts a nd th e st ra te gy ’s d ir ec tio n. • C on fi rm a nd r ev ie w th e po lic ie s an d pr oc ed ur es s up po rt in g th e st ru ct ur ed p la nn in g ap pr oa ch to d et er m in e if th ey e ff ec tiv el y su pp or t t he p ro ce ss f or c re at in g an I T st ra te gi c pl an . P O 1. 4 IT S tr at eg ic P la n C re at e a st ra te gi c pl an th at d ef in es , i n co -o pe ra tio n w ith r el ev an t s ta ke ho ld er s, ho w I T g oa ls w ill c on tr ib ut e to th e en te rp ri se ’s s tr at eg ic o bj ec tiv es a nd r el at ed co st s an d ri sk s. 
I t s ho ul d in cl ud e ho w I T w ill s up po rt I T- en ab le d in ve st m en t pr og ra m m es , I T s er vi ce s an d IT a ss et s. I T s ho ul d de fi ne h ow th e ob je ct iv es w ill be m et , t he m ea su re m en ts to b e us ed a nd th e pr oc ed ur es to o bt ai n fo rm al s ig n- of f fr om th e st ak eh ol de rs . T he I T s tr at eg ic p la n sh ou ld c ov er in ve st m en t/o pe ra tio na l b ud ge t, fu nd in g so ur ce s, s ou rc in g st ra te gy , a cq ui si tio n st ra te gy , a nd le ga l a nd r eg ul at or y re qu ir em en ts . T he s tr at eg ic p la n sh ou ld b e su ff ic ie nt ly d et ai le d to a llo w f or th e de fi ni tio n of ta ct ic al I T p la ns . • St ra te gi c IT p la ns c on si st en t w ith bu si ne ss o bj ec tiv es • St ra te gi c ob je ct iv es a nd a ss oc ia te d ac co un ta bi lit ie s cl ea r an d un de rs to od by a ll • IT s tr at eg ic o pt io ns id en tif ie d an d st ru ct ur ed , a nd in te gr at ed w ith th e bu si ne ss p la ns • R ed uc ed li ke lih oo d of u nn ec es sa ry I T in iti at iv es • St ra te gi c IT p la ns c om pl et e an d us ab le • B us in es s re qu ir em en ts n ot u nd er st oo d or a dd re ss ed b y IT m an ag em en t • N o re gu la r an d fo rm al c on su lta tio n be tw ee n IT m an ag em en t a nd b us in es s an d se ni or m an ag em en t • IT p la ns n ot a lig ne d w ith b us in es s ne ed s • U nn ec es sa ry I T in iti at iv es a nd in ve st m en ts • IT p la ns in co ns is te nt w ith th e or ga ni sa tio n’ s ex pe ct at io ns o r re qu ir em en ts • IT n ot f oc us ed o n th e ri gh t p ri or iti es P O 1 D e fi n e a S tr a te g ic I T P la n ( c o n t. ) R is k D riv er s Va lu e D riv er s C on tr ol O bj ec ti ve 55© 2007 IT Governance Institute. All rights reserved. www.itgi.org APPENDIX II Te st t he C on tr ol D es ig n • E nq ui re w he th er a nd c on fi rm th at ta ct ic al I T p la ns e xi st a nd th at th ey h av e be en b as ed o n th e IT s tr at eg ic p la n. 
• C on fi rm th at th is is d on e in a s tr uc tu re d m an ne r in a cc or da nc e w ith e st ab lis he d pr oc es se s an d th at th er e is n o un du e de la y be tw ee n up da te s of th e st ra te gi c pl an a nd th e su bs eq ue nt u pd at e of th e ta ct ic al p la ns . • V al id at e th at th e co nt en ts o f th e IT ta ct ic al p la n ar e ad eq ua te a nd th at it c on ta in s pr op er p ro je ct d ef in iti on s, p la nn in g in fo rm at io n, d el iv er ab le s an d qu an tif ie d es tim at ed be ne fi ts . • R ev ie w w he th er th e ta ct ic al p la n ad dr es se s IT -r el at ed r is k. Te st t he C on tr ol D es ig n • E nq ui re w he th er a nd c on fi rm th at a p ro ce ss is in p la ce th at e na bl es id en tif ic at io n an d pr io ri tis at io n (b as ed o n bu si ne ss b en ef its ) of I T p ro gr am m es a nd p ro je ct s su pp or tin g th e IT ta ct ic al p la n. • C on fi rm th at th is p ro ce ss o f po rt fo lio m an ag em en t u se s ap pr op ri at e cr ite ri a to d ef in e an d pr io ri tis e th e di ff er en t p ro je ct s an d pr og ra m m es . • V er if y w he th er b us in es s go al s an d ex pe ct ed b us in es s ou tc om es a re d oc um en te d an d re as on ab le , a nd w he th er s uf fi ci en t i nf or m at io n re la te d to b ud ge t a nd e ff or t i s pr es en t. • C on fi rm th at th e pr og ra m m e/ pr oj ec t o ut co m es a re d ul y co m m un ic at ed to a ll st ak eh ol de rs . P O 1. 5 IT T ac ti ca l P la ns C re at e a po rt fo lio o f ta ct ic al I T p la ns th at a re d er iv ed f ro m th e IT s tr at eg ic p la n. T he ta ct ic al p la ns s ho ul d ad dr es s IT -e na bl ed p ro gr am m e in ve st m en ts , I T s er vi ce s an d IT a ss et s. T he ta ct ic al p la ns s ho ul d de sc ri be r eq ui re d IT in iti at iv es , r es ou rc e re qu ir em en ts , a nd h ow th e us e of r es ou rc es a nd a ch ie ve m en t o f be ne fi ts w ill b e m on ito re d an d m an ag ed . 
T he ta ct ic al p la ns s ho ul d be s uf fi ci en tly det ai le d to al lo w th e de fi ni tio n of p ro je ct p la ns . A ct iv el y m an ag e th e se t o f ta ct ic al I T p la ns an d in iti at iv es th ro ug h an al ys is o f pr oj ec t a nd s er vi ce p or tf ol io s. • L on g- ra ng e st ra te gi c IT p la ns c ap ab le of b ei ng o pe ra tio na lis ed b y sh or t- ra ng e ta ct ic al I T p la ns • E ff ec tiv e IT r es ou rc e al lo ca tio n • IT p la ns c ap ab le o f be in g co nt in uo us ly m on ito re d an d ev al ua te d • D ay -t o- da y pe rf or m an ce a nd r es ou rc e us ag e ca pa bl e of b ei ng m on ito re d ag ai ns t s tr at eg ic ta rg et s • Fo cu s pr ov id ed f or I T d ep ar tm en t an d st af f • IT lo ng -r an ge p la ns n ot a ch ie ve d • A va ila bl e IT r es ou rc es n ot le ve ra ge d fo r bu si ne ss b en ef its • D ev ia tio ns in I T p la ns n ot id en tif ie d • IT ’s p ri or iti es m is un de rs to od a nd su bj ec t t o ch an ge • In fo rm at io n to m on ito r IT ’s pe rf or m an ce n ot a va ila bl e P O 1 D e fi n e a S tr a te g ic I T P la n ( c o n t. ) R is k D riv er s Va lu e D riv er s C on tr ol O bj ec ti ve P O 1. 6 IT P or tf ol io M an ag em en t A ct iv el y m an ag e w ith th e bu si ne ss th e po rt fo lio o f IT -e na bl ed in ve st m en t pr og ra m m es r eq ui re d to a ch ie ve s pe ci fi c st ra te gi c bu si ne ss o bj ec tiv es b y id en tif yi ng , d ef in in g, e va lu at in g, p ri or iti si ng , s el ec tin g, in iti at in g, m an ag in g an d co nt ro lli ng p ro gr am m es . 
T hi s sh ou ld in cl ud e cl ar if yi ng d es ir ed b us in es s ou tc om es , e ns ur in g th at p ro gr am m e ob je ct iv es s up po rt a ch ie ve m en t o f th e ou tc om es , u nd er st an di ng th e fu ll sc op e of e ff or t r eq ui re d to a ch ie ve th e ou tc om es , a ss ig ni ng c le ar a cc ou nt ab ili ty w ith s up po rt in g m ea su re s, d ef in in g pr oj ec ts w ith in th e pr og ra m m e, a llo ca tin g re so ur ce s an d fu nd in g, d el eg at in g au th or ity , a nd c om m is si on in g re qu ir ed p ro je ct s at p ro gr am m e la un ch . • E ff ic ie nt I T r es ou rc e m an ag em en t • IT in iti at iv es c on tin uo us ly m on ito re d an d ev al ua te d • T he r ig ht m ix o f IT in iti at iv es f or a po si tiv e an d ri sk -a dj us te d re tu rn o n in ve st m en t ( R O I) • Pe rf or m an ce a nd r es ou rc e re qu ir em en ts o f IT in iti at iv es m on ito re d ag ai ns t d ef in ed ta rg et s • M is se d bu si ne ss o pp or tu ni tie s du e to a to o- co ns er va tiv e po rt fo lio • L ow R O I du e to a to o- ag gr es si ve po rt fo lio • A va ila bl e IT r es ou rc es n ot le ve ra ge d • D ev ia tio ns in I T p la ns n ot id en tif ie d R is k D riv er s Va lu e D riv er s C on tr ol O bj ec ti ve IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. www.itgi.org56 Take the following steps to test the outcome of the control objectives: • Confirm through interviews with steering committee members and other sources that the steering committee members are appropriately represented by IT and business unit leadership (e.g., awareness of roles, responsibility, decision matrix and their ownership). • Review the approved steering committee charter and assess for relevance (e.g., roles, responsibility, authority, accountability, scope and objectives are communicated and understood by all members of the committee). 
• Inspect business cases to determine that the documentation has appropriate content (e.g., scope, objectives, cost-benefit analysis, high-level road map, measures for success, roles and responsibilities, impact of existing IT investment programmes) and that the business cases were developed and approved in a timely manner. Confirm through interviews whether IT-enabled investment programmes, IT services and IT assets are evaluated against the prioritisation criteria (review the documented prioritisation criteria).
• Confirm through interviews with members of IT management that they are informed of future business directions and goals, long-term and short-term goals, mission, and values.
• Enquire whether and confirm that enterprisewide goals and objectives are incorporated into IT strategic and tactical planning processes and that the strategic planning process includes all business and support activities.
• Confirm by examining documentation, such as meeting minutes or correspondence, that business and IT are both involved in leveraging current technology to create new business opportunities.
• Confirm that a report on current information systems (including feedback on the system, its use, and improvements or changes made to the system) is maintained on a regular basis.
• Review the achievement of agreed-upon targets defined within the previous tactical IT plan (e.g., the outcome of the performance evaluation could include, but may not be restricted to, current requirements, current delivery compared with requirements, barriers to achieving requirements, and the steps and costs required to achieve agreed-upon business goals and performance requirements).
• Enquire whether and confirm that the risk and cost implications of the required IT capabilities have been documented in the IT strategic plan.
• Confirm that the outcome measures that relate to business-identified benefits have been signed off on by the stakeholders and that the feedback from stakeholders has been taken into consideration.
• Enquire whether and confirm that the approved IT strategic plan is communicated and that there is a process to determine that the plan is clearly understood.
• Confirm through interviews, meeting minutes, presentations and correspondence that the IT strategic plan has been approved by the IT steering committee and the board. Enquire whether and confirm that a formal approval process was followed.
• Enquire whether and confirm that tactical plans are aligned to strategic plans and regularly updated. Confirm through interviews that tactical plans are used as the basis for identifying and planning the projects, acquiring and scheduling resources, and implementing monitoring techniques.
• Enquire whether and confirm that the content of the tactical plans includes clearly stated project definitions, project time frames and deliverables, the required resources and the business benefits to be monitored, performance indicator goals, mitigation plan, contingency plan, communication protocol, roles, and responsibilities.
• Confirm that the selected portfolio/project has been translated into the required effort, resources, finding, achievement, etc., and is approved by business (e.g., meeting minutes, senior management review records).
• Confirm that the required authority to launch the approved projects within the selected programmes has been obtained (meeting minutes, formal approval process, communication of approved project) from business and IT.
• Confirm that projects that have been delayed or postponed or that have not proceeded are communicated to business owners and involved IT staff members.
Take the following steps to document the impact of the control weaknesses:
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the improper allocation of IT investment.
• Assess the additional cost due to the return on investment (ROI) not being maximised in terms of business goals.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the IT investments not being properly aligned with the overall business strategy.
• Assess the impact of the business investing in self-contained IT systems to meet its requirements.
• Assess the possibility of business dissatisfaction with IT service delivery.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to the inability to execute IT strategic plans.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to projects being started and then failing or incurring unnecessary expenditure.
• Assess the additional cost due to the implementation of a suboptimal solution.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) due to business outcomes not being understood and, hence, being less effective.

PO2 Define the Information Architecture
The information systems function creates and regularly updates a business information model and defines the appropriate systems to optimise the use of this information. This encompasses the development of a corporate data dictionary with the organisation's data syntax rules, data classification scheme and security levels. This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalising information systems resources to appropriately match business strategies. This IT process is also needed to increase accountability for the integrity and security of data and to enhance the effectiveness and control of sharing information across applications and entities.

PO2.1 Enterprise Information Architecture Model
Control Objective
Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans as described in PO1. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.
Value Drivers
• Improved decision making based on relevant, reliable and usable information
• Improved IT agility and responsiveness to business requirements
• Support for business functions through accurate, complete and valid data
• Efficient data management and reduced redundancy and duplication
• Improved data integrity
• Meeting fiduciary requirements regarding compliance reporting, security and privacy of data
Risk Drivers
• Inadequate information for business functions
• Inconsistency between information requirements and application developments
• Data inconsistency between the organisation and systems
• High effort required or inability to comply with fiduciary obligations (e.g., compliance reporting, security, privacy)
• Inefficient planning of IT-enabled investment programmes due to lack of information
• Accumulation of data that are not relevant, consistent or usable in an economical manner
Test the Control Design
• Verify whether an enterprise information model exists, based on well-accepted standards, and whether it is known by appropriate business and IT stakeholders.
• Verify whether the model is effectively used and maintained in parallel with the process that translates IT strategy into IT tactical plans and tactical plans into projects.
• Assess whether the model considers flexibility, functionality, cost-effectiveness, security, failure resiliency, compliance, etc.

