APO06 Manage Budget and Costs Audit/Assurance Program

ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer
ISACA has designed and created APO06 Manage Budget and Costs Audit/Assurance Program (the "Work") primarily as an educational resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.

ISACA
3701 Algonquin […] USA
Phone: 1.847.253.1545
Fax: 1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
Provide feedback: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Align-Plan-and-Organise.aspx
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ISACA wishes to recognize:

Development Team
Stefanie Grijp, PwC, Belgium
Bart Peeters, CISA, PwC, Belgium
Dirk Steuperaert, CISA, CGEIT, CRISC, IT In Balance BVBA, Belgium
Sven Van Hoorebeeck, PwC, Belgium

Expert Reviewers
Steven De Haes, University of Antwerp / Antwerp Management School, Belgium
John E. Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, USA
Joanna Karczewska, CISA, Poland
Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina
Abdul Rafeq, CISA, CGEIT, CIA, FCA, Wincer Infotech Limited, India
Claus Rosenquist […] USA
David A. Williams, CRISC, PMP, OceanFirst Bank, USA
Nikolaos Zacharopoulos, CISA, CISSP, Merckgroup, Germany
Daniel Zimerman, CISA, CRISC, CISSP, CEPT, CIH, I Solutions, USA
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT | Enterprise Governance of IT (Pty) Ltd., South Africa

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director
Table of Contents
Introduction
  Assurance Engagement Approach Based on COBIT 5
  Generic Audit/Assurance Program
  Customisation of the Audit/Assurance Program
  About the Example Audit/Assurance Program: APO06
Assurance Engagement: Manage Budget and Costs
  Assurance Topic
  Goal of the Review
  Scoping
COBIT 5-based Assurance Engagement Approach
  Phase A—Determine Scope of the Assurance Initiative
  Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
  Phase C—Communicate the Results of the Assessments
Introduction
This document contains an example audit/assurance program for a COBIT 5 process, based on the generic structure developed in section 2B of COBIT 5 for Assurance.[1]

Figure 1—Generic COBIT 5-based Assurance Engagement Approach
[Figure not reproduced in this extraction; it depicts the three-phase assurance approach described under "COBIT 5-based Assurance Engagement Approach" below.]

• Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can also be classified under the Information enabler heading and covered in detail there.
• Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage human resources.

In practice, assurance professionals will have to use their own professional judgment when developing their own customised audit/assurance programs, to avoid duplication of work. In addition, while audit/assurance programs will be available for each process, in practice a group of processes is often selected for audit. Therefore, a relevant set of audit/assurance programs for the applicable processes will need to be selected for conducting assurance.

Generic Audit/Assurance Program
The assurance approach depicted in figure 1 is described in more detail and developed into a generic audit/assurance program—including guidance on how to proceed during each step—in section 2B of COBIT 5 for Assurance. This audit/assurance program is:
• Fully aligned with COBIT 5: It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers. It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.
• Comprehensive yet flexible: The generic program is comprehensive because it contains assurance steps covering all enablers in […]
• Two additional columns are included, in which the assurance professional can identify and cross-reference issues and record comments.

Assurance Engagement: Manage Budget and Costs

Assurance Topic
The topic covered by this document is process APO06 Manage budget and costs.

Goal of the Review
The goal of the review is to provide assurance over the APO06 process that ensures:
• There is a partnership between IT and enterprise stakeholders to enable the effective and efficient use of IT-related resources.
• There is transparency and accountability of the cost and business value of solutions and services.
• The enterprise is enabled to make informed decisions regarding the use of IT solutions and services.

Scoping
The scope of the assurance engagement is expressed as a function of the seven COBIT 5 enablers, with a focus on the Process enabler. The process content is taken directly from the detailed process descriptions in COBIT 5: Enabling Processes, i.e., these are standard COBIT 5 processes. Other enablers are also directly based on the same process descriptions, e.g., the Organisational Structures and Information items. Other enablers are described in a more generic way and may require […]

COBIT 5-based Assurance Engagement Approach
The audit/assurance program is divided into three sections:
• Phase A—Determine Scope of the Assurance Initiative—In phase A of the assurance workflow, the auditor […]
Phase A—Determine Scope of the Assurance Initiative
(Table columns: Ref. | Assurance Step | Guidance | Issue Cross-reference | Comment. The last two columns are left blank for the assurance professional.)

