
Classification: Internal

EDM03 Ensure Risk Optimisation
Audit/Assurance Program

ISACA®
With more than 110,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders maximize value and
manage risk related to information and technology. Founded in 1969, the nonprofit, independent ISACA is an advocate for
professionals involved in information security, assurance, risk management and governance. These professionals rely on ISACA as
the trusted source for information and technology knowledge, community, standards and certification. The association, which has
200 chapters worldwide, advances and validates business-critical skills and knowledge through the globally respected Certified
Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise
IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. ISACA also developed and continually
updates COBIT®, a business framework that helps enterprises in all industries and geographies govern and manage their information
and technology.

Disclaimer
ISACA has designed and created EDM03 Ensure Risk Optimisation Audit/Assurance Program (the “Work”) primarily as an
educational resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful
outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, assurance professionals should apply their own professional judgment to the specific
circumstances presented by the particular systems or information technology environment.

Reservation of Rights
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/EDM-APs


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-495-7

© ISACA 2014 All rights reserved. 2



Acknowledgments

ISACA wishes to recognize:

Development Team
Stefanie Grijp, PwC, Belgium
Bart Peeters, CISA, PwC, Belgium
Dirk Steuperaert, CISA, CGEIT, CRISC, IT In Balance BVBA, Belgium
Sven Van Hoorebeeck, PwC, Belgium

Expert Reviewers
Steven De Haes, University of Antwerp - Antwerp Management School, Belgium
John E. Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, ITSMBP, USA
Joanna Karczewska, CISA, Poland
Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina
Abdul Rafeq, CISA, CGEIT, CIA, FCA, Wincer Infotech Limited, India
Claus Rosenquist, CISA, CISSP, Nets Holding, Denmark
Lily Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
Nikolaos Zacharopoulos, CISA, CISSP, DeutschePost-DHL, Germany
Daniel Zimerman, CISA, CRISC, CISSP, CEPT, CIH, GCIH, IQ Solutions, USA
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT I Enterprise Governance of IT (Pty) Ltd., South Africa

ISACA Board of Directors


Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, RadioShack Mexico, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Knowledge Board
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, Vodafone, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Philip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK

Guidance and Practices Committee


Philip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, Deloitte, USA
James Seaman, CISM, CRISC, A.Inst.IISP, CCP, QSA, RandomStorm Ltd, UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CRISC, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CISSP, DeutschePost–DHL, Germany




Table of Contents
Page
Introduction........................................................................................................................................................... 5
Assurance Engagement Approach Based on COBIT 5........................................................................................5
Generic Audit/Assurance Program....................................................................................................................... 6
Customization of the Audit/Assurance Program............................................................................................6
About the Example Audit/Assurance Program: EDM03 .....................................................................................6
Assurance Engagement: Ensure Risk Optimisation............................................................................................7
Assurance Topic............................................................................................................................................ 7
Goal of the Review........................................................................................................................................ 7
Scoping.......................................................................................................................................................... 7
COBIT 5-based Assurance Engagement Approach.............................................................................................7
Phase A—Determine Scope of the Assurance Initiative...............................................................................8
Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment...........12
Phase C—Communicate the Results of the Assessments..........................................................................28




Introduction
This document contains an example audit/assurance program for a COBIT 5 process, based on the generic structure
developed in section 2B of COBIT 5 for Assurance.¹

Figure 1—Generic COBIT 5-based Assurance Engagement Approach

Important Note
The engagement approach is based on, but differs slightly from the generic approach described in COBIT 5 for
Assurance:
• The order in which the enablers are discussed is different: the engagement approach described here is a
process audit/assurance program; consequently the Process enabler is discussed first.
• The remaining six enablers are also included in the program, because they are relevant for a process assurance
engagement as well. They have been grouped together to make the program more compact.

Assurance Engagement Approach Based on COBIT 5


The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use Organisational Structures
as well as Information items (inputs [I] and outputs [O]). When developing the audit/assurance program, it will become
clear that when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential
for duplication.

In the development of this audit/assurance program, care has been taken to avoid or minimize duplication, meaning
that:

¹ See www.isaca.org/COBIT/Pages/Assurance-product-page.aspx for more information on COBIT 5 for Assurance.




• Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can
also be classified under the Information enabler heading and covered in detail there.
• Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage
human resources.

In practice, assurance professionals will have to use their own professional judgment when developing their own
customized audit/assurance programs, to avoid duplication of work.

In addition, while audit/assurance programs will be available for each process, in practice, a group of processes are
often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to
be selected for conducting assurance.

Generic Audit/Assurance Program


The assurance approach depicted in figure 1 is described in more detail and developed into a generic
audit/assurance program—including guidance on how to proceed during each step—in section 2B of COBIT 5 for
Assurance. This audit/assurance program is:
• Fully aligned with COBIT 5:
– It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also
uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the
enablers.
– It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement
can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives
to enterprise and IT risk and benefits.
• Comprehensive yet flexible: The generic program is comprehensive because it contains assurance steps
covering all enablers in quite some detail, yet it is also flexible because this detailed structure enables clear and
well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set
of enablers or some enabler instances and, while the decision will reduce the scope and related assurance
engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement
user.
• Easy to understand, follow and apply because of its clear structure:
– The table follows the flow described in figure 1, but splits each phase into different steps and substeps.
– For each step, a short description is included, as is guidance for the assurance professional on how to
proceed with the step (text in italics).

Additional guidance on how to use other IT assurance-related standards for performing assurance can be found in
section 3 of COBIT 5 for Assurance.