PO2.2 Enterprise Data Dictionary and Data Syntax Rules
Control Objective
Maintain an enterprise data dictionary that incorporates the organisation's data syntax rules. This dictionary should enable the sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business users, and prevent incompatible data elements from being created.
Value Drivers
• Common understanding of business data across the enterprise
• Facilitated sharing of data amongst all applications, systems and entities
• Reduced costs for application development and maintenance
• Improved data integrity
Risk Drivers
• Compromised information integrity
• Incompatible and inconsistent data
• Ineffective application controls
Test the Control Design
• Enquire whether and confirm that data syntax guidelines are maintained.
• Enquire whether and confirm that the data dictionary is defined to identify redundancy and incompatibility of data and that the impact of any modifications to the data dictionary and changes made to the data dictionary are effectively communicated.
• Review various application systems and development projects to verify that the data dictionary is used for data definitions.
• Enquire whether and confirm that senior managers agree upon the process for defining data syntax rules, data validation rules and business rules (e.g., consistency, integrity, quality).
• Inspect the data quality programme's plans, policies and procedures to evaluate its effectiveness.

PO2.3 Data Classification Scheme
Control Objective
Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.
Value Drivers
• Ensured availability of information that supports decision making
• The focus of security investments based on criticality
• Defined accountability for information integrity, availability and security
• Data access consistently permitted based on defined security levels
Risk Drivers
• Inappropriate security requirements
• Inadequate or excessive investments in security controls
• Occurrence of privacy, data confidentiality, integrity and availability incidents
• Non-compliance with regulatory or third-party requirements
• Inefficient or inconsistent information for decision making
Test the Control Design
• Review the data classification scheme and verify that all significant components are covered and completed, and that the scheme is reasonable in balancing cost vs. risk. This includes data ownership with business owners and definition of appropriate security measures related to classification levels.
• Verify that security classifications have been challenged and confirmed with the business owners at regular intervals.

PO2.4 Integrity Management
Control Objective
Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
Value Drivers
• Consistency of data integrity across all data stored
• Improved data integrity
Risk Drivers
• Data integrity errors and incidents
• Unreliable data on which to base business decisions
• Non-compliance with regulatory or third-party requirements
• Unreliable external reports
Test the Control Design
• Enquire whether and confirm that integrity and consistency criteria for all information are defined in collaboration with business management.
• Enquire whether and confirm that procedures are implemented to manage and maintain data integrity and consistency throughout the complete data process and life cycle.
• Enquire whether and confirm that a data quality programme is implemented to validate and ensure data integrity and consistency on a regular basis.