Ref. A-1
Assurance Step: Determine the stakeholders of the assurance initiative and their stake.

Ref. A-1.1
Assurance Step: Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the assurance objective.
Guidance: Intended user(s) of the assurance report. Describe the users of the assurance report and their stakes.

Ref. A-1.2
Assurance Step: Identify the interested parties, accountable and responsible for the subject matter over which assurance needs to be provided.
Guidance: Accountable and responsible parties for the subject matter. Describe the accountable and responsible parties for the subject matter over which assurance is to be provided. COBIT 5 includes a summary description of a comprehensive set of roles that can be used as a starting point for this audit step (COBIT 5 framework, appendix G). COBIT 5 for Assurance also provides a summary description of a comprehensive set of assurance roles.

Ref. A-2
Assurance Step: Determine the assurance objectives based on assessment of the internal and external environment/context and of the relevant risk and related opportunities (i.e., not achieving the enterprise goals).
Guidance: Assurance objectives are essentially a more detailed and tangible expression of those enterprise objectives relevant to the subject of the assurance engagement. Enterprise objectives can be formulated in terms of the generic enterprise goals (COBIT 5 framework) or they can be expressed more specifically. Objectives of the assurance engagement can be expressed using the COBIT 5 enterprise goals, the IT-related goals (which relate more to technology), information goals or any other set of specific goals.

Ref. A-2.1
Assurance Step: Understand the enterprise strategy and priorities.
Guidance: Inquire with executive management or through available documentation (corporate strategy, annual report) about the enterprise strategy and priorities for the coming period, and document them to the extent the process under review is relevant.

Ref. A-2.2
Assurance Step: Understand the internal context of the enterprise.
Guidance: Identify all internal environmental factors that could influence the performance of the process under review.

Ref. A-2.3
Assurance Step: Understand the external context of the enterprise.
Guidance: Identify all external environmental factors that could influence the performance of the process under review.

Ref. A-2.4
Assurance Step: Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for the assurance engagement.
Guidance: The following goals can be retained as key goals to be supported, in reflection of enterprise strategy and priorities:[3]
Key goals
Enterprise goals:
• EG12 Optimisation of business process costs
IT-related goals:
• IT05 Realised benefits from IT-enabled investments and services portfolio
• IT06 Transparency of IT costs, benefits and risk

Ref. A-2.4 Cont.
Guidance: Additional goals
Enterprise goals:
• EG01 Stakeholder value of business investments
• EG02 Portfolio of competitive products and services
• EG05 Financial transparency
• EG10 Optimisation of service delivery costs
IT-related goals:
• IT03 Commitment of executive management for making IT-related decisions
• IT04 Managed IT-related business risk
• IT07 Delivery of IT services in line with business requirements […]

Ref. A-2.5
Assurance Step: Define the organisational boundaries of the assurance initiative.

Ref. A-3
Assurance Step: Determine the enablers in scope and the instance(s) of the enablers in scope.

Ref. A-3.1
Assurance Step: Define the Process in scope of the review.

Ref. A-3.2
Assurance Step: Define the related enablers.[4] Related enablers include:
• Principles, Policies and Frameworks
• Organisational Structures
• Culture, Ethics and Behaviour
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies
Guidance:
Organisational Structures: Based on the process under review, the following Organisational Structures and functions are considered to be in scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail:[5]
• Chief financial officer (CFO)
• Value management office
• Chief information officer (CIO)
• Head IT administration
Culture, Ethics and Behaviour: In the context of this process review, the following enterprisewide Behaviours are in scope:
• [List here the most relevant Behaviour elements]

