WAPO06 Manage Budget and Costs Audit Assurance Program Icq Eng 0814

APO06 Manage Budget Budget and Costs Audit/Assurance Audit/Assurance Program ISACA® With more than 115,000 115,000 constituents in 180 countries, ISACA (www.isaca.org ( www.isaca.org )) helps business and IT leaders build trust in, and value rom, inormation and inormation s!stems" #stablished in 1$%$, ISACA is the trusted source o &no'lede, standards, net'or&in, and career development or inormation s!stems audit, assurance, securit!, securit!, ris&, privac! and overnance proessionals" ISACA oers oers the C!bersecurit! e*us+, a comprehensive set o resources or c!bersecurit! proessionals, and C-IT ., a business rame'or& that helps enterprises overn and manae their inormation and technolo!" technolo!" ISACA also advances and validates business/critical s&ills and &no'lede throuh the loball! respected Certiied Inormation S!stems Auditor . (CISA.), Certiied Inormation Securit! anaer . (CIS.), Certiied in the overnance o #nterprise IT . (C#IT .) and Certiied in 2is& and Inormation S!stems Control+ (C2ISC+) credentials" The association has more than 300 chapters 'orld'ide" Disclaimer ISACA has desined and created APO06 created APO06 Manage Budget Budget and Costs Audit/Assurance Audit/Assurance Program (the Program (the 4Wor&) primaril! as an educational resource or assurance proessionals" ISACA ISACA ma&es no claim that use o an! o the Wor& 'ill assure a successul outcome" The Wor& should not be considered inclusive o all proper inormation, procedures and tests or e*clusive o other inormation, procedures and tests that are reasonabl! directed to obtainin the same results" In determinin the propriet! o an! speciic inormation, procedure or test, assurance proessionals should appl! their o'n proessional 6udement to the speciic circumstances presented b! the particular s!stems or inormation technolo! environment" Reservation of Rights 7 301 ISACA" All rihts reserved" 9or usae uidelines, see www.isaca.org/COBITuse " ISACA :;01 AlonSA ?hone@ 1"8;"35:"155 9a*@ 1"8;"35:"1: #mail@ [email protected] Web site@ www.isaca.org ?rovide eedbac&@ http//ww http//www.isaca. w.isaca.org/!now"edge#Center/ org/!now"edge#Center/$esearch/$esearc $esearch/$esearch%e"i&era'"es/Pag h%e"i&era'"es/Pages/A"ign#P"an#and#Or es/A"ign#P"an#and#Organise.asp( ganise.asp( ?articipate in the ISACA Bno'lede Center@ www.isaca.org/)now"edge#center 9ollo' ISACA on T'itter@ https//twitter.com/I*ACA+ews oin ISACA on =in&edIn@ ISACA (icial) , http//"in)d.in/I*ACAOfficia" =i&e ISACA on 9aceboo&@ www.face'oo).com/I*ACA,-

APO06 Manage Budget and Costs Audit/Assurance Program

ISACA wishes to recognize: Development Team Steanie ri6p, ?'C, -elium -art ?eeters, CISA, ?'C, -elium Dir& Steuperaert, CISA, C#IT, C2ISC, IT In -alance -E-A, -elium Sven Ean Foorebeec&, ?'C, -elium

Expert Reviewers Steven De Faes, >niversit! o Ant'erp / Ant'erp anaement School, -elium ohn #" asins&i, CISA, C#IT, IS30B, ITI= #*pert, SS--, >SA oanna BarcGe's&a, CISA, ?oland ?atricia ?randini, CISA, C2ISC, >niversidad de -uenos Aires, Arentina Abdul 2ae<, CISA, C#IT, CIA, 9CA, Wincer Inotech =imited, India Claus 2osenSA David A" Williams, C2ISC, ??, cean9irst -an&, >SA i&olaos Hacharopoulos, CISA, CISS?, erc&roup, erman! Daniel Himerman, CISA, C2ISC, CISS?, C#?T, CIF, CIF, I Solutions, >SA Tichaona Hororo, CISA, CIS, C#IT, C2ISC, CIA, C2A, #IT I #nterprise overnance o IT (?t!) =td", South Arica

ISACA Boar of Directors 2obert # Stroud, C#IT, C2ISC, CA, >SA, International ?resident Steven A" -abb, C#IT, C2ISC, ITI=, Eodaone, >B, Eice ?resident arr! " -arnes, CISA, CIS, C#IT, C2ISC, -A# S!stems Detica, Australia, Eice ?resident 2obert A" Cl!de, CIS, Adaptive Computin, >SA, Eice ?resident 2amses alleo, CIS, C#IT, CCSB, CISS?, SC?, Si* Sima -lac& -elt, Dell, Spain, Eice ?resident Theresa raenstine, CISA, C#IT, C2ISC, CA?, CA, CIA, C?A, >S Fouse o 2epresentatives, >SA, Eice ?resident Eittal 2" 2a6, CISA, CIS, C#IT, C2ISC, C9#, CIA, CISS?, 9CA, Bumar J 2a6, India, Eice ?resident Ton! Fa!es, C#IT, A9CFS#, CF#, 9ACS, 9C?A, 9IIA, ueensland overnment, Australia, ?ast International ?resident reor! T" rochols&i, CISA, The Do' Chemical Co", >SA, ?ast International ?resident Debbie A" =e', CISA, C2ISC, #rnst J Koun ==?, >SA, Director 9ran& B"" Kam, CISA, CIA, 9FBCS, 9FBIoD, 9ocus Strateic roup Inc", Fon Bon, Director Ale*ander Hapata =enis, CISA, C#IT, C2ISC, ITI=, ??, rupo C!nthus S"A" de C"E", e*ico, Director