Customization of the Audit/Assurance Program

Customization and completion of the example audit/assurance program in this document is required, and consists of
refining the scope by selecting goals and enabler instances—the lists included in the example are comprehensive, yet
still are examples (i.e., different strategic priorities of the enterprise may dictate a different scope). The lists can also
be considered prohibitive by some, as they can lead to a very broad scope, and therefore a very expensive assurance
engagement; selection and prioritization will be required. The assurance professional will need to consider the
following steps:
• Determine the stakeholders of the assurance initiative and their stake.
• Determine the assurance objectives based on assessment of the internal and external environment/context,
including the strategic objectives, goals (figures 40 and 41 of COBIT 5 for Assurance) and priorities of the
enterprise.
• Determine the enablers in scope and the instance(s) of the enablers in scope.

About the Example Audit/Assurance Program: EDM03


In the next section, the assurance topic at hand—process EDM03 Ensure Risk Optimisation—is fully addressed
based on the generic audit/assurance program. The detailed program contains the following additional information:
• In the Guidance column, the shaded text is specific to the example and provides practical guidance, e.g.,
examples of the organisational structures to include in scope, setting assessment criteria for the different
enablers and actually assessing the different enablers.
• Two additional columns are included, in which the assurance professional can identify and cross-reference issues
and record comments.




Assurance Engagement: Ensure Risk Optimisation

Assurance Topic

The topic covered by this document is process EDM03 Ensure risk optimisation.

Goal of the Review

The goal of the review is to provide assurance over the EDM03 process² that ensures:
• IT-related enterprise risk does not exceed risk appetite and risk tolerance.
• The impact of IT risk to enterprise value is identified and managed.
• The potential for compliance failures is minimized.

Scoping

The scope of the assurance engagement is expressed as a function of the seven COBIT 5 enablers, with a focus on
the process enabler. The process content is taken directly from the detailed process descriptions in COBIT 5:
Enabling Processes, i.e., these are standard COBIT 5 processes. Other enablers are also directly based on the same
process descriptions, e.g., the Organisational Structures and Information items.

Other enablers are described in a more generic way and may require customization before the audit/assurance
program can be applied.

COBIT 5-based Assurance Engagement Approach


The audit/assurance program is divided into three sections:
• Phase A—Determine Scope of the Assurance Initiative—In phase A of the assurance workflow, the auditor
scopes the assurance engagement. This process defines the scope in the COBIT 5 terms of enterprise goals, IT-
related goals and enablers.
• Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment—In phase
B of the assurance workflow, the auditor:
– Builds an understanding of the subject matter over which assurance needs to be provided. The subject
matter is expressed in terms of COBIT 5 enablers.
– Obtains agreement over the assessment criteria that will be used during the assurance engagement.
– Assesses the design and outcomes of the enablers.
• Phase C—Communicate the Results of the Assessments—In phase C of the assurance workflow, the auditor
communicates the observations to the initiative stakeholders. This includes carefully documenting all weaknesses
or exceptions found and communicating them to stakeholders effectively and efficiently, with a view to initiating
the appropriate response.

² Additional related guidance for EDM03 can be found in COBIT 5: Enabling Processes, p. 41.




Phase A—Determine Scope of the Assurance Initiative


Columns: Ref. | Assurance Step | Guidance | Issue Cross-reference | Comment

A-1 Determine the stakeholders of the assurance initiative and their stake.

A-1.1 Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the
assurance objective.
Guidance (Intended user(s) of the assurance report): Describe the users of the assurance report and their stakes.

A-1.2 Identify the interested parties, accountable and responsible for the subject matter over which assurance needs to
be provided.
Guidance (Accountable and responsible parties for the subject matter): Describe the accountable and responsible
parties for the subject matter over which assurance is to be provided; COBIT 5 includes a summary description of a
comprehensive set of roles that can be used as a starting point for this audit step (COBIT 5 framework, appendix 6,
p. 76); COBIT 5 for Assurance also provides a summary description of a comprehensive set of assurance roles; see
Section 2A, chapter 4, p. 37.

A-2 Determine the assurance objectives based on assessment of the internal and external environment/context and of
the relevant risk and related opportunities (i.e., not achieving the enterprise goals).
Guidance: Assurance objectives are essentially a more detailed and tangible expression of those enterprise objectives
relevant to the subject of the assurance engagement. Enterprise objectives can be formulated in terms of the generic
Enterprise Goals (COBIT 5 framework) or they can be expressed more specifically. Objectives of the assurance
engagement can be expressed using the COBIT 5 enterprise goals, the IT-related goals (which relate more to
technology), Information goals or any other set of specific goals.

A-2.1 Understand the enterprise strategy and priorities.
Guidance: Inquire with executive management or through available documentation (corporate strategy, annual report,
etc.) about the enterprise strategy and priorities for the coming period, and document them to the extent the process
under review is relevant.

A-2.2 Understand the internal context of the enterprise.
Guidance: Identify all internal environmental factors that could influence the performance of the process under review.

A-2.3 Understand the external context of the enterprise.
Guidance: Identify all external environmental factors that could influence the performance of the process under review.

A-2.4 Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for the
assurance engagement.
Guidance: The following goals can be retained as key goals to be supported, in reflection of enterprise strategy and
priorities.³

Key goals
Enterprise goals:
• EG03 Managed business risk (safeguarding of assets)
• EG07 Business service continuity and availability
• EG10 Optimisation of service delivery costs
• EG15 Compliance with internal policies
IT-related goals:
• ITG04 Managed IT-related business risk
• ITG06 Transparency of IT costs, benefits and risk
• ITG10 Security of information, processing infrastructure and applications
• ITG15 IT compliance with internal policies

Additional goals
Enterprise goals:
• EG04 Compliance with external laws and regulations
• EG05 Financial transparency
• EG12 Optimisation of business process costs
IT-related goals:
• ITG01 Alignment of IT and business strategy
• ITG02 IT compliance and support for business compliance with external laws and regulations
• ITG03 Commitment of executive management for making IT-related decisions
• ITG07 Delivery of IT services in line with business requirements
• ITG08 Adequate use of applications, information and technology solutions
• ITG13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
• ITG14 Availability of reliable and useful information for decision making
• ITG16 Competent and motivated business and IT personnel
• ITG17 Knowledge, expertise and initiatives for business innovation

A-2.5 Define the organizational boundaries of the assurance initiative.
Guidance: Describe the organizational boundaries of the assurance engagement, i.e., to which organizational entities
the review is limited. All other aspects of scope limitation are identified during phase A-3.