Notes
[3] The suggested set of enterprise goals can and should vary with enterprise strategy and priorities. However, in this generic program the following logic was applied: First the mapping table between IT processes and IT-related goals (COBIT 5: Enabling Processes, appendix B, p. 227-229) was used. The mappings between the process at hand and the IT goals listed as 'P' are retained as key IT-related goals. The mappings listed as 'S' are retained as additional IT-related goals. Next, the mapping table between enterprise goals and IT-related goals (COBIT 5: Enabling Processes, appendix B, p. 226) is used. The previously selected key IT-related goals are looked up, and those enterprise goals that support half or more of the IT-related goals as 'P' are retained as key enterprise goals. The remaining enterprise goals listed as 'P' are retained as additional enterprise goals. Again, after application of the logic described here, the resulting set of goals should be reviewed and tailored if necessary.
[4] The logic applied here is the following: if there are any Policies or Frameworks identified as inputs or outputs of any of the process practices of the process under review, they will be included […]
Ref. A-3.2 Cont.
Guidance:
Information items: Based on the process under review, the following Information items are considered to be in scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail.[6]
APO06.01:
• Asset register (I)
• Accounting processes (O)
• IT costs classification scheme (O)
• Financial planning practices (O)
APO06.02:
• Evaluation of investments and services portfolios (I)
• Prioritisation and ranking of IT initiatives (O)
• Actions to improve value delivery (I)
• Proof-of-concept scope and outline business case (I)
• Investment return expectations (I)
• Business case assessments (I)
• Programme business case (I)
• Budget allocations (O)
APO06.03:
• IT budget and plan (O)
• Budget communications (O)
APO06.04:
• Categorised IT costs (O)
• Cost allocation model (O)
• Cost allocation communications (O)
• Operational procedures (O)
APO06.05:
• Feedback on portfolio and programme performance (I)
• Cost data collection method (O)
• Programme benefit realisation plan (I)
• Cost consolidation method (O)
• Programme budget and benefits register (I)
• Results of benefit realisation monitoring (I)
• Cost optimisation opportunities (O)
Services, Infrastructure and Applications: In the context of this process review, and taking into account the goals identified in A-2.4, the following Services and related Infrastructure or Applications could be considered in scope of the review:
• [List here the most relevant Services, Infrastructure and Applications components in scope]
People, Skills and Competencies: In the context of this process review, taking into account key processes and key roles, the following Skill sets are included in scope:
• Knowledge of financial management
• Other relevant Skill sets required […]
Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
(Table columns: Ref. | Assurance Steps and Guidance | Issue Cross-reference | Comment. The last two columns are left blank for the assurance professional.)

Ref. B-1
Agree on metrics and criteria for enterprise goals and IT-related goals. Assess enterprise goals and IT-related goals.

Ref. B-1.1
Obtain (and agree on) metrics for enterprise goals and expected values of the metrics and assess whether enterprise goals in scope are achieved. Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customised […]
[Only a fragment of the enterprise goal metric table survives: "… executive management with business processing costs".]

Ref. B-1.2
Obtain (and agree on) metrics for IT-related goals and expected values of the metrics and assess whether IT-related goals in scope are achieved. The following metrics and expected values are agreed on for the key IT-related goals defined in Step A-2.4.

(Table columns: IT-related Goal | Metric | Expected Outcome | Assessment Step)

IT-related Goal: IT05 Realised benefits from IT-enabled investments and services portfolio
Metric:
• Percent of IT-enabled investments where benefit realisation is monitored through full economic life cycle
• Percent of IT services where expected benefits are realised
• Percent of IT-enabled investments where claimed benefits are met or exceeded
Expected Outcome: Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

IT-related Goal: IT06 Transparency of IT costs, benefits and risk
Metric:
• Percent of investment business cases with clearly defined and approved expected IT-related costs and benefits
• Percent of IT services with clearly defined and approved operational costs and expected benefits
• Satisfaction survey of key stakeholders regarding the transparency, understanding and accuracy of IT financial information
Expected Outcome: Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Ref. B-2
Obtain understanding of the Process in scope and set suitable assessment criteria.
Ref. B-2.2
The purpose of process APO06 is as per the standard COBIT 5 process statement: "Foster partnership between IT and enterprise stakeholders to enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of IT solutions and services."
Understand the Process goals and related metrics and define expected values (criteria), and assess whether the Process goals (outcomes) are achieved, i.e., assess the effectiveness of the Process.
The process APO06 Manage budget and costs has four standard defined process goals, as described in COBIT 5: Enabling Processes, chapter 5, p. 79. Based on these goals and their related metrics, the following subset of goals and associated metrics is defined for this process.

