wapo06 manage budget and costs audit assurance program icq eng 0814

Upload: mlce26

Post on 02-Jun-2018


    APO06 Manage Budget and Costs Audit/Assurance Program

    ISACA
    With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

    Disclaimer
    ISACA has designed and created APO06 Manage Budget and Costs Audit/Assurance Program (the "Work") primarily as an educational resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

    Reservation of Rights
    © 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.

    ISACA 3701 Algon


    ISACA wishes to recognize:

    Development Team
    Stefanie Grijp, PwC, Belgium
    Bart Peeters, CISA, PwC, Belgium
    Dirk Steuperaert, CISA, CGEIT, CRISC, IT In Balance BVBA, Belgium
    Sven Van Hoorebeeck, PwC, Belgium

    Expert Reviewers
    Steven De Haes, University of Antwerp - Antwerp Management School, Belgium
    John E. Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, USA
    Joanna Karczewska, CISA, Poland
    Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina
    Abdul Rafe

    SA, International President
    Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
    Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
    Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
    Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
    Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
    Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
    Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
    Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
    Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
    Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
    Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

    Knowledge Board
    Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman


    Table of Contents

    Introduction
    Assurance Engagement Approach Based on COBIT 5
    Generic Audit/Assurance Program
    Customization of the Audit/Assurance Program
    About the Example Audit/Assurance Program: APO06
    Assurance Engagement: Manage Budget and Costs
      Assurance Topic
      Goal of the Review
      Scoping
    COBIT 5-based Assurance Engagement Approach
      Phase A - Determine Scope of the Assurance Initiative
      Phase B - Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
      Phase C - Communicate the Results of the Assessments


    Introduction

    This document contains an example audit/assurance program for a COBIT 5 process, based on the generic structure developed in section 2B of COBIT 5 for Assurance.¹

    Figure 1 - Generic COBIT 5-based Assurance Engagement Approach


    Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can also be classified under the Information enabler heading and covered in detail there.

    Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage human resources.

    In practice, assurance professionals will have to use their own professional judgment when developing their own customized audit/assurance programs, to avoid duplication of work.

    In addition, while audit/assurance programs will be available for each process, in practice, a group of processes are often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to be selected for conducting assurance.

    Generic Audit/Assurance Program

    The assurance approach depicted in figure 1 is described in more detail and developed into a generic audit/assurance program - including guidance on how to proceed during each step - in section 2B of COBIT 5 for Assurance. This audit/assurance program is:

    • Fully aligned with COBIT 5:
      - It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.
      - It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.
    • Comprehensive yet flexible. The generic program is comprehensive because it contains assurance steps covering all enablers in


    Phase A - Determine Scope of the Assurance Initiative

    Ref. | Assurance Step | Guidance | Issue Cross-reference | Comment

    A-1 Determine the stakeholders of the assurance initiative and their stake.

    A-1.1 Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the assurance objective.
      Intended user(s) of the assurance report: Describe the users of the assurance report and their stakes.

    A-1.2 Identify the interested parties, accountable and responsible for the subject matter over which assurance needs to be provided.
      Accountable and responsible parties for the subject matter: Describe the accountable and responsible parties for the subject matter over which assurance is to be provided. COBIT includes a summary description of a comprehensive set of roles that can be used as starting point for this audit step (COBIT framework, appendix 6, p.56). COBIT 5 for Assurance also provides a summary description of a comprehensive set of assurance roles, see section 7A, chapter 8, p.95.

    A-2 Determine the assurance objectives based on assessment of the internal and external environment/context and of the relevant risk and related opportunities (i.e., not achieving the enterprise goals).

      Assurance objectives are essentially a more detailed and tangible expression of those enterprise objectives relevant to the subject of the assurance engagement.

      Enterprise objectives can be formulated in terms of the generic enterprise goals (COBIT 5 framework) or they can be expressed more specifically.