A-3 Determine the enablers in scope and the instance(s) of the enablers in scope.
Guidance: The scope of this assurance engagement is a process. Nevertheless, as per the COBIT 5 enabler model, all
related enablers will have to be considered for inclusion in the scope as well.

A-3.1 Define the Processes in scope of the review.
Guidance: The following process as defined in COBIT 5: Enabling Processes is in scope of this assurance engagement:
EDM03 Ensure risk optimisation.

A-3.2 Define the related enablers. Related Enablers include:
• Principles, Policies and Frameworks
• Organisational Structures
• Culture, Ethics and Behaviour
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies
Guidance:
Principles, Policies and Frameworks: In the context of this process review, and taking into account the goals identified
in A-2.4, the following Principles, Policies and Frameworks could be considered in scope of the review:⁴
• Enterprise risk management principles
• Risk management policies
• Other relevant Principles, Policies and Frameworks

Organisational Structures: Based on the process under review, the following Organisational Structures and functions
are considered to be in scope of this assurance engagement, and available resources will determine which ones will be
reviewed in detail:⁵

³ The suggested set of enterprise goals can and should vary with enterprise strategy and priorities. However, in this generic program the following logic was applied: first the mapping table between IT processes
and IT-related goals (COBIT 5: Enabling Processes, appendix B, p. 227-229) was used. The mappings between the process at hand and the IT goals listed as ‘P’ are retained as key IT-related goals. The
mappings listed as ‘S’ are retained as additional IT-related goals. Next, the mapping table between enterprise goals and IT-related goals (COBIT 5: Enabling Processes, appendix B, p. 226) is used. The
previously selected key IT-related goals are looked up, and those enterprise goals that support half or more of the IT-related goals as ‘P’ are retained as key enterprise goals. The remaining enterprise goals listed
as ‘P’ are retained as additional enterprise goals. Again, after application of the logic described here, the resulting set of goals should be reviewed and tailored if necessary.
⁴ The logic applied here is the following: if there are any Policies or Frameworks identified as inputs or outputs of any of the process practices of the process under review, they will be included here.
• Board
• Chief executive officer (CEO)
• Business executives
• Strategy executive committee
• Chief risk officer (CRO)
• Chief information security officer (CISO)
• Chief information officer (CIO)

Culture, Ethics and Behaviour: In the context of this process review, the following enterprisewide Behaviours are in
scope:
• <list here the most relevant Behaviour elements>

Information Items: Based on the process under review, the following information items are considered to be in scope of
this assurance engagement, and available resources will determine which ones will be reviewed in detail.⁶

EDM03.01:
• Emerging risk issues and factors (I)
• Risk appetite guidance (O)
• Approved risk tolerance levels (O)
• Enterprise risk management principles (I)
• Evaluation of risk management activities (O)

EDM03.02:
• Aggregated risk profile, including status of risk management actions (I)
• Risk management policies (O)
• Key objectives to be monitored for risk management (O)
• Enterprise risk management (ERM) profiles and mitigation plans (I)
• Approved process for measuring risk management (O)

EDM03.03:
• Risk analysis results (I)
• Remedial actions to address risk management deviations (O)
• Opportunities for acceptance of greater risk (I)
• Risk management issues for the board (O)
• Results of third-party risk assessments (I)
• Risk analysis and risk profile reports for stakeholders (I)

⁵ Only those roles that have an ‘A’ or ‘R’ in the RACI chart of the process are included here. Roles are taken from the RACI charts in COBIT 5: Enabling Processes; some more specific roles may be taken from
COBIT 5 for Assurance, COBIT 5 for Risk or COBIT 5 for Information Security.
⁶ Leverage the inputs and outputs (also referred to as work products) described for each process practice in COBIT 5: Enabling Processes to identify the most relevant or important information items. All inputs
and outputs are listed here, with those work products written in italic font to be dealt with (in more detail) as part of the Information enabler.
Services, Infrastructure and Applications: In the context of this process review, and taking into account the goals
identified in A-2.4, the following Services and related Infrastructure or Applications could be considered in scope of the
review:
• <list here the most relevant Services, Infrastructure and Applications components in scope>

People, Skills and Competencies: In the context of this process review, taking into account key processes and key
roles, the following Skill sets are included in scope:
• <list here the most relevant Skill sets required>


Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Columns: Ref. | Assurance Steps and Guidance | Issue Cross-Reference | Comment
B-1 Agree on metrics and criteria for enterprise goals and IT-related goals. Assess enterprise goals and IT-related goals.

B-1.1 Obtain (and agree on) metrics for enterprise goals and expected values of the metrics and assess whether enterprise goals in scope are achieved.
Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customized metrics for the
enterprise goals, taking care that the suggested metrics are driven by the performance of the topic of this assurance initiative.

Next, agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
The following metrics and expected values are agreed on for the key enterprise goals defined in Step A-2.4. For every enterprise goal below, the
expected outcome is the same: agree on the expected values for these metrics, i.e., the values against which the assessment will take place. The
assessment step is also the same: in this step, the related metrics for each goal will be reviewed and an assessment will be made whether the
defined criteria are achieved.