Ta%le of Contents ?ae Introduction"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5 Assurance #naement Approach -ased on C-IT 5""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 5 eneric AuditLAssurance ?roram"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" % CustomiGation o the AuditLAssurance ?roram"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""% About the #*ample AuditLAssurance ?roram@ A?0% """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""% Assurance #naement@ anae -udet and Costs"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""; Assurance Topic""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" ; oal o the 2evie'""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" ; Scopin"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" """ ; C-IT 5/based Assurance #naement Approach"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""; ?hase AMDetermine Scope o the Assurance Initiative""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 8 ?hase -M>nderstand #nablers, Set Suitable Assessment Criteria and ?erorm the Assessment"""""""""""""""""""""13 ?hase CMCommunicate the 2esults o the Assessments"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""3$


Intro#ction This document contains an e*ample auditLassurance proram or a C-IT 5 process, %ase on the eneric structure developed in section 3- o COBIT  for Assurance1" &ig#re '("eneric C)BIT *+%ase Ass#rance Engagement Approach


•

•

Some aspects o a process also relate to another enabler and are assessed there, e"", inputs and outputs can also be classiied under the Inormation enabler headin and covered in detail there" Some aspects relatin to S&ills and Competencies are to a lare e*tent covered b ! process A?0; Manage human resources"

In practice, assurance proessionals 'ill have to use their o'n proessional 6udment 'hen developin their o 'n customiGed auditLassurance prorams, to avoid duplication o 'or&" In addition, 'hile auditLassurance prorams 'ill be available or each process, in practice, a roup o processes are oten selected or audit" Thereore, a relevant set o auditLassurance prorams o the applicable processes 'ill need to be selected or conductin assurance"

"eneric A#it,Ass#rance $rogram The assurance approach depicted in fig#re ' is described in more detail and developed into a generic a#it,ass#rance programMincludin uidance on ho' to proceed durin each stepMin section 3- o COBIT  for Assurance" This auditLassurance proram is@ 9ull! alined 'ith C-IT 5@ It e*plicitl! reerences all seven enablers" In other 'ords, it is no loner e*clusivel! process/ocusedP it also uses the dierent dimensions o the enabler model to cover all aspects contributin to the perormance o the enablers" It reerences the C-IT 5 oals cascade to ensure that detailed ob6ectives o the assurance enaement can be put into the enterprise and IT conte*t, and concurrentl! it enables lin&ae o the assurance ob6ectives to enterprise and IT ris& and beneits" Comprehensive !et le*ible" The eneric proram is comprehensive because it contains assurance steps coverin all enablers in
•

•


•

T'o additional columns are included, in 'hich the assurance proessional can identi! and cross/reerence issues and record comments"

Ass#rance Engagement: 5anage %#get an costs Ass#rance Topic The topic covered b! this document is process A$)34 Manage budget and costs.

"oal of the Review The oal o the revie' is to provide assurance over the A?0%6 process that ensures@ There is a partnership bet'een IT and enterprise sta&eholders to enable the eective and eicient use o IT/ related resources There is transparenc! and accountabilit! o the cost and business value o solutions and services" The enterprise is enabled to ma&e inormed decisions reardin the use o IT solutions and services" •

• •

Scoping The scope o the assurance enaement is e*pressed as a unction o the seven C-IT 5 enablers, 'ith a ocus on the ?rocess enabler" The process content is ta&en directl! rom the detailed process descriptions in COBIT  na'"ing Processes, i"e", these are standard C-IT 5 processes" ther enablers are also directl! based on the same process descriptions, e"", the ranisational Structures and Inormation items" ther enablers are described in a more eneric 'a! and ma! re
C)BIT *+%ase Ass#rance Engagement Approach The auditLassurance proram is divided into three sections@ $hase A(Determine Scope of the Ass#rance InitiativeMIn phase A o the assurance 'or&lo', the auditor •


$hase A(Determine Scope of the Ass#rance Initiative Ref0 A+' A/1"1

A/1"3

A+6

A/3"1 A/3"3 A/3": A/3"

Ass#rance Step Determine the sta1eholers o the assurance initiative and their sta1e0 Identi! the intended user(s) o the assurance report and their sta&e in the assurance enaement" This is the assurance ob6ective" Identi! the interested parties, accountable and responsible or the sub6ect matter over 'hich assurance needs to be provided"

Determine the assurance o%2ectives based on assessment o the internal and e*ternal environmentLconte*t and o the relevant ris1 and related opport#nities (i"e", not achievin the enterprise oals)"

>nderstand the enterprise strate! and priorities" >nderstand the internal conte*t o the enterprise" >nderstand the e*ternal conte*t o the enterprise" iven the overall assurance ob6ective, translate the identiied strateic priorities into concrete ob6ectives or the assurance enaement"

"#iance

Intene #ser9s of the ass#rance report

%escri'e the users of the assurance report and their sta)es.

Acco#nta%le an responsi%le parties for the s#%2ect matter

%escri'e the accounta'"e and responsi'"e parties for the su'ect matter o&er which assurance is to 'e pro&ided1 COBIT  inc"udes a summar2 description of a comprehensi&e set of ro"es that can 'e used as starting point for this audit step 3COBIT  framewor)4 appendi( 64 p.56 1 C-IT 5 or Assurance a"so pro&ides a summar2 description of a comprehensi&e set of assurance ro"es4 see section 7A4 chapter 84 p.95. Assurance ob6ectives are essentiall! a more detailed and tanible e*pression o those enterprise ob6ectives relevant to the sub6ect o the assurance enaement" #nterprise ob6ectives can be ormulated in terms o the eneric enterprise oals (C-IT 5 rame'or&) or the! can be e*pressed more speciicall!" )%2ectives of the ass#rance engagement can %e expresse #sing the C)BIT * enterprise goals8 the IT+relate goals 9which relate more to technolog/8 information goals or an/ other set of specific goals0 In:uire with e(ecuti&e management or through a&ai"a'"e documentation 3corporate strateg24 annua" report; a'out the enterprise strateg2 and priorities for the coming period4 and document them to the e(tent the process under re&iew is re"e&ant. Identif2 a"" interna" en&ironmenta" factors that cou"d inf"uence the performance of the process under review. Identif2 a"" e(terna" en&ironmenta" factors that cou"d inf"uence the performance of the process under review . The ollo'in oals can be retained as &e! oals to be supported, in relection o enterprise strate! and priorities": !e/ goals #nterprise oals@ #13 ptimisation o business process costs •