      Objectives of the assurance engagement can be expressed using the COBIT 5 enterprise goals, the IT-related goals (which relate more to technology), information goals or any other set of specific goals.

    A-2.1 Understand the enterprise strategy and priorities.
      Inquire with executive management or through available documentation (corporate strategy, annual report) about the enterprise strategy and priorities for the coming period, and document them to the extent the process under review is relevant.

    A-2.2 Understand the internal context of the enterprise.
      Identify all internal environmental factors that could influence the performance of the process under review.

    A-2.3 Understand the external context of the enterprise.
      Identify all external environmental factors that could influence the performance of the process under review.

    A-2.4 Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for the assurance engagement.

      The following goals can be retained as key goals to be supported, in reflection of enterprise strategy and priorities.³

      Key goals
      Enterprise goals:
        EG12 Optimisation of business process costs
      IT-related goals:
        ITG05 Realised benefits from IT-enabled investments and services portfolio
        ITG06 Transparency of IT costs, benefits and risk

      Additional goals
      Enterprise goals:
        EG01 Stakeholder value of business investments
        EG02 Portfolio of competitive products and services
        EG05 Financial transparency
        EG10 Optimisation of service delivery costs
      IT-related goals:
        ITG01 Alignment of IT and business strategy


        ITG03 Commitment of executive management for making IT-related decisions
        ITG04 Managed IT-related business risk
        ITG07 Delivery of IT services in line with business

    re


    A-3.2 Cont.

    Information items: Based on the process under review, the following Information items are considered to be in scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail.⁶

    APO06.01:
      Asset register (I)
      Accounting processes (O)
      IT costs classification scheme (O)
      Financial planning practices (O)

    APO06.02:
      Evaluation of investments and services portfolios (I)
      Prioritisation and ranking of IT initiatives (O)
      Actions to improve value delivery (I)
      Proof-of-concept scope and outline business case (I)
      Investment return expectations (I)
      Business case assessments (I)
      Programme business case (I)
      Budget allocations (O)

    APO06.03:
      IT budget and plan (O)
      Budget communications (O)

    APO06.04:
      Categorised IT costs (O)
      Cost allocation model (O)
      Cost allocation communications (O)
      Operational procedures (O)

    APO06.05:
      Feedback on portfolio and programme performance (I)
      Cost data collection method (O)
      Programme benefit realisation plan (I)
      Cost consolidation method (O)
      Programme budget and benefits register (I)
      Results of benefit realisation monitoring (I)
      Cost optimisation opportunities (O)

    Services, Infrastructure and Applications: In the context of this process review, and taking into account the goals identified in A-2.4, the following Services and related Infrastructure or Applications could be considered in scope of the review:

    6 Leverage the inputs and outputs (also referred to as work products) described for each process practice in COBIT 5: Enabling Processes to identify the most relevant or important information

    it " All i t d t t li t d h 'ith th ' & d t ' itt i it "i t t b d lt 'ith (i d t il) t th I ti bl "


    [List here the most relevant Services, Infrastructure and Applications components in scope]

    People, Skills and Competencies: In the context of this process review, taking into account key processes and key roles, the following Skill sets are included in scope:
      Knowledge of financial management
      Other relevant Skill sets re


    Phase B - Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment

    Ref. | Assurance Steps and Guidance | Issue Cross-reference | Comment

    B-1 Agree on metrics and criteria for enterprise goals and IT-related goals. Assess enterprise goals and IT-related goals.

    B-1.1 Obtain (and agree on) metrics for enterprise goals and expected values of the metrics and assess whether enterprise goals in scope are achieved.
      Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customi

    nderstand the Process purpose.


    The purpose of process APO06 is as per the standard COBIT 5 process statement: "Foster partnership between IT and enterprise stakeholders to enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of IT solutions and services."