Take the following steps to test the outcome of the control objectives:
• Review documentation of the information architecture model to determine whether it addresses all significant applications and their interfaces and relationships.
• Review information architecture documentation to verify that it is consistent with the organisation’s strategy and strategic and tactical IT plans. • Ensure that changes made to the information architecture model reflect those in the IT strategic and tactical plans and that associated costs and risks are identified. • Enquire whether and confirm that business management and IT understand relevant parts of the information architecture model (e.g., data ownership, accountability, data governance). • Enquire whether and confirm that the information architecture model is regularly checked for adequacy, flexibility, integrity and security and that it is subject to frequent user reviews (e.g., impact of information system changes). • Enquire whether and confirm that data administration controls exist, and co-ordinate the definitions and usage of reliable and relevant data consistent with the enterprise information model. • Review the data dictionary and verify that all significant data elements are described properly as per the defined process. • Verify defined data syntax rules, data validation rules and business rules as per the defined process. • Enquire whether and confirm that metadata in data dictionaries are sufficiently detailed to communicate syntax in an integrated manner across applications and that they include data attributes and security levels for each data item. • Enquire whether and confirm that data dictionary management is implemented, maintained and reviewed periodically to manage the organisation’s data dictionary and data syntax rules. • Verify whether the system covers all relevant data elements by comparing a list of data with actual implementation in the tool. 
• Enquire whether and confirm that a data quality programme is implemented to increase data integrity, standardisation, consistency, one-time data entry and storage (e.g., use automated evidence collection when possible to test data integrity, standardisation, consistency, one-time data-entry and storage from sample data, embedded audit modules, data analysis using audit software or other integration tools). Use automated tools (e.g., computer-assisted audit techniques [CAATs]) to verify data integrity. • Enquire whether and confirm that a data classification scheme is defined and approved (e.g, security levels, access levels and defaults are appropriate). • Enquire whether and confirm that data classification levels are defined based on organisation needs for information protection and the business impact of unprotected information. • Verify that business owners review the actual classification of information and areaware of their roles, responsibilities and accountability for data. • Enquire whether and confirm that components inherit the classification of the original assets. • Verify that all deviations from the data classification inheritance policy have been approved by the data owner. • Enquire whether and confirm that information and data (including hard copies of data) are labelled, handled, protected and otherwise secured in a manner consistent with the data classification categories. • Inspect evidence that the required integrity and consistency criteria for data are defined and implemented (e.g., data stored in databases and data warehouses are consistent). • Enquire whether and confirm that a data quality programme is implemented to validate and ensure data integrity and consistency on a regular basis. Take the following steps to document the impact of the control weaknesses: • Assess the impact of inconsistency amongst IT plans described in strategic planning and the enterprise information architecture model. 
• Assess the impact of ineffective interface between business and IT decision making. • Assess the vulnerability to disclosure of sensitive information. 61© 2007 IT Governance Institute. All rights reserved. www.itgi.org APPENDIX II P O 3 D e te rm in e T e c h n o lo g ic a l D ir e c ti o n T he in fo rm at io n se rv ic es f un ct io n de te rm in es th e te ch no lo gy d ir ec tio n to s up po rt th e bu si ne ss . T hi s re qu ir es th e cr ea tio n of a te ch no lo gi ca l i nf ra st ru ct ur e pl an a nd a n ar ch ite ct ur e bo ar d th at s et s an d m an ag es c le ar a nd r ea lis tic e xp ec ta tio ns o f w ha t t ec hn ol og y ca n of fe r in te rm s of p ro du ct s, s er vi ce s an d de liv er y m ec ha ni sm s. T he p la n is re gu la rl y up da te d an d en co m pa ss es a sp ec ts s uc h as s ys te m s ar ch ite ct ur e, te ch no lo gi ca l d ir ec tio n, a cq ui si tio n pl an s, s ta nd ar ds , m ig ra tio n st ra te gi es a nd c on tin ge nc y. T hi s en ab le s tim el y re sp on se s to c ha ng es in th e co m pe tit iv e en vi ro nm en t, ec on om ie s of s ca le f or in fo rm at io n sy st em s st af fi ng a nd in ve st m en ts , a s w el l a s im pr ov ed in te ro pe ra bi lit y of p la tf or m s an d ap pl ic at io ns . Te st t he C on tr ol D es ig n • R ev ie w th e pr oc es s of s tr en gt hs , w ea kn es se s, o pp or tu ni tie s an d th re at s (S W O T ) an al ys is p er fo rm an ce to e ns ur e ef fe ct iv en es s of p ro ce ss ( e. g. , c he ck f or m ea su re m en ts o f th e pr oc es s an d ch an ge s m ad e to th e pr oc es s as a r es ul t o f im pr ov em en t) . • C on fi rm th ro ug h in te rv ie w s w ith th e C IO a nd o th er m em be rs o f se ni or m an ag em en t t ha t a n ap pr op ri at e te ch no lo gi ca l r is k ap pe tit e ha s be en e st ab lis he d ba se d on th e bu si ne ss s tr at eg y. P O 3. 
1 T ec hn ol og ic al D ir ec ti on P la nn in g A na ly se e xi st in g an d em er gi ng te ch no lo gi es , a nd p la n w hi ch te ch no lo gi ca l di re ct io n is a pp ro pr ia te to r ea lis e th e IT s tr at eg y an d th e bu si ne ss s ys te m s ar ch ite ct ur e. A ls o id en tif y in th e pl an w hi ch te ch no lo gi es h av e th e po te nt ia l t o cr ea te b us in es s op po rt un iti es . T he p la n sh ou ld a dd re ss s ys te m s ar ch ite ct ur e, te ch no lo gi ca l d ir ec tio n, m ig ra tio n st ra te gi es a nd c on tin ge nc y as pe ct s of in fr as tr uc tu re c om po ne nt s. Va lu e D riv er s C on tr ol O bj ec ti ve • Im pr ov ed le ve ra gi ng o f te ch no lo gy f or bu si ne ss o pp or tu ni tie s • Im pr ov ed in te gr at io n of in fr as tr uc tu re an d ap pl ic at io ns v ia d ef in ed s ta nd ar ds fo r te ch ni ca l d ir ec tio n • Im pr ov ed u se o f re so ur ce s an d ca pa bi lit ie s • R ed uc ed c os ts f or te ch no lo gi ca l ac qu is iti on s th ro ug h re du ce d pl at fo rm s an d in cr em en ta lly m an ag ed in ve st m en ts R is k D riv er s • Te ch no lo gi ca l a cq ui si tio ns in co ns is te nt w ith s tr at eg ic p la ns • IT in fr as tr uc tu re in ap pr op ri at e fo r or ga ni sa tio na l r eq ui re m en ts • D ev ia tio ns f ro m th e ap pr ov ed te ch no lo gi ca l d ir ec tio n • In cr ea se d co st s du e to u nc o- or di na te d an d un st ru ct ur ed a cq ui si tio n pl an s IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. 
www.itgi.org62 Te st t he C on tr ol D es ig n • D et er m in e w he th er , b y w ho m a nd h ow c ur re nt a nd f ut ur e tr en ds a nd r eg ul at io ns a re m on ito re d (e .g ., te ch no lo gi ca l d ev el op m en ts , c om pe tit or a ct iv iti es , i nf ra st ru ct ur e is su es , l eg al r eq ui re m en ts a nd r eg ul at or y en vi ro nm en t c ha ng es , t hi rd -p ar ty e xp er ts ) an d w he th er r el at ed r is ks o r re la te d op po rt un iti es f or v al ue c re at io n ar e pr op er ly as se ss ed . • V er if y w he th er th e re su lt of th e m on ito ri ng is c on si st en tly p as se d on to th e ap pr op ri at e bo di es ( e. g. , I T s te er in g co m m itt ee ) an d to th e IT ta ct ic al a nd in fr as tr uc tu re pl an ni ng p ro ce ss es f or a ct io n. P O 3. 3 M on it or F ut ur e T re nd s an d R eg ul at io ns E st ab lis h a pr oc es s to m on ito r th e bu si ne ss s ec to r, in du st ry , t ec hn ol og y, in fr as tr uc tu re , l eg al a nd r eg ul at or y en vi ro nm en t t re nd s. I nc or po ra te th e co ns eq ue nc es o f th es e tr en ds in to th e de ve lo pm en t o f th e IT te ch no lo gy in fr as tr uc tu re p la n. 
Va lu e D riv er s C on tr ol O bj ec ti ve • Im pr ov ed a w ar en es s of te ch no lo gi ca l op po rt un iti es a nd im pr ov ed s er vi ce s • Im pr ov ed a w ar en es s of te ch ni ca l a nd re gu la to ry r is ks • Im pr ov ed e va lu at io n of te ch no lo gi ca l ch an ge s in li ne w ith th e bu si ne ss p la n R is k D riv er s • N on -c om pl ia nc e w ith r eg ul at or y re qu ir em en ts • H ig h ef fo rt r eq ui re d to a ch ie ve co m pl ia nc e be ca us e of w ro ng o r la te de ci si on s • Te ch ni ca l i nc om pa tib ili tie s or m ai nt en an ce is su es w ith in th e IT in fr as tr uc tu re • O rg an is at io na l f ai lu re to m ax im is e th e us e of e m er gi ng te ch no lo gi ca l op po rt un iti es to im pr ov e bu si ne ss a nd IT c ap ab ili ty Te st t he C on tr ol D es ig n • C on fi rm w ith k ey s ta ff m em be rs th at a te ch no lo gy in fr as tr uc tu re p la n ba se d on th e IT s tr at eg ic a nd ta ct ic al p la ns is c re at ed . • R ev ie w th e pl an to c on fi rm th at it incl ud es f ac to rs s uc h as c on si st en t i nt eg ra te d te ch no lo gi es , b us in es s sy st em s ar ch ite ct ur e an d co nt in ge nc y as pe ct s of in fr as tr uc tu re co m po ne nt s, tr an si tio na l a nd o th er c os ts , c om pl ex ity , t ec hn ic al r is ks , f ut ur e fl ex ib ili ty v al ue , a nd p ro du ct /v en do r su st ai na bi lit y an d di re ct io ns f or a cq ui si tio n of I T a ss et s. • E nq ui re w ith k ey s ta ff m em be rs a nd in sp ec t t he te ch no lo gy in fr as tr uc tu re p la n to c on fi rm th at c ha ng es in th e co m pe tit iv e en vi ro nm en t, ec on om ie s of s ca le f or in fo rm at io n sy st em s st af fi ng a nd in ve st m en ts , a nd im pr ov ed in te ro pe ra bi lit y of p la tf or m s an d ap pl ic at io ns a re id en tif ie d. P O 3 D e te rm in e T e c h n o lo g ic a l D ir e c ti o n ( c o n t. ) P O 3. 
2 T ec hn ol og y In fr as tr uc tu re P la n C re at e an d m ai nt ai n a te ch no lo gy in fr as tr uc tu re p la n th at is in a cc or da nc e w ith th e IT s tr at eg ic a nd ta ct ic al p la ns . T he p la n sh ou ld b e ba se d on th e te ch no lo gi ca l di re ct io n an d in cl ud e co nt in ge nc y ar ra ng em en ts a nd d ir ec tio n fo r ac qu is iti on o f te ch no lo gy r es ou rc es . I t s ho ul d co ns id er c ha ng es in th e co m pe tit iv e en vi ro nm en t, ec on om ie s of s ca le f or in fo rm at io n sy st em s st af fi ng a nd in ve st m en ts , a nd im pr ov ed in te ro pe ra bi lit y of p la tf or m s an d ap pl ic at io ns . Va lu e D riv er s C on tr ol O bj ec ti ve • Im pr ov ed in te ro pe ra bi lit y • Im pr ov ed e co no m ie s of s ca le f or in ve st m en ts a nd s up po rt s ta ff in g • A te ch no lo gy p la n w ith g oo d ba la nc e in c os t, re qu ir em en ts a gi lit y an d ri sk s • Su ff ic ie nt , s ta bl e an d fl ex ib le te ch no lo gi ca l i nf ra st ru ct ur e to r es po nd to in fo rm at io n re qu ir em en ts R is k D riv er s • In co ns is te nt s ys te m im pl em en ta tio ns • D ev ia tio ns f ro m th e ap pr ov ed te ch no lo gi ca l d ir ec tio n • In cr ea se d co st s du e to u nc o- or di na te d an d un st ru ct ur ed a cq ui si tio n pl an s • O rg an is at io na l f ai lu re to m ax im is e th e us e of e m er gi ng te ch no lo gi ca l op po rt un iti es to im pr ov e bu si ne ss a nd IT c ap ab ili ty 63© 2007 IT Governance Institute. All rights reserved. www.itgi.org APPENDIX II Te st t he C on tr ol D es ig n • V er if y th at th e co rp or at e te ch no lo gy s ta nd ar ds a re b ei ng a pp ro ve d by th e IT a rc hi te ct ur e bo ar d. A ss es s th e ef fe ct iv en es s of th e pr oc es s fo r co m m un ic at io n of te ch ni ca l st an da rd s to I T s ta ff m em be rs ( e. g. , p ro je ct m an ag er s, in fo rm at io n ar ch ite ct s) . 
I nt er vi ew r el ev an t I T p er so nn el to d et er m in e th ei r un de rs ta nd in g of te ch ni ca l s ta nd ar ds . • A sc er ta in f ro m I T m an ag em en t t ha t m on ito ri ng a nd b en ch m ar ki ng p ro ce ss es a re p ut in p la ce to c on fi rm c om pl ia nc e to e st ab lis he d te ch no lo gy s ta nd ar ds a nd g ui de lin es . • E va lu at e te ch ni ca l f ea si bi lit y an al ys is d oc um en ta tio n fo r se le ct ed p ro je ct s to a ss es s co m pl ia nc e w ith c or po ra te te ch no lo gy s ta nd ar ds . Te st t he C on tr ol D es ig n • R ev ie w th e gu id el in es , p la ns , p ro ce ss es a nd m ee tin g m in ut es o f th e ar ch ite ct ur e bo ar d. V er if y w he th er th ey p ro vi de a rc hi te ct ur e gu id el in es a nd r el at ed a dv ic e in li ne w ith th e bu si ne ss s tr at eg y an d es ta bl is he d in fo rm at io n ar ch ite ct ur e. • V er if y w he th er th e ar ch ite ct ur e bo ar d ha s co ns id er ed r eg ul at or y co m pl ia nc e an d bu si ne ss c on tin ui ty in it s de ci si on s. • V er if y th at m ec ha ni sm s ar e in p la ce th at e ns ur e de te ct io n of n on -c om pl ia nc e w ith th e st an da rd s an d gu id el in es o f th e ar ch ite ct ur e bo ar d w ith in th e pr oj ec t m an ag em en t pr oc es s. • A ss es s th e ro le o f th e ar ch ite ct ur e bo ar d in f ol lo w in g th ro ug h on r eq ui re d co rr ec tio ns a ri si ng f ro m n on -c om pl ia nc e w ith s ta nd ar ds in th e pr oj ec t m an ag em en t p ro ce ss . P O 3. 4 T ec hn ol og y St an da rd s To p ro vi de c on si st en t, ef fe ct iv e an d se cu re te ch no lo gi ca l s ol ut io ns en te rp ri se w id e, e st ab lis h a te ch no lo gy f or um to p ro vi de te ch no lo gy g ui de lin es , ad vi ce o n in fr as tr uc tu re p ro du ct s an d gu id an ce o n th e se le ct io n of te ch no lo gy , an d m ea su re c om pl ia nc e w ith th es e st an da rd s an d gu id el in es . 
T hi s fo ru m s ho ul d di re ct te ch no lo gy s ta nd ar ds a nd p ra ct ic es b as ed o n th ei r bu si ne ss r el ev an ce , r is ks an d co m pl ia nc e w ith e xt er na l r eq ui re m en ts . Va lu e D riv er s C on tr ol O bj ec ti ve • In cr ea se d co nt ro l o ve r in fo rm at io n sy st em s as se t a cq ui si tio ns , c ha ng es an d di sp os al s • St an da rd is ed a cq ui si tio ns s up po rt in g th e te ch no lo gi ca l d ir ec tio n, in cr ea si ng al ig nm en t a nd r ed uc in g ri sk s • Sc al ab le in fo rm at io n sy st em s re du ci ng re pl ac em en t c os ts • C on si st en cy in te ch no lo gy th ro ug ho ut th e en te rp ri se , i m pr ov in g ef fi ci en cy an d re du ci ng s up po rt , l ic en si ng a nd m ai nt en an ce c os ts R is k D riv er s • In co m pa tib ili tie s be tw ee n te ch no lo gy pl at fo rm s an d ap pl ic at io ns • D ev ia tio ns f ro m th e ap pr ov ed te ch no lo gi ca l d ir ec tio n • L ic en si ng v io la tio ns • In cr ea se d su pp or t, re pl ac em en t a nd m ai nt en an ce c os ts • In ab ili ty to a cc es s hi st or ic al d at a on un su pp or te d te ch no lo gy P O 3 D e te rm in e T e c h n o lo g ic a l D ir e c ti o n ( c o n t. ) P O 3. 5 IT A rc hi te ct ur e B oa rd E st ab lis h an I T a rc hi te ct ur e bo ar d to p ro vi de a rc hi te ct ur e gu id el in es a nd a dv ic e on th ei r ap pl ic at io n, a nd to v er if y co m pl ia nc e. T hi s en tit y sh ou ld d ir ec t I T ar ch ite ct ur e de si gn , e ns ur in g th at it e na bl es th e bu si ne ss s tr at eg y an d co ns id er s re gu la to ry c om pl ia nc e an d co nt in ui ty r eq ui re m en ts. T hi s is r el at ed /li nk ed to P O 2 D ef in e th e in fo rm at io n ar ch it ec tu re . 
Va lu e D riv er s C on tr ol O bj ec ti ve • In cr ea se d ac co un ta bi lit y an d re sp on si bi lit y fo r ar ch ite ct ur al de ci si on s • In cr ea se d al ig nm en t b et w ee n bu si ne ss st ra te gy a nd te ch ni ca l I T d ir ec tio n • C on si st en t u nd er st an di ng o f te ch no lo gy a rc hi te ct ur e th ro ug ho ut th e en te rp ri se R is k D riv er s • In co m pa tib ili tie s be tw ee n te ch no lo gy pl at fo rm s an d ap pl ic at io ns • D ev ia tio ns f ro m th e ap pr ov ed te ch no lo gi ca l d ir ec tio n • U nc on tr ol le d ac qu is iti on , u se a nd po ss ib le p ro lif er at io n of in fo rm at io n sy st em s as se ts IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. www.itgi.org64 Take the following steps to test the outcome of the control objectives: • Review the result of the SWOT analysis to verify that business systems architecture, technological direction, migration strategies and contingency aspects are included in the technological direction and infrastructure plans. • Review appropriate documents to confirm whether market evolutions, legal and regulatory conditions, and emerging technologies (e.g., technological developments, competitor activities, infrastructure issues, legal requirements and regulatory environment changes, third-party experts) are being monitored (e.g., review the output and results of the monitoring activity and verify the action taken based on the analysis). • Review the IT strategy and IT technological infrastructure plan to ensure that it is aligned with the latest developments in IT that have the potential to impact the success of the business. • Confirm with the chief architect that ongoing assessments of current status vs. planned infrastructure are taking place. Review the corrective actions identified and executed, and compare these against the approved technology infrastructure plans. 
• Inspect the technology infrastructure plan to confirm that changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications are identified. • Enquire whether the technology research budget is used in an effective and efficient manner (e.g., number of improvements based on research, improvement in services). • Inspect technology guidelines to determine that they appropriately support the technological solutions, accurately represent the organisation’s technological direction and provide sufficient direction for a wide range of problems. • Enquire whether and confirm that an IT architecture board has been established and roles, responsibility and accountability have been formally defined. • Confirm with members of the IT architecture board that meetings are held frequently (e.g., periodic/event basis). • Determine that all agreed-upon actions from IT architecture board meetings are appropriately recorded, tracked and implemented. Take the following steps to document the impact of the control weaknesses: • Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that the organisation may not select appropriate technologies that achieve business goals or create new business opportunities (e.g., market leadership). • Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that the technology plans may not consider changes in the competitive environment. • Assess the impact of economies of scale for information systems staffing and investments that are not achieved. • Assess the opportunity cost of not realising opportunities to integrate platforms and applications. • Assess the opportunity cost that potential business opportunities may not be realised. • Assess the opportunity cost that technology trends may not be taken into account in the development of the IT technology infrastructure plan. 
• Assess the risk of non-compliance to legal and regulatory regulations. 65© 2007 IT Governance Institute. All rights reserved. www.itgi.org APPENDIX II P O 4 D e fi n e t h e I T P ro c e s s e s , O rg a n is a ti o n a n d R e la ti o n s h ip s A n IT o rg an is at io n is d ef in ed b y co ns id er in g re qu ir em en ts f or s ta ff , s ki lls , f un ct io ns , a cc ou nt ab ili ty , a ut ho ri ty , r ol es a nd r es po ns ib ili tie s, a nd s up er vi si on . T hi s or ga ni sa tio n is em be dd ed in to a n IT p ro ce ss f ra m ew or k th at e ns ur es tr an sp ar en cy a nd c on tr ol a s w el l a s th e in vo lv em en t o f se ni or e xe cu tiv es a nd b us in es s m an ag em en t. A s tr at eg y co m m itt ee en su re s bo ar d ov er si gh t o f IT , a nd o ne o r m or e st ee ri ng c om m itt ee s in w hi ch b us in es s an d IT p ar tic ip at e de te rm in e th e pr io ri tis at io n of I T r es ou rc es in li ne w ith b us in es s ne ed s. Pr oc es se s, a dm in is tr at iv e po lic ie s an d pr oc ed ur es a re in p la ce f or a ll fu nc tio ns , w ith s pe ci fi c at te nt io n to c on tr ol , q ua lit y as su ra nc e, r is k m an ag em en t, in fo rm at io n se cu ri ty , d at a an d sy st em s ow ne rs hi p, a nd s eg re ga tio n of d ut ie s. T o en su re ti m el y su pp or t o f bu si ne ss r eq ui re m en ts , I T is to b e in vo lv ed in r el ev an t d ec is io n pr oc es se s. 
Te st t he C on tr ol D es ig n • E nq ui re w he th er a nd c on fi rm th at : – T he I T p ro ce ss es r eq ui re d to r ea lis e th e IT s tr at eg ic p la n ha ve b ee n id en tif ie d an d co m m un ic at ed – A f ra m ew or k to e na bl e th e de fi ni tio n an d fo llo w -u p of p ro ce ss g oa ls , m ea su re s, c on tr ol s an d m at ur ity h as b ee n de fi ne d an d im pl em en te d – R el at io ns hi ps a nd to uc hp oi nt s (e .g ., in pu ts /o ut pu ts , a nd a m on gs t t he I T p ro ce ss es , e nt er pr is e po rt fo lio m an ag em en t a nd b us in es s pr oc es se s) h av e be en d ef in ed . P O 4. 1 IT P ro ce ss F ra m ew or k D ef in e an I T p ro ce ss f ra m ew or k to e xe cu te th e IT s tr at eg ic p la n. T hi s fr am ew or k sh ou ld in cl ud e an I T p ro ce ss s tr uc tu re a nd r el at io ns hi ps ( e. g. , t o m an ag e pr oc es s ga ps a nd o ve rl ap s) , o w ne rs hi p, m at ur ity , p er fo rm an ce m ea su re m en t, im pr ov em en t, co m pl ia nc e, q ua lit y ta rg et s an d pl an s to a ch ie ve th em . I t s ho ul d pr ov id e in te gr at io n am on gs t t he p ro ce ss es th at a re s pe ci fi c to I T, e nt er pr is e po rt fo lio m an ag em en t, bu si ne ss p ro ce ss es a nd b us in es s ch an ge p ro ce ss es . T he IT p ro ce ss f ra m ew or k sh ou ld b e in te gr at ed in to a q ua lit y m an ag em en t s ys te m (Q M S) a nd th e in te rn al c on tr ol f ra m ew or k. 
Va lu e D riv er s C on tr ol O bj ec ti ve • C on si st en t a pp ro ac h fo r th e de fi ni tio n of I T p ro ce ss es • O rg an is at io n of k ey a ct iv iti es in to lo gi ca l, in te rd ep en de ntp ro ce ss es • C le ar d ef in iti on o f ow ne rs hi p of a nd re sp on si bi lit y fo r pr oc es se s an d ke y ac tiv iti es • R el ia bl e an d re pe at ab le e xe cu tio n of ke y ac tiv iti es • Fl ex ib le a nd r es po ns iv e IT p ro ce ss es R is k D riv er s • Fr am ew or k no t b ei ng a cc ep te d by th e bu si ne ss a nd I T p ro ce ss es n ot b ei ng re la te d to b us in es s re qu ir em en ts • In co m pl et e fr am ew or k of I T p ro ce ss es • C on fl ic ts a nd u nc le ar in te rd ep en de nc ie s am on gs t p ro ce ss es • O ve rl ap s be tw ee n ac tiv iti es • In fl ex ib le I T o rg an is at io n • G ap s be tw ee n pr oc es se s • D up lic at io n of p ro ce ss es IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. www.itgi.org66 Te st t he C on tr ol D es ig n • E nq ui re w he th er a nd c on fi rm th at th e: – C ha rt er , s co pe , o bj ec tiv es , m em be rs hi p, r ol es , r es po ns ib ili tie s, e tc ., of th e IT s tr at eg y co m m itt ee h av e be en d ef in ed in a m an ne r th at w ill e ns ur e co m pl ia nc e w ith st ra te gi c di re ct io ns o f th e en te rp ri se – IT s tr at eg y co m m itt ee is c om po se d of b oa rd a nd n on -b oa rd m em be rs w ith a pp ro pr ia te e xp er tis e on th e or ga ni sa tio n’ s de pe nd en cy o n IT a nd o pp or tu ni tie s pr ov id ed by I T • R ev ie w a ge nd as , p ap er s an d m in ut es o f th e IT s tr at eg y co m m itt ee to : – E ns ur e th at th e co m m itt ee m ee ts o n a re gu la r ba si s to a dd re ss s tr at eg ic is su es , i nc lu di ng m aj or in ve st m en t d ec is io ns , r ai se d by th e bo ar d of d ir ec to rs o r th e or ga ni sa tio n – A ss es s th at th e co m m itt ee is g iv in g ap pr op ri at e gu id an ce to th e 
bo ar d of d ir ec to rs o n IT go ve rn an ce a nd I T s tr at eg ic is su es P O 4. 2 IT S tr at eg y C om m it te e E st ab lis h an I T s tr at eg y co m m itt ee a t t he b oa rd le ve l. T hi s co m m itt ee s ho ul d en su re th at I T g ov er na nc e, a s pa rt o f en te rp ri se g ov er na nc e, is a de qu at el y ad dr es se d; a dv is e on s tr at eg ic d ir ec tio n; a nd r ev ie w m aj or in ve st m en ts o n be ha lf of th e fu ll bo ar d. Va lu e D riv er s C on tr ol O bj ec ti ve • Su pp or t o f th e bo ar d • B oa rd in si gh t i nt o IT v al ue a nd r is ks • Fa st er d ec is io ns o n im po rt an t in ve st m en ts • C le ar r es po ns ib ili ty a nd a cc ou nt ab ili ty fo r st ra te gi c de ci si on s • IT g ov er na nc e in te gr at ed in to co rp or at e go ve rn an ce • W el l- go ve rn ed I T f un ct io n R is k D riv er s • L ac k of r ep re se nt at io n of I T o n th e bo ar d ag en da • IT -r el at ed r is ks a nd v al ue u nk no w n at th e bo ar d le ve l • D ec is io ns o n in ve st m en ts a nd pr io ri tie s no t b as ed o n jo in t ( bu si ne ss an d IT ) pr io ri tie s • IT g ov er na nc e se pa ra te f ro m c or po ra te go ve rn an ce • IT no t c om pl ia nt w ith g ov er na nc e re qu ir em en ts , p ot en tia lly im pa ct in g m an ag em en t’s a nd th e bo ar d’ s pu bl ic ac co un ta bi lit y P O 4 D e fi n e t h e I T P ro c e s s e s , O rg a n is a ti o n a n d R e la ti o n s h ip s ( c o n t. ) 67© 2007 IT Governance Institute. All rights reserved. www.itgi.org APPENDIX II P O 4 D e fi n e t h e I T P ro c e s s e s , O rg a n is a ti o n a n d R e la ti o n s h ip s ( c o n t. ) Te st t he C on tr ol D es ig n • E nq ui re w he th er a nd c on fi rm th at th e ch ar te r, sc op e, o bj ec tiv es , m em be rs hi ps , r ol es , r es po ns ib ili tie s, e tc ., of th e IT s te er in g co m m itt ee r es ul t i n ap pr op ri at e im pl em en ta tio n of th e IT s tr at eg ic d ir ec tio ns o f th e en te rp ri se . 
• In sp ec t d oc um en ts s uc h as m ee tin g m in ut es a nd th e IT s te er in g co m m itt ee c ha rt er to id en tif y th e pa rt ic ip an ts in vo lv ed in th e co m m itt ee , t he ir r es pe ct iv e jo b fu nc tio ns an d th e re po rt in g re la tio ns hi p of th e co m m itt ee to e xe cu tiv e m an ag em en t ( e. g. , d et er m in e pr io ri tis at io n of I T- en ab le d in ve st m en t p ro gr am m es , t ra ck s ta tu s of p ro je ct s, an d m on ito r se rv ic e le ve ls a nd s er vi ce im pr ov em en ts ). • E nq ui re a nd c on fi rm w ith b us in es s m an ag em en t t o en su re th at th e bu si ne ss ta ke s an a ct iv e ro le in th e w or k of th e IT s te er in g co m m itt ee a nd m an ag em en t i s ap pr op ri at el y co ns ul te d. P O 4. 3 IT S te er in g C om m it te e E st ab lis h an I T s te er in g co m m itt ee ( or e qu iv al en t) c om po se d of e xe cu tiv e, bu si ne ss a nd I T m an ag em en t t o: • D et er m in e pr io ri tis at io n of I T- en ab le d in ve st m en t p ro gr am m es in li ne w ith th e en te rp ri se ’s b us in es s st ra te gy a nd p ri or iti es • T ra ck s ta tu s of p ro je ct s an d re so lv e re so ur ce c on fl ic t • M on ito r se rv ic e le ve ls a nd s er vi ce im pr ov em en ts Va lu e D riv er s C on tr ol O bj ec ti ve • IT s tr at eg y in li ne w ith th e or ga ni sa tio n’ s st ra te gy • IT -e na bl ed in ve st m en t p ro gr am m es in lin e w ith th e or ga ni sa tio n’ s st ra te gy • B us in es s an d IT in vo lv em en t i n th e pr io ri tis at io n pr oc es s • B us in es s an d IT in vo lv em en t i n co nf lic t r es ol ut io n • B us in es s an d IT in vo lv em en t i n m on ito ri ng p er fo rm an ce R is k D riv er s • IT s tr at eg y no t i n lin e w ith th e or ga ni sa tio n’ s st ra te gy • IT -e na bl ed in ve st m en t p ro gr am m es no t i n su pp or t o f th e or ga ni sa tio na l go al s an d ob je ct iv es • In su ff ic ie nt s up po rt a nd in vo lv em en t of I T a 
…and senior organisational management in key decision-making processes

IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. www.itgi.org 68

PO4 Define the IT Processes, Organisation and Relationships (cont.)

PO4.4 Organisational Placement of the IT Function
Place the IT function in the overall organisational structure with a business model contingent on the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the chief information officer (CIO) should be commensurate with the importance of IT within the enterprise.

Value Drivers
• IT resources aligned to the strategic priorities
• Effective management of IT supporting the business objectives
• Senior management commitment in IT decision making at the appropriate level
• Business/IT alignment at the organisational level

Risk Drivers
• Insufficient commitment from senior organisational management
• IT resources not effectively supporting the business
• IT not given sufficient strategic importance
• IT regarded as separate from the business and vice versa
• Lack of business direction and communication of business initiatives

Test the Control Design
• Enquire whether and confirm that the IT function is:
  – Headed by a CIO or similar function, of which the authority, responsibility, accountability and reporting line are commensurate with the importance of IT within the enterprise
  – Defined and funded in such a way that individual user groups/departments cannot exert undue influence over the IT function and undermine the priorities agreed upon by the IT strategy committee and IT steering committee
  – Appropriately resourced (e.g., staffing, contingent workers, budget) to enable the implementation and management of appropriate IT solutions and services to support the business and to enable relationships with the business

PO4.5 IT Organisational Structure
Establish an internal and external IT organisational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organisational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.

Value Drivers
• Effective and efficient support for the business
• Staffing requirements and sourcing strategies that support strategic business goals
• Flexible and responsive IT organisational structure
• Business/IT alignment at the organisational level

Risk Drivers
• Insufficient business support
• Insufficient staffing requirements
• Inappropriate sourcing strategies
• Inflexibility of IT to changes in business needs

Test the Control Design
• Enquire whether and confirm that:
  – Periodic reviews are performed over the impact of organisational changes as they affect the overall organisation and the structure of the IT function itself
  – The IT organisation has flexible resource arrangements, such as the use of external contractors and flexible third-party service arrangements, to support changing business needs

PO4.6 Establishment of Roles and Responsibilities
Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs.

Value Drivers
• Effective individual performance
• Activities allocated to specific positions
• Efficient recruitment of appropriately skilled and experienced IT staff
• Effective staff performance

Risk Drivers
• Non-compliance with regulations
• Compromised information
• Recruitment of staff not working as intended
• Fraudulent system usage
• Non-responsive IT organisation

Test the Control Design
• Enquire whether and confirm that:
  – Each IT task has been formalised by reviewing documentation and determining whether IT task descriptions are appropriate and updated as required
  – A role has been assigned to IT personnel with corresponding IT tasks. Assess whether personnel understand the role and tasks that have been assigned, and that the tasks are being performed.
  – Accountabilities and responsibilities have been assigned to roles. Verify by inspection of job descriptions, charters, etc., that each role has the necessary accountabilities and responsibilities to execute the role.
  – IT personnel have been informed of their roles. Assess whether changes are communicated to IT personnel and whether the changes are being implemented.
  – Managers periodically confirm the accuracy of the role descriptions. Review role descriptions to determine whether they accurately reflect the roles of team members.
  – Role descriptions outline key goals and objectives and include SMARRT measures
  – SMARRT measures are used in staff performance evaluations
  – All role descriptions in the organisation include responsibilities regarding information systems, internal control and security
  – Management trains staff members regularly on their roles. Interview staff members to determine whether a knowledge of the role has been communicated and understood.
• To determine whether employees are provided with enterprisewide and departmental policies and procedures, review the:
  – Annual policy acknowledgement
  – HR records indicating whether employees were provided with policy documentation during new hire orientation
  – Employee training records

PO4.7 Responsibility for IT Quality Assurance
Assign responsibility for the performance of the quality assurance (QA) function and provide the QA group with appropriate QA systems, controls and communications expertise. Ensure that the organisational placement and the responsibilities and size of the QA group satisfy the requirements of the organisation.

Value Drivers
• Quality assurance as an integral part of IT's responsibilities
• Processes in line with the organisation's quality expectations
• Proactive identification of improvements to IT functionality and business processes
• Proactive identification of quality issues and business risks

Risk Drivers
• Reputational damage
• Undetected quality-related risks that impact the overall business
• Increased costs and time delays due to poor quality control
• Quality assurance not applied consistently or effectively
• Inconsistencies in quality across the organisation
• Reduced business performance

Test the Control Design
• Enquire whether and confirm that the QA function includes:
  – A reporting line such that it can operate with adequate independence and report its findings objectively
  – Monitoring processes to ensure compliance with the organisation's QA-related policies, standards and procedures (e.g., compliance with the organisation's development methodology)
  – Acting as a centre of expertise for the development of QA-related policies (e.g., QA requirements in a systems development life cycle), standards and procedures
  – A process adopted and aligned with QA best practices and standards
  – Staff levels and skills commensurate with the size of the organisation and the QA function's responsibilities. Assess the skills to verify that they include quality assurance, IT, controls, processes and communication.
  – Active support from senior management sponsors
  – A defined and documented process for identifying, escalating and resolving issues identified to the QA process
  – A process to report periodically on its findings and recommendations

PO4.8 Responsibility for Risk, Security and Compliance
Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the enterprise level to deal with organisationwide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.

Value Drivers
• Improved protection and integrity of information assets
• Risk, security and compliance responsibilities embedded at senior management level
• Senior management support in risk, security and compliance issues
• Security mechanisms as effective and efficient countermeasures for the organisation's threats
• Proactive identification and resolution of risk, security and compliance issues

Risk Drivers
• Improper protection of information assets
• Loss of confidential information
• Financial losses
• Lack of management commitment for organisationwide security
• Non-compliance risk
• Unclear understanding of the organisation's IT risk appetite

Test the Control Design
• Enquire whether and confirm that:
  – Senior management has established an organisationwide, adequately staffed risk management and information security function with overall accountability for risk management and information security. Verify by interviewing key personnel that the reporting line of the risk management and information security function is such that it can effectively design, implement and, in conjunction with line management, enforce compliance with the organisation's risk management and information security policies, standards and procedures.
  – Roles and responsibilities for the risk management and information security function have been formalised and documented
  – Responsibilities have been allocated to appropriately skilled and experienced staff members and, in the case of information security, under the direction of an information security officer
  – The resource requirements in relation to risk management and information security have been regularly assessed by management to ensure that appropriate resources are provided to meet the needs of the business
  – A process is in place to obtain senior management guidance concerning the risk profile and acceptance of significant residual risks. Verify that it functions properly by examining recent situations.

PO4.9 Data and System Ownership
Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.

Value Drivers
• Users controlling their data and systems
• Defined accountability for the maintenance of data and system security measures
• Effective and timely information management processes
• Reduced financial losses caused by theft of assets

Risk Drivers
• Improperly secured business data
• Improper protection of information assets
• Requirements for protecting business data not in line with the business requirements
• Inadequate security measures for data and systems
• Business process owners not taking responsibility for data

Test the Control Design
• Enquire whether and confirm that a policy for data classification and system ownership has been developed and communicated.
• Validate that the policy has been applied to major application systems and enterprise architecture and internal and external data communication.
• Verify that the policy for data classification and system ownership supports the protection of information assets, enables efficient delivery and use of business applications, and facilitates effective security decision making.
• Observe the process to register and maintain system ownership and data classification, and assess whether the process is being consistently applied.

PO4.10 Supervision
Implement adequate supervisory practices in the IT function to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review key performance indicators.

Value Drivers
• Effective and efficient execution of IT's roles and responsibilities
• Appropriate controls over IT functions
• Prompt identification of resourcing issues
• Prompt identification of performance issues

Risk Drivers
• Organisation's goals and objectives not met
• Resourcing and performance issues not identified and resolved
• Malfunction of IT and business processes
• Inadequate monitoring of controls and objectives
• Key roles and responsibilities not exercised

Test the Control Design
• Confirm through interviews that supervisory practices have been established, including guidance and training for performance reviews.
• Review records to assess the frequency and extent of supervisory reviews and staff appraisals.
• Assess whether reviews have a sound set of performance expectations and performance criteria.
• Enquire whether and confirm that findings from supervisory reviews and staff appraisals are properly escalated, communicated and followed up.

PO4.11 Segregation of Duties
Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions.

Value Drivers
• Effective and efficient functioning of business-critical systems and processes
• Proper protection of information assets
• Reduced risk of financial loss and reputational damage

Risk Drivers
• Inappropriate subversion of critical processes
• Financial loss and reputational damage
• Malicious or unintentional damages
• Non-compliance with external requirements for segregation of materially significant systems and business processes

Test the Control Design
• Enquire whether and confirm that standards have been established to enforce and ensure appropriate segregation of duties and that these standards are reviewed and changed as needed.
• Assess whether standards have been implemented in assigning roles and responsibilities.
• Enquire whether and confirm that a process exists to identify critical positions and processes that must be subject to segregation of duties.

PO4.12 IT Staffing
Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives.

Value Drivers
• Ability of IT staff to support business needs
• Cost control
• Appropriate size of the IT department
• Appropriate skills in the IT department

Risk Drivers
• IT staff resources unable to meet business needs
• Excessive IT internal and/or external staffing costs
• Under- or overresourced IT department
• Lack of appropriate skills in the IT department

Test the Control Design
• Enquire whether and confirm that available and required IT skills and competencies are regularly reviewed and their impact on IT staffing is analysed, escalated and acted upon, as needed.
• Review major business and operational changes, and assess whether their impact on skills, competencies and staffing requirements are assessed and followed up.
• Assess the sourcing strategies and verify that they support the skill and competency requirements.

PO4.13 Key IT Personnel
Define and identify key IT personnel (e.g., replacements/backup personnel), and minimise reliance on a single individual performing a critical job function.

Value Drivers
• Properly trained key IT personnel
• Reduced dependency on individual key IT personnel
• Knowledge sharing
• Continuity of IT services
• Critical IT roles reliably supported
• Succession planning

Risk Drivers
• Insufficient skills of key IT personnel
• Reliance on single knowledge experts
• Inadequate knowledge sharing or succession planning
• Critical tasks and roles not performed

Test the Control Design
• Enquire whether and confirm that management has formal procedures for considering the staffing coverage for key processes when approving or being notified of absences.
• Assess whether management reviews its dependency on key staff members and has considered contingency actions such as alternative sourcing, documenting key knowledge, training of other staff members, and transferring responsibilities from key staff members to others.

PO4.14 Contracted Staff Policies and Procedures
Ensure that consultants and contract personnel who support the IT function know and comply with the organisation's policies for the protection of the organisation's information assets such that they meet agreed-upon contractual requirements.