IT/related oals@ IT05 2ealised beneits rom IT/enabled investments and services portolio •

A/3" Cont"

•

Aitional goals

IT0% Transparenc! o IT costs, beneits and ris&

#nterprise oals@ #01 Sta&eholder value o business investments #03 ?ortolio o competitive products and services #05 9inancial transparenc! #10 ptimisation o service deliver! costs • • • •

Iss#e Cross+ reference

Comment


$hase A(Determine Scope of the Ass#rance Initiative Ref0

Ass#rance Step

"#iance


Comment

IT0: Commitment o e*ecutive manaement or ma&in IT/ related decisions IT0 anaed IT/related business ris& IT0; Deliver! o IT services in line 'ith business re
• •

•

• •

A/3"5

A+;

Deine the oraniGational boundaries o the assurance initiative" Determine the ena%lers in scope and the instance(s) o the enablers in scope"

A/:"1

Deine the $rocess in scope o the revie'"

A/:"3

Deine the related enablers" 2elated enablers include@ ?rinciples, ?olicies and 9rame'or&s ranisational Structures Culture, #thics and -ehaviour Inormation Services, Inrastructure and Applications ?eoples, S&ills and Competencies • • • • •

•

•

)rganisational Str#ct#res: -ased on the process under revie', the ollo'in ranisational Structures and unctions are considered to be in scope o this assurance enaement, and available resources 'ill determine 'hich ones 'ill be revie'ed in detail@ 5 Chie inancial oicer (C9) Ealue manaement oice Chie inormation oice (CI) Fead IT administration • • • •

C#It#re8 Ethics an Behavio#r: In the conte*t o this process revie', the ollo'in enterprise'ide -ehaviours are in scope@ Q"ist here the most re"e&ant Beha&iour e"ementsR •

3

4

The suested set o enterprise oals can and should var! 'ith enterprise strate! and priorities" Fo'ever, in this eneric proram the ollo'in loic 'as applied@ irst the mappin table bet'een IT processes and IT/related oals (COBIT  na'"ing Processes, appendi* -, p"33;/33$) 'as used" The mappins bet'een the process at hand and the IT oals listed as 4? are retained as &e! IT/related oals" The mappins listed as 4S are retained as additional IT/related oals" e*t, the mappin  table bet'een enterprise oals and IT/related oals C ( OBIT  na'"ing Processes, appendi* -, p"33%) is used" The p reviousl! selected &e! IT/related oals are loo &ed up, and those enterpr ise oals that support hal o r more o the IT/related oals as 4? are retaine d as &e! enterprise oals" The remainin enterprise oals listed as 4? are retained as additional enterprise oals" Again8 after application of the logic escri%e here8 the res#lting set of goals sho#l %e reviewe an tailore if necessar/0 The loic applied here is the ollo'in@ i there are an! ?olicies or 9rame'or&s identiied as inputs or outputs o an! o the process practices o the process under revie', the! 'ill be included



Ass#rance Step

"#iance Information items: -ased on the process under revie', the ollo'in Inormation items are considered to be in scope o this assurance enaement, and available resources 'ill determine 'hich ones 'ill be revie'ed in detail"% A?0%"01@ Asset reister (I) Accountin processes () IT costs classiication scheme () 9inancial plannin practices () • • • •

A?0%"03@ #valuation o investments and services portolios (I) Prioritisation and ran)ing of IT initiati&es 3O Actions to improve value deliver! (I) ?roo/o/concept scope and outline business case (I) Investment return e*pectations (I) -usiness case assessments (I) ?roramme business case (I) -udet allocations () • • • • •

A/:"3 Cont"

• • •

A?0%"0:@ IT 'udget and p"an 3O -udet communications () • •

A?0%"0@ Cateorised IT costs () Cost a""ocation mode" 3O Cost allocation communications () perational procedures () • • • •

A?0%"05@ 9eedbac& on portolio and proramme perormance (I) Cost data collection method () ?roramme beneit realisation plan (I) Cost consolidation method () ?roramme budet and beneits reister (I) 2esults o beneit realisation monitorin (I) Cost optimisation opportunities () • • • • • • •

Services8 Infrastr#ct#re an Applications@ In the conte*t o this process revie', and ta&in into account the oals identiied in A/3", the ollo'in Services and related Inrastructure or Applications could be considered in scope o the revie'@


Comment



Ass#rance Step

"#iance •

Q"ist here the most re"e&ant *er&ices4 Infrastructure and App"ications components in scopeR

$eople8 S1ills an Competencies: In the conte*t o this process revie', ta&in into account &e! processes and &e! roles, the ollo'in S&ill sets are included in scope: Bno'lede o inancial manaement ther re"e&ant S&ill sets re

Comment



$hase B(7nerstan Ena%lers8 Set S#ita%le Assessment Criteria an $erform the Assessment Ref0 B+' -/1"1


Ass#rance Steps an "#iance Agree on metrics an criteria for enterprise goals an IT+relate goals0 Assess enterprise goals an IT+relate goals0 btain (and aree on) metrics or enterprise oals and e*pected values o the metrics and assess 'hether enterprise oals in scope are achieved" >e&erage the "ist of suggested metrics for the enterprise goa"s to define4 discuss and agree on a set of re"e&ant4 customi
•