    B-2.2 Understand the Process goals and related metrics and define expected values (criteria), and assess whether the Process goals (outcomes) are achieved, i.e., assess the effectiveness of the Process.
      The process APO06 Manage budget and costs has four standard defined process goals, as described in COBIT 5: Enabling Processes, chapter 5, p. 79. Based on these goals and their related metrics, the subset of following goals and associated metrics are defined for this process.

    Process Goal | Related Metric | Criteria/Expected Value | Assessment Step

    Process Goal: A transparent and complete budget for IT accurately reflects planned expenditures.
      Related Metric: Number of budget changes due to omissions and errors
      Related Metric: Numbers of deviations between expected and actual budget categories
      Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
      Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

    Process Goal: The allocation of IT resources for IT initiatives is prioritised based on enterprise needs.
      Related Metric: Percent of alignment of IT resources with high-priority initiatives
      Related Metric: Number of resource allocation issues escalated
      Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
      Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

    Process Goal: Costs for services are allocated in an e


    B-2.2 Cont.

    APO06.01 Manage finance and accounting.

    Assess by applying appropriate audit techni

    se financial and portfolio information to provide input to business cases for new investments in IT assets and services.

    4. Define how to analyse, report (to whom and how), and use the budget control and benefit management processes.

    5. Establish and maintain practices for financial planning, investment management and decision making, and the optimisation of recurring operational costs to deliver maximum value to the enterprise for the least expenditure.

    Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
      - Accountability and responsibility are assigned and assumed.
      - Accountability and responsibility are assigned at the appropriate level in the organisation.

    APO06.02 Prioritise resource allocation.

    Assess by applying appropriate audit techni


    B-2.2 Cont.

      - Alignment with the business
      - Alignment with the sourcing strategy
      - Authorised sources of funding
      - Internal resource costs, including personnel, information assets and accommodations
      - Third-party costs, including outsourcing contracts, consultants and service providers
      - Capital and operational expenses
      - Cost elements that depend on the workload

    3. Document the rationale to justify contingencies and review them regularly.

    4. Instruct process, service and programme owners, as well as project and asset managers, to plan budgets.

    5. Review the budget plans and make decisions about budget allocations. Compile and adjust the budget based on changing enterprise needs and financial considerations.

    6. Record, maintain and communicate the current IT budget, including committed expenditures and current expenditures, considering IT projects recorded in the IT-enabled investment portfolios and operation and maintenance of asset and service portfolios.

    7. Monitor the effectiveness of the different aspects of budgeting and use the results to implement improvements to ensure that future budgets are more accurate, reliable and cost-effective.

    Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
      - Accountability and responsibility are assigned and assumed.
      - Accountability and responsibility are assigned at the appropriate level in the organisation.

    APO06.04 Model and allocate costs.

    Assess by applying appropriate audit techni


    1. Ensure proper authority and independence between IT budget holders and the individuals who capture, analyse and report financial information.

    2. Establish time scales for the operation of the cost management process in line with budgeting and accounting re


      Investment return expectations (I)
      Business case assessments (I)
      Programme business case (I)
      Budget allocations (O)

    determine for each work product:
      - Existence of the work product
      - Appropriate use of the work product

    APO06.03
      Budget communications (O)

    APO06.04
      Categorised IT costs (O)
      Cost allocation communications (O)
      Operational procedures (O)

    APO06.05
      Feedback on portfolio and programme performance (I)
      Cost data collection method (O)
      Programme benefit realisation plan (I)
      Cost consolidation method (O)
      Programme budget and benefits register (I)
      Results of benefit realisation monitoring (I)

    B-2.4 Agree on the Process capability level to be achieved by the process.
      Process APO06 is - given the strategic priorities - important, and will re


    Availability
      Criteria: Policies are available to all stakeholders. Policies are easy to navigate and have a logical and hierarchical structure.
      Assessment Step: Verify that policies are available to all stakeholders. Verify that policies are easy to navigate and have a logical and hierarchical structure.