(Table columns: Process Goal | Related Metric | Criteria/Expected Value | Assessment Step)

Process Goal: A transparent and complete budget for IT accurately reflects planned expenditures.
Related Metric:
• Number of budget changes due to omissions and errors
• Number of deviations between expected and actual budget categories
Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process Goal: The allocation of IT resources for IT initiatives is prioritised based on enterprise needs.
Related Metric:
• Percent of alignment of IT resources with high-priority initiatives
• Number of resource allocation issues escalated
Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process Goal: Costs for services are allocated in an equitable manner.
Related Metric:
• Percent of overall IT costs that […]
Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.
[The remainder of this table, including the fourth process goal, was not recovered.]

Ref. B-2.2 Cont.
APO06.01 Manage finance and accounting.
Assess by applying appropriate audit techniques […]
1. Define processes, inputs and outputs, and responsibilities in alignment with the enterprise budgeting and cost accounting policies and approach to systematically drive IT budgeting and costing; enable fair, transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of IT-enabled business programmes; and ensure that budgets and costs are maintained in the IT asset and services portfolios.
2. Define a classification scheme to identify all IT-related cost elements, how they are allocated across budgets and services, and how they are captured.
3. Use financial and portfolio information to provide input to business cases for new investments in IT assets and services.
4. Define how to analyse, report (to whom and how), and use the budget control and benefit management processes.
5. Establish and maintain practices for financial planning, investment management and decision making, and the optimisation of recurring operational costs to deliver maximum value to the enterprise for the least expenditure.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

APO06.02 Prioritise resource allocation.
Assess by applying appropriate audit techniques […]
1. Establish a decision-making body for prioritising business and IT resources, including use of external service providers within the high-level budget allocations for IT-enabled programmes, IT services and IT assets as established by the strategic and tactical plans. Consider the options for buying or developing capitalised assets and services vs. externally utilised assets and services on a pay-for-use basis.
2. Rank all IT initiatives based on business cases and strategic and tactical plans, and establish procedures to determine budget allocations and cut-off.
3. Establish a procedure to communicate budget decisions and review them with the business unit budget holders.
4. Identify, communicate and resolve significant impacts of budget decisions on business cases, portfolios and strategy plans (e.g., when budgets may require […])
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

Ref. B-2.2 Cont.
APO06.03 Create and maintain budgets.
Assess by applying appropriate audit techniques […]
1. Implement a formal IT budget, including all expected IT costs of IT-enabled programmes, IT services and […]
2. […]
• Alignment with the business
• Alignment with the sourcing strategy
• Authorised sources of funding
• Internal resource costs, including personnel, information assets and accommodations
• Third-party costs, including outsourcing contracts, consultants and service providers
• Capital and operational expenses
• Cost elements that depend on the workload
3. Document the rationale to justify contingencies and review them regularly.
4. Instruct process, service and programme owners, as well as project and asset managers, to plan budgets.
5. Review the budget plans and make decisions about budget allocations. Compile and adjust the budget based on changing enterprise needs and financial considerations.
6. Record, maintain and communicate the current IT budget, including committed expenditures and current expenditures, considering IT projects recorded in the IT-enabled investment portfolios and operation and maintenance of asset and service portfolios.
7. Monitor the effectiveness of the different aspects of budgeting and use the results to implement improvements to ensure that future budgets are more accurate, reliable and cost-effective.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