•

-/1"3

e*ecutive manaement 'ith business processin costs btain (and aree on) metrics or IT/related oals and e*pected values o the metrics and assess 'hether IT/related oals in scope are achieved" The ollo'in metrics and e*pected values are areed on or the &e! IT/related oals deined in Step A/3"" IT+relate "oal 5etric Expecte )#tcome 9Ex Assessment Step IT05 2ealised beneits Agree on the e(pected In this step4 the re"ated metrics for each ?ercent o IT/enabled rom IT/enabled &a"ues for the IT#re"ated goa" wi"" 'e re&iewed and an assessment investments 'here beneit investments and goa" metrics4 i.e.4 the wi"" 'e made whether the defined criteria realisation is monitored throuh services portolio &a"ues against which the are achie&ed. ull economic lie c!cle assessment wi"" ta)e ?ercent o IT services 'here p"ace. e*pected beneits are realised •

•

?ercent o IT/enabled investments 'here claimed beneits are met or e*ceeded IT0% Transparenc! o Agree on the e(pected ?ercent o investment business IT costs, beneits and &a"ues for the IT#re"ated cases 'ith clearl! deined and ris& goa" metrics4 i.e.4 the approved e*pected IT/related &a"ues against which the costs and beneits assessment wi"" ta)e ?ercent o IT services 'ith p"ace. clearl! deined and approved operational costs and e*pected beneits Satisaction surve! o &e! sta&eholders reardin the transparenc!, understandin and accurac! o IT inancial inormation )%tain #nerstaning of the $rocess in scope an se t s#ita%le assessment criteria0 •

•

•

•

In this step4 the re"ated metrics for each goa" wi"" 'e re&iewed and an assessment wi"" 'e made whether the defined criteria are achie&ed.

Comment


$hase B(7nerstan Ena%lers8 Set S#ita%le Assessment Criteria an $erform the Assessment Ref0

-/3"3

Ass#rance Steps an "#iance The purpose o process A$)34 is as per the standard C-IT 5 process statement@ 49oster partnership bet'een IT and enterprise sta&eholders to enable the eective and eicient use o IT/related resources and provide transparenc! and accountabilit! o the cost and business value o solutions and services" #nable the enterprise to ma&e inormed decisions reardin the use o IT solutions and services" >nderstand the $rocess goals and related metrics and deine e*pected values (criteria), and assess 'hether the ?rocess oals (outcomes) are achieved, i"e", assess the eectiveness o the ?rocess" The process A$)34 Manage budget and costs has our standard deined process oals, as described in COBIT  na'"ing Processes, chapter 5, p" ;$" -ased on these oals and their related metrics, the subset o ollo'in oals and associated metrics are deined or this process" $rocess "oal Relate 5etric Criteria,Expecte =al#e Assessment Step A transparent and Agree on the e(pected In this step4 the re"ated metrics for each umber o budet chanes due complete budet or IT &a"ues for the Process goa" wi"" 'e re&iewed and an assessment to omissions and errors accuratel! relects goa" metrics4 i.e.4 the wi"" 'e made whether the defined criteria umbers o deviations bet'een planned e*penditures" &a"ues against which the are achie&ed. e*pected and actual budet assessment wi"" ta)e cateories p"ace. The allocation o IT Agree on the e(pected In this step4 the re"ated metrics for each ?ercent o alinment o IT resources or IT &a"ues for the Process goa" wi"" 'e re&iewed and an assessment resources 'ith hih/priorit! initiatives is prioritised goa" metrics4 i.e.4 the wi"" 'e made whether the defined criteria initiatives based on enterprise &a"ues against which the are achie&ed. umber o resource allocation needs" assessment wi"" ta)e issues escalated p"ace. Costs or services are Agree on the e(pected In this step4 the re"ated metrics for each ?ercent o overall IT costs that allocated in an e
•

•

•

•

•

•

-/3"3 Cont"

•


Comment



Ass#rance Steps an "#iance A?00%"01 anae inance and accountin"

Assess b! appl!in appropriate audit techni
3" :" " 5"

Deine processes, inputs and outputs, and responsibilities in alinment 'ith the enterprise budetin and cost accountin policies and approach to s!stematicall! drive IT budetin and costinP enable air, transparent, repeatable and comparable estimation o IT costs and beneits or input to the portolio o IT/ enabled business prorammesP and ensure that budets and costs are maintained in the IT asset and services portolios" Deine a classiication scheme to identi! all IT/related cost elements, ho' the! are allocated across budets and services, and ho' the! are captured" >se inancial and portolio inormation to provide input to business cases or ne' investments in IT assets and services" Deine ho' to anal!se, report (to 'hom and ho'), and use the budet control and beneit manaement processes" #stablish and maintain practices or inancial plannin, investment manaement and decision ma&in, and the optimisation o recurrin operational costs to deliver ma*imum value to the enterprise or the least e*penditure"

Compare the 2ACI chart as included in the reerence process in COBIT  na'"ing Processes 'ith the actual accountabilit! and responsibilit! or this practice and assess 'hether@ Accountabilit! and responsibilit! are assined and assumed" Accountabilit! and responsibilit! are assined at the appropriate level in the oran isation" Assess b! appl!in appropriate audit techni
A?00%"03 ?rioritise resource allocation"

1"

3"

:"

"

#stablish a decision/ma&in bod! or prioritisin business and IT resources, includin use o e*ternal service providers 'ithin the hih/level budet allocations or IT/enabled prorammes, IT services and IT assets as established b! the strateic and tactical plans" Consider the options or bu!in or developin capitalised assets and services vs" e*ternall! utilised assets and services on a pa!/or/use basis" 2an& all IT initiatives based on business cases and strateic and tactical plans, and establish procedures to determine budet allocations and cut/o" #stablish a procedure to communicate budet decisions and revie' them 'ith the business unit budet holders" Identi!, communicate and resolve siniicant impacts o budet decisions on business cases, portolios and strate! plans (e"", 'hen budets ma! re
Compare the 2ACI chart as included in the reerence process in COBIT  na'"ing Processes 'ith the actual accountabilit! and responsibilit! or this practice and assess 'hether@ Accountabilit! and responsibilit! are assined and assumed" Accountabilit! and responsibilit! are assined at the appropriate level in the oran isation Assess b! appl!in appropriate audit techni
-/3"3 Cont"