EG03 Managed business risk (safeguarding of assets). Metrics:
• Percent of critical business objectives and services covered by risk assessment
• Ratio of significant incidents that were not identified in risk assessments vs. total incidents
• Frequency of update of risk profile

EG07 Business service continuity and availability. Metrics:
• Number of customer service interruptions causing significant incidents
• Business cost of incidents
• Number of business processing hours lost due to unplanned service interruptions
• Percent of complaints as a function of committed service availability targets

EG10 Optimisation of service delivery costs. Metrics:
• Frequency of service delivery cost optimisation assessments
• Trend of cost assessment vs. service level results
• Satisfaction levels of board and executive management with service delivery costs

EG15 Compliance with internal policies. Metrics:
• Level of stakeholder satisfaction with staff expertise and skills
• Percent of staff whose skills are insufficient for the competency required for their role
• Percent of satisfied staff
B-1.2 Obtain (and agree on) metrics for IT-related goals and expected values of the metrics, and assess whether IT-related goals in scope are achieved.
The following metrics and expected values are agreed on for the key IT-related goals defined in Step A-2.4. For every IT-related goal below, the
expected outcome is the same: agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take
place. The assessment step is also the same: in this step, the related metrics for each goal will be reviewed and an assessment will be made
whether the defined criteria are achieved.

ITG04 Managed IT-related business risk. Metrics:
• Percent of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• Number of significant IT-related incidents that were not identified in risk assessment
• Percent of enterprise risk assessments including IT-related risk
• Frequency of update of risk profile

ITG06 Transparency of IT costs, benefits and risk. Metrics:
• Percent of investment business cases with clearly defined and approved expected IT-related costs and benefits
• Percent of IT services with clearly defined and approved operational costs and expected benefits
• Satisfaction survey of key stakeholders regarding the transparency, understanding and accuracy of IT financial information

ITG10 Security of information, processing infrastructure and applications. Metrics:
• Number of security incidents causing financial loss, business disruption or public embarrassment
• Number of IT services with outstanding security requirements
• Time to grant, change and remove access privileges, compared to agreed-on service levels
• Frequency of security assessment against latest standards and guidelines

ITG15 IT compliance with internal policies. Metrics:
• Number of incidents related to non-compliance to policy
• Percent of stakeholders who understand policies
• Percent of policies supported by effective standards and working practices
• Frequency of policies review and update
B-2 Obtain understanding of the Process in scope and set suitable assessment criteria. Assess the Process in scope.[7]
B-2.1 Understand the Process purpose.

The purpose of process EDM03 is as per the standard COBIT 5 process purpose statement: ‘Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised’.[8]
B-2.2 Understand the Process Goals and related metrics, define expected values (criteria) and assess whether the process goals (outcomes) are achieved, i.e., assess the effectiveness of the Process.
The process EDM03 Ensure risk optimisation has three standard defined process goals, as described in COBIT 5: Enabling Processes, chapter 5, p. 39. Based on these goals and their related metrics, the following subset of goals and associated metrics is defined for this process:
Process Goal | Related Metric | Criteria/Expected Value | Assessment Step

Process Goal: Risk thresholds are defined and communicated and key IT-related risk is known.
Related Metrics:
  • Level of alignment between IT risk and enterprise risk
  • Number of potential IT risks identified and managed
  • Refreshment rate of risk factor evaluation
Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process Goal: The enterprise is managing critical IT-related enterprise risk effectively and efficiently.
Related Metrics:
  • Percent of enterprise projects that consider IT risk
  • Percent of IT risk action plans executed on time
  • Percent of critical risk that has been effectively mitigated
Criteria/Expected Value and Assessment Step: as for the first goal above.

Process Goal: IT-related enterprise risk does not exceed risk appetite and the impact of IT risk to enterprise value is identified and managed.
Related Metrics:
  • Level of unexpected enterprise risk
  • Percent of IT risk that exceeds enterprise risk tolerance
Criteria/Expected Value and Assessment Step: as for the first goal above.
The process EDM03 Ensure risk optimisation is described in COBIT 5: Enabling Processes. The process requires a number of management practices to be implemented, as described in the process description in the same guide. These are:
  • A sound process design
  • The reference against which the process will be assessed in phase C, with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.

B-2.2 (cont.)
Reference Process Practices | Assessment Step
EDM03.01 Evaluate risk management. Continually examine and make judgement on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

1. Determine the level of IT-related risk that the enterprise is willing to take to meet its objectives (risk appetite).
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise’s capacity for IT-related loss and leadership’s tolerance of it.

Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
  • Accountability and responsibility are assigned and assumed.
  • Accountability and responsibility are assigned at the appropriate level in the organisation.

[7] Because this is a process audit/assurance program, several of the assurance steps from COBIT 5 for Assurance have been combined or removed.
[8] For definitions of risk terminology, see COBIT 5 for Risk.
EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.

1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
  • Accountability and responsibility are assigned and assumed.
  • Accountability and responsibility are assigned at the appropriate level in the organisation.
EDM03.03 Monitor risk management. Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyse the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders’ review of the enterprise’s progress towards identified goals.
4. Report any risk management issues to the board or executive committee.

Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
  • Accountability and responsibility are assigned and assumed.
  • Accountability and responsibility are assigned at the appropriate level in the organisation.
B-2.3 Agree on the Process work products (inputs and outputs as defined in the process practices description) that are expected to be present (process design).
Assess the extent to which the process work products are available.
The process EDM03 Ensure Risk Optimisation identifies a set of inputs and outputs for the different management practices. The most relevant of these work products (and those not assessed as Information items in scope in section A-3.2) are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.