APO06.04 Model and allocate costs.
Assess by applying appropriate audit techniques […]
1. Categorise all IT costs appropriately, including those relating to service providers, according to the enterprise management accounting framework.
2. Inspect service definition catalogues to identify services subject to user chargeback and those that are shared services.
3. Define and agree on a model that:
   • Supports the calculation of chargeback rates per service
   • Defines how IT costs will be calculated/charged
   • Is differentiated, where and when appropriate
   • Is aligned with the IT budget
4. Design the cost model to be transparent enough to allow users to identify their actual usage and charges, and to better enable predictability of IT costs and efficient and effective utilisation of IT resources.
5. After review with user departments, obtain approval and communicate the IT costing model inputs and outputs to the management of user departments.
6. Communicate changes in the cost/chargeback model with enterprise process owners.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.
Ref. B-2.2 Cont.
APO06.05 Manage costs.
Assess by applying appropriate audit techniques […]
1. Ensure proper authority and independence between IT budget holders and the individuals who capture, analyse and report financial information.
2. Establish time scales for the operation of the cost management process in line with budgeting and accounting requirements […]
[Activities 3 to 9 of this practice were not recovered.]
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

Ref. B-2.3
Agree on the Process work products (inputs and outputs as defined in the process practices description) that are expected to be present (process design). Assess the extent to which the process work products are available.
The Process APO06 identifies a set of inputs and outputs for the different management practices. The most relevant of these work products (and those not assessed as Information items in scope in section A-3.2) are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.

(Table columns: Process Practice | Work Product | Assessment Step)

APO06.01:
• Asset register (I)
• Accounting processes (O)
• IT costs classification scheme (O)
• Financial planning practices (O)

Ref. B-2.3 Cont.
APO06.02:
• Evaluation of investments and services portfolios (I)
• Actions to improve value delivery (I)
• Investment return expectations (I)
• Business case assessments (I)
• Programme business case (I)
• Budget allocations (O)
APO06.03:
• Budget communications (O)
APO06.04:
• Categorised IT costs (O)
• Cost allocation communications (O)
• Operational procedures (O)
APO06.05:
• Feedback on portfolio and programme performance (I)
• Cost data collection method (O)
• Programme benefit realisation plan (I)
• Cost consolidation method (O)
• Programme budget and benefits register (I)
• Results of benefit realisation monitoring (I)
Assessment Step: […] determine for each work product:
• Existence of the work product
• Appropriate use of the work product

Ref. B-2.4
Agree on the Process capability level to be achieved by the process. Process APO06 is—given the strategic priorities—important, and will require […]

Ref. B-3.1
Understand the Principles, Policies and Frameworks context.
Obtain understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.

Ref. B-3.2
Understand the stakeholders of the Principles, Policies and Frameworks.
Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to be in compliance with the policies.

Ref. B-3.3
Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values. Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies and Frameworks.

(Table columns: Goal | Criteria | Assessment Step)

Goal: Comprehensiveness
Criteria: The set of policies is comprehensive in its coverage.
Assessment Step: Verify that the set of policies is comprehensive in its coverage.