A?00%"0: Create and maintain budets"

1"

Implement a ormal IT budet, includin all e*pected IT costs o IT/enabled prorammes, IT services and


Comment



Ass#rance Steps an "#iance Alinment 'ith the business Alinment 'ith the sourcin strate! Authorised sources o undin Internal resource costs, includin personnel, inormation assets and accommodations Third/part! costs, includin outsourcin contracts, consultants and service providers Capital and operational e*penses Cost elements that depend on the 'or&load Document the rationale to 6usti! continencies and revie' them reularl!" Instruct process, service and proramme o'ners, as 'ell as pro6ect and asset manaers, to plan budets" 2evie' the budet plans and ma&e decisions about budet allocations" Compile and ad6ust the budet based on chanin enterprise needs and inancial considerations" 2ecord, maintain and communicate the current IT budet, includin committed e*penditures and current e*penditures, considerin IT pro6ects recorded in the IT/enabled investment portolios and operation and maintenance o asset and service portolios" onitor the eectiveness o the dierent aspects o budetin and use the results to implement improvements to ensure that uture budets are more accurate, reliable and cost/eective" • • • • • • •

:" " 5" %"

;"

Compare the 2ACI chart as included in the reerence process in COBIT  na'"ing Processes 'ith the actual accountabilit! and responsibilit! or this practice and assess 'hether@ Accountabilit! and responsibilit! are assined and assumed" Accountabilit! and responsibilit! are assined at the appropriate level in the oran isation" • •

A?00%"0 odel and allocate costs"

Assess b! appl!in appropriate audit techni
Cateorise all IT costs appropriatel!, includin those relatin to service providers, accordin to the enterprise manaement accountin rame'or&" Inspect service deinition cataloues to identi! services sub6ect to user charebac& and those that are shared services" Deine and aree on a model that@ Supports the calculation o charebac& rates per service Deines ho' IT costs 'ill be calculatedLchared Is dierentiated, 'here and 'hen appropriate Is alined 'ith the IT budet Desin the cost model to be transparent enouh to allo' users to identi! their actual usae and chares, and to better enable predictabilit! o IT costs and eicient and eective utilisation o IT resources" Ater revie' 'ith user departments, obtain approval and communicate the IT costin model inputs and outputs to the manaement o user departments" Communicate chanes in the costLcharebac& model 'ith enterprise process o'ners" • • • •

" 5" %"

Compare the 2ACI chart as included in the reerence process in COBIT  na'"ing Processes 'ith the actual accountabilit! and responsibilit! or this practice and assess 'hether@ Accountabilit! and responsibilit! are assined and assumed" Accountabilit! and responsibilit! are assined at the appropriate level in the oran isation" • •

-/3"3


Comment



Ass#rance Steps an "#iance 1" 3" :"

#nsure proper authorit! and independence bet'een IT budet holders and the individuals 'ho capture, anal!se and report inancial inormation" #stablish time scales or the operation o the cost manaement process in line 'ith budetin and accountin re
– – –

•

"

5"

%" ;" 8" $"

Compare the 2ACI chart as included in the reerence process in COBIT  na'"ing Processes 'ith the actual accountabilit! and responsibilit! or this practice and assess 'hether@ Accountabilit! and responsibilit! are assined and assumed" Accountabilit! and responsibilit! are assined at the appropriate level in the orani sation"

• •

-/3":

Aree on the $rocess wor1 pro#cts (inputs and outputs as deined in the process practices description) that are e*pected to be present (process desin)" Assess the e*tent to 'hich the process 'or& products are available" The ?rocess A$)34 identiies a set o inputs and outputs or the dierent manaement Criteria@ All listed 'or& products should practices" The most relevant o these 'or& products (and those not assessed as Inormation demonstrabl! e*ist and be used" items in scope in section A/:"3) are identiied as ollo's, as 'ell as the criteria aainst 'hich the! 'ill be assessed, i"e", e*istence and usae" $rocess $ractice >or1 $ro#ct? Assessment Step A?0%"01 Asset reister (I) Accountin processes () IT costs classiication scheme () 9inancial plannin practices () •

• •

-/3": Cont"

•

A?0%"03

• •

#valuation o investments and services portolios (I) Actions to improve value deliver! (I)


Comment




Ass#rance Steps an "#iance

•

Investment return e*pectations (I) -usiness case assessments (I) ?roramme business case (I) -udet allocations ()

A?0%"0:

•

-udet communications ()

A?0%"0

•

• • •

• •

A?0%"05

• • • • • •

determine or each 'or& product@ #*istence o the 'or& product Appropriate use o the 'or& product • •

Cateorised IT costs () Cost allocation communications () perational procedures () 9eedbac& on portolio and proramme perormance (I) Cost data collection method () ?roramme beneit realisation plan (I) Cost consolidation method () ?roramme budet and beneits reister (I) 2esults o beneit realisation monitorin (I)

-/3"

Aree on the $rocess capa%ilit/ level to be achieved b! the process" ?rocess A?0% isMiven the strateic prioritiesMimportant, and 'ill renderstand the ?rinciples, ?olicies and 9rame'or&s conte*t" O'tain understanding of the o&era"" s2stem of interna" contro" and the associated Princip"es4 Po"icies and =ramewor)s. -/:"3 >nderstand the sta&eholders o the ?rinciples, ?olicies and 9rame'or&s ?nderstand the sta)eho"ders in the po"icies. The sta)eho"ders for the po"icies inc"ude those setting the po"icies and those who need to 'e in comp"iance with the po"icies. -/:": >nderstand the oals or the ?rinciples, ?olicies and 9rame'or&s, and the related metrics, and aree on e*pected values" Assess 'hether the ?rinciples, ?olicies and 9rame'or&s oals (outcomes) are achieved, i"e", assess the eectiveness o the ?rinciples, ?olicies and 9rame'or&s" "oal Criteria Assessment Step Comprehensiveness The set o policies is comprehensive Eeri! that the set o policies is comprehensive in its coverae" in its coverae" Currenc! The set o policies is up to date" This Eeri! that the set o policies is up to date" This at least re
•

•

•

Comment



Ass#rance Steps an "#iance Availabilit!