Value Drivers
• Contracted staff supporting the needs of the business
• Knowledge sharing and retention within the organisation
• Protection of the information assets
• Control over the contracted personnel's activities

Risk Drivers
• Increased dependence on key (contracted) individuals
• Gaps between expectations and the capability of contracted personnel
• Work performed not aligned with business requirements
• No knowledge capture or skills transfer from contracted personnel
• Inefficient and ineffective use of contracted staff
• Failure of contracted staff to adhere to organisational policies for the protection of information assets
• Litigation costs from disagreements over expectations for responsibility and accountability

Test the Control Design
• Inspect the policies and procedures describing when, how and what type of work can be outsourced, and determine whether they are being implemented.
• Inspect the policies and procedures for information security responsibilities of contractors, and assess through enquiry whether they are being followed (e.g., background checks are conducted, physical and logical access control requirements are followed, personal identification is secure, and contractors are advised that management reserves the right to monitor and inspect all usage of IT resources, including e-mail, voice communications, and all programs and data files).
• Review the policies and procedures for selecting a contractor, and assess whether they are being implemented.

PO4.15 Relationships
Establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.

Value Drivers
• Efficient identification and resolution of issues
• Alignment of goals and approaches with business objectives and methodologies
• Positive involvement of stakeholders
• Clearly defined ownership and accountability for relationship management

Risk Drivers
• Extended gaps between the identification and resolution of issues
• Inadequate identification of improvements
• Gaps between business objectives and IT policies, guidelines and methodologies

Test the Control Design
• Enquire whether and confirm that a process for identifying stakeholders has been defined and that a communications channel and communication plan have been established for each.
• Verify through interviews with key stakeholders their satisfaction with IT's communications, the effectiveness of IT's communications and the adequacy with which feedback from stakeholders is being dealt.

Take the following steps to test the outcome of the control objectives:
• Review the IT process framework and determine if it supports the IT strategic plan and integrates with the business process, IT processes and enterprise portfolio management.
• Enquire through interviews whether this framework is being communicated, executed and understood by business and IT.
• Enquire whether and confirm that the IT process framework has been integrated with the quality management system and internal control framework.
• Enquire whether and confirm that the scope, membership, responsibilities, etc., of the IT strategy committee are defined, that the committee is composed of board and non-board members, and that each has appropriate expertise. • Confirm through interviews, meeting minutes and reports to the board of directors that the IT strategy committee reports to the board on governance and IT strategic issues. • Enquire whether and confirm that senior IT management understands which processes are used to monitor, measure and report on IT function performance. • Confirm the existence of an IT steering committee with representation from the executive level, key business operations areas, IT and key business support areas. • Enquire whether and confirm that formal documentation of the role and authority of the IT steering committee includes key sponsorship at the executive level. • Inspect documents such as meeting minutes and an IT steering committee charter to identify the participants involved in the committee, their respective job functions and the reporting relationship of the committee to executive management. • Enquire whether and confirm that IT is headed by a CIO or similar function and the reporting line is commensurate with the importance of IT. • Confirm through interviews and organisational chart reviews that no individual user groups/departments can exert undue influence over the IT function (e.g., reporting relationship of the IT function and its independence from a single business unit or department, and identifying how projects are funded). • Confirm through interviews and documentation reviews that the IT function is adequately resourced and funded to support the business function (e.g., review the business case, IT strategy and IT tactical plan for resource requirements). • Enquire whether and confirm that periodic reviews of the IT organisational structure occur, with the aim of ensuring that they reflect business needs. 
• Confirm with the head of IT administration that access to external resources is available as needed. • Confirm through interviews with IT personnel that a role has been assigned to each with corresponding IT tasks (e.g., assess whether personnel understand the role and tasks that have been assigned and the tasks are being performed). • Enquire whether and confirm that responsibilities have been assigned to roles (e.g., verify that each role has the necessary responsibilities to execute the role). • Enquire whether and confirm that role descriptions have been created, and delineate authority and responsibilities. • Enquire whether and confirm that a QA function exists. • Determine the role of the QA functions (e.g., monitoring processes to ensure compliance with the organisation’s QA-related policies, standards and procedures; and acting as a centre of expertise for the development of QA-related policies, standards and procedures). • Enquire whether and confirm that the QA function is adequately staffed with the appropriate skills. • Enquire whether and confirm that members of senior management have established risk management and information security functions that are accountable for the respective areas. • Enquire whether and confirm that the reporting line of the risk management and security function allows it to effectively design, implement and, in conjunction with line management, enforce compliance with the organisation’s policies and procedures. • Enquire whether and confirm that a process is in place to obtain senior management guidance on the acceptable level of risk associated with IT. • Enquire whether and confirm that roles and responsibilities for the risk management and information security function have been formalised and documented and that responsibilities have been appropriately allocated. Review the documentation and determine whether roles and responsibilities are being fulfiled as outlined. 
• Enquire whether and confirm that resource requirements are assessed regularly and are provided as needed. Assess whether the staffing levels are appropriate based on the the results of the resource requirement assessments. • Confirm through interview and documentation reviews that an inventory of information assets has been created, tracked and maintained. • Confirm through interviews that supervisors have the required skill set to perform supervisory functions (e.g., tracking of critical tasks, key performance indicators, staff performance appraisals and risk assessment). • Review the escalation procedure and verify that it has been implemented and is being applied consistently (e.g., issues are recorded, tracked and analysed periodically). • Enquire whether and confirm during periodic employee reviews that supervisory skills are assessed and required actions are taken to ensure competency. • Enquire whether and confirm that there is a process to identify conflicting functions. • Enquire whether and confirm that conflicting functions have been remediated. • Enquire whether and confirm that procedures address how appropriate segregation is maintained during periods when typical personnel are unavailable. 77© 2007 IT Governance Institute. All rights reserved. www.itgi.org APPENDIX II • Enquire whether segregation of duties is reviewed when job roles and responsibilities are created or updated and whether responsibilities are reassigned where necessary. Determine whether the changes are implemented (e.g., job descriptions clearly delineateauthority and responsibility). • Enquire whether and confirm that compensating controls have been designed and implemented as necessary (e.g., confirm with senior IT management or supervisors on the effectiveness of the compensating controls). Enquire whether and confirm that management periodically reviews staffing requirements in consideration of business/IT environment and strategy, and identifies skills and resource gaps. 
• Enquire whether and confirm that management is evaluating sourcing strategies (e.g., business/IT staff co-location, cross- functional training and job rotation) in conjunction with reviewing staffing requirements. • Enquire whether and confirm that management periodically identifies key processes, skills required to support the processes and key areas that lack job redundancy (e.g., determine the availability of individuals with relevant skills, experience and knowledge to fulfil the critical roles, and inspect documentation that lists the key processes and the designated individuals who support them). • Enquire whether and confirm that management has considered outsourcing or other support arrangements to provide job redundancy for key processes (e.g., inspect available contracts with third parties to identify the existence of outsourcing provisions). • Confirm the existence and maintenance of key contact lists and their availability to the appropriate personnel in a timely manner. Confirm that backup personnel are cross-trained. • Enquire whether and confirm that the policies, procedures, rules and responsibilities are being communicated to the contractor and that the contractor understands that management reserves the right to monitor and inspect all usage of IT resources. • Enquire whether and confirm that an appropriate individual has responsibility for reviewing the contractor’s work and approval of payments. • Enquire whether and confirm that IT management has defined the key stakeholders and relationships and that roles and responsibilities are communicated with stakeholders (e.g., users, suppliers, security officers, risk managers, regulators). • Confirm with management that appropriately skilled IT personnel are assigned to manage the relationship (e.g., inspect documents that list the IT contact for each key stakeholder). 
• Enquire whether and confirm that feedback is obtained from the key stakeholders (e.g., issues, action items, reports), and assess whether the feedback is being properly used to drive continuous improvement.

Take the following steps to document the impact of the control weaknesses:
• Assess the risk (e.g., threats, potential vulnerabilities, security, internal controls) that a road map to achieve the strategic goals will not be established.
• Assess the risk and additional cost due to IT not being organised optimally to achieve strategic goals.
• Assess the risk (e.g., threats, potential vulnerabilities, security, internal controls) that an IT strategic plan may not be effectively executed.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) of overreliance on key IT personnel.
• Assess the additional cost of staffing requirements and sourcing strategies not being adjusted to meet expected business objectives and changing circumstances.
• Assess the additional cost of personnel performing unauthorised duties relevant to their respective jobs and positions.
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that uncontrolled activities of external personnel may compromise the organisation’s information assets.

PO5 Manage the IT Investment

A framework is established and maintained to manage IT-enabled investment programmes and that encompasses cost, benefits, prioritisation within budget, a formal budgeting process and management against the budget. Stakeholders are consulted to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and initiate corrective action where needed.
The process fosters partnership between IT and business stakeholders; enables the effective and efficient use of IT resources; and provides transparency and accountability into the total cost of ownership, the realisation of business benefits and the ROI of IT-enabled investments.

PO5.1 Financial Management Framework

Control Objective
Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.

Value Drivers
• Insight into the value of IT’s contribution to the business, by using standardised investment criteria
• IT priorities based on IT value contribution
• Clear and agreed-upon budgets
• Improved ability to assign priorities based on business cases

Risk Drivers
• Unclear priorities for IT projects
• Inefficient process for financial management
• IT budget not reflecting business needs
• Weak control over IT budgets
• Failure of senior management to approve the IT budgets
• Lack of senior management support

Test the Control Design
• Verify that a financial management framework exists, including processes and responsibilities, as a basis for cost, benefit and budget management. Enquire whether and confirm that inputs and outputs of the financial framework have been defined and that management makes regular improvements to the framework based on available financial information.
• Verify that a portfolio of investment programmes, services and assets has been created and maintained. Perform a high-level review of the portfolio to check for completeness and alignment with the strategic and tactical IT plans.
• Enquire whether and confirm that a process exists to communicate relevant cost and benefit aspects of the portfolio to the appropriate budget prioritisation (business cases), cost management and benefit management processes.
• Confirm that the communicated cost and benefit inputs are comparable and consistent.
• Verify that the created IT budget includes projects, assets and services.

PO5.2 Prioritisation Within IT Budget

Control Objective
Implement a decision-making process to prioritise the allocation of IT resources for operations, projects and maintenance to maximise IT’s contribution to optimising the return on the enterprise’s portfolio of IT-enabled investment programmes and other IT services and assets.

Value Drivers
• Priorities that reflect IT goals and requirements of the business and are transparent to all stakeholders
• Focused use of resources
• Appropriate decision making, balancing cost, continuous improvement, quality and readiness for the future

Risk Drivers
• Inefficient resource management
• Inability to optimise goals and objectives
• Confusion, demotivation and loss of agility due to unclear priorities
• IT budget not in line with the IT strategy and investment decisions

Test the Control Design
• Enquire whether and confirm that a process and decision-making committee for the prioritisation of IT initiatives and resources has been created. Verify that the committee’s responsibilities have been defined in relation to other committees.
• Enquire whether and confirm that all IT initiatives are prioritised within portfolios based on business cases and strategic and tactical plans.
• Review the allocated budgets and cut-offs for consistency and accuracy.
• Verify through inspection of meeting minutes whether the prioritisation decisions have been communicated, and enquire through interviews whether the decisions are reviewed by the budget stakeholder.
• Enquire whether and confirm that a process exists to identify, communicate and resolve significant budget decisions that impact the business case, portfolio or strategic plans.
• Verify that the IT strategy committee and executive committee have ratified changes to the overall IT budget for items that negatively impact the entity’s strategic or tactical plans and have suggested actions to resolve these impacts.
PO5.3 IT Budgeting

Control Objective
Establish and implement practices to prepare a budget reflecting the priorities established by the enterprise’s portfolio of IT-enabled investment programmes, and including the ongoing costs of operating and maintaining the current infrastructure. The practices should support development of an overall IT budget as well as development of budgets for individual programmes, with specific emphasis on the IT components of those programmes. The practices should allow for ongoing review, refinement and approval of the overall budget and the budgets for individual programmes.

Value Drivers
• An effective decision-making process for budget forecasting and allocation
• Formally defined spectrum of funding options for IT operations
• Identified and classified IT costs
• Clear accountability for spending

Risk Drivers
• Resource conflicts
• Inappropriate allocation of financial resources of IT operations
• Financial resources not aligned with the organisation’s goals
• Lack of empowerment, leading to loss of agility
• Lack of senior management support for the IT budget

Test the Control Design
• Enquire whether and confirm that a methodology has been implemented to establish, change, approve and communicate a formal IT budget.
• Review the IT budget to verify whether relevant elements (e.g., authorised sources of funding, internal resource costs, third-party costs, capital and operational expenses) are taken into account when creating the budget.
• Enquire whether and confirm that budget contingencies have been identified and a rationale for these contingencies has been approved.
• Verify that the effectiveness of the budgeting process is monitored (cost allocation, service cost allocation and budget variance analysis), and review reports to verify that lessons learned are recorded to make future budgeting more accurate and reliable.
• Enquire whether and confirm that the people involved in the budgeting process (e.g., process, service and programme owners, asset managers) are properly instructed.
• Enquire whether and confirm that there is an approved and consistent budget creation process (e.g., review the budget plans, make decisions about budget allocations, and compile and communicate the overall IT budgets, project cost allocation, service cost allocation and budget variance analysis).

PO5.4 Cost Management

Control Objective
Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations on programmes should be assessed. Together with the business sponsor of those programmes, appropriate remedial action should be taken and, if necessary, the programme business case should be updated.

Value Drivers
• Accurate and timely identification of budget variances
• Maximised and cost-efficient utilisation of IT resources
• Consistently priced service delivery
• Transparent IT value contribution
• Business understanding of actual cost and benefit of IT

Risk Drivers
• Misspending of IT investments
• Inappropriate service pricing
• IT value contribution not transparent

Test the Control Design
• Enquire whether and confirm that a framework has been defined to manage IT-related costs and that IT expenditure categories are comprehensive, appropriate and properly classified.
• Confirm that there is appropriate independence between individuals who capture, analyse and report financial information, and the IT budget holders.
• Review established timescales to determine whether they are aligned with budgeting and accounting requirements and, within IT projects, whether they are structured according to the deliverables timetable.
• Enquire whether and confirm that a method has been defined that collects data to identify specified deviations.
• Verify that systems from which data are collected have been identified.
• Determine whether the information provided by the systems is complete, accurate and consistent.
• Determine how cost-related information is consolidated, how it is presented at various levels in the organisation and to stakeholders, and whether it helps enable the timely identification of required corrective actions.

PO5.5 Benefit Management

Control Objective
Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT’s contribution to the business, either as a component of IT-enabled investment programmes or as part of regular operational support, should be identified and documented in a business case, agreed to, monitored and reported. Reports should be reviewed and, where there are opportunities to improve IT’s contribution, appropriate actions should be defined and taken. Where changes in IT’s contribution impact the programme, or where changes to other related projects impact the programme, the programme business case should be updated.