Process Practice | Work Product[9] (I = input, O = output) | Assessment Step

EDM03.01
  • Risk appetite guidance (O)
  • Enterprise risk management principles (I)

EDM03.02
  • Risk management policies (O)
  • Key objectives to be monitored for risk management (O)
  • Enterprise risk management (ERM) profiles and mitigation plans (I)
  • Approved process for measuring risk management (O)

EDM03.03
  • Risk analysis results (I)
  • Results of third-party risk assessments (I)
  • Risk analysis and risk profile reports for stakeholders (I)

Assessment Step (all practices): Apply appropriate auditing techniques to determine for each work product:
  • Existence of the work product
  • Appropriate use of the work product
B-2.4 Agree on the Process capability level to be achieved by the process.
Process EDM03 Ensure risk optimisation is—given the strategic priorities—important, and will require the following Process capability level and attributes, which is equivalent to achieving a Process capability level _____.[10]
B-3 Obtain understanding of the Principles, Policies and Frameworks in scope. Assess Principles, Policies and Frameworks.
Repeat steps B-3.1 through B-3.5 for all Principles, Policies and Frameworks in scope.
B-3.1 Understand the Principles, Policies and Frameworks context.
Obtain understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.
B-3.2 Understand the stakeholders of the Principles, Policies and Frameworks.
Understand the stakeholders of the policies. The stakeholders for the policies include those setting the policies and those who need to be in compliance with the policies.
B-3.3 Understand the goals for the Principles, Policies and Frameworks, and the related metrics and agree expected values.
Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles, Policies
and Frameworks.
Goal | Criteria | Assessment Step

Comprehensiveness
  Criteria: The set of policies is comprehensive in its coverage.
  Assessment Step: Verify that the set of policies is comprehensive in its coverage.

Currency
  Criteria: The set of policies is up to date. This at least requires:
    • A regular validation of all policies whether they are still up to date
    • An indication of the policies’ expiration date or date of last update
  Assessment Step: Verify that the set of policies is up to date. This at least requires:
    • A regular validation of all policies whether they are still up to date
    • An indication of the policies’ expiration date or date of last update

Flexibility
  Criteria: The set of policies is flexible. It is structured in such a way that it is easy to add or update policies as circumstances require.
  Assessment Step: Verify the flexibility of the set of policies, i.e., that it is structured in such a way that it is easy to add or update policies as circumstances require.

Availability
  Criteria:
    • Policies are available to all stakeholders.
    • Policies are easy to navigate and have a logical and hierarchical structure.
  Assessment Step:
    • Verify that policies are available to all stakeholders.
    • Verify that policies are easy to navigate and have a logical and hierarchical structure.

[9] Only the work products not already dealt with (in more detail) as part of the Information enabler are listed here.
[10] This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept capability level does not apply.
B-3.4 Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the
Principles, Policies and Frameworks life cycle is managed.
The life cycle of the IT-related policies is managed by the Process APO01. The review of this life cycle is therefore equivalent to a process review
of process APO01 Manage the IT management framework.
B-3.5 Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and
Frameworks design, i.e., assess the extent to which expected good practices are applied.
The assurance professional will, by using appropriate auditing techniques assess the following aspects.
Good Practice | Criteria | Assessment Step

Scope and validity
  Criteria: The scope is described and the validity date is indicated.
  Assessment Step: Verify that the scope of the framework is described and the validity date is indicated.

Exception and escalation
  Criteria:
    • The exception and escalation procedure is explained and commonly known.
    • The exception and escalation procedure has not become de facto standard procedure.
  Assessment Step:
    • Verify that the exception and escalation procedure is described, explained and commonly known.
    • Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.

Compliance
  Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
  Assessment Step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.
B-4 Obtain understanding of the Organisational Structures in scope.
Assess the Organisational Structures.
Repeat steps B-4.1 through B-4.5 for each Organisational Structure in scope, as determined in step A-3.2.
B-4.1 Understand the Organisational Structure context.
Identify and document all elements that can help to understand the context in which the Organisational Structure/role has to operate, including:
 The overall organisation
 Management/process framework
 History of the role/structure
 Contribution of the Organisational Structure to achievement of goals

B-4.2 Understand all stakeholders of the Organisational Structure/function.
Determine through documentation review (policies, management communications, etc.) the key stakeholders of the role, i.e.:
  • Incumbent of the role and/or members of the Organisational Structure
  • Other key stakeholders affected by the decisions of the Organisational Structure/role
B-4.3 Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these goals contribute to
the achievement of the enterprise goals and IT-related goals.
Organisational Structure Goal | Assessment Step

Organisational Structure Goal: Determine through interviews with key stakeholders and documentation review the goals of the organisational structures, i.e., the decisions for which they are accountable.[11][12]
Note: Very often, the goals of an organisational structure—making decisions—are already described by some of the process practices and/or process activities in COBIT 5: Enabling Processes. Therefore, they will be part of the process review and should not be repeated here. Only when very specific decisions would be required is there a need to list them explicitly in this step.

Assessment Step: This step only applies if specific goals are defined. In that case, the assurance professional will use appropriate auditing techniques to:
  • Identify the decisions made by the Organisational Structure
  • Assess whether decisions are appropriately documented and communicated
  • Evaluate the decisions by assessing whether:
    – They have contributed to the achievement of the IT-related and enterprise goals as anticipated.
    – Decisions are duly executed on a timely basis.
B-4.4 Agree on the expected good practices for the Organisational Structure against which it will be assessed.
Assess the Organisational Structure design, i.e., assess the extent to which expected good practices are applied.
Good Practice | Criteria | Assessment Step

Operating principles
  Criteria:
    • Operating principles are documented.
    • Regular meetings take place as defined in operating principles.
    • Meeting reports/minutes are available and are meaningful.
  Assessment Step:
    • Verify whether operating principles are appropriately documented.
    • Verify that regular meetings take place as defined in the operating principles.
    • Verify that meeting reports/minutes are available and are meaningful.