    B-3.4 Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the Principles, Policies and Frameworks life cycle is managed.
      The life cycle of the IT-related policies is managed by the Process APO01. The review of this life cycle is therefore equivalent to a process review of process APO01 Manage the IT management framework.

    B-3.5 Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied.
      The assurance professional will, by using appropriate auditing techniques assess the following aspects.

    Good Practice | Criteria | Assessment Step

    Scope and validity
      Criteria: The scope is described and the validity date is indicated.
      Assessment Step: Verify that the scope of the framework is described and the validity date is indicated.

    Exception and escalation
      Criteria: The exception and escalation procedure is explained and commonly known. The exception and escalation procedure has not become de facto standard procedure.
      Assessment Step: Verify that the exception and escalation procedure is described, explained and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.

    Compliance
      Criteria: The compliance checking mechanism and non-compliance conse

    nderstand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these goals contribute to the achievement of the enterprise goals and IT-related goals.

    Organisational Structure Goal | Assessment Step

    Organisational Structure Goal: Determine through interviews with key stakeholders and documentation review the goals of the Organisational Structures, i.e., the decisions for which they are accountable.¹⁰,¹¹

    Note: Very often, the goals of an Organisational Structure -

    Assessment Step: This step only applies if specific goals are defined. In that case, the assurance professional will use appropriate auditing techni


    making decisions - are already described by some of the process practices and/or process activities in COBIT 5: Enabling Processes. Therefore, they will be part of the process review and should not be repeated here. Only when very specific decisions would be re


    understood mandate. | understood mandate.

    Monitoring
      Criteria: The performance of the Organisational Structure and its members should be regularly monitored and evaluated by competent and independent assessors. The regular evaluations should result in the re

    nderstand the major stakeholders of the Culture, Ethics and Behaviour.
      Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to demonstrate the correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.

    B-5.3 Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree on expected values. Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture, Ethics and Behaviour.

      Define what constitutes desired and undesirable Behaviours and why they are so classified, i.e., relate Behaviours to the organisational ethics and values by which the enterprise wants to live in support of enterprise goals.

      Culture and especially Behaviours are associated to individuals and the Organisational Structures of which they are a part, therefore, by using appropriate auditing techni


    enforcement and rules communication practice is ade


    B-6 Obtain understanding of the Information items in scope. Assess Information items.

    Repeat steps B-6.1 through B-6.5 for each Information item defined in scope in A-3.2.

    B-6.1 Understand the Information item context:
      - Where and when is it used?
      - For what purpose is it used?
      - Understand the connection with other enablers in scope, e.g.:
        - Used by which processes?
        - Which Organisational Structures are involved (see also B#8.7
        - Which services/applications are involved?

    B-6.2 Understand the major stakeholders of the Information item.
      Understand the stakeholders for the Information item, i.e., identify the:
      - Information producer
      - Information custodian
      - Information consumer
      Stakeholders should be at the appropriate organisational level.

    B-6.3 Understand the major


    B-6.3 Cont.

    Availability
    Restricted access

    B-6.4 Understand the life cycle stages of the Information item, and agree on the relevant criteria. Assess to what extent the Information item life cycle is managed.

    The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review already includes a review of (IT-related) processes so this aspect does not need to be duplicated here. When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently. When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be assessed.

    Mark the life cycle stages with a " that are deemed most important (key criteria), and by conse


    B+< )%tain #n erstan ing of the Services8 Infrastr#ct#re an Applications in scope0Assess the Services8 Infrastr#ct#re an Applications0

    2epeat steps -/;"1 throu h -/;"5 or each Service, In rastructure and Applications element in scope"-/;"1 >nderstand the Services, In rastructure and Applications conte*t"

    ?nderstand the organisationa" and techno"ogica" conte(t of this ser&ice. $efer to step A#7.7 and A#7.9 and re#use that information to understandthe significance of this *er&ice4 Infrastructure and App"ication.