Value Drivers
• Accurate identification of benefit variances during and after implementation
• Accurate information for portfolio decisions, i.e., continue, adjust or retire programmes
• Properly priced service delivery
• Transparency of IT’s contribution to the business
• Business understanding of actual cost and benefit of IT

Risk Drivers
• Misspending of IT investments
• Inappropriate service pricing
• IT value contribution not transparent
• Incorrect perception of IT value contribution

Test the Control Design
• Enquire whether and confirm that the cost management process provides sufficient information to identify, quantify and qualify benefits of delivering IT solutions, providing IT services and managing IT assets.
• Enquire whether and confirm that the allocation of benefits across time allows for meaningful analysis of benefits.
• Review the process for developing metrics for measuring benefits (e.g., obtaining guidance from external experts, industry leaders and comparative benchmarking data).
• Enquire whether and confirm that there is a remediation process for identified benefit deviations.

Take the following steps to test the outcome of the control objectives:
• Enquire whether and confirm that a financial management framework, processes and responsibilities have been defined and maintained to enable fair, transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of IT-enabled business programmes.
• Assess whether the financial management framework provides information to enable effective and efficient IT investment and portfolio decisions, enables estimation of IT costs and benefits, and provides input into the maintenance of IT asset and services portfolios. Determine whether the financial management framework and processes provide sufficient financial information to assist in the development of business cases and facilitate the budget process.
• Verify that investments, IT assets and services are being taken into account in preparing IT budgets.
• Enquire whether and confirm that the current IT budget is tracked against actual costs and that variations are analysed.
• Enquire whether and confirm that information provided by the budgeting process is sufficient to track project costs and assist in the allocation of IT resources.
• Enquire whether and confirm that an effective decision-making process is implemented to prioritise all IT initiatives and allocate budgets accordingly.
• Enquire whether and confirm that a methodology has been implemented to establish, maintain and communicate for change and approval of a formal IT budget.
• Enquire whether and confirm that process, service and programme owners as well as project and asset managers have been instructed in how to capture budget requirements and plan budgets.
• Confirm that there is a budgeting process and that this process is reviewed/improved on a periodic basis.
• Review the cost management framework and verify that it defines all IT-related costs. Verify that the tools used to monitor costs are effective and used properly (i.e., how costs are allocated across budgets and projects, how costs are captured and analysed, and to whom and how they are reported).
• Enquire whether and confirm that the allocation of the budget across time is aligned with IT projects and support activities to allow for meaningful analysis of budget variances.
• Enquire whether and confirm that IT financial management members have been instructed in how to capture, consolidate and report the cost data.
• Enquire whether and confirm that the appropriate level of management reviews the results of cost analysis and approves corrective actions.
• Enquire whether and confirm that responsibility and accountability for achieving benefits as recorded in the business case have been assigned.
• Enquire whether and confirm that the metrics for monitoring IT’s and the business’s contribution to the business case are collected, reported and analysed at regular intervals.
• Enquire whether and confirm that the identified budget deviations are approved by business and IT management.

Take the following steps to document the impact of the control weaknesses:
• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that:
– Input into business cases may not take into account current IT asset and service portfolios
– New investment and maintenance may not influence the future IT budget
– Cost/benefit aspects of projects may not be communicated to the budget prioritisation, cost management and benefit management processes
– The allocation of IT resources may not be prioritised as a result of IT’s contribution to optimising ROI
– Ongoing review, refinement and approval of the overall budget and the budgets for individual programmes may not occur
– Cost deviations may not be identified in a timely manner and the impact of those deviations may not be assessed
– Opportunities to improve IT’s contribution to business solutions may not be considered
– Not all benefits may be identified in a cost-benefits analysis, resulting in poor prioritisation of projects and projects that could have been considered may be rejected

PO6 Communicate Management Aims and Direction

Management develops an enterprise IT control framework and defines and communicates policies. An ongoing communication programme is implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management. The communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives and direction. The process ensures compliance with relevant laws and regulations.

PO6.1 IT Policy and Control Environment

Control Objective
Define the elements of a control environment for IT, aligned with the enterprise’s management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accountability and responsibility. The control environment should be based on a culture that supports value delivery whilst managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.

Value Drivers
• Comprehensive IT control environment
• Comprehensive set of IT policies
• Increased awareness of the organisation’s mission
• Proper use of applications and IT services

Risk Drivers
• Miscommunications about organisational mission
• Management’s philosophy misinterpreted
• Actions not aligned with the organisation’s business objectives
• No transparent IT control environment
• Compliance and security issues

Test the Control Design
• Enquire whether and confirm the existence of formal ‘tone at the top’ communication (e.g., CIO newsletter or intranet page, periodic e-mails, IT vision or guiding principles) designed to define and manage the IT risk and control environment and ensure that it aligns with the organisation’s general risk and control environment.
• Determine whether accountability and responsibility have been assigned to individuals for establishing and reinforcing the communications of the control culture.
• Confirm the existence of policies and practices to support the control environment (e.g., acceptable use policies, background checks).
• Inspect for evidence of periodic awareness training on these policies and practices.
• Determine if a process exists to periodically (at least annually) reassess the adequacy of the control environment and risk appetite to ensure that it is aligned with the organisation’s changing environment.
• Enquire whether and confirm that HR policies (e.g., background checks on job applicants, awareness training for new hires, signed code of conduct documentation, appropriate consequences for unethical behaviour) support the IT control environment.
PO6.2 Enterprise IT Risk and Control Framework

Control Objective
Develop and maintain a framework that defines the enterprise’s overall approach to IT risk and control and that aligns with the IT policy and control environment and the enterprise risk and control framework.

Value Drivers
• Comprehensive IT control and risk framework
• IT risk and control awareness and understanding
• Reduction of negative business impact when planned and unplanned issues occur

Risk Drivers
• Sensitive corporate information disclosed
• Irregularities not identified
• Financial losses
• Compliance and security issues

Test the Control Design
• Enquire whether and confirm that a formal IT risk and control framework exists based on acknowledged industry standards/leading practices (e.g., COSO, COSO-ERM, COBIT).
• Assess whether the IT risk and control framework is aligned with the organisation’s enterprise risk and control framework and considers the enterprise risk tolerance level.
• Enquire whether and confirm that the IT risk and control framework specifies its scope and purpose and outlines management’s expectations of what needs to be controlled.
• Enquire whether and confirm that the structure of the IT risk and control framework is well defined and responsibilities have been clearly stated and assigned to appropriate individuals.
• Enquire whether and confirm that a process is in place to periodically review (preferably annually) the IT risk and control framework to maintain its adequacy and relevancy.

PO6.3 IT Policies Management

Control Objective
Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly.

Value Drivers
• Appropriate policies and procedures for the organisation
• Quality within the organisation
• Proper use of applications and IT services
• Transparency and understanding of IT costs, benefits, strategy and security levels

Risk Drivers
• Greater number and impact of security breaches
• Unaccepted or unknown policies
• Misunderstanding of management’s aims and directions
• Out-of-date or incomplete policies
• Poor organisational security culture
• Lack of transparency

Test the Control Design
• Enquire whether and confirm that a hierarchical set of policies, standards and procedures have been created and align with the IT strategy and control environment.
• Enquire whether and confirm that specific policies exist on relevant key topics, such as quality, security, confidentiality, internal controls, ethics and intellectual property rights.
• Enquire whether and confirm that a policy update process has been defined that requires, at minimum, annual reviews.
• Enquire whether and confirm that procedures are in place to track compliance and define consequences of non-compliance.
• Enquire whether and confirm that accountability has been defined and documented for formulating, developing, documenting, ratifying, disseminating and controlling policies to ensure that all elements of the policy management process have been assigned to accountable individuals.

PO6.4 Policy, Standard and Procedures Rollout

Control Objective
Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.

Value Drivers
• Appropriate protection of the organisation’s assets
• Decisions aligned with the organisation’s business objectives
• Efficient management of the organisation’s assets
• Proper use of IT resources and IT services

Risk Drivers
• Organisation’s policies, standards and procedures unknown or not accepted
• Lack of communication of management’s aims and directions
• Control culture not aligned with management’s aims
• Policies misunderstood or not accepted
• Business risk of policies and procedures not followed

Test the Control Design
• Enquire whether and confirm that a process is in place to translate IT policies and standards into operational procedures.
• Enquire whether and confirm that employment contracts and incentive mechanisms are aligned with policies.
• Enquire whether and confirm that a process is in place to require users to explicitly acknowledge that they received, understand and accept relevant IT policies, standards and procedures. The acknowledgement should be periodically refreshed (e.g., biannually).
• Enquire whether sufficient and skilled resources are available to support policy rollout.

PO6.5 Communication of IT Objectives and Direction

Control Objective
Communicate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise.

Value Drivers
• Clearly communicated management philosophy
• Increased awareness of the organisation’s mission
• Awareness and understanding of risks, security, objectives, etc., within the organisation
• Decisions aligned with the organisation’s business objectives

Risk Drivers
• IT objectives not achieved
• Poor acceptance or understanding of the organisational policy
• Business threats not identified in a timely manner
• Lack of understanding of management’s aims and directions
• Lack of confidence and trust in IT’s mission
• Breakdown in control and security culture

Test the Control Design
• Enquire whether and confirm that there are management processes to regularly communicate IT objectives and direction.
• Verify with a representative sample of staff members at different levels that IT objectives have been clearly communicated and understood.
• Review past communications and verify that they cover the mission, service objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, etc.

Take the following steps to test the outcome of the control objectives:
• Assess the frequency, format and content of the communication of the ‘tone at the top’ messages to determine if it will effectively define and reinforce the control culture, risk appetite, ethical values, code of conduct and requirements of management integrity.
• Inspect for evidence of periodic awareness training on policies and practices that are relevant to support the control environment (e.g., annual code of conduct or ethics training, periodic acknowledgement of acceptable use policies). Assess employees’ understanding of IT management’s philosophy and risk appetite to determine the extent to which it is aligned with management. Assess through inquiry and observation whether there is a general understanding of key risks and regulatory requirements that affect the IT control environment, or a general understanding of the importance of adhering to IT policies and procedures.
• Determine whether there is an IT risk and control framework that defines the enterprise’s overall approach to IT risk and control and that aligns the IT policy and control environment to the enterprise risk and control framework. • Determine whether the responsibilities associated with implementing and maintaining the IT risk and control framework are being adequately carried out by qualified individuals. Inspect defined risks and controls to determine their adequacy in controlling the confidentiality, integrity and availability of information systems and networks. • Review IT policies to determine the frequency of updates and whether a re-evaluation has occurred at least annually. Make necessary adjustments and amendments, and determine whether updated IT policies are appropriately communicated across the enterprise. • Confirm through interviews that resources have been allocated to those who perform appropriate roles and responsibilities for formulating, developing, documenting, ratifying, disseminating and controlling IT policies. • Verify that sufficient and skilled resources have been allocated to support the rollout process, including monitoring and enforcing compliance. Examine and verify through interviews that operational procedures that support the IT policies and standards have been communicated, understood and accepted by appropriate staff. • Inspect documentation of acknowledgement and acceptance of IT policies for a sample of employees to determine that it is being consistently administered and periodically refreshed. • Inspect evidence to ensure that communication takes place to articulate IT objectives and direction and that management support is visible. • Enquire whether and confirm that the communication process has the necessary resources and skills for effective communication. 
Take the following steps to document the impact of the control weaknesses:
• Determine whether lack of appropriate IT policy management has resulted in lack of adequate control over IT resources and lack of achievement of business objectives.
• Determine whether lack of adequate communication, monitoring, and enforcement of IT policies and standards has resulted in a lack of compliance with those standards and the associated non-achievement of business goals.
• Determine whether lack of awareness of IT objectives and direction has resulted in the lack of achievement of business goals.

PO7 Manage IT Human Resources
A competent workforce is acquired and maintained for the creation and delivery of IT services to the business. This is achieved by following defined and agreed-upon practices supporting recruiting, training, evaluating performance, promoting and terminating. This process is critical, as people are important assets, and governance and the internal control environment are heavily dependent on the motivation and competence of personnel.

Test the Control Design
• Enquire whether and confirm that an IT HR management plan exists that reflects the definition of skill requirements and preferred professional qualifications to meet tactical and strategic IT needs of the organisation. The plan should be updated at least annually and should include specific recruitment and retention action plans to address current and future requirements.
It should also include, as applicable, a policy requiring staff to take uninterrupted holidays, which also serves as a detective control, since irregular activity that depends on one individual's continuous presence tends to surface while that person is away.
• Enquire whether and confirm that a documented process for the recruitment and retention of IT personnel is in place and reflects the needs identified in the IT HR plan.
• Confirm that HR professionals regularly review and approve the IT recruitment and retention process to ensure alignment with organisational policies.

Test the Control Design
• Inspect a sample of job descriptions for a complete and appropriate description of required skills, competencies and qualifications.
• Verify that processes exist and are conducted on a regular basis to review and refresh job descriptions.
• Enquire whether and confirm that management has identified skill needs, including appropriate education, cross-training and certification requirements to address specific requirements of the organisation.

PO7.1 Personnel Recruitment and Retention
Maintain IT personnel recruitment processes in line with the overall organisation's personnel policies and procedures (e.g., hiring, positive work environment, orienting). Implement processes to ensure that the organisation has an appropriately deployed IT workforce with the skills necessary to achieve organisational goals.
Value Drivers
• IT skills optimised and aligned with organisational goals
• Improved recruitment and retention of the right IT skills to support future business requirements

Risk Drivers
• IT services for business-critical processes not supported adequately
• Ineffective IT solutions
• Lack of appropriate IT skills due to IT human resources management not being in line with market conditions

PO7.2 Personnel Competencies
Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience. Define core IT competency requirements and verify that they are being maintained, using qualification and certification programmes where appropriate.

Value Drivers
• Appropriately qualified and experienced staff for specific job responsibilities
• Improved personal career development, contribution and job satisfaction
• Continuous development of skills in line with business needs

Risk Drivers
• IT staff not skilled as required for business-critical requirements
• IT staff dissatisfied with career progression
• More incidents and errors with greater impact

Test the Control Design
• Inspect a sample of role descriptions to ensure inclusion of an adequate definition of responsibilities, competencies, and sensitive security and compliance requirements.
• Inspect a sample of acknowledgements for acceptance of role descriptions and responsibilities for IT personnel.
• Review terms and conditions of employment for existence of non-disclosure, intellectual property rights, responsibility for information security, internal control, applicable laws and requirements. These should align with the organisation's requirements for non-disclosure of confidential information.
• Inspect the sample of job descriptions for high-risk positions to determine whether the span of control and required supervision is appropriate for each role.

PO7.3 Staffing of Roles
Define, monitor and supervise roles, responsibilities and compensation frameworks for personnel, including the requirement to adhere to management policies and procedures, the code of ethics, and professional practices. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.