Composition
  Criteria: The Organisational Structure’s composition is balanced and complete, i.e., all required stakeholders are sufficiently represented.
  Assessment Step: Assess whether the Organisational Structure’s composition is balanced and complete, i.e., all required stakeholders are sufficiently represented.

Span of control
  Criteria:
    • The span of control of the Organisational Structure is defined.
    • The span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should.
    • The span of control is in line with the overall enterprise governance arrangements.
  Assessment Step:
    • Verify whether the span of control of the Organisational Structure is defined.
    • Assess whether the span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should.
    • Verify and assess whether the span of control is in line with the overall enterprise governance arrangements.

Level of authority/decision rights
  Criteria:
    • Decision rights of the Organisational Structure are defined and documented.
    • Decision rights of the Organisational Structure are respected and complied with (also a culture/behaviour issue).
  Assessment Step:
    • Verify that decision rights of the Organisational Structure are defined and documented.
    • Verify whether decision rights of the Organisational Structure are complied with and respected.

Delegation of authority
  Criteria: Delegation of authority is implemented in a meaningful way.
  Assessment Step: Verify whether delegation of authority is implemented in a meaningful way.

Escalation procedures
  Criteria: Escalation procedures are defined and applied.
  Assessment Step: Verify the existence and application of escalation procedures.

[11] The RACI charts in COBIT 5: Enabling Processes can be leveraged as a starting point for the expected goals of a role or Organisational Structure.
[12] The Organisational Structure/role as described may not exist under the same name in the enterprise; in that case, the closest Organisational Structure assuming the same responsibilities and accountability should be considered.
B-4.5 Understand the life cycle and agree on expected values.
Assess the extent to which the organisational structure life cycle is managed.
Life Cycle Element | Criteria | Assessment Step

Mandate
  Criteria:
    • The Organisational Structure is formally established.
    • The Organisational Structure has a clear, documented and well-understood mandate.
  Assessment Step:
    • Verify through interviews and observations that the Organisational Structure is formally established.
    • Verify through interviews and observations that the Organisational Structure has a clear, documented and well-understood mandate.

Monitoring
  Criteria:
    • The performance of the Organisational Structure and its members should be regularly monitored and evaluated by competent and independent assessors.
    • The regular evaluations should result in the required continuous improvements to the Organisational Structure, either in its composition, mandate or any other parameter.
  Assessment Step:
    • Verify whether the performance of the Organisational Structure and its members is regularly monitored and evaluated by competent and independent assessors.
    • Verify whether the regular evaluations have resulted in improvements to the Organisational Structure, in its composition, mandate or any other parameter.
B-5 Obtain understanding of the Culture, Ethics and Behaviour in scope.
Assess Culture, Ethics and Behaviour.
Repeat steps B-5.1 through B-5.5 for each Culture, Ethics and Behaviour aspect in scope.
B-5.1 Understand the Culture, Ethics and Behaviour context.
Understand the context of the Culture/Ethics/Behaviour, i.e.:
  • What the overall corporate culture is like
  • Understand the interconnection with other enablers in scope:
    – Identify roles and structures that could be affected by the Culture
    – Identify processes that could be affected by Culture, Ethics and Behaviour, including any processes in scope of the review
B-5.2 Understand the major stakeholders of the Culture, Ethics and Behaviour.
Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to demonstrate the
correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.
B-5.3 Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree expected values.
Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture, Ethics and
Behaviour.
Define what constitutes desired and undesirable Behaviours and why they are so classified, i.e., relate Behaviours to the organisational ethics and values by which the enterprise wants to live in support of enterprise goals.

Assessment Step: Culture and especially Behaviours are associated with individuals and the Organisational Structures of which they are a part; therefore, by using appropriate audit techniques, the assurance professional will:
  • Identify individuals who must comply with the Behaviours under review.
  • Identify the Organisational Structures involved.
  • Assess whether desired Behaviours can be observed.
  • Assess whether undesirable Behaviours are absent.

Desired Behaviour (Culture, Ethics and Behaviour Goal) | Assessment Step

B-5.4 Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria.
Assess the extent to which the Culture, Ethics and Behaviour life cycle is managed.
(This aspect is already covered by the assessment of the good practices, so no additional assurance steps are defined here.)
B-5.5 Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria.
Assess the Culture, Ethics and Behaviour design, i.e., assess to what extent expected good practices are applied.
Good Practice | Criteria | Assessment Step

Communication, enforcement and rules
  Criteria: Existence and quality of the communication
  Assessment Step: Apply appropriate auditing techniques to assess whether the good practice is adequately applied, i.e., assessment criteria are met.

Incentives and rewards
  Criteria: Existence and application of appropriate rewards and incentives
  Assessment Step: as above.

Awareness
  Criteria: Awareness of desired Behaviours
  Assessment Step: as above.

B-6 Obtain understanding of the Information items in scope.
Assess Information.
Repeat steps B-6.1 through B-6.4 for each Information Item defined in scope in A-3.2.
B-6.1 Understand the Information item context:
 Where and when is it used?
 For what purpose is it used?
 Understand the connection with other enablers in scope, e.g.:
– Used by which processes?
– Which Organisational Structures are involved? (See also B-4.1.)
– Which services/applications are involved?
B-6.2 Understand the major stakeholders of the Information item.
Understand the stakeholders for the Information item, i.e., identify the:
 Information producer
 Information custodian
 Information consumer
Stakeholders should be at the appropriate organisational level.
B-6.3 Understand the major quality criteria for the Information item, the related metrics and agree expected values.
Assess whether the Information item quality criteria (outcomes) are achieved, i.e., assess the effectiveness of the Information item.
Leverage the COBIT 5 Information enabler model[13], focusing on the quality goals description, to select the most relevant Information quality criteria for the Information item at hand. Document expectations regarding information criteria. The COBIT 5 Information enabler model identifies 15 different quality criteria; although all of them are relevant, it is nonetheless possible and recommended to focus on a subset of the most important criteria for the Information item at hand.