Goal: Currency
Criteria: The set of policies is up to date. This at least requires […]
Assessment Step: Verify that the set of policies is up to date. This at least requires […]
Ass#rance Steps an "#iance Availabilit!
?olicies are available to all Eeri! that policies are available to all sta&eholders" sta&eholders" Eeri! that policies are eas! to naviate and have a loical and ?olicies are eas! to naviate and hierarchical structure" have a loical and hierarchical structure" >nderstand the lie c!cle staes o the ?rinciples, ?olicies and 9rame'or&s, and aree on the relevant criteria" Assess to 'hat e*tent the ?rinciples, ?olicies and 9rame'or&s lie c!cle is manaed" The "ife c2c"e of the IT#re"ated po"icies is managed '2 the Process APO0. The re&iew of this "ife c2c"e is therefore e:ui&a"ent to a process re&iew of process APO0 anae the IT manaement rame'or&. >nderstand ood practices r elated to the ?rinciples, ?olicies and 9ram e'or&s and e*pected values" Assess the ?rinciples, ?olicies and 9rame'or&s desin, i"e", assess the e*tent to 'hich e*pected ood practices are applied" The assurance professiona" wi""4 '2 using appropriate auditing techni:ues assess the fo""owing aspects. "oo $ractice Criteria Assessment Step S co pe an d v al id it ! T he sco pe is de scr ib ed an d th e Eeri! that the scope o the rame'or& is described and the validit! validit! date is indicated" date is indicated" #*ception and The e*ception and escalation Eeri! that the e*ception and escalation procedure is described, escalation procedure is e*plained and e*plained and commonl! &no'n" commonl! &no'n" Throuh observation o a representative sample, veri! that the • •
B-3.5 Cont.
• (Exception and escalation, cont.) Criteria: the exception and escalation procedure has not become de facto standard procedure.
• Compliance. Criteria: the compliance checking mechanism and non-compliance conse… Assessment step: verify that the compliance checking mechanism and non-compliance conse…
B-4.1 Understand the Organisational Structure context. Identify and document all elements that can help to understand the context in which the Organisational Structure/role has to operate, including:
• The overall organisation
• Management/process framework
• History of the role/structure
• Contribution of the Organisational Structure to achievement of goals
B-4.2 Understand all stakeholders of the Organisational Structure/function. Determine through documentation review (policies, management communications, etc.) the key stakeholders of the role, i.e.:
• Incumbent of the role and/or members of the Organisational Structure
• Other key stakeholders affected by the decisions of the Organisational Structure/role
B-4.3 Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these goals contribute to the achievement of the enterprise goals and IT-related goals.
Organisational Structure Goal / Assessment Step:
• Determine through interviews with key stakeholders and documentation review the goals of the Organisational Structures, … Assessment step: this step only applies if specific goals are defined. In that case, the assurance professional will use appropriate auditing techniques …
… communicated. Evaluate the decisions by assessing whether:
• They have contributed to the achievement of the IT-related and enterprise goals as anticipated.
… making decisions—are already described by some of the process practices and/or process activities in COBIT Enabling Processes. Therefore, they will be part of the process review and should not be repeated here. Only when very specific decisions … would be re…
B-4.4 Understand the life cycle and agree on expected values. Assess the extent to which the Organisational Structure life cycle is managed.
Life Cycle Element / Criteria / Assessment Steps:
• Mandate. Criteria: the Organisational Structure is formally established. Assessment step: verify through interviews and observations that the Organisational Structure is formally established.
-/"
•
•
•
•
•
•
-/" Cont"
-/"5
•
•
•
•
•
•
•
•
•
•
•
•
•
• Criteria: the Organisational Structure has a clear, documented and well-understood mandate. Assessment step: verify through interviews and observations that the Organisational Structure has a clear, documented and well-understood mandate.
• Criteria: the performance of the Organisational Structure and its members should be regularly monitored and evaluated by competent and independent assessors. Assessment step: verify whether the performance of the Organisational Structure and its members is regularly monitored and evaluated by competent and independent assessors.
• Criteria: the regular evaluations should result in the re… Assessment step: verify whether the regular evaluations have resulted in improvements to the Organisational Structure, in its composition, mandate or any other parameter.
B-5.1 Understand the Culture, Ethics and Behaviour context. Understand the context of the Culture/Ethics/Behaviour, i.e.:
• What the overall corporate Culture is like
• Understand the interconnection with other enablers in scope:
  • Identify roles and structures that could be affected by the Culture.