Value Drivers
• Communication of and adherence to organisation policies, practices and ethics
• Clear accountability and responsibility for key functions
• Improved alignment of staff contribution to business goals

Risk Drivers
• Incorrect actions and decisions based on unclear direction setting
• Increased errors and incidents caused by lack of supervision
• Staff dissatisfaction through poor management and oversight

PO7 Manage IT Human Resources (cont.)

Test the Control Design
• Walk through the training effectiveness measurement process to confirm that the critical training and awareness requirements are included.
• Inspect training programme content for completeness and appropriateness. Inspect delivery mechanisms to determine whether the information is delivered to all users of IT resources, including consultants, contractors, temporary staff members and, where applicable, customers and suppliers.
• Inspect training programme content to determine if all internal control frameworks and security requirements are included based on the organisation's security policies and internal controls (e.g., impact of non-adherence to security requirements, appropriate use of company resources and facilities, incident handling, employee responsibility for information security).
• Enquire whether and confirm that training materials and programmes have been reviewed regularly for adequacy.
• Inspect the policy for determining training requirements. Confirm that the training requirements policy ensures that the organisation's critical requirements are reflected in training and awareness programmes.

PO7.4 Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organisational goals.
Value Drivers
• Enhanced personal contribution and performance toward organisational success
• Effective and efficient delivery of each employee's role
• Support of technical and management development, increasing personnel retention
• Increase in employees' value to the enterprise

Risk Drivers
• Insufficient security awareness, causing errors or incidents
• Knowledge gaps regarding products, services and practices
• Insufficient skills, leading to service degradation and increased errors and incidents

Test the Control Design
• Inspect documentation on key role personnel for reliance on single individuals for critical processes within the IT organisation.
• Enquire whether training programmes incorporate techniques to mitigate the risk of overdependence on key resources. Programmes should include cross-training, documentation of key tasks, job rotation, knowledge sharing and succession planning for critical roles within the organisation.

Test the Control Design
• Inspect selection criteria for performance of security clearance background checks.
• Review for appropriate definition of critical roles, for which security clearance checks are required. This should apply to employees, contractors and vendors.
• Enquire whether and confirm that hiring processes include clearance background checks.
Inspect hiring documentation for a representative sample of IT staff members to evaluate whether background checks have been completed and evaluated.

PO7.5 Dependence Upon Individuals
Minimise the exposure to critical dependency on key individuals through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.

Value Drivers
• Adequately supported critical IT activities that continually meet objectives
• Contingency in place for non-availability of key personnel
• Reduced risk of incidents by internal IT staff

Risk Drivers
• Increased number and impact of incidents caused by unavailability of essential skills to perform a critical role
• Staff dissatisfaction due to lack of succession planning and job advancement opportunities
• Inability to perform critical IT activities

PO7 Manage IT Human Resources (cont.)

PO7.6 Personnel Clearance Procedures
Include background checks in the IT recruitment process. The extent and frequency of periodic reviews of these checks should depend on the sensitivity and/or criticality of the function and should be applied for employees, contractors and vendors.
Value Drivers
• Recruitment of appropriate personnel
• Proactive prevention of information disclosure and confidentiality standards

Risk Drivers
• Increased risk of threats occurring from within the IT organisation
• Disclosure of customer or corporate information and increased exposure of corporate assets

Test the Control Design
• Inspect a representative sample of employee job performance evaluations to determine whether criteria for goal setting include SMARRT objectives. These should reflect the core competencies, company values and skills required for each role. Walk through the job performance evaluation process to determine whether policies and procedures for the use and storage of personal information are clear and comply with the applicable legislation.
• Inspect the remuneration/recognition process to determine if it is in line with performance goals and organisational policy.
• Inspect performance improvement plans to determine alignment with organisational policies and consistent application throughout the IT organisation. Performance improvement plans should include specifically defined goals, timelines for completion and an appropriate level of disciplinary action if improvements are not achieved.
Test the Control Design
• Enquire and inspect whether exit procedures for voluntary termination of employment are documented and contain all required elements, such as necessary knowledge transfer, timely securing of logical and physical access, return of the organisation's assets, and conducting of exit interviews.
• Enquire whether job change procedures are documented and contain all required elements to minimise disruption of business processes. Examples include the need for job mentoring, job hand-over steps and preparatory formal training. Inspect job change procedures to determine if the procedures are consistently followed.
• Acquire through HR a list of terminated/transferred users (for the past six months to one year).

PO7.7 Employee Job Performance Evaluation
Require a timely evaluation to be performed on a regular basis against individual objectives derived from the organisation's goals, established standards and specific job responsibilities. Employees should receive coaching on performance and conduct whenever appropriate.
Value Drivers
• Improved individual and collective performance and contribution to organisational goals
• Improved staff satisfaction
• Improved management performance from staff feedback and review processes
• Effective use of IT staff

Risk Drivers
• Inability to identify inefficient operations
• Ineffective training programme
• Dissatisfied and disgruntled staff, leading to retention problems and possible incidents
• Loss of competent staff members and related corporate knowledge

PO7 Manage IT Human Resources (cont.)

PO7.8 Job Change and Termination
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.

Value Drivers
• Efficient and effective continuation of business-critical operations
• Improved staff retention
• A more secure information environment through timely and appropriate restriction of access

Risk Drivers
• Unauthorised access when employees are terminated
• Lack of smooth continuation of business-critical operations

Take the following steps to test the outcome of the control objectives:
• Inspect the IT human resource plan to verify that the IT needs of the organisation are defined.
The IT human resource plan should be based on organisational objectives and include strategic initiatives, applicable regulatory requirements and the associated IT skills required. • Ensure that current and future needs are assessed against currently available skills and that gaps are translated into action plans. • Inspect the IT HR management plan and determine whether it addresses retention practices within the IT organisation, including the identification of critical and scarce skills, consideration of personal evaluations, compensation and incentives, development plans, and individual training needs. • Verify that job descriptions are periodically reviewed and that job descriptions include the skill set competencies and qualifications of current personnel. Compare the skill sets of current employees to job description requirements. Inspect professional development plans from a sample of employees to determine the adequacy of career planning. Development plans should include encouragement of competency development, opportunities for personal advancement and measures to reduce dependence on key individuals. • Review job descriptions to ensure that each is current and relevant. Also review the employee handbook and third-party agreements to confirm that the obligations of employees and third-party personnel are clearly stated and appropriate for the given role. Inspect for employee acknowledgement of conditions for employment, including responsibility for information security, internal control, regulatory compliance, protection of intellectual property and non-disclosure of confidential information. Observe whether the amount of supervision applied to high-risk roles is appropriate. Review procedures governing the activities of high-risk roles to determine if supervisory approval is required and has been performed for critical decisions.
• Determine whether appropriate benchmarking of human resource management activities has been performed against similar organisations, appropriate international standards or industry best practices on a periodic basis. Confirm that the level of supervision is appropriate for the sensitivity of the position and responsibilities assigned. • Inspect automated controls that track changes to privileged user permissions, and confirm that the resulting change records are retained somewhere the privileged users themselves cannot alter or delete them. • Verify that the personnel training process is being delivered to all new users prior to granting access and is redelivered on an annual basis. Inspect the personnel training programme content for completeness and appropriateness (such as education on the organisation's requirements for internal control and ethical conduct). • Inspect delivery mechanisms to determine if information is delivered to all users of IT resources, including consultants, contractors and temporary staff members. Where applicable, it should include customers and suppliers as well. • Verify that the personnel training programme includes certification and recertification processes for appropriate roles. • Enquire whether and confirm that training materials and programmes have been reviewed regularly for adequacy and cover all necessary skills. • Confirm that a process exists to measure the completion and effectiveness of critical employee training and awareness programmes and requirements. • Review documented strategies for the reduction of dependence on single individuals in critical roles. Verify the inclusion of segregation of duties. Inspect the process to identify roles suitable for rotation, and confirm that rotation is occurring. Enquire of employees to determine whether knowledge sharing is occurring. • Inspect the compiled performance evaluation information to assess whether it was compiled completely and accurately. Validate that the information is used in an appropriate manner.
Enquire of employees whether management provides appropriate feedback regarding performance during, and following, the performance evaluation. Determine that performance is evaluated against the individual's goals and performance criteria established for the position. Determine if the performance evaluation process is applied consistently and is in line with performance goals and organisational policies. • Inspect exit procedures and processes for evidence of consistent application throughout the organisation. • Review the appropriateness of access rights (logical and physical access) related to job changes. Determine the effects on segregation of duties and compensating controls if old access permissions are retained during a period of transition. • Verify that user accounts have been disabled for terminated users and that appropriate access has been applied for transferred users. Cover every identity store the individual had access to, including any privileged, shared or service accounts they held, and confirm that physical access credentials were returned or revoked. Take the following steps to document the impact of the control weaknesses: • Assess the organisation's dependency on key individuals to ensure that loss of capability and historical knowledge is not realised. • Assess whether appropriate monitoring and supervision exist to ensure adherence to management policies and procedures, code of ethics, professional practices, terms and conditions of employment, internal controls, information security policy and procedures, and compliance with regulatory requirements. • Assess the level of awareness of security requirements to ensure compliance with regulatory requirements, protection of intellectual property, organisational reputation and strategic position. • Determine the adequacy of personnel training programmes to ensure the organisation's ability to attract and retain qualified personnel. • Assess dependence on key individuals and the IT organisation's ability to provide continuous support of business processes in an efficient and effective manner.
• Determine whether appropriate segregation of duties exists for key roles to ensure that critical controls function as intended.
• Assess the appropriateness of security-checking mechanisms for key employees to ensure that control over threats within the organisation, such as theft, disclosure and compromise of sensitive corporate assets, is appropriately addressed.
• Determine whether a well-defined, timely and consistently applied performance evaluation process exists and results in the efficient and effective use of IT resources.
• Assess the level of appropriateness and consistency applied to job change policies and procedures to ensure that disruptions of business-critical operations and unauthorised access to secure environments and organisational assets do not occur.

PO8 Manage Quality
A quality management system is developed and maintained that includes proven development and acquisition processes and standards. This is enabled by planning, implementing and maintaining the QMS by providing clear quality requirements, procedures and policies. Quality requirements are stated and communicated in quantifiable and achievable indicators. Continuous improvement is achieved by ongoing monitoring, analysis and acting upon deviations, and communicating results to stakeholders. Quality management is essential to ensure that IT is delivering value to the business, continuous improvement and transparency for stakeholders.

Test the Control Design
• Enquire whether the QMS was developed with input from IT management, other stakeholders and relevant enterprisewide frameworks.
• Enquire whether findings from each quality review are communicated to IT management and other stakeholders in a timely manner to enable remedial action to be taken.
• Determine whether IT quality plans are aligned with enterprise quality management criteria and policies.

PO8.1 Quality Management System
Establish and maintain a QMS that provides a standard, formal and continuous approach regarding quality management that is aligned with business requirements. The QMS should identify quality requirements and criteria; key IT processes and their sequence and interaction; and the policies, criteria and methods for defining, detecting, correcting and preventing non-conformity. The QMS should define the organisational structure for quality management, covering the roles, tasks and responsibilities. All key areas should develop their quality plans in line with criteria and policies and record quality data. Monitor and measure the effectiveness and acceptance of the QMS, and improve it when needed.
Value Drivers
• Alignment with and achievement of business requirements for IT
• Stakeholder satisfaction ensured
• Consistent QA environment understood and followed by all staff members
• Efficient, effective and standardised operation of IT processes

Risk Drivers
• Insufficient quality in services and solutions, resulting in faults, rework and increased costs
• Ad hoc and, therefore, unreliable QA activities
• Misalignment with industry good practices and business objectives
• Ambiguous responsibility for quality, leading to quality reduction

Test the Control Design
• Review IT standards and frameworks to determine if they are appropriate for the systems, data and information in the environment.
• Inspect the authorisation of deviations from IT standards to validate adherence to or non-compliance with mandated or adopted standards.
• Inspect major milestones in key projects to verify that the QMS has been applied.
• Confirm the process for applying changes in mandated or adopted standards within the organisation.

PO8 Manage Quality (cont.)

PO8.2 IT Standards and Quality Practices
Identify and maintain standards, procedures and practices for key IT processes to guide the organisation in meeting the intent of the QMS. Use industry good practices for reference when improving and tailoring the organisation's quality practices.
Value Drivers
• Alignment of the QMS to business requirements and policies
• Consistency and reliability of the general quality plan
• Effective and efficient operation of the QMS
• Increased assurance for enterprisewide management that IT standards, policies, processes, practices and risk management are effective and efficient

Risk Drivers
• Undefined responsibilities within projects and services
• Quality failures in key IT processes
• Non-compliance with defined standards and procedures
• IT policies, standards, processes and practices inconsistent with current good practices
• Failure of IT policies, standards, processes and practices to meet enterprise objectives

Test the Control Design
• Enquire whether development and acquisition standards for changes to existing IT resources are applied (e.g., secure coding practices; software coding standards; naming conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; unit, regression and integration testing). Where the standards are enforced by automated checks in the build and release process rather than only documented, inspect evidence that those checks run and that failures block delivery.
• Enquire or inspect whether development and acquisition standards enable an appropriate level of control for changes to existing IT resources.
• Enquire whether development and acquisition guidance is incorporated into IT standards and frameworks.

PO8.3 Development and Acquisition Standards
Adopt and maintain standards for all development and acquisition that follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria. Consider software coding standards; naming conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; and unit, regression and integration testing.

Value Drivers
• Efficient and effective use of technology to enable timely achievement of business objectives
• Proper identification, documentation and execution of key acquisition and development activities
• Formally defined, standardised and repeatable approach for managing acquisitions and developments

Risk Drivers
• Inaccurate estimations of project timescales and budgets
• Unclear responsibilities within projects
• Development and implementation errors, causing delays, rework and increased costs
• Interoperability and integration problems
• Support and maintenance problems
• Unidentified errors occurring in production

Test the Control Design
• Enquire whether findings from each quality review are communicated to IT management and other stakeholders in a timely manner to enable remedial action to be taken.
• Ensure the staff training programme includes effective continuous improvement methodologies.
• Evaluate whether continuous improvement activities are actively promoted, effectively managed and implemented within the quality standards, policies, practices and procedures.
• Enquire whether and confirm that a quality management plan is defined. Inspect the plan and documentation to validate the appropriateness of the learning and knowledge-sharing process.