    -/;"3 >nderstand the ma6or sta&eholders o the Services, In rastructure and Applications"?nderstand who wi"" 'e the ma or sta)eho"ders of the ser&ice4 i.e.4 the sponsor4 pro&ider and users. *ta)eho"ders wi"" inc"ude a num'er oforganisationa" ro"es 'ut cou"d a"so "in) to Processes.

    -/;": >nderstand the ma6or oals or the Services, In rastructure and Applications, the related metrics and a ree on e*pected values" Assess 'hether the Services, In rastructure and Applications oals (outcomes) are achieved, i"e", assess the e ectiveness o the Services,In rastructure and Applications"

    "oal Criteria Assessment StepService description The Service is clearl! described"

    The Service is available to allpotential sta&eholders

    Eeri ! that the Service e*ists and is clearl! described" Assess the nderstand the li e c!cle sta es o the Services, In rastructure and Applications, and a ree on the relevant criteria" Assess the e*tent to 'hich the Services8 Infrastr#ct#re an Applications life c/cle is mana ed" 1

    B-7.5 Understand good practice related to the Services, Infrastructure and Applications and expected values. Assess the Services, Infrastructure and Applications design, i.e., assess to what extent expected good practices are applied.

    Leverage the description of Services, Infrastructure and Applications in the COBIT framework to identify good practices related to Services, Infrastructure And Applications. In general the following practices need to be implemented: Buy/build decision needs to be taken. Use of the Service needs to be clear.

    Good Practice | Criteria | Assessment Step

    Sourcing (buy/build) | A formal decision, based on a business case, needs to be taken regarding the sourcing of the Service. | Verify that a formal decision, based on a business case, was taken regarding the sourcing of the Service. Verify the validity and se

    The use of the Service needs to be clear: | Verify that the use of the Service is clear, i.e., it is known when and by whom the service needs to be used.

    14 The life cycle of a service will be governed and managed by numerous of the COBIT 5 processes. As a conse


    B-7.5 Cont.

    When it needs to be used and by whom

    The re


    B-8 Obtain understanding of the People, Skills and Competencies in scope. Assess People, Skills and Competencies.

    Repeat steps B-8.1 through B-8.5 for each People, Skill and Competency aspect in scope.

    B-8.1 Understand the People, Skills and Competencies context.

    Understand the context of the Skill/Competency, i.e., where and when is it used? For what purpose is it used? Understand the connection with other enablers in scope, e.g.:

    In which roles and structures is the Skill/Competency used? (See also B-8.) Which behaviours are associated with the Skill/Competency?

    B-8.2 Understand the major stakeholders for People, Skills and Competencies.

    Identify to whom in the organisation the skill requirement applies.

    B-8.3 Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values. Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.

    For the People, Skills and Competencies at hand, the following goals and associated criteria can be addressed.

    Goal | Criteria | Assessment Step

    Experience | Apply appropriate auditing techni


    B-8. Cont.

    Practice APO07.03 activity 3 (Provide access to knowledge repositories to support the development of skills and competencies.) is implemented in relation to this skill.

    Assess whether practice APO07.03 activity 3 is implemented in relation to this skill.

    Build Practice APO07.03 activity (Identify gaps between re


    Phase C - Communicate the Results of the Assessment

    Ref. | Assurance Step | Guidance

    C-1 Document exceptions and gaps.

    C-1.1 Understand and document weaknesses and their impact on the achievement of process goals. | Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors, inefficiencies and misuse. Clarify vulnerabilities, threats and missed opportunities that are likely to occur if enablers do not perform effectively.

    C-1.2 Understand and document weaknesses and their impact on enterprise goals. | Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources). Relate the impact of not achieving the enabler goals to actual cases in the same industry and leverage industry benchmarks.

    Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder re

    Use extensive graphics to illustrate the issues. Inform the person responsible for the assurance activity about the preliminary findings and verify his/her correct understanding of those findings.

    C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.

    © ISACA 201 All rights reserved.