  • Identify processes that could be affected by Culture, Ethics and Behaviour, including any processes in scope of the review.
B-5.2 Understand the major stakeholders of the Culture, Ethics and Behaviour. Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to demonstrate the correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.
B-5.3 Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree on expected values. Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture, Ethics and Behaviour. Define what constitutes desired and undesirable Behaviours and Culture and why they are so classified, i.e., relate Behaviours to the organisational ethics and values by which the enterprise wants to … Especially Behaviours are associated to individuals and the Organisational Structures of which they are a part; therefore, by using appropriate auditing techniques …
Desired Behaviour (Culture, Ethics and Behaviour Goal) / Assessment Step:
B-5.4 Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria. Assess the extent to which the Culture, Ethics and Behaviour life cycle is managed. (This aspect is already covered by the assessment of the good practices, so no additional assurance steps are defined here.)
B-5.5 Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria.
Good Practice / Criteria (B-5.5, cont.):
• … enforcement and rules
• Incentives and rewards. Criteria: existence and application of appropriate rewards and incentives.
• Awareness and communication. Criteria: awareness of desired Behaviours.
… practice is ade…
B-6 Obtain understanding of the Information items in scope. Assess Information items. Repeat steps B-6.1 through B-6.5 for each Information item defined in scope in A-3.2.
B-6.1 Understand the Information item context:
• Where and when is it used?
• For what purpose is it used?
• Understand the connection with other enablers in scope, e.g.:
  • Used by which processes?
  • Which Organisational Structures are involved (see also B-4.1)?
  • Which services/applications are involved?
B-6.2 Understand the major stakeholders of the Information item. Understand the stakeholders for the Information item, i.e., identify the:
• Information producer
• Information custodian
• Information consumer
Stakeholders should be at the appropriate organisational level.
B-6.3 Understand the major …
B-6.3 Cont. Mark the … Criteria (fragment): Understandability; Manipulation; Availability; Restricted access.
B-6.4 Understand the life cycle stages of the Information item, and agree on the relevant criteria. Assess to what extent the Information item life cycle is managed. The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review already includes a review of (IT-related) processes so this aspect does not need to be duplicated here. When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently. When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be assessed.
-/%"5
ar& the lie c!cle staes 'ith a 4 that are deemed most important (&e! criteria), and b! conseseLoperate #valuateLmonitor >pdateLdispose >nderstand important attributes o the Inormation item and e*pected values" Assess the Information item esign, i"e", assess the e*tent to 'hich e*pected goo practices are applied" ood practices or Inormation items are deined as a series o attributes or the Inormation item1:" The assurance proessional 'ill, b! usin appropriate audit techni
B-7 Obtain understanding of the Services, Infrastructure and Applications in scope. Assess the Services, Infrastructure and Applications. Repeat steps B-7.1 through B-7.5 for each Service, Infrastructure and Applications element in scope.
B-7.1 Understand the Services, Infrastructure and Applications context. Understand the organisational and technological context of this service. Refer to steps A-1.1 and A-1.2 and re-use that information to understand the significance of this Service, Infrastructure and Application.
B-7.2 Understand the major stakeholders of the Services, Infrastructure and Applications. Understand who will be the major stakeholders of the service, i.e., the sponsor, provider and users. Stakeholders will include a number of organisational roles but could also link to Processes.
B-7.3 Understand the major goals for the Services, Infrastructure and Applications, the related metrics and agree on expected values. Assess whether the Services, Infrastructure and Applications goals (outcomes) are achieved, i.e., assess the effectiveness of the Services, Infrastructure and Applications.
Goal / Criteria / Assessment Step:
• Service description. Criteria: the Service is clearly described. Assessment step: verify that the Service exists and is clearly described.
• Criteria: the Service is available to all … Assessment step: assess the …
B-7.4 Understand the life cycle stages of the Services, Infrastructure and Applications, and agree on the relevant criteria. Assess the extent to which the Services, Infrastructure and Applications life cycle is managed.14