?olicies are available to all Eeri! that policies are available to all sta&eholders" sta&eholders" Eeri! that policies are eas! to naviate and have a loical and ?olicies are eas! to naviate and hierarchical structure" have a loical and hierarchical structure" >nderstand the lie c!cle staes o the ?rinciples, ?olicies and 9rame'or&s, and aree on the relevant criteria" Assess to 'hat e*tent the ?rinciples, ?olicies and 9rame'or&s lie c!cle is manaed" The "ife c2c"e of the IT#re"ated po"icies is managed '2 the Process APO0. The re&iew of this "ife c2c"e is therefore e:ui&a"ent to a process re&iew of process APO0 anae the IT manaement rame'or&. >nderstand ood practices r elated to the ?rinciples, ?olicies and 9ram e'or&s and e*pected values" Assess the ?rinciples, ?olicies and 9rame'or&s desin, i"e", assess the e*tent to 'hich e*pected ood practices are applied" The assurance professiona" wi""4 '2 using appropriate auditing techni:ues assess the fo""owing aspects. "oo $ractice Criteria Assessment Step S co pe an d v al id it ! T he sco pe is de scr ib ed an d th e Eeri! that the scope o the rame'or& is described and the validit! validit! date is indicated" date is indicated" #*ception and The e*ception and escalation Eeri! that the e*ception and escalation procedure is described, escalation procedure is e*plained and e*plained and commonl! &no'n" commonl! &no'n" Throuh observation o a representative sample, veri! that the • •

• •

•

-/:"

-/:"5

•

•

The e*ception and escalation e*ception and escalation procedure has not become de facto procedure has not become de standard procedure" -/:"5 facto standard procedure" Cont" Compliance The compliance chec&in mechanism Eeri! that the compliance chec&in mechanism and non/compliance and non/compliance consenderstand the ranisational Structure conte*t" Identif2 and document a"" e"ements that can he"p to understand the conte(t in which the Organisationa" *tructure/ro"e has to operate4 inc"uding The o&era"" organisation Management/process framewor) ,istor2 of the ro"e/structure Contri'ution of the Organisationa" *tructure to achie&ement of goa"s -/"3 >nderstand all sta&eholders o the ranisational StructureLunction" %etermine through documentation re&iew 3po"icies4 management communications4 etc. the )e2 sta)eho"ders of the ro"e4 i.e. Incum'ent of the ro"e and/or mem'ers of the Organisationa" *tructure Other )e2 sta)eho"ders affected '2 the decisions of the Organisationa" *tructure/ro"e -/": >nderstand the oals o the ranisational Structure, the related metrics and aree on e*pected values" >nderstand ho' these oals contribute to the achievement o the enterprise oals and IT/related oals" )rganisational Str#ct#re "oal Assessment Step Determine throuh intervie's 'ith &e! sta&eholders and This step onl! applies i speciic oals are deined" In that case, the documentation revie' the oals o the ranisational Structures, assurance proessional 'ill use appropriate auditin techni
• • • •

• •


Comment



Ass#rance Steps an "#iance ma&in decisionsMare alread! described b! some o the process communicated" practices andLor process activities in COBIT  na'"ing #valuate the decisions b!, assessin 'hether@ Processes" Thereore, the! 'ill be part o the process revie' and The! have contributed to the achievement o the IT/related should not be repeated here" nl! 'hen ver! speciic decisions and enterprise oals as anticipated" 'ould be renderstand the lie c!cle and aree on e*pected values" Assess the e*tent to 'hich the )rganisational Str#ct#re life c/cle is manaed" ife C/cle Element Criteria Assessment Steps andate The ranisational Structure is Eeri! throuh intervie's and observations that the ormall! established" ranisational Structure is ormall! established" •

-/"

•

•

•

•

•

•

-/" Cont"

-/"5

•

•

•

•

•

•

•

•

•

•

•

•

•

The ranisational Structure has a clear, documented and 'ell/

•

Eeri! throuh intervie's and observations that the ranisational Structure has a clear, documented and 'ell/


Comment





understood mandate" understood mandate" The perormance o the Eeri! 'hether the perormance o the ranisational Structure ranisational Structure and its and its members is reularl! monitored and evaluated b! members should be reularl! competent and independent assessors" monitored and evaluated b! Eeri! 'hether the reular evaluations have resulted in competent and independent improvements to the ranisational Structure, in its composition, assessors" mandate or an! other parameter" The reular evaluations should result in the renderstand the Culture, #thics and -ehaviour conte*t" ?nderstand the conte(t of the Cu"ture/thics/Beha&iour4 i.e. hat the o&era"" corporate Cu"ture is "i)e ?nderstand the interconnection with other ena'"ers in scope Identif2 ro"es and structures that cou"d 'e affected '2 the Cu"ture. Identif2 processes that cou"d 'e affected '2 Cu"ture4 thics and Beha&iour4 inc"uding an2 p rocesses in scope of the re&ie w. -/5"3 >nderstand the ma6or sta&eholders o the Culture, #thics and -ehaviour" ?nderstand to whom the 'eha&iour re:uirements wi"" app"24 i.e.4 understand who em'odies the ro"es/structures e(pected to demonstrate the correct set of Beha&iours. This is usua""2 "in)ed to the ro"es and Organisationa" *tructures identified in scope. -/5": >nderstand the oals or the Culture, #thics and -ehaviour, and the related metrics and aree on e*pected values" Assess 'hether the C#lt#re8 Ethics an Behavio#r goals (outcomes) are achieved, i"e", assess the eectiveness o the Culture, #thics and -ehaviour" Deine 'hat constitutes desired and undesirable -ehaviours and Culture and especiall! -ehaviours are associated to individuals and 'h! the! are so classiied, i"e", relate -ehaviours to the the ranisational Structures o 'hich the! are a part, thereore, b! oranisational ethics and values b! 'hich the enterprise 'ants to usin appropriate auditin techni
•