Test the Control Design
• Enquire whether customer views on the quality management process are obtained. Review the process to verify that views are obtained periodically.
• Inspect for effectiveness the questionnaires, surveys, feedback forms, interviews, etc., from customers.
• Inspect the outputs from the follow-up process to determine if the feedback is organised and useful for improving the complaint-handling process.
• Inspect the documentation of roles and responsibilities to determine if they allow for effective conflict resolution of customer complaints.
• E nq ui re w he th er a nd c on fi rm th at c us to m er in te ra ct io n as pe ct s ar e in cl ud ed in tr ai ni ng p ro gr am m es . P O 8. 4 C us to m er F oc us Fo cu s qu al ity m an ag em en t o n cu st om er s by d et er m in in g th ei r re qu ir em en ts a nd al ig ni ng th em to th e IT s ta nd ar ds a nd p ra ct ic es . D ef in e ro le s an d re sp on si bi lit ie s co nc er ni ng c on fl ic t r es ol ut io n be tw ee n th e us er /c us to m er a nd th e IT or ga ni sa tio n. Va lu e D riv er s C on tr ol O bj ec ti ve • Im pr ov ed c us to m er s at is fa ct io n • Q ua lit y m an ag em en t a lig ne d w ith cu st om er e xp ec ta tio ns • C la ri ty o f ro le s an d re sp on si bi lit ie s R is k D riv er s • G ap s be tw ee n ex pe ct at io ns a nd de liv er y • Fa ilu re to a de qu at el y un de rs ta nd cu st om er e xp ec ta tio ns • Fa ilu re to a de qu at el y re sp on d to cu st om er d is pu te s an d fe ed ba ck • In ap pr op ri at e or in ef fe ct iv e cu st om er di sp ut e re so lu tio n pr oc es se s • In ap pr op ri at e pr io ri ty g iv en to di ff er en t s er vi ce s pr ov id ed • D is pu te s w ith d el iv er ab le s an d qu al ity d ef ec ts P O 8 M a n a g e Q u a li ty ( c o n t. ) P O 8. 5 C on ti nu ou s Im pr ov em en t M ai nt ai n an d re gu la rl y co m m un ic at e an o ve ra ll qu al ity p la n th at p ro m ot es co nt in uo us im pr ov em en t. Va lu e D riv er s C on tr ol O bj ec ti ve • Im pr ov ed q ua lit y of s er vi ce s an d so lu tio ns • Im pr ov ed e ff ic ie nc y an d ef fe ct iv en es s in d el iv er y • Im pr ov ed s ta ff m or al e an d jo b sa tis fa ct io n R is k D riv er s • U nc on tr ol le d and in ef fe ct iv e se rv ic e de liv er y • Se rv ic e fa ilu re s • D ev el op m en t f au lts IT ASSURANCE GUIDE: USING COBIT © 2007 IT Governance Institute. All rights reserved. www.itgi.org96 Te st t he C on tr ol D es ig n • R ev ie w e xe cu tiv e- le ve l r ep or tin g on q ua lit y pe rf or m an ce ( e. 
g. , d as hb oa rd r ep or tin g an d/ or b al an ce d sc or ec ar d) to id en tif y tr en ds o f st re ng th s an d w ea kn es se s. • In sp ec t w he th er th e qu al ity m et ri cs in co rp or at e th e ac hi ev em en t o f bu si ne ss a nd I T s tr at eg y, f in an ci al c os t, ri sk r at in gs a nd a va ila bl e in du st ry d at a. R ev ie w w he th er th e m on ito ri ng p ro ce ss e na bl es c or re ct iv e an d pr ev en tiv e ac tio ns to ta ke p la ce . • Pe rf or m a w al k- th ro ug h of th e qu al ity m an ag em en t p ro ce ss to v er if y th at it c on si de rs r el ev an ce , a pp lic ab ili ty , l at es t i nd us tr y da ta a nd th e va lu e of c on tr ib ut io n to co nt in uo us im pr ov em en t p ro gr am m es w ith in th e or ga ni sa tio n. P O 8. 6 Q ua lit y M ea su re m en t, M on it or in g an d R ev ie w D ef in e, p la n an d im pl em en t m ea su re m en ts to m on ito r co nt in ui ng c om pl ia nc e to th e Q M S, a s w el l a s th e va lu e th e Q M S pr ov id es . M ea su re m en t, m on ito ri ng a nd re co rd in g of in fo rm at io n sh ou ld b e us ed b y th e pr oc es s ow ne r to ta ke ap pr op ri at e co rr ec tiv e an d pr ev en tiv e ac tio ns . 
Va lu e D riv er s C on tr ol O bj ec ti ve • St af f m em be rs a w ar e of q ua lit y pe rf or m an ce • C on si st en t r ep or tin g • Q ua lit y re po rt in g in te gr at ed in to a nd fa ci lit at in g th e or ga ni sa tio n’ s Q M S • M ea su ra bl e an d ta ng ib le v al ue o f th e Q M S • Fe ed ba ck c on ce rn in g co m pl ia nc e w ith an d us ef ul ne ss o f th e Q M S R is k D riv er s • L ac k of c le ar a nd c on si st en t q ua lit y ob je ct iv es • Pr ev en tiv e an d co rr ec tiv e ac tio ns un id en tif ie d • In co ns is te nt q ua lit y re po rt in g • R ep or ts f ai lin g to c on tr ib ut e to th e en te rp ri se ’s Q M S • L ac k of c la ri fi ed o bj ec tiv es • In co ns is te nt q ua lit y re po rt in g • Fa ilu re o f th e Q M S to e nh an ce th e or ga ni sa tio n’ s ob je ct iv es • Q M S no t t ak en s er io us ly o r co m pl ie d w ith b y th e or ga ni sa tio n • W ea kn es se s an d st re ng th s w ith in th e Q M S no t r ec og ni se d • N on -c om pl ia nc e no t i de nt if ie d • Pr oj ec ts a t r is k to b e ov er ti m e an d bu dg et a nd d el iv er ed w ith p oo r qu al ity P O 8 M a n a g e Q u a li ty ( c o n t. ) 97© 2007 IT Governance Institute. All rights reserved. www.itgi.org APPENDIX II Take the following steps to test the outcome of the control objectives: • Inspect the QMS to verify that it provides a standard and continuous approach for quality management. • Verify IT management’s approval of the QMS. • Review the periodic performance reviews to determine whether the review programme includes all necessary elements. • Inspect the results of the periodic independent performance reviews of the QMS. • Inspect whether follow-up reviews in quality assurance plans exist where significant findings have arisen, and inspect the follow- up reviews to verify that corrective action has been effective. 
• Inspect QMS benchmark results to determine if appropriate industry guidelines, standards and enterprises were included in the comparison.
• Inspect the authorisation of deviations to IT standards to validate adherence to or non-compliance with stakeholder requirements.
• Inspect major milestones to verify that the QMS is in operation.
• Inspect the customer quality standards and metric requirements for completeness (i.e., questionnaires, surveys, feedback forms, interviews).
• Inspect the outputs from the QMS follow-up process to determine if the feedback is organised and useful for improving the complaint-handling process.
• Inspect the documentation of roles and responsibilities to determine if it allows for effective conflict resolution of customer complaints.
• Inspect the training programme to verify the existence of customer care content.
• Walk through the periodic performance reviews to determine whether the review programme includes necessary QMS elements.
• Inspect the results of the periodic independent performance reviews of the QMS.
• Inspect whether the quality metrics incorporate the achievement of business and IT strategy, financial cost, risk ratings, and available industry data.
• Review whether the monitoring process enables corrective and preventive actions to take place.
• Perform a walk-through of the QMS process to verify that it considers relevance, applicability, latest industry data and the value of contribution to the continuous improvement programme within the organisation.
• Determine the reliability of quality assurance activities by assessing alignment with industry best practices and gaps between current procedures and business expectations.
Take the following steps to document the impact of the control weaknesses:
• Determine the level of compliance with organisational IT standards and quality practices to assess deviations that may result in incompatible system architecture, leading to increased costs and the project not meeting goals and objectives.
• Determine if development and acquisition standards include processes for accurate estimation of project timescales and budgets to ensure efficient and effective use of IT and business resources and the attainment of strategic goals and objectives.
• Confirm that quality management processes include mechanisms for conflict resolution and the determination of consistency of understanding regarding customer expectations and product/process capability.
• Assess whether customer requirements align with IT standards.
• Determine whether the continuous improvement policy and procedures enable the organisation’s ability to maintain a competitive advantage.
• Assess whether quality measurement processes and reporting mechanisms enable corrective actions to be performed in a timely manner.

PO9 Assess and Manage IT Risks
A risk management framework is created and maintained. The framework documents a common and agreed-upon level of IT risks, mitigation strategies and residual risks. Any potential impact on the goals of the organisation caused by an unplanned event is identified, analysed and assessed. Risk mitigation strategies are adopted to minimise residual risk to an accepted level. The result of the assessment is understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance.

PO9.1 IT Risk Management Framework
Control Objective: Establish an IT risk management framework that is aligned to the organisation’s (enterprise’s) risk management framework.

Value Drivers:
• Consistent approach for IT risk management
• Effective management of IT risks
• Continuous evaluation of current IT risks and threats to the organisation
• Broadened IT risk management approach

Risk Drivers:
• IT risks and business risks managed independently
• The impact of an IT risk on the business undetected
• Lack of cost control for risk management
• Each risk seen as a single threat rather than in an overall context
• Ineffective support for risk assessment by senior management

Test the Control Design:
• Inspect whether the IT risk management framework aligns with the risk management framework for the organisation (enterprise) and includes business-driven components for strategy, programmes, projects and operations. Review the IT risk classifications to verify that they are based on a common set of characteristics from the enterprise risk management framework. Inspect whether IT risk measurements are standardised and prioritised and whether they include impact, acceptance of residual risk and probabilities aligned with the enterprise risk management framework.
• Verify whether IT risks are considered in the development and review of IT strategic plans.

PO9.2 Establishment of Risk Context
Control Objective: Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated.

Value Drivers:
• Effective and efficient use of resources for management of risks
• Alignment of risk management priorities to business needs
• A focus on relevant and significant risks
• Prioritisation of risks

Risk Drivers:
• Irrelevant risks considered important
• Significant risks not given appropriate attention
• Inappropriate approach to risk assessment

Test the Control Design:
• Enquire whether and confirm that an appropriate risk context has been defined in line with enterprise risk management policies and principles and includes processes, such as systems, project management, application software life cycles, management of IT operations and services. Internal and external risk factors should be included.
• Determine whether the IT risk context is communicated and understood.

PO9.3 Event Identification
Control Objective: Identify events (an important realistic threat that exploits a significant applicable vulnerability) with a potential negative impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact and maintain this information. Record and maintain relevant risks in a risk registry.

Value Drivers:
• Consistent approach to risk event identification
• Focus on significant risk events

Risk Drivers:
• Irrelevant risk events identified and focused on whilst more important events are missed

Test the Control Design:
• Inspect the process used to identify potential events and determine if all IT processes are included in the analysis. The design of the process should cover internal and external events. Identification of potential events may include results of former audits, inspections and identified incidents, using checklists, workshops and process flow analysis. Trace identified impacts to the risk registry to determine if the registry is complete, current and aligned with the enterprise risk management framework terminology.
• Enquire whether appropriate cross-functional teams are involved in the different event and impact identification activities. Review a sample of the risk registry for relevance of threats, significance of vulnerabilities and importance of impact, and analyse the effectiveness of the process to identify, record and judge risks.

PO9.4 Risk Assessment
Control Objective: Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.

Value Drivers:
• Improved planning and use of IT risk management skills and resources
• Organisational credibility of IT risk assessment function teams
• Knowledge transfer between risk managers
• Creation of IT asset value awareness

Risk Drivers:
• Irrelevant risks considered important
• Each risk seen as a single event rather than in an overall context
• Inability to explain significant risks to management
• Significant risks possibly missed
• Loss of IT assets
• Confidentiality or integrity breach of IT assets

Test the Control Design:
• Walk through the risk management process to determine if inherent and residual risks are defined and documented.
• Enquire whether and confirm that the risk management process assesses identified risks qualitatively and/or quantitatively.
• Inspect project and other documentation to assess the appropriateness of qualitative or quantitative risk assessment.
• Walk through the process to determine if the sources of information used in the analysis are reasonable.
• Inspect the use of statistical analysis and probability determinations to measure the likelihood qualitatively or quantitatively.
• Enquire or inspect whether any correlation between risks is identified. Review any correlation to verify that it exposes significantly different likelihood and impact results arising from such relationship(s).

PO9.5 Risk Response
Control Objective: Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and consider risk tolerance levels.

Value Drivers:
• Effective management of risks
• Consistent approach for risk mitigation
• Cost-effective risk response

Risk Drivers:
• Risk responses not effective
• Unidentified residual business risks
• Ineffective use of resources to respond to risks
• Overreliance on existing poor controls

Test the Control Design:
• Inspect whether risk assessment results were allocated to a mitigating response to avoid, transfer, reduce, share or accept each risk and align with the mechanisms used to manage risk in the organisation.

PO9.6 Maintenance and Monitoring of a Risk Action Plan
Control Objective: Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.

Value Drivers:
• Effective management of risks
• Continuous evaluation of current risks and threats for the organisation

Risk Drivers:
• Risk mitigation controls that do not operate as intended
• Compensating controls that deviate from the identified risks

Test the Control Design:
• Enquire whether accepted risks are formally recognised and recorded in a risk action plan.
• Assess the appropriateness of the elements of the risk management plan.
• Enquire or inspect whether execution, report progress and deviations are monitored.
• Inspect risk responses for appropriate approvals.
• Review actions to verify whether ownership is assigned and documented.
• Inspect whether the risk action plan is effectively maintained and adjusted.
Take the following steps to test the outcome of the control objectives:
• Enquire whether the IT risk management tolerance levels are aligned with enterprise risk tolerance levels. Determine whether organisational risk tolerance is used as input for both business and the IT strategy development.
• Enquire whether a process exists to apply enterprise risk tolerance levels to IT risk management decisions. Consider whether benchmarking of the risk assessment framework against similar organisations, appropriate international standards and industry best practices has been performed.
• Test whether risk-related accountability and responsibilities are understood and accepted. Verify that the right skills and necessary resources are available for risk management.
• Enquire through interviews with key staff members involved whether the control mechanism and its purpose, accountability and responsibilities are understood and applied.
• Inspect whether the activities are effectively integrated into IT management processes.
• Inspect whether the identified impacts are relevant and significant for the enterprise and whether they are either over- or underestimated. Determine whether cross-functional teams contribute to the event analysis process. Verify through interviews and impact reports whether the members of the event identification work group are properly trained on the enterprise risk management framework. Verify whether interdependencies and probabilities are accurately identified during impact assessment. Review any correlation to verify that it exposes significantly different likelihood and impact results arising from such relationships.
• Inspect the risk management process to determine if the sources of information used in the analysis are reasonable.
• Inspect the use of statistical analysis and probability determinations to measure the risk likelihood qualitatively or quantitatively.
• Walk through the process to determine if inherent and residual risks are defined and documented.
• Inspect the risk action plan to determine if it identifies the priorities, responsibilities, schedules, expected outcome, risk mitigation, costs, benefits, performance measures and review process to be established.
• Inspect risk responses for