B-7.5 Understand good practice related to the Services, Infrastructure and Applications and expected values. Assess the Services, Infrastructure and Applications design, i.e., assess to what extent expected good practices are applied. Leverage the description of Services, Infrastructure and Applications in the COBIT framework to identify good practices related to Services, Infrastructure and Applications. In general the following practices need to be implemented:
• Buy/build decision needs to be taken.
• Use of the Service needs to be clear.
Good Practice / Criteria / Assessment Step:
• Sourcing (buy/build). Criteria: a formal decision—based on a business case—needs to be taken regarding the sourcing of the Service. Assessment step: verify that a formal decision—based on a business case—was taken regarding the sourcing of the Service. Verify the validity and se…
• Use of the Service. Criteria: the use of the Service needs to be clear: … Assessment step: verify that the use of the Service is clear, i.e., it is known when and by whom the service needs to be used.
14 The life cycle of a service will be governed and managed by numerous of the COBIT 5 processes. As a conse…
© ISACA 2014. All rights reserved.
25
B-7.5 Cont.
• (Use of the Service, cont.) Criteria: when it needs to be used and by whom; the re… Assessment step: verify that actual use is in line with re…
15 COBIT 5 framework, appendix G, p. 85-86
B-8 Obtain understanding of the People, Skills and Competencies in scope. Assess People, Skills and Competencies. Repeat steps B-8.1 through B-8.5 for each People, Skill and Competency aspect in scope.
B-8.1 Understand the People, Skills and Competencies context. Understand the context of the Skill/Competency, i.e.:
• Where and when is it used?
• For what purpose is it used?
• Understand the connection with other enablers in scope, e.g.:
  • In which roles and structures is the Skill/Competency used (see also B-4)?
  • Which behaviours are associated with the Skill/Competency?
B-8.2 Understand the major stakeholders for People, Skills and Competencies. Identify to whom in the organisation the skill requirement applies.
B-8.3 Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values. Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.
-/8"
9or the ?eople, S&ills and Competencies at hand, the ollo'in oals and associated criteria can be addressed" "oal Criteria Assessment Step #*perience Appl! appropriate auditin techninderstand the lie c!cle staes o the ?eople, S&ills and Competencies, and aree on the relevant criteria" Assess to 'hat e*tent the ?eople, S&ills and Competencies lie c!cle is manaed" 9or the ?eople, S&ills and Competencies at hand, the lie c!cle phases and associated criteria can 9or the ?eople, S&ills and Competencies at be e*pressed in unction o the process A?0;" hand the assurance proessional 'ill perorm the ollo'in assessment steps" ife C/cle Element Criteria Assessment Step ?lan ?ractice A?0;"0:, activit! 1 (Deine the re
• (Plan, cont.) Criteria: practice APO07.03 activity 3 (Provide access to knowledge repositories to support the development of skills and competencies.) is implemented in relation to this skill. Assessment step: assess whether practice APO07.03 activity 3 is implemented in relation to this skill.
• Build. Criteria: practice APO07.03 activity 4 (Identify gaps between re…
• Update/dispose. Criteria: practice APO07.03 activity 7 (Review training materials and programmes on a regular basis to ensure ade… Assessment step: assess whether practice APO07.03 activity …
B-8.5 Understand good practice related to the People, Skills and Competencies and expected values. Assess the People, Skills and Competencies design, i.e., assess to what extent expected good practices are applied.
Good Practice / Assessment Step:
• Skill set and Competencies are defined. Assessment step: determine that an inventory of Skills and Competencies is maintained by organisational unit, job function and individual. Evaluate the relevance and the contribution of the Skills and Competencies to the achievement of the goals of the Organisational Structure, and by conse…
Phase C—Communicate the Results of the Assessment
Ref. | Assurance Step | Guidance
C-1 Document exceptions and gaps.
C-1.1 Understand and document weaknesses and their impact on the achievement of process goals.
C-1.2 Understand and document weaknesses and their impact on enterprise goals.
C-2 Communicate the work performed and findings.
C-2.1 Communicate the work performed.
C-2.2 Communicate preliminary findings to the assurance engagement stakeholders defined in A-1.4.
Guidance:
• Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
• Clarify vulnerabilities, threats and missed opportunities that are likely to occur if enablers do not perform effectively.
• Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources).
• Relate the impact of not achieving the enabler goals to actual cases in the same industry and leverage industry benchmarks.
• Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder re…
• Use benchmarking and survey results to compare the enterprise's performance with others.
• Use extensive graphics to illustrate the issues.
• Inform the person responsible for the assurance activity about the preliminary findings and verify his/her correct understanding of those findings.
C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.