•

•

•

• •

•

• • •

Desire Behavio#r 9C#lt#re8 Ethics an Behavio#r "oal

-/5"

-/5"5

Assessment Step

>nderstand the lie c!cle staes o the Culture, #thics and -ehaviour, and aree on the relevant criteria" Assess the e*tent to 'hich the Culture, #thics and -ehaviour lie c!cle is manaed" (This aspect is alread! covered b! the assessment o the ood practices, so no additional assurance steps are deined here") >nderstand ood practice 'hen dealin 'ith Culture, #thics and -ehaviour, and aree on relevant criteria"

Comment



Ass#rance Steps an "#iance enorcement and rules Incentives and re'ards A'areness

communication #*istence and application o appropriate re'ards and incentives A'areness o desired -ehaviours

practice is ade

Comment





B+4

)%tain #nerstaning of the Information items in scope0 Assess Information items0 2epeat steps -/%"1 throuh -/%"5 or each Inormation item deined in scope in A/:"3" -/%"1 >nderstand the Inormation item conte*t@ here and when is it used =or what purpose is it used ?nderstand the connection with other ena'"ers in scope4 e.g. ?sed '2 which processes hich Organisationa" *tructures are in&o"&ed 3see a"so B#8.7 hich ser&ices/app"ications are in&o"&ed -/%"3 >nderstand the ma6or sta&eholders o the Inormation item" ?nderstand the sta)eho"ders for the Information item4 i.e.4 identif2 the Information producer Information custodian Information consumer *ta)eho"ders shou"d 'e at the appropriate organisationa" "e&e". -/%": >nderstand the ma6or
• • •

ar& the nderstandabilit! anipulation

Assessment Step

Comment


$hase B(7nerstan Ena%lers8 Set S#ita%le Assessment Criteria an $erform the Assessment Ref0 -/%": Cont" -/%"


Ass#rance Steps an "#iance Availabilit! 2estricted access >nderstand the lie c!cle staes o the Inormation item, and aree on the relevant criteria" Assess to 'hat e*tent the Information item life c/cle is manaed" The lie c!cle o an! Inormation item is manaed throuh several business and IT/related processes" The scope o this revie' alread! includes a revie' o (IT/related) processes so this aspect does not need to be duplicated here" When the Inormation item is interna l to IT, the process revie' 'ill have covered the lie c!cle aspects suicientl!" When the Inormation item also involves other sta&eholders outside IT or other non/IT processes, some o the lie c!cle aspects need to be assessed" • •

-/%"5

ar& the lie c!cle staes 'ith a 4  that are deemed most important (&e! criteria), and b! conseseLoperate #valuateLmonitor >pdateLdispose >nderstand important attributes o the Inormation item and e*pected values" Assess the Information item esign, i"e", assess the e*tent to 'hich e*pected goo practices are applied" ood practices or Inormation items are deined as a series o attributes or the Inormation item1:" The assurance proessional 'ill, b! usin appropriate audit techni
!e/ Criteria

Description

Assessment Step

Comment





Comment

B+<

)%tain #nerstaning of the Services8 Infrastr#ct#re an Applications in scope0 Assess the Services8 Infrastr#ct#re an Applications0 2epeat steps -/;"1 throuh -/;"5 or each Service, Inrastructure and Applications element in scope" -/;"1 >nderstand the Servic es, Inrastructure and Applications conte*t" ?nderstand the organisationa" and techno"ogica" conte(t of this ser&ice. $efer to step A#7.7 and A#7.9 and re#use that information to understand the significance of this *er&ice4 Infrastructure and App"ication. -/;"3 >nderstand the ma6or sta&eholders o the Servic es, Inrastructure and Applications" ?nderstand who wi"" 'e the maor sta)eho"ders of the ser&ice4 i.e.4 the sponsor4 pro&ider and users. *ta)eho"ders wi"" inc"ude a num'er of organisationa" ro"es 'ut cou"d a"so "in) to Processes. -/;": >nderstand the ma6or oals or the Services, Inrastructure and Applications, the related metrics and aree on e*pected values" Assess 'hether the Services, Inrastructure and Applications oals (outcomes) are achieved, i"e", assess the eectiveness o the Services, Inrastructure and Applications" "oal Criteria Assessment Step Service description The Service is clearl! described" Eeri! that the Service e*ists and is clearl! described" The Service is available to all Assess the nderstand the lie c!cle staes o the Services, Inrastructure and Applications, and aree on the relevant criteria" Assess the e*tent to 'hich the Services8 Infrastr#ct#re an Applications life c/cle is manaed"1 -/;"5 >nderstand ood practice related to the Services, Inrastructure and Applications and e*pected values" Assess the Services8 Infrastr#ct#re an Applications esign, i"e", assess to 'hat e*tent e*pected ood practices are applied" >e&erage the description of *er&ices4 Infrastructure and App"ications in the COBIT  framewor)  to identif2 good practices re"ated to *er&ices4 Infrastructure And App"ications. In genera" the fo""owing practices need to 'e imp"emented Bu2/'ui"d decision needs to 'e ta)en. ?se of the *er&ice needs to ' e c"ear. "oo $ractice Criteria Assessment Step Sourcin (bu!Lbuild) A ormal decisionMbased on a business Eeri! that a ormal decisionMbased on a business caseM'as ta&en caseMneeds to be ta&en reardin the reardin the sourcin o the Service" sourcin o the Service" Eeri! the validit! and se The use o the Service needs to be Eeri! that the use o the Service is clear, i"e", it is &no'n 'hen and b! clear@ 'hom the service needs to be used" •