Assessment Step: The assurance professional will, by using appropriate auditing techniques, verify all quality criteria in scope and assess whether the criteria are met.

Mark the quality dimensions with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.

Quality Dimension | Key | Criteria Description | Assessment Step
  Accuracy
  Objectivity
  Believability
  Reputation
  Relevancy
  Completeness
  Currency
  Amount of information
  Concise representation
  Consistent representation
  Interpretability
  Understandability
  Manipulation
  Availability
  Restricted access

[13] COBIT 5 framework, Appendix G, p. 81-84
B-6.4 Understand the life cycle stages of the Information item, and agree on the relevant criteria.
Assess to what extent the Information item life cycle is managed.
The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review already includes a
review of (IT-related) processes so this aspect does not need to be duplicated here.
 When the information item is internal to IT, the process review will have covered the life cycle aspects sufficiently.
 When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be
assessed.

Mark the life cycle stages with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
Life Cycle Stage | Key | Criteria Description | Assessment Step
Plan
Design
Build/acquire
Use/operate
Evaluate/monitor
Update/dispose
B-6.5 Understand important attributes of the information item and expected values.
Assess the Information item design, i.e., assess the extent to which expected good practices are applied.
Good practices for Information items are defined as a series of attributes for the Information item.[14] The assurance professional will, by using appropriate auditing techniques, verify all attributes in scope and assess whether the attributes are adequately defined.

Mark the attributes with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
Attribute | Key | Criteria Description | Assessment Step
Physical
Empirical
Syntactic
Semantic
Pragmatic
Social

[14] COBIT 5 framework, Appendix G, p. 81-84
B-7 Obtain understanding of the Services, Infrastructure and Applications in scope.
Assess the Services, Infrastructure and Applications.
Repeat steps B-7.1 through B-7.5 for each Services, Infrastructure and Applications element in scope.
B-7.1 Understand the Services, Infrastructure and Applications context.
Understand the organisational and technological context of this service. Refer to steps A-2.2 and A-2.3 and re-use that information to understand the significance of the Services, Infrastructure and Applications.
B-7.2 Understand the major stakeholders of the Services, Infrastructure and Applications.
Understand who will be the major stakeholders of the service, i.e., the sponsor, provider and users. Stakeholders will include a number of
organisational roles but could also link to processes.
B-7.3 Understand the major goals for the Services, Infrastructure and Applications, the related metrics and agree on expected values.
Assess whether the Services, Infrastructure and Applications goals (outcomes) are achieved, i.e., assess the effectiveness of the Services,
Infrastructure and Applications.
Goals | Criteria | Assessment Step

Service description
  Criteria:
    • The Service is clearly described.
    • The Service is available to all potential stakeholders.
  Assessment Step:
    • Verify that the Service exists and is clearly described.
    • Assess the quality of the Service description and of the Service offered.
    • Verify the accessibility of the Service to all potential stakeholders.

Service level
  Criteria: Service levels are defined for:
    • Quality of the service deliverables
    • Cost
    • Timeliness
  Assessment Step:
    • Verify that the following aspects are dealt with in the Service level definitions:
      – Quality of the Service deliverables
      – Cost
      – Timeliness
    • Verify to what extent service levels are achieved.

Contribution to enabler, IT-related and enterprise goals
  Criteria: The Service contributes to the achievement of enabler and IT-related goals.
  Assessment Step: Assess to what extent the Service contributes to the achievement of IT-related goals and enterprise goals.
B-7.4 Understand the life cycle stages of the Services, Infrastructure and Applications, and agree on the relevant criteria.
Assess the extent to which the Services, Infrastructure and Applications life cycle is managed. 15
B-7.5 Understand good practice related to the Services, Infrastructure and Applications and expected values. Assess the Services, Infrastructure and
Applications design, i.e., assess to what extent expected good practices are applied.
Leverage the description of Services, Infrastructure and Applications in the COBIT 5 framework[16] to identify good practices related to Services,
Infrastructure and Applications. In general, the following practices need to be implemented:
 Buy/build decision needs to be taken.
 Use of the Service needs to be clear.
Good Practice / Criteria / Assessment Step

Good Practice: Sourcing (buy/build)
Criteria: A formal decision—based on a business case—needs to be taken regarding the sourcing of the Service.
Assessment Steps:
 Verify that a formal decision—based on a business case—was taken regarding the sourcing of the Service.
 Verify the validity and quality of the business case.
 Verify that the sourcing decision has been duly executed.

Good Practice: Use
Criteria: The use of the Service needs to be clear:
 When it needs to be used and by whom
 The required compliance levels with the Service’s output
Assessment Steps:
 Verify that the use of the Service is clear, i.e., it is known when and by whom the service needs to be used.
 Verify that actual use is in line with the requirement above.
 Verify that the actual Service output is adequately used.
 Verify that Service levels are monitored and achieved.

