for IT Audit and Assurance
COBIT is a registered trademark of the Information Systems Audit and Control Association
Disclaimer:
1. This presentation has been prepared from ISACA reference material and APMG vanilla material for ATOs. All copyrights for the material are reserved by APMG.
2. This material has been prepared purely for this workshop and only for knowledge transfer purposes, not for any commercial or training purpose.
3. COBIT 5 is a registered trademark of the Information Systems Audit and Control Association.
Introduction to COBIT 5
[Figure: evolution of scope, from Audit, through Control, Management and IT Governance, to Governance of Enterprise IT, with Val IT 2.0 (2008) and Risk IT (2009) shown alongside]
Simplified
COBIT 5 directly addresses the needs of the viewer from different perspectives. Development continues with specific practitioner guides.
COBIT 5 is initially in 3 volumes:
1. The Framework - free download
2. Process Reference Guide - free to members
3. Implementation Guide - free to members
COBIT 5 is based on 5 principles and 7 enablers.
Primary Transition
COBIT 5 builds on previous versions of COBIT (and on Val IT and Risk IT), so enterprises can also build on what they have developed using earlier versions.
COBIT 5 clarifies management-level processes and integrates COBIT 4.1, Val IT and Risk IT content into one process reference model.
[Figure: the COBIT 4.1 cube. Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT Resources: Applications, Information, Infrastructure, People. Processes: Domains, Processes, Activities.]
[Figure: how existing structures carry into COBIT 5. COBIT 4.1: IT Processes, Control Objectives, Control Practices, Activities. Val IT & Risk IT: Processes, Practices in Risk IT & Val IT, Activities. COBIT 5: Processes, Governance & Management Practices, Activities.]
2013 Protiviti Member Firm (Middle East Region)
31
CONFIDENTIAL: This document is for internal use only and may not be copied nor distributed.
What is a Process Assessment?
ISO/IEC 15504-4 identifies process assessment as an activity that can be performed either as part of a process improvement initiative or as part of a capability determination approach.
The purpose of process improvement is to continually improve the enterprise's effectiveness and efficiency.
The purpose of process capability determination is to identify the strengths, weaknesses and risks of selected processes.
The COBIT PAM adapts the existing COBIT 4.1 content into an ISO 15504 compliant process assessment model.
But don't we already have maturity models for COBIT 4.1 processes?
The new COBIT assessment programme is:
A robust assessment process based on ISO 15504
An alignment of COBIT's maturity model scale with the international standard
A new capability-based assessment model which includes:
Specific process requirements derived from COBIT 4.1
Ability to achieve process attributes based on ISO 15504
Evidence requirements
Assessor qualifications and experiential requirements
This results in a more robust, objective and repeatable assessment.
Assessment results will likely vary from existing COBIT maturity models!
Differences to the COBIT Maturity Model
The COBIT 4.1 PAM uses a measurement framework that is similar in terminology to the existing maturity models in COBIT 4.1.
While the words are similar, the scales are NOT the same:
The COBIT PAM uses the capability scale from ISO/IEC 15504, whereas the existing COBIT maturity models use a scale derived from the SEI CMM.
A PAM level 3 is NOT the same as a CMM level 3.
Assessments done under the PAM are likely to result in lower scores.
PAM assessments are based on more fully defined and defensible attributes.
COBIT 4.1 Process Maturity Level | ISO/IEC 15504 Process Capability Level | Process Attribute
5 Optimised                      | 5 Optimizing                           | PA 5.1 Process innovation; PA 5.2 Process optimization
4 Managed and measurable         | 4 Predictable                          | PA 4.1 Process measurement; PA 4.2 Process control
3 Defined                        | 3 Established                          | PA 3.1 Process definition; PA 3.2 Process deployment
2 Repeatable but intuitive       | 2 Managed                              | PA 2.1 Performance management; PA 2.2 Work product management
1 Initial/ad hoc                 | 1 Performed                            | PA 1.1 Process performance
0 Non-existent                   | 0 Incomplete                           | (none)
Assessment Overview
[Figure: assessment overview showing the Process Assessment Model and the Assessment Process. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Process Capability Levels
Level 3 Established process: a defined process is used, based on a standard process. Attributes: PA 3.1 Process definition, PA 3.2 Process deployment.
Level 0 Incomplete process: the process is not implemented or fails to achieve its purpose.
Measurement Framework
The COBIT assessment process measures the extent to which a given process achieves specific attributes relative to that process (process attributes).
The COBIT assessment process defines 9 process attributes (based on ISO/IEC 15504-2):
PA 1.1 Process performance
PA 2.1 Performance management
PA 2.2 Work product management
PA 3.1 Process definition
PA 3.2 Process deployment
PA 4.1 Process measurement
PA 4.2 Process control
PA 5.1 Process innovation
PA 5.2 Continuous optimization
Process Attribute Rating Scale
[Table: attribute ratings required for each capability level. L/F = Largely or Fully achieved, F = Fully achieved. To reach a level, the attributes of that level must be L/F and the attributes of every lower level must be F.]
Level 0 - Incomplete: no attribute requirements
Level 1 - Performed: PA 1.1 Process performance L/F
Level 2 - Managed: PA 1.1 F; PA 2.1 Performance management L/F; PA 2.2 Work product management L/F
Level 3 - Established: PA 1.1, PA 2.1, PA 2.2 F; PA 3.1 Definition L/F; PA 3.2 Deployment L/F
Level 4 - Predictable: PA 1.1 to PA 3.2 F; PA 4.1 Measurement L/F; PA 4.2 Control L/F
Level 5 - Optimizing: PA 1.1 to PA 4.2 F; PA 5.1 Innovation L/F; PA 5.2 Optimisation L/F
COBIT Assessment Process Overview
[Figure: COBIT assessment process overview. This figure is reproduced from ISO 15504-2:2003 with the permission of ISO at www.iso.org. Copyright remains with ISO.]
Process Attributes and Capability Levels
[Figure: the capability levels (Incomplete, Performed, Managed, Established, Predictable, Optimizing) mapped to the COBIT process attributes]
Example row for Level 1 - Performed, PA 1.1 Process performance:
Attribute: the process achieves its defined outcomes.
Practice: BP 1.1.1 Achieve the process outcomes. There is evidence that the intent of the base practice is being performed.
Work products: work products are produced that provide evidence of process outcomes, as outlined in section 3.
Rating scale:
P Partially achieved: > 15 % to 50 % achievement
L Largely achieved: > 50 % to 85 % achievement
F Fully achieved: > 85 % to 100 % achievement
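Added example (not from the slides, ISACA or ISO): a small Python routine that applies the P/L/F percentage scale above and the "L/F at the target level, F at every lower level" rule from the rating-scale table to derive a capability level. It assumes the nine attributes are grouped by level as in the measurement framework, adds the ISO/IEC 15504-2 "N = Not achieved (0 % to 15 %)" band the slide extract omits, and uses constructed achievement percentages as input.

```python
"""Derive an ISO/IEC 15504 style capability level from process attribute ratings.
Added example, not part of the original slide deck; sample data is constructed."""

# The nine process attributes, grouped by the capability level they belong to.
ATTRIBUTES_BY_LEVEL = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}


def rate(percent: float) -> str:
    """Map an achievement percentage to the N/P/L/F rating scale.
    N (0-15 %) is the ISO/IEC 15504-2 band not shown in the slide extract."""
    if not 0 <= percent <= 100:
        raise ValueError("achievement must be between 0 and 100 percent")
    if percent > 85:
        return "F"   # Fully achieved: > 85 % to 100 %
    if percent > 50:
        return "L"   # Largely achieved: > 50 % to 85 %
    if percent > 15:
        return "P"   # Partially achieved: > 15 % to 50 %
    return "N"       # Not achieved: 0 % to 15 %


def capability_level(ratings: dict) -> int:
    """Highest level n where every level-n attribute is L or F and every attribute
    of a lower level is F. An attribute with no rating counts as not achieved."""
    level = 0
    for n in range(1, 6):
        own_ok = all(ratings.get(pa, "N") in ("L", "F") for pa in ATTRIBUTES_BY_LEVEL[n])
        lower_ok = all(ratings.get(pa, "N") == "F"
                       for m in range(1, n) for pa in ATTRIBUTES_BY_LEVEL[m])
        if not (own_ok and lower_ok):
            break          # higher levels need these attributes at F, so stop here
        level = n
    return level


def assess(achievement: dict) -> tuple:
    """Rate each attribute from its percentage, then derive the capability level."""
    ratings = {pa: rate(pct) for pa, pct in achievement.items()}
    return ratings, capability_level(ratings)


# Constructed sample: evidence-based achievement percentages for one process.
SAMPLE = {"PA 1.1": 92, "PA 2.1": 88, "PA 2.2": 70, "PA 3.1": 60, "PA 3.2": 40}

if __name__ == "__main__":
    ratings, level = assess(SAMPLE)
    print(ratings, "-> capability level", level)
```

The sample reaches level 2 only: PA 3.1 is Largely achieved but PA 3.2 is only Partially achieved, so level 3 is not met even though both level-3 attributes have some evidence.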
Assessing Process Capability
[Figure: attribute-by-attribute assessment of PA 3.1 Definition, PA 3.2 Deployment, PA 4.1 Measurement, PA 4.2 Control, PA 5.1 Innovation and PA 5.2 Optimisation, set against the assessment process steps 1 Initiation, 3 Briefing, 4 Data Collection and 5 Data Validation, with each attribute marked as assessed]