•

•

•

• •

• • •

•

• •

•

• • •

14

The lie c!cle o a service 'ill be overned and manaed b! numerous o the C-IT 5 processes" As a conse
7 ISACA 301

All rihts reserved"

35


$hase B(7nerstan Ena%lers8 Set S#ita%le Assessment Criteria an $erform the Assessment Ref0 •

-/;"5 Cont"

15



•

When it needs to be used and b! 'hom The re
• • •

Eeri! that actual use is in line 'ith re
C-IT 5 rame'or&, appendi* , p"85/8%

7 ISACA 301


3%

Comment





B+?

)%tain #nerstaning of the $eople8 S1ills an Competencies in scope0 Assess $eople8 S1ills an Competencies0 2epeat steps -/8"1 throuh -/8"5 or each ?eople, S&ill and Competenc! aspect in scope" -/8"1 >nderstand the ?eople, S&ills and Competencies conte*t" ?nderstand the conte(t of the *)i""/Competenc24 i.e. here and when is it used =or what purpose is it used ?nderstand the connection with other ena'"ers in scope4 e.g. In which ro"es and structures is the *)i""/Competenc2 used 3*ee a"so B#8.. hich 'eha&iours are associated with the *)i""/Competenc2 -/8"3 >nderstand the ma6or sta&eholders or ?eople, S&ill s and Competencies" Identif2 to whom in the organisation the s)i"" re:uirement app"ies. -/8": >nderstand the ma6or oals or the ?eople, S&ills and Competencies, the related metrics and aree on e*pected values" Assess 'hether the $eople8 S1ills an Competencies goals (outcomes) are achieved, i"e", assess the eectiveness o the ?eople, S&ills and Competencies" • • •

-/8"

9or the ?eople, S&ills and Competencies at hand, the ollo'in oals and associated criteria can be addressed" "oal Criteria Assessment Step #*perience Appl! appropriate auditin techninderstand the lie c!cle staes o the ?eople, S&ills and Competencies, and aree on the relevant criteria" Assess to 'hat e*tent the ?eople, S&ills and Competencies lie c!cle is manaed" 9or the ?eople, S&ills and Competencies at hand, the lie c!cle phases and associated criteria can 9or the ?eople, S&ills and Competencies at be e*pressed in unction o the process A?0;" hand the assurance proessional 'ill perorm the ollo'in assessment steps" ife C/cle Element Criteria Assessment Step ?lan ?ractice A?0;"0:, activit! 1 (Deine the re
7 ISACA 301


3;

Comment



-/8" Cont"

-/8"5


Ass#rance Steps an "#iance ?ractice A?0;"0: activit! : (?rovide access to &no'lede repositories Assess 'hether practice A?0;"0: activit! to support the development o s&ills and competencies") is implemented : is implemented in relation to this s&ill" in relation to this s&ill" -uild ?ractice A?0;"0: activit!  (Identi! aps bet'een repdateLdispose ?ractice A?0;"0: activit! ; (2evie' trainin materials and Assess 'hether practice A?0;"0: activit! prorammes on a reular basis to ensure adenderstand ood practice related to the $eople8 S1ills an Competencies and e*pected values" Assess the $eople8 S1ills an Competencies desin, i"e", assess to 'hat e*tent e*pected goo practices are applied" "oo $ractice Assessment Step S&ill set and Competencies are deined" Determine that an inventor! o S&ills and Competencies is maintained b! oranisational unit, 6ob unction and individual" #valuate the relevance and the contribution o the S&ills and Competencies to the achievement o the oals o the ranisational Structure, and b! conse
•

•

•

•

7 ISACA 301


38

Comment


$hase C(Comm#nicate the Res#lts of the Assessment Ref0 C+' C/1"1 C/1"3

Ass#rance Step Doc#ment exceptions an gaps0 >nderstand and document 'ea&nesses and their impact on the achievement o process oals" >nderstand and document 'ea&nesses and their impact on enterprise oals"

"#iance • • •

•

• •

C+6 C/3"1

Comm#nicate the wor1 performe an finings0 Communicate the 'or& perormed"

C/3"3

Communicate preliminar! indins to the assurance enaement sta&eholders deined in A/1"

• • •

• • • •

C/3":

Illustrate the impact o enabler ailures or 'ea&nesses 'ith numbers and scenarios o errors, ineiciencies and misuse" Clari! vulnerabilities, threats and missed opportunities that are li&el! to occur i enablers do not perorm eectivel!" Illustrate 'hat the 'ea&nesses 'ould aect (e"", business oals and ob6ectives, enterprise architecture elements, capabilities, resources)" 2elate the impact o not achievin the enabler oals to actual cases in the same industr! and leverae industr! benchmar&s" Document the impact o actual enabler 'ea&nesses in terms o bottom/line impact, interit! o inancial reportin, hours lost in sta time, loss o sales, abilit! to manae and react to the mar&et, customer and shareholder rese benchmar&in and surve! results to compare the enterprises perormance 'ith others" >se e*tensive raphics to illustrate the issues" Inorm the person responsible or the assurance activit! about the preliminar! indins and veri! hisLher correct understandin o those indins"

Deli ver a report (alined 'ith the terms o reerence, scope and areed/ on reportin standards) that supports the results o the initiative and enables a clear ocus on &e! issues and important actions"

7 ISACA 301


3$

WAPO06 Manage Budget and Costs Audit Assurance Program Icq Eng 0814

Recommend Documents