[15] The life cycle of a service will be governed and managed by numerous COBIT 5 processes. As a consequence, a subset of the BAI and APO processes may have to be added to the scope of the assurance engagement should it be required.
[16] COBIT 5 framework, appendix G, p.85-86

B-8 Obtain understanding of the People, Skills and Competencies in scope.
Assess People, Skills and Competencies.
Repeat steps B-8.1 through B-8.5 for each People, Skills and Competency aspect in scope.
B-8.1 Understand the People, Skills and Competencies context.
Understand the context of the Skill/Competency, i.e.:
 Where and when is it used?
 For what purpose is it used?
 Understand the connection with other enablers in scope, e.g.:
– In which roles and structures is the Skill/Competency used? (See also B-4.1.)
– Which behaviours are associated with the Skill/Competency?
B-8.2 Understand the major stakeholders for People, Skills and Competencies.
Identify to whom in the organisation the skill requirement applies.
B-8.3 Understand the major goals for the People, Skills And Competencies, the related metrics and agree on expected values.
Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and
Competencies.

For the People, Skills and Competencies at hand, the following goals and associated criteria can be addressed.
Goal / Criteria / Assessment Step

Goals:
 Experience
 Education
 Qualification
 Knowledge
 Technical skills
 Behavioural skills
 Number of people with appropriate skill level
Assessment Step: Apply appropriate audit techniques to assess whether the People, Skills and Competencies goals are adequately achieved, i.e., that assessment criteria are met.
B-8.4 Understand the life cycle stages of the People, Skills and Competencies, and agree on the relevant criteria.
Assess to what extent the People, Skills and Competencies life cycle is managed.
For the People, Skills and Competencies at hand, the life cycle phases and associated criteria can be expressed in terms of the process APO07. For the People, Skills and Competencies at hand, the assurance professional will perform the following assessment steps.

Life Cycle Stage / Criteria / Assessment Step

Life Cycle Stage: Plan
Criteria: Practice APO07.03, activity 1 (Define the required and currently available skills and competencies of internal and external resources to achieve enterprise, IT and process goals.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 1 is implemented in relation to this skill.

Life Cycle Stage: Design
Criteria:
 Practice APO07.03 activity 2 (Provide formal career planning and professional development to encourage competency development, opportunities for personal advancement and reduced dependence on key individuals.) is implemented in relation to this skill.
 Practice APO07.03 activity 3 (Provide access to knowledge repositories to support the development of skills and competencies.) is implemented in relation to this skill.
Assessment Steps:
 Assess whether practice APO07.03 activity 2 is implemented in relation to this skill.
 Assess whether practice APO07.03 activity 3 is implemented in relation to this skill.

Life Cycle Stage: Build
Criteria: Practice APO07.03 activity 4 (Identify gaps between required and available skills and develop action plans to address them on an individual and collective basis, such as training [technical and behavioural skills], recruitment, redeployment and changed sourcing strategies.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 4 is implemented in relation to this skill.

Life Cycle Stage: Operate
Criteria: Practice APO07.03 activity 5 (Develop and deliver training programmes based on organisational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct and security.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 5 is implemented in relation to this skill.

Life Cycle Stage: Evaluate
Criteria: Practice APO07.03 activity 6 (Conduct regular reviews to assess the evolution of the skills and competencies of the internal and external resources. Review succession planning.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 6 is implemented in relation to this skill.

Life Cycle Stage: Update/dispose
Criteria: Practice APO07.03 activity 7 (Review training materials and programmes on a regular basis to ensure adequacy with respect to changing enterprise requirements and their impact on necessary knowledge, skills and abilities.) is implemented in relation to this skill.
Assessment Step: Assess whether practice APO07.03 activity 7 is implemented in relation to this skill.
B-8.5 Understand good practice related to the People, Skills and Competencies and expected values.
Assess the People, Skills and Competencies design, i.e., assess to what extent expected good practices are applied.
Good Practice / Assessment Step

Good Practice: Skill set and Competencies are defined.
Assessment Steps:
 Determine that an inventory of Skills and Competencies is maintained by organisational unit, job function and individual.
 Evaluate the relevance and the contribution of the Skills and Competencies to the achievement of the goals of the organisational structure, and by consequence, IT-related goals and enterprise goals.
 Evaluate the gap analysis between the necessary portfolio of Skills and Competencies and the current inventory of skills and capabilities.

Good Practice: Skill levels are defined.
Assessment Steps:
 Assess the flexibility and performance of skills development in addressing identified gaps between necessary and current skill levels.
 Assess the process for 360-degree performance evaluations.

Phase C—Communicate the Results of the Assessment

Ref. / Assurance Step / Guidance

C-1 Document exceptions and gaps.

C-1.1 Understand and document weaknesses and their impact on the achievement of process goals.
Guidance:
• Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
• Clarify vulnerabilities, threats and missed opportunities that are more likely with enablers not performing effectively.

C-1.2 Understand and document weaknesses and their impact on enterprise goals.
Guidance:
• Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources). Relate the impact of not achieving the enabler goals to actual cases in the same industry and leverage industry benchmarks.
• Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder requirements, etc.
• Point out the consequence of non-compliance with regulatory requirements and contractual agreements.
• Measure the actual impact of disruptions and outages on business processes and objectives, and on customers (e.g., number, effort, downtime, customer satisfaction, cost).

C-2 Communicate the work performed and findings.

C-2.1 Communicate the work performed.
Guidance:
• Communicate regularly to the stakeholders identified in A-1 on progress of the work performed.

C-2.2 Communicate preliminary findings to the assurance engagement stakeholders defined in A-1.
Guidance:
• Document the impact (i.e., customer and financial impact) of errors that could have been caught by effective enablers.
• Measure and document the impact of rework (e.g., ratio of rework to normal work) as an efficiency measure affected by enabler weaknesses.
• Measure the actual business benefits and illustrate cost savings of effective enablers after the fact.
• Use benchmarking and survey results to compare the enterprise performance with others.
• Use extensive graphics to illustrate the issues.
• Inform the person responsible for the assurance activity about the preliminary findings and verify his/her correct understanding of those findings.

C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.
