WAPO02 Manage Strategy Audit Assurance Program - Icq - Eng - 0814


APO02 Manage Strategy

Audit/Assurance Program

ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value
from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking,
and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA
offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business
framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates
business-critical skills and knowledge through the globally respected Certified Information Systems Auditor ® (CISA®), Certified
Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information
Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer
ISACA has designed and created APO02 Manage Strategy Audit/Assurance Program (the ‘Work’) primarily as an educational
resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The
Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures
and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information,
procedure or test, assurance professionals should apply their own professional judgement to the specific circumstances presented
by the particular systems or information technology environment.

Reservation of Rights
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Align-Plan-and-Organise.aspx


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-568-8



Acknowledgements
ISACA wishes to recognize:

Development Team
Stefanie Grijp, PwC, Belgium
Bart Peeters, CISA, PwC, Belgium
Dirk Steuperaert, CISA, CGEIT, CRISC, IT In Balance BVBA, Belgium
Sven Van Hoorebeeck, PwC, Belgium

Expert Reviewers
Steven De Haes, University of Antwerp - Antwerp Management School, Belgium
John E. Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, ITSMBP, USA
Joanna Karczewska, CISA, Poland
Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina
Abdul Rafeq, CISA, CGEIT, CIA, FCA, Wincer Infotech Limited, India
Claus Rosenquist, CISA, CISSP, Nets Holding, Denmark
Lily Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
David A. Williams, CRISC, PMP, OceanFirst Bank, USA
Nikolaos Zacharopoulos, CISA, CISSP, MerckGroup, Germany
Daniel Zimerman, CISA, CRISC, CISSP, CEPT, CIH, GCIH, IQ Solutions, USA
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT I Enterprise Governance of IT (Pty) Ltd., South Africa

ISACA Board of Directors


Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Guidance and Practices Committee


Philip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, Deloitte, USA
James Seaman, CISM, CRISC, A.Inst.IISP, CCP, QSA, RandomStorm Ltd, UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CRISC, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CISSP, MerckGroup, Germany


Table of Contents
Page
Introduction.................................................................................................................................................................... 5
Assurance Engagement Approach Based on COBIT 5.................................................................................................5
Generic Audit/Assurance Program................................................................................................................................ 6
Customization of the Audit/Assurance Program.....................................................................................................6
About the Example Audit/Assurance Program: APO02 ...............................................................................................6
Assurance Engagement: Manage Strategy..................................................................................................................7
Assurance Topic..................................................................................................................................................... 7
Goal of the Review................................................................................................................................................. 7
Scoping................................................................................................................................................................... 7
COBIT 5-based Assurance Engagement Approach......................................................................................................7
Phase A—Determine Scope of the Assurance Initiative........................................................................................8
Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment.....................13
Phase C—Communicate the Results of the Assessments...................................................................................32


Introduction
This document contains an example audit/assurance program for a COBIT 5 process, based on the generic structure
developed in section 2B of COBIT 5 for Assurance.¹

Figure 1—Generic COBIT 5-based Assurance Engagement Approach

Important Note
The engagement approach is based on, but differs slightly from the generic approach described in COBIT 5 for
Assurance:
• The order in which the enablers are discussed is different: the engagement approach described here is a
process audit/assurance program; consequently the Process enabler is discussed first.
• The remaining six enablers are also included in the program, because they are relevant for a process assurance
engagement as well. They have been grouped together to make the program more compact.

Assurance Engagement Approach Based on COBIT 5


The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use Organisational Structures
as well as Information items (inputs [I] and outputs [O]). When developing the audit/assurance program, it will become
clear that when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential
for duplication.

In the development of this audit/assurance program, care has been taken to avoid or minimize duplication, meaning
that:

¹ See www.isaca.org/COBIT/Pages/Assurance-product-page.aspx for more information on COBIT 5 for Assurance.


• Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can
also be classified under the Information enabler heading and covered in detail there.
• Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage
human resources.

In practice, assurance professionals will have to use their own professional judgment when developing their own
customized audit/assurance programs, to avoid duplication of work.

In addition, while audit/assurance programs will be available for each process, in practice, a group of processes are
often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to
be selected for conducting assurance.

Generic Audit/Assurance Program


The assurance approach depicted in figure 1 is described in more detail and developed into a generic
audit/assurance program—including guidance on how to proceed during each step—in section 2B of COBIT 5 for
Assurance. This audit/assurance program is:
• Fully aligned with COBIT 5:
– It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also
uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the
enablers.
– It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement
can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives
to enterprise and IT risk and benefits.
• Comprehensive yet flexible. The generic program is comprehensive because it contains assurance steps
covering all enablers in quite some detail, yet it is also flexible because this detailed structure enables clear and
well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set
of enablers or some enabler instances and, while the decision will reduce the scope and related assurance
engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement
user.
• Easy to understand, follow and apply because of its clear structure:
– The table follows the flow described in figure 1, but splits each phase into different steps and substeps.
– For each step, a short description is included, as is guidance for the assurance professional on how to
proceed with the step (text in italics).

Additional guidance on how to use other IT assurance-related standards for performing assurance can be found in
section 3 of COBIT 5 for Assurance.

Customization of the Audit/Assurance Program

Customization and completion of the example audit/assurance program in this document is required, and consists of
refining the scope by selecting goals and enabler instances—the lists included in the example are comprehensive, yet
still are examples (i.e., different strategic priorities of the enterprise may dictate a different scope). The lists can also
be considered prohibitive by some, as they can lead to a very broad scope, and therefore a very expensive assurance
engagement; selection and prioritization will be required. The assurance professional will need to consider the
following steps:
• Determine the stakeholders of the assurance initiative and their stake.
• Determine the assurance objectives based on assessment of the internal and external environment/context,
including the strategic objectives, goals (figures 40 and 41 of COBIT 5 for Assurance) and priorities of the
enterprise.
• Determine the enablers in scope and the instance(s) of the enablers in scope.

About the Example Audit/Assurance Program: APO02


In the next section, the assurance topic at hand—process APO02 Manage strategy—is fully addressed based on the
generic audit/assurance program. The detailed program contains the following additional information:
• In the Guidance column, the shaded text is specific to the example and provides practical guidance, e.g.,
examples of the Organisational Structures to include in scope, setting assessment criteria for the different
enablers and actually assessing the different enablers.
• Two additional columns are included, in which the assurance professional can identify and cross-reference issues
and record comments.


Assurance Engagement: Manage Strategy

Assurance Topic

The topic covered by this document is process APO02 Manage strategy.

Goal of the Review

The goal of the review is to provide assurance over the APO02² process that ensures:
• The strategic IT plans are aligned with business objectives.
• The objectives and associated accountabilities are clearly communicated so that they are understood by all.
• The IT strategic options are identified, structured and integrated with the business plans.

Scoping
The scope of the assurance engagement is expressed as a function of the seven COBIT 5 enablers, with a focus on
the Process enabler. The process content is taken directly from the detailed process descriptions in COBIT 5:
Enabling Processes, i.e., these are standard COBIT 5 processes. Other enablers are also directly based on the same
process descriptions, e.g., the Organisational Structures and Information items.

Other enablers are described in a more generic way and may require customization before the audit/assurance
program can be applied.

COBIT 5-based Assurance Engagement Approach


The audit/assurance program is divided into three sections:
• Phase A—Determine Scope of the Assurance Initiative—In phase A of the assurance workflow, the auditor
scopes the assurance engagement. This process defines the scope in the COBIT 5 terms of enterprise goals, IT-
related goals and enablers.
• Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment—In phase
B of the assurance workflow, the auditor:
– Builds an understanding of the subject matter over which assurance needs to be provided. The subject
matter is expressed in terms of COBIT 5 enablers.
– Obtains agreement over the assessment criteria that will be used during the assurance engagement.
– Assesses the design and outcomes of the enablers.
• Phase C—Communicate the Results of the Assessments—In phase C of the assurance workflow, the auditor
communicates the observations to the initiative stakeholders. This includes carefully documenting all weaknesses
or exceptions found and communicating them to stakeholders effectively and efficiently, with a view to initiating
the appropriate response.

² Additional related guidance for APO02 can be found in COBIT 5: Enabling Processes, p. 67.


Phase A—Determine Scope of the Assurance Initiative

(The original table has the columns Ref., Assurance Step, Guidance, Issue Cross-reference and Comment. Each step is shown below as Ref., Assurance Step and Guidance; the Issue Cross-reference and Comment columns are blank, to be completed by the assurance professional.)

A-1 Determine the stakeholders of the assurance initiative and their stake.

A-1.1 Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the
assurance objective.
Guidance: Intended user(s) of the assurance report. Describe the users of the assurance report and their stakes.

A-1.2 Identify the interested parties, accountable and responsible for the subject matter over which assurance
needs to be provided.
Guidance: Accountable and responsible parties for the subject matter. Describe the accountable and responsible
parties for the subject matter over which assurance is to be provided; COBIT 5 includes a summary description of a
comprehensive set of roles that can be used as starting point for this audit step (COBIT 5 framework, appendix 6,
p.76); COBIT 5 for Assurance also provides a summary description of a comprehensive set of assurance roles; see
section 2A, chapter 4, p.37.

A-2 Determine the assurance objectives based on assessment of the internal and external environment/context and
of the relevant risk and related opportunities (i.e., not achieving the enterprise goals).
Guidance: Assurance objectives are essentially a more detailed and tangible expression of those enterprise
objectives relevant to the subject of the assurance engagement.
Enterprise objectives can be formulated in terms of the generic enterprise goals (COBIT 5 framework) or they can
be expressed more specifically.
Objectives of the assurance engagement can be expressed using the COBIT 5 enterprise goals, the IT-related goals
(which relate more to technology), information goals or any other set of specific goals.

A-2.1 Understand the enterprise strategy and priorities.
Guidance: Inquire with executive management or through available documentation (corporate strategy, annual
report, etc.) about the enterprise strategy and priorities for the coming period, and document them to the extent the
process under review is relevant.

A-2.2 Understand the internal context of the enterprise.
Guidance: Identify all internal environmental factors that could influence the performance of the process under
review.

A-2.3 Understand the external context of the enterprise.
Guidance: Identify all external environmental factors that could influence the performance of the process under
review.

A-2.4 Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for
the assurance engagement.
Guidance: The following goals can be retained as key goals to be supported, in reflection of enterprise strategy and
priorities.³

Key goals
Enterprise goals:
• EG01 – Stakeholder value of business investments
• EG02 – Portfolio of competitive products and services
• EG06 – Customer-oriented service culture
• EG08 – Agile responses to a changing business environment
• EG11 – Optimisation of business process functionality

IT-related goals:
• ITG01 – Alignment of IT and business strategy
• ITG07 – Delivery of IT services in line with business requirements
• ITG17 – Knowledge, expertise and initiatives for business innovation

Additional goals
Enterprise goals:
• EG09 – Information-based strategic decision making
• EG13 – Managed business change programmes
• EG17 – Product and business innovation culture

IT-related goals:
• ITG03 – Commitment of executive management for making IT-related decisions
• ITG04 – Managed IT-related business risk
• ITG05 – Realised benefits from IT-enabled investments and services portfolio
• ITG08 – Adequate use of applications, information and technology solutions
• ITG09 – IT agility
• ITG11 – Optimisation of IT assets, resources and capabilities
• ITG12 – Enablement and support of business processes by integrating applications and technology into business
processes
• ITG13 – Delivery of programmes delivering benefits on time, on budget, and meeting requirements and quality
standards
• ITG14 – Availability of reliable and useful information for decision making
• ITG15 – IT compliance with internal policies
• ITG16 – Competent and motivated business and IT personnel

A-2.5 Define the organizational boundaries of the assurance initiative.
Guidance: Describe the organizational boundaries of the assurance engagement, i.e., to which organizational
entities the review is limited. All other aspects of scope limitation are identified during phase A-3.

A-3 Determine the enablers in scope and the instance(s) of the enablers in scope.
Guidance: The scope of this assurance engagement is a process. Nevertheless, as per the COBIT 5 enabler model,
all related enablers will have to be considered for inclusion in the scope as well.

A-3.1 Define the Process in scope of the review.
Guidance: The following process as defined in COBIT 5: Enabling Processes is in scope of this assurance
engagement: APO02 Manage strategy.

A-3.2 Define the related enablers.
Related enablers include:
• Principles, Policies and Frameworks
• Organisational Structures
• Culture, Ethics and Behaviour
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies

Guidance:

Principles, Policies and Frameworks: In the context of this process review, and taking into account the goals
identified in A-2.4, the following Principles, Policies and Frameworks could be considered in scope of the review:⁴
• Guiding principles for allocation of resources and capabilities
• Other relevant Principles, Policies and Framework elements

Organisational Structures: Based on the process under review, the following Organisational Structures and
functions are considered to be in scope of this assurance engagement, and available resources will determine
which ones will be reviewed in detail:⁵
• CEO (Chief executive officer)
• Business executives
• Business process owners
• Strategy executive committee
• Project management office
• Compliance
• Audit
• CIO (Chief information officer)
• Head architect
• Head of development
• Head IT operations
• Head IT administration
• Service manager
• Information security manager
• Business continuity manager

Culture, Ethics and Behaviour: In the context of this process review, the following enterprisewide Behaviours are in
scope:
• <list here the most relevant Behaviour elements>

Information items: Based on the process under review, the following Information items are considered to be in
scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail.⁶

APO02.01:
• Guiding principles for allocation of resources and capabilities (I)
• Sources and priorities for changes (O)
• Innovation opportunities linked to business drivers (I)
• Enterprise strategy and enterprise strengths, weaknesses, opportunities, threats (SWOT) analysis (I)

APO02.02:
• Cost optimisation opportunities (I)
• Baseline of current capabilities (O)
• Definition of potential improvement projects (I)
• Gaps and risk related to current capabilities (O)
• Identified gaps in IT services to the business (I)
• Capability SWOT analysis (O)
• Improvement action plans and remediations (I)
• Emerging risk issues and factors (I)
• Risk analysis results (I)
• Aggregated risk profile, including status of risk management actions (I)
• Project proposals for reducing risk (I)
• Performance and capacity plans (I)
• Prioritised improvements (I)
• Corrective actions (I)
• Results of fit-for-purpose reviews (I)
• Opportunities to reduce asset costs or increase value (I)
• Results of cost optimisation reviews (I)

APO02.03:
• Analysis of rejected initiatives (I)
• Results and recommendations from proof-of-concept initiatives (I)
• High-level IT-related goals (O)
• Required business and IT capabilities (O)
• Proposed enterprise architecture changes (O)

APO02.04:
• Evaluation of strategic alignment (I)
• Gaps and changes required to realise target capability (O)
• Assessment of using innovative approaches (I)
• Value benefit statement for target environment (O)
• Investment return expectations (I)
• Results of programme goal achievement monitoring (I)
• Stage-gate review results (I)
• Post-implementation review results (I)

APO02.05:
• Approved resources plan (I)
• Definition of strategic initiatives (O)
• Feedback on allocation and effectiveness of resources and capabilities (I)
• Remedial actions to address resource management deviations (I)
• Risk assessment (O)
• Defined scope of architecture (I)
• Architecture concept business case and value proposition (I)
• Strategic road map (O)
• Information architecture model (I)
• Transition architectures (I)
• High-level implementation and migration strategy (I)
• Feedback on strategy and goals (I)
• Funding options (I)
• Budget allocations (I)
• IT budget and plan (I)
• Budget communications (I)
• Information security business cases (I)
• Action plan to adjust license numbers and allocations (I)
• Approved strategic options (I)

APO02.06:
• Communication of resourcing strategies (I)
• Communication plan (O)
• Communication package (O)

Services, Infrastructure and Applications: In the context of this process review, and taking into account the goals
identified in A-2.4, the following Services and related Infrastructure or Applications could be considered in scope of
the review:
• <list here the most relevant Services, Infrastructure and Applications components in scope>

People, Skills and Competencies: In the context of this process review, taking into account key processes and key
roles, the following Skill sets are included in scope:
• Knowledge of IT strategy definition
• Other relevant Skill sets required

³ The suggested set of enterprise goals can and should vary with enterprise strategy and priorities. However, in this
generic program the following logic was applied: first the mapping table between IT processes and IT-related goals
(COBIT 5: Enabling Processes, appendix B, p.227-229) was used. The mappings between the process at hand and
the IT goals listed as ‘P’ are retained as key IT-related goals. The mappings listed as ‘S’ are retained as additional
IT-related goals. Next, the mapping table between enterprise goals and IT-related goals (COBIT 5: Enabling
Processes, appendix B, p.226) is used. The previously selected key IT-related goals are looked up, and those
enterprise goals that support half or more of the IT-related goals as ‘P’ are retained as key enterprise goals. The
remaining enterprise goals listed as ‘P’ are retained as additional enterprise goals. Again, after application of the
logic described here, the resulting set of goals should be reviewed and tailored if necessary.
⁴ The logic applied here is the following: if there are any Policies or Frameworks identified as inputs or outputs of
any of the process practices of the process under review, they will be included here.
⁵ Only those roles that have an ‘A’ or ‘R’ in the RACI chart of the process are included here. Roles are taken from
the RACI charts in COBIT 5: Enabling Processes; some more specific roles may be taken from COBIT 5 for
Assurance, COBIT 5 for Risk or COBIT 5 for Information Security.
⁶ Leverage the inputs and outputs (also referred to as work products) described for each process practice in COBIT
5: Enabling Processes to identify the most relevant or important information items. All inputs and outputs are listed
here, with those work products written in italic font to be dealt with (in more detail) as part of the Information
enabler.
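The goal-selection logic described in footnote 3 (‘P’ mappings become key goals, ‘S’ mappings additional goals, and an enterprise goal is key when it supports half or more of the key IT-related goals as ‘P’) is carried out below as an added worked example; it is not ISACA's code or part of the program. The APO02 row reproduces the ratings this page lists, while the enterprise-goal matrix is a constructed fragment, not the COBIT 5 appendix B table, so its output only illustrates the rule and must still be reviewed and tailored as the footnote requires.

```python
"""Derive key/additional goals for a COBIT 5 process per footnote 3.

Added example, not ISACA tooling. Both mapping fragments are CONSTRUCTED
for illustration: APO02_ROW reproduces the P/S ratings listed on this page;
EG_MATRIX is a small made-up subset of the enterprise goal mapping table.
"""
from typing import Dict, List, Tuple

Rating = str  # 'P' (primary), 'S' (secondary); absent means no mapping

# Constructed: APO02's row of the process -> IT-related goal mapping table.
APO02_ROW: Dict[str, Rating] = {
    "ITG01": "P", "ITG07": "P", "ITG17": "P",
    "ITG03": "S", "ITG04": "S", "ITG05": "S", "ITG08": "S", "ITG09": "S",
    "ITG11": "S", "ITG12": "S", "ITG13": "S", "ITG14": "S", "ITG15": "S",
    "ITG16": "S",
}

# Constructed: enterprise goal -> {IT-related goal: rating}. Only a subset,
# chosen so that the rule can be seen to classify each case.
EG_MATRIX: Dict[str, Dict[str, Rating]] = {
    "EG01": {"ITG01": "P", "ITG07": "P", "ITG17": "S"},  # 2 of 3 key ITGs as P
    "EG02": {"ITG01": "P", "ITG17": "P"},                # 2 of 3
    "EG06": {"ITG01": "P", "ITG07": "P", "ITG17": "P"},  # 3 of 3
    "EG09": {"ITG01": "P", "ITG14": "P"},                # 1 of 3 -> additional
    "EG13": {"ITG01": "P", "ITG13": "P"},                # 1 of 3 -> additional
    "EG04": {"ITG04": "P"},                              # no P on a key ITG
}


def select_it_goals(process_row: Dict[str, Rating]) -> Tuple[List[str], List[str]]:
    """Step 1 of footnote 3: 'P' mappings are key, 'S' mappings additional."""
    key = sorted(g for g, r in process_row.items() if r == "P")
    additional = sorted(g for g, r in process_row.items() if r == "S")
    return key, additional


def key_itg_threshold(key_itgs: List[str]) -> int:
    """'Half or more' of the key IT-related goals, i.e. ceil(n / 2)."""
    return (len(key_itgs) + 1) // 2


def primary_hits(row: Dict[str, Rating], key_itgs: List[str]) -> int:
    """Number of key IT-related goals this enterprise goal supports as 'P'."""
    return sum(1 for itg in key_itgs if row.get(itg) == "P")


def select_enterprise_goals(
    eg_matrix: Dict[str, Dict[str, Rating]], key_itgs: List[str]
) -> Tuple[List[str], List[str]]:
    """Step 2 of footnote 3.

    Key: the enterprise goal supports at least half of the key IT-related
    goals as 'P'. Additional: any remaining enterprise goal with at least one
    'P' on a key IT-related goal (our reading of "remaining ... listed as P").
    Goals with no 'P' on a key IT-related goal are left out of scope.
    """
    threshold = key_itg_threshold(key_itgs)
    key: List[str] = []
    additional: List[str] = []
    for eg, row in sorted(eg_matrix.items()):
        hits = primary_hits(row, key_itgs)
        if hits == 0:
            continue
        (key if hits >= threshold else additional).append(eg)
    return key, additional


def derive_goals(
    process_row: Dict[str, Rating], eg_matrix: Dict[str, Dict[str, Rating]]
) -> Dict[str, List[str]]:
    """Run both steps and return the four goal lists for tailoring/review."""
    key_itg, add_itg = select_it_goals(process_row)
    key_eg, add_eg = select_enterprise_goals(eg_matrix, key_itg)
    return {
        "key_it_goals": key_itg,
        "additional_it_goals": add_itg,
        "key_enterprise_goals": key_eg,
        "additional_enterprise_goals": add_eg,
    }


if __name__ == "__main__":
    for label, goals in derive_goals(APO02_ROW, EG_MATRIX).items():
        print(f"{label}: {', '.join(goals)}")
```

The per-goal hit count from `primary_hits` is worth keeping in the working papers, since it is the evidence for why a goal landed in the key or additional list when the selection is reviewed and tailored.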

Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Issue Cross-
Ref. Assurance Steps and Guidance Comment
reference
B-1 Agree on metrics and criteria for enterprise goals and IT-related goals.
Assess enterprise goals and IT-related goals.
B-1.1 Obtain (and agree on) metrics for enterprise goals and expected values of the metrics and assess whether enterprise goals in scope are
achieved.
Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customized metrics for
the enterprise goals, taking care that the suggested metrics are driven by the performance of the topic of this assurance initiative.

Next, agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
The following metrics and expected values are agreed on for the key enterprise goals defined in step A-2.4.
Enterprise Goal Metric Expected Outcome (Ex) Assessment Step
EG01 Stakeholder  Percent of investments where Agree on the expected In this step, the related metrics for
value of business investments
Metrics:
• Percent of investments where value delivered meets stakeholder expectations
• Percent of products and services where expected benefits are realized
• Percent of investments where claimed benefits are met or exceeded
Expected outcome: Agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

EG02 Portfolio of competitive products and services
Metrics:
• Percent of products and services that meet or exceed targets in revenues and/or market share
• Ratio of products and services per life cycle phase
• Percent of products and services that meet or exceed customer satisfaction targets
• Percent of products and services that provide competitive advantage
Expected outcome: Agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

EG06 Customer-oriented service culture
Metrics:
• Number of customer service disruptions due to IT service-related incidents (reliability)
• Percent of business stakeholders satisfied that customer service delivery meets agreed-on levels
• Number of customer complaints
• Trend of customer satisfaction survey results
Expected outcome: Agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

EG08 Agile responses to a changing business environment
Metrics:
• Level of board satisfaction with enterprise responsiveness to new requirements
• Number of critical products and services supported by up-to-date business processes
• Average time to turn strategic enterprise objectives into an agreed-on and approved initiative
Expected outcome: Agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

EG11 Optimisation of business process functionality
Metrics:
• Frequency of business process capability maturity assessments
• Trend of assessment results
• Satisfaction levels of board and executives with business process capabilities
Expected outcome: Agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.
B-1.2 Obtain (and agree on) metrics for IT-related goals and expected values of the metrics and assess whether IT-related goals in scope are
achieved.
The following metrics and expected values are agreed on for the key IT-related goals defined in Step A-2.4.
IT-related Goal | Metric | Expected Outcome (Ex) | Assessment Step
ITG01 Alignment of IT and business strategy
Metrics:
• Percent of enterprise strategic goals and requirements supported by IT strategic goals
• Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• Percent of IT value drivers mapped to business value drivers
Expected outcome: Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

ITG07 Delivery of IT services in line with business requirements
Metrics:
• Number of business disruptions due to IT service incidents
• Percent of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• Percent of users satisfied with the quality of IT service delivery
Expected outcome: Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

ITG17 Knowledge, expertise and initiatives for business innovation
Metrics:
• Level of business executive awareness and understanding of IT innovation possibilities
• Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• Number of approved initiatives resulting from innovative IT ideas
Expected outcome: Agree on the expected values for the IT-related goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.
B-2 Obtain understanding of the Process in scope and set suitable assessment criteria.
Assess the Process.7
B-2.1 Understand the Process purpose.
The purpose of process APO02 is as per the standard COBIT 5 process statement: ‘Align strategic IT plans with business objectives. Clearly communicate the objectives and associated accountabilities so they are understood by all, with the IT strategic options identified, structured and integrated with the business plans’.

7 Because this is a process audit/assurance program, several of the assurance steps from COBIT 5 for Assurance have been combined or removed.
B-2.2 Understand the Process goals and related metrics and define expected values (criteria), and assess whether the Process goals
(outcomes) are achieved, i.e., assess the effectiveness of the Process.
The process APO02 Manage strategy has five standard defined process goals, as described in COBIT 5: Enabling Processes, chapter 5, p. 57. Based on these goals and their related metrics, the following subset of goals and associated metrics is defined for this process.
Process Goal | Related Metric | Criteria/Expected Value | Assessment Step
All aspects of the IT strategy are aligned with the enterprise strategy.
Related metrics:
• Percent of objectives in the IT strategy that support the enterprise strategy
• Percent of enterprise objectives addressed in the IT strategy
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

The IT strategy is cost-effective, appropriate, realistic, achievable, enterprise-focussed and balanced.
Related metrics:
• Percent of initiatives in the IT strategy that are self-funding (financial benefits in excess of costs)
• Trends in return on investment (ROI) of initiatives in the IT strategy
• Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Clear and concrete short-term goals can be derived from, and traced back to, specific long-term initiatives, and can then be translated into operational plans.
Related metric:
• Percent of projects in the IT project portfolio that can be directly traced back to the IT strategy
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

IT is a value driver for the enterprise.
Related metrics:
• Percent of strategic enterprise objectives obtained as a result of strategic IT initiatives
• Number of new enterprise opportunities realised as a direct result of IT developments
• Percent of IT initiatives/projects championed by business owners
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

There is awareness of the IT strategy and a clear assignment of accountability for delivery.
Related metrics:
• Achievements of measurable IT strategy outcomes part of staff performance goals
• Frequency of updates to the IT strategy communication plan
• Percent of strategic initiatives with accountability assigned
Criteria/expected value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.
The process APO02 Manage strategy is described in COBIT 5: Enabling Processes. The Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are listed in the table below. Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.
• A sound process design
• The reference against which the process will be assessed in phase C, with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Reference Process Practice | Assessment Step
APO02.01 Understand enterprise direction.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Develop and maintain an understanding of enterprise strategy and objectives, as well as the current enterprise operational environment and challenges.
2. Develop and maintain an understanding of the external environment of the enterprise.
3. Identify key stakeholders and obtain insight on their requirements.
4. Identify and analyse sources of change in the enterprise and external environments.
5. Ascertain priorities for strategic change.
6. Understand the current enterprise architecture and work with the enterprise architecture process to determine any potential architectural gaps.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

APO02.02 Assess the current environment, capabilities and performance.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Develop a baseline of the current business and IT environment, capabilities and services against which future requirements can be compared. Include the relevant high-level detail of the current enterprise architecture (business, information, data, applications and technology domains), business processes, IT processes and procedures, the IT organisation structure, external service provision, governance of IT, and enterprise-wide IT-related skills and competencies.
2. Identify risk from current, potential and declining technologies.
3. Identify gaps between current business and IT capabilities and services and reference standards and good practices, competitor business and IT capabilities, and comparative benchmarks of good practice and emerging IT service provision.
4. Identify issues, strengths, opportunities and threats in the current environment, capabilities and services to understand current performance. Identify areas for improvement in terms of IT’s contribution to enterprise objectives.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

APO02.03 Define the target IT capabilities.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Consider validated emerging technology or innovation ideas.
2. Identify threats from declining, current and newly acquired technologies.
3. Define high-level IT objectives/goals and how they will contribute to the enterprise’s business objectives.
4. Define required and desired business process and IT capabilities and IT services and describe the high-level changes in the enterprise architecture (business, information, data, applications and technology domains), business and IT processes and procedures, the IT organisation structure, IT service providers, governance of IT, and IT skills and competencies.
5. Align and agree with the enterprise architect on proposed enterprise architecture changes.
6. Demonstrate traceability to the enterprise strategy and requirements.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

APO02.04 Conduct a gap analysis.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Identify all gaps and changes required to realise the target environment.
2. Consider the high-level implications of all gaps. Consider the value of potential changes to business and IT capabilities, IT services and enterprise architecture, and the implications if no changes are realised.
3. Assess the impact of potential changes on the business and IT operating models, IT research and development capabilities, and IT investment programmes.
4. Refine the target environment definition and prepare a value statement with the benefits of the target environment.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

APO02.05 Define the strategic plan and road map.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Define the initiatives required to close gaps and migrate from the current to the target environment, including investment/operational budget, funding sources, sourcing strategy and acquisition strategy.
2. Identify and adequately address risk, costs and implications of organisational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, insourcing and outsourcing opportunities, etc., in the planning process.
3. Determine dependencies, overlaps, synergies and impacts amongst initiatives, and prioritise the initiatives.
4. Identify resource requirements, schedule and investment/operational budgets for each of the initiatives.
5. Create a road map indicating the relative scheduling and interdependencies of the initiatives.
6. Translate the objectives into outcome measures represented by metrics (what) and targets (how much) that can be related to enterprise benefits.
7. Formally obtain support from stakeholders and obtain approval for the plan.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.

APO02.06 Communicate the IT strategy and direction.
Assessment step: Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Develop and maintain a network for endorsing, supporting and driving the IT strategy.
2. Develop a communication plan covering the required messages, target audiences, communication mechanisms/channels and schedules.
3. Prepare a communication package that delivers the plan effectively using available media and technologies.
4. Obtain feedback and update the communication plan and delivery as required.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
• Accountability and responsibility are assigned and assumed.
• Accountability and responsibility are assigned at the appropriate level in the organisation.
B-2.3 Agree on the Process work products (inputs and outputs as defined in the process practices description) that are expected to be
present (process design).
Assess the extent to which the process work products are available.
The Process APO02 identifies a set of inputs and outputs for the different management practices. The most relevant of these work products (and those not assessed as Information items in scope in section A-3.2) are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.
Process Practice | Work Product8 | Assessment Step
Assessment step (for each work product): Apply appropriate auditing techniques to determine for each work product:
• Existence of the work product
• Appropriate use of the work product

APO02.01
• Guiding principles for allocation of resources and capabilities (I)
• Sources and priorities for changes (O)
• Innovation opportunities linked to business drivers (I)
• Enterprise strategy and enterprise strengths, weaknesses, opportunities, threats (SWOT) analysis (I)
APO02.02
• Cost optimisation opportunities (I)
• Baseline of current capabilities (O)
• Definition of potential improvement projects (I)
• Identified gaps in IT services to the business (I)
• Capability SWOT analysis (O)
• Improvement action plans and remediations (I)
• Emerging risk issues and factors (I)
• Risk analysis results (I)
• Aggregated risk profile, including status of risk management actions (I)
• Project proposals for reducing risk (I)
• Performance and capacity plans (I)
• Prioritised improvements (I)
• Corrective actions (I)
• Results of fit-for-purpose reviews (I)
• Opportunities to reduce asset costs or increase value (I)
• Results of cost optimisation reviews (I)
APO02.03
• Analysis of rejected initiatives (I)
• Results and recommendations from proof-of-concept initiatives (I)
APO02.04
• Evaluation of strategic alignment (I)
• Assessment of using innovative approaches (I)
• Value benefit statement for target environment (O)
• Investment return expectations (I)
• Results of programme goal achievement monitoring (I)
• Stage-gate review results (I)
• Post-implementation review results (I)
APO02.05
• Approved resources plan (I)
• Feedback on allocation and effectiveness of resources and capabilities (I)
• Remedial actions to address resource management deviations (I)
• Defined scope of architecture (I)
• Architecture concept business case and value proposition (I)
• Information architecture model (I)
• Transition architectures (I)
• High-level implementation and migration strategy (I)
• Feedback on strategy and goals (I)
• Funding options (I)
• Budget allocations (I)
• IT budget and plan (I)
• Budget communications (I)
• Information security business cases (I)
• Action plan to adjust license numbers and allocations (I)
• Approved strategic options (I)
APO02.06
• Communication of resourcing strategies (I)
• Communication plan (O)
• Communication package (O)

8 Only the work products not already dealt with (in more detail) as part of the Information enabler are listed here.
B-2.4 Agree on the Process capability level to be achieved by the process.
Process APO02 is—given the strategic priorities—important, and will require the following Process capability level and attributes, which is equivalent to achieving a Process capability level _____.9

9 This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore, the concept of capability level does not apply.

B-3 Obtain understanding of the Principles, Policies and Frameworks in scope.
Assess Principles, Policies and Frameworks.
Repeat steps B-3.1 through B-3.5 for all Principles, Policies and Frameworks in scope.
B-3.1 Understand the Principles, Policies and Frameworks context.
Obtain understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.
B-3.2 Understand the stakeholders of the Principles, Policies and Frameworks
Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to
be in compliance with the policies.
B-3.3 Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values.
Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles,
Policies and Frameworks.
Goal | Criteria | Assessment Step
Comprehensiveness
Criteria: The set of policies is comprehensive in its coverage.
Assessment step: Verify that the set of policies is comprehensive in its coverage.
Currency
Criteria: The set of policies is up to date. This at least requires:
• A regular validation of all policies whether they are still up to date
• An indication of the policies’ expiration date or date of last update
Assessment step: Verify that the set of policies is up to date. This at least requires:
• A regular validation of all policies whether they are still up to date
• An indication of the policies’ expiration date or date of last update
Flexibility
Criteria: The set of policies is flexible. It is structured in such a way that it is easy to add or update policies as circumstances require.
Assessment step: Verify the flexibility of the set of policies, i.e., that it is structured in such a way that it is easy to add or update policies as circumstances require.
Availability
Criteria:
• Policies are available to all stakeholders.
• Policies are easy to navigate and have a logical and hierarchical structure.
Assessment step:
• Verify that policies are available to all stakeholders.
• Verify that policies are easy to navigate and have a logical and hierarchical structure.
B-3.4 Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent
the Principles, Policies and Frameworks life cycle is managed.
The life cycle of the IT-related policies is managed by the Process APO01. The review of this life cycle is therefore equivalent to a
process review of process APO01 Manage the IT management framework.
B-3.5 Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and
Frameworks design, i.e., assess the extent to which expected good practices are applied.
The assurance professional will, by using appropriate auditing techniques, assess the following aspects.
Good Practice | Criteria | Assessment Step
Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment step: Verify that the scope of the framework is described and the validity date is indicated.
Exception and escalation
Criteria:
• The exception and escalation procedure is explained and commonly known.
• The exception and escalation procedure has not become de facto standard procedure.
Assessment step:
• Verify that the exception and escalation procedure is described, explained and commonly known.
• Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.
Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.
B-4 Obtain understanding of the Organisational Structures in scope.
Assess the Organisational Structures.
Repeat steps B-4.1 through B-4.5 for each Organisational Structure in scope, as determined in step A-3.2.
B-4.1 Understand the Organisational Structure context.
Identify and document all elements that can help to understand the context in which the Organisational Structure/role has to operate,
including:
• The overall organisation
• Management/process framework
• History of the role/structure
• Contribution of the Organisational Structure to achievement of goals
B-4.2 Understand all stakeholders of the Organisational Structure/function.
Determine through documentation review (policies, management communications, etc.) the key stakeholders of the role, i.e.:
• Incumbent of the role and/or members of the Organisational Structure
• Other key stakeholders affected by the decisions of the Organisational Structure/role
B-4.3 Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these goals
contribute to the achievement of the enterprise goals and IT-related goals.
Organisational Structure Goal | Assessment Step
Determine through interviews with key stakeholders and documentation review the goals of the Organisational Structures, i.e., the decisions for which they are accountable.10,11
Note: Very often, the goals of an Organisational Structure—making decisions—are already described by some of the process practices and/or process activities in COBIT 5: Enabling Processes. Therefore, they will be part of the process review and should not be repeated here. Only when very specific decisions would be required is there a need to list them explicitly in this step.
Assessment step: This step only applies if specific goals are defined. In that case, the assurance professional will use appropriate auditing techniques to:
• Identify the decisions made by the Organisational Structure.
• Assess whether decisions are appropriately documented and communicated.
• Evaluate the decisions by assessing whether:
  - They have contributed to the achievement of the IT-related and enterprise goals as anticipated.
  - Decisions are duly executed on a timely basis.
B-4.4 Agree on the expected good practices for the Organisational Structure against which it will be assessed.
Assess the Organisational Structure design, i.e., assess the extent to which expected good practices are applied.
Good Practice | Criteria | Assessment Step
Operating principles
Criteria:
• Operating principles are documented.
• Regular meetings take place as defined in operating principles.
• Meeting reports/minutes are available and are meaningful.
Assessment step:
• Verify whether operating principles are appropriately documented.
• Verify that regular meetings take place as defined in the operating principles.
• Verify that meeting reports/minutes are available and are meaningful.
Composition
Criteria: The Organisational Structure’s composition is balanced and complete, i.e., all required stakeholders are sufficiently represented.
Assessment step: Assess whether the Organisational Structure’s composition is balanced and complete, i.e., all required stakeholders are sufficiently represented.
Span of control
Criteria:
• The span of control of the Organisational Structure is defined.
• The span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should.
• The span of control is in line with the overall enterprise governance arrangements.
Assessment step:
• Verify whether the span of control of the Organisational Structure is defined.
• Assess whether the span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should.
• Verify and assess whether the span of control is in line with the overall enterprise governance arrangements.
Level of authority/decision rights
Criteria:
• Decision rights of the Organisational Structure are defined and documented.
• Decision rights of the Organisational Structure are respected and complied with (also a culture/behaviour issue).
Assessment step:
• Verify that decision rights of the Organisational Structure are defined and documented.
• Verify whether decision rights of the Organisational Structure are complied with and respected.
Delegation of authority
Criteria: Delegation of authority is implemented in a meaningful way.
Assessment step: Verify whether delegation of authority is implemented in a meaningful way.
Escalation procedures
Criteria: Escalation procedures are defined and applied.
Assessment step: Verify the existence and application of escalation procedures.

10 The RACI charts in COBIT 5: Enabling Processes can be leveraged as a starting point for the expected goals of a role or Organisational Structure.
11 The Organisational Structure/role as described may not exist under the same name in the enterprise; in that case, the closest Organisational Structure assuming the same responsibilities and accountability should be considered.
B-4.5 Understand the life cycle and agree on expected values.
Assess the extent to which the Organisational Structure life cycle is managed.
Life Cycle Element | Criteria | Assessment Steps
Mandate
Criteria:
• The Organisational Structure is formally established.
• The Organisational Structure has a clear, documented and well-understood mandate.
Assessment steps:
• Verify through interviews and observations that the Organisational Structure is formally established.
• Verify through interviews and observations that the Organisational Structure has a clear, documented and well-understood mandate.
Monitoring
Criteria:
• The performance of the Organisational Structure and its members should be regularly monitored and evaluated by competent and independent assessors.
• The regular evaluations should result in the required continuous improvements to the Organisational Structure, either in its composition, mandate or any other parameter.
Assessment steps:
• Verify whether the performance of the Organisational Structure and its members is regularly monitored and evaluated by competent and independent assessors.
• Verify whether the regular evaluations have resulted in improvements to the Organisational Structure, in its composition, mandate or any other parameter.
B-5 Obtain understanding of the Culture, Ethics and Behaviour in scope.
Assess Culture, Ethics and Behaviour.
Repeat steps B-5.1 through B-5.5 for each Culture, Ethics, and Behaviour aspect in scope.
B-5.1 Understand the Culture, Ethics and Behaviour context.
Understand the context of the Culture/Ethics/Behaviour, i.e.:
• What the overall corporate Culture is like
• Understand the interconnection with other enablers in scope:
  - Identify roles and structures that could be affected by the Culture.
  - Identify processes that could be affected by Culture, Ethics and Behaviour, including any processes in scope of the review.

B-5.2 Understand the major stakeholders of the Culture, Ethics and Behaviour.
Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to
demonstrate the correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.
B-5.3 Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree on expected values.
Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture, Ethics and Behaviour.
Define what constitutes desired and undesirable Behaviours and why they are so classified, i.e., relate Behaviours to the organisational ethics and values by which the enterprise wants to live in support of enterprise goals.
Culture and especially Behaviours are associated with individuals and the Organisational Structures of which they are a part; therefore, by using appropriate auditing techniques, the assurance professional will:
• Identify individuals who must comply with the Behaviours under review.
• Identify the Organisational Structures involved.
• Assess whether desired Behaviours can be observed.
• Assess whether undesirable Behaviours are absent.
Desired Behaviour (Culture, Ethics and Behaviour Goal) | Assessment Step

B-5.4 Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria.
Assess the extent to which the Culture, Ethics and Behaviour life cycle is managed.
(This aspect is already covered by the assessment of the good practices, so no additional assurance steps are defined here.)
B-5.5 Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria.
Assess the Culture, Ethics and Behaviour design, i.e., assess to what extent expected good practices are applied.
Good practice: Communication, enforcement and rules
Criteria: Existence and quality of the communication
Good practice: Incentives and rewards
Criteria: Existence and application of appropriate rewards and incentives
Good practice: Awareness
Criteria: Awareness of desired Behaviours
Assessment step (for each good practice): Apply appropriate auditing techniques to assess whether the good practice is adequately applied, i.e., assessment criteria are met.

B-6 Obtain understanding of the Information items in scope.
Assess Information items.
Repeat steps B-6.1 through B-6.5 for each Information item defined in scope in A-3.2.
B-6.1 Understand the Information item context:
• Where and when is it used?
• For what purpose is it used?
• Understand the connection with other enablers in scope, e.g.:
  Used by which processes?
  Which Organisational Structures are involved (see also B-4.2)?
  Which services/applications are involved?
B-6.2 Understand the major stakeholders of the Information item.
Understand the stakeholders for the Information item, i.e., identify the:
• Information producer
• Information custodian
• Information consumer
Stakeholders should be at the appropriate organisational level.
B-6.3 Understand the major quality criteria for the Information item, the related metrics and agree on expected values.
Assess whether the Information item quality criteria (outcomes) are achieved, i.e., assess the effectiveness of the Information item.
Leverage the COBIT 5 Information enabler model [12], focussing on the quality goals description, to select the most relevant Information quality criteria for the Information item at hand. Document expectations regarding information criteria. The COBIT 5 Information enabler model identifies 15 different quality criteria—although all of them are relevant, it is nonetheless possible and recommended to focus on a subset of the most important criteria for the Information item at hand.
The assurance professional will, by using appropriate auditing techniques, verify all quality criteria in scope and assess whether the criteria are met.

Mark the quality dimensions with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
Quality Dimension | Key Criteria | Description | Assessment Step
Accuracy
Objectivity
Believability
Reputation
Relevancy
Completeness
Currency
Amount of information
Concise representation
Consistent representation
Interpretability
Understandability
Manipulation
Availability
Restricted access
B-6.4 Understand the life cycle stages of the Information item, and agree on the relevant criteria.
Assess to what extent the Information item life cycle is managed.
The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review already includes a review of (IT-related) processes so this aspect does not need to be duplicated here.
• When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently.
• When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be assessed.

Mark the life cycle stages with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
Life Cycle Stage | Key Criteria | Description | Assessment Step
Plan
Design
Build/acquire
Use/operate
Evaluate/monitor
Update/dispose
B-6.5 Understand important attributes of the Information item and expected values.
Assess the Information item design, i.e., assess the extent to which expected good practices are applied.
Good practices for Information items are defined as a series of attributes for the Information item [13]. The assurance professional will, by using appropriate audit techniques, verify all attributes in scope and assess whether the attributes are adequately defined.

Mark the attributes with a ‘✓’ that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
Attribute | Key Criteria | Description | Assessment Step
Physical
Empirical
Syntactic
Semantic
Pragmatic
Social

[12] COBIT 5 framework, appendix G, p. 81-84
[13] COBIT 5 framework, appendix G, p. 81-84
B-7 Obtain understanding of the Services, Infrastructure and Applications in scope.
Assess the Services, Infrastructure and Applications.
Repeat steps B-7.1 through B-7.5 for each Service, Infrastructure and Applications element in scope.
B-7.1 Understand the Services, Infrastructure and Applications context.
Understand the organisational and technological context of this service. Refer to steps A-2.2 and A-2.3 and re-use that information to understand the significance of this Service, Infrastructure and Application.
B-7.2 Understand the major stakeholders of the Services, Infrastructure and Applications.
Understand who will be the major stakeholders of the service, i.e., the sponsor, provider and users. Stakeholders will include a number
of organisational roles but could also link to Processes.
B-7.3 Understand the major goals for the Services, Infrastructure and Applications, the related metrics and agree on expected values.
Assess whether the Services, Infrastructure and Applications goals (outcomes) are achieved, i.e., assess the effectiveness of the
Services, Infrastructure and Applications.
Goal: Service description
Criteria:
• The Service is clearly described.
• The Service is available to all potential stakeholders.
Assessment steps:
• Verify that the Service exists and is clearly described.
• Assess the quality of the Service description and of the Service offered.
• Verify the accessibility of the Service to all potential stakeholders.
Goal: Service level definition
Criteria: Service levels are defined for:
• Quality of the service deliverables
• Cost
• Timeliness
Assessment steps:
• Verify that the following aspects are dealt with in the Service level definitions: quality of the Service deliverables, cost and timeliness.
• Verify to what extent Service levels are achieved.
Goal: Contribution to related enabler, IT-related and enterprise goals
Criteria: The Service contributes to the achievement of related enabler and IT-related and enterprise goals.
Assessment step: Assess to what extent the Service contributes to the achievement of the related enabler goals and to the overall IT-related and enterprise goals.
B-7.4 Understand the life cycle stages of the Services, Infrastructure and Applications, and agree on the relevant criteria.
Assess the extent to which the Services, Infrastructure and Applications life cycle is managed. [14]
B-7.5 Understand good practice related to the Services, Infrastructure and Applications and expected values.
Assess the Services, Infrastructure and Applications design, i.e., assess to what extent expected good practices are applied.
Leverage the description of Services, Infrastructure and Applications in the COBIT 5 framework [15] to identify good practices related to Services, Infrastructure and Applications. In general the following practices need to be implemented:
• A buy/build decision needs to be taken.
• The use of the Service needs to be clear.
Good practice: Sourcing (buy/build)
Criteria: A formal decision—based on a business case—needs to be taken regarding the sourcing of the Service.
Assessment steps:
• Verify that a formal decision—based on a business case—was taken regarding the sourcing of the Service.
• Verify the validity and quality of the business case.
• Verify that the sourcing decision has been duly executed.
Good practice: Use
Criteria: The use of the Service needs to be clear:
• When it needs to be used and by whom
• The required compliance levels with the Service’s output
Assessment steps:
• Verify that the use of the Service is clear, i.e., it is known when and by whom the service needs to be used.
• Verify that actual use is in line with the requirement above.
• Verify that the actual Service output is adequately used.
• Verify that Service levels are monitored and achieved.

[14] The life cycle of a service will be governed and managed by numerous COBIT 5 processes. As a consequence, a subset of the BAI and APO processes may have to be added to the scope of the assurance engagement should it be required.
[15] COBIT 5 framework, appendix G, p. 85-86

B-8 Obtain understanding of the People, Skills and Competencies in scope.
Assess People, Skills and Competencies.
Repeat steps B-8.1 through B-8.5 for each People, Skill and Competency aspect in scope.
B-8.1 Understand the People, Skills and Competencies context.
Understand the context of the Skill/Competency, i.e.:
• Where and when is it used?
• For what purpose is it used?
• Understand the connection with other enablers in scope, e.g.:
  In which roles and structures is the Skill/Competency used? (See also B-4.1.)
  Which behaviours are associated with the Skill/Competency?
B-8.2 Understand the major stakeholders for People, Skills and Competencies.
Identify to whom in the organisation the skill requirement applies.
B-8.3 Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values.
Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.

For the People, Skills and Competencies at hand, the following goals and associated criteria can be addressed.
Goal | Criteria | Assessment Step
• Experience
• Education
• Qualification
• Knowledge
• Technical skills
• Behavioural skills
• Number of people with appropriate skill level
Assessment step (for each goal): Apply appropriate auditing techniques to assess whether the People, Skills and Competencies goals are adequately achieved, i.e., that assessment criteria are met.
B-8.4 Understand the life cycle stages of the People, Skills and Competencies, and agree on the relevant criteria.
Assess to what extent the People, Skills and Competencies life cycle is managed.
For the People, Skills and Competencies at hand, the life cycle phases and associated criteria can be expressed in function of the process APO07. For the People, Skills and Competencies at hand the assurance professional will perform the following assessment steps.
Life cycle element: Plan
Criteria: Practice APO07.03 activity 1 (Define the required and currently available skills and competencies of internal and external resources to achieve enterprise, IT and process goals.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 1 is implemented in relation to this skill.
Life cycle element: Design
Criteria: Practice APO07.03 activity 2 (Provide formal career planning and professional development to encourage competency development, opportunities for personal advancement and reduced dependence on key individuals.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 2 is implemented in relation to this skill.
Criteria: Practice APO07.03 activity 3 (Provide access to knowledge repositories to support the development of skills and competencies.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 3 is implemented in relation to this skill.
Life cycle element: Build
Criteria: Practice APO07.03 activity 4 (Identify gaps between required and available skills and develop action plans to address them on an individual and collective basis, such as training [technical and behavioural skills], recruitment, redeployment and changed sourcing strategies.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 4 is implemented in relation to this skill.
Life cycle element: Operate
Criteria: Practice APO07.03 activity 5 (Develop and deliver training programmes based on organisational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct and security.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 5 is implemented in relation to this skill.
Life cycle element: Evaluate
Criteria: Practice APO07.03 activity 6 (Conduct regular reviews to assess the evolution of the skills and competencies of the internal and external resources. Review succession planning.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 6 is implemented in relation to this skill.
Life cycle element: Update/dispose
Criteria: Practice APO07.03 activity 7 (Review training materials and programmes on a regular basis to ensure adequacy with respect to changing enterprise requirements and their impact on necessary knowledge, skills and abilities.) is implemented in relation to this skill.
Assessment step: Assess whether practice APO07.03 activity 7 is implemented in relation to this skill.
B-8.5 Understand good practice related to the People, Skills and Competencies and expected values.
Assess the People, Skills and Competencies design, i.e., assess to what extent expected good practices are applied.
Good practice: Skill set and Competencies are defined.
Assessment steps:
• Determine that an inventory of Skills and Competencies is maintained by organisational unit, job function and individual.
• Evaluate the relevance and the contribution of the Skills and Competencies to the achievement of the goals of the Organisational Structure, and by consequence, IT-related goals and enterprise goals.
• Evaluate the gap analysis between the necessary portfolio of Skills and Competencies and the current inventory of skills and capabilities.
Good practice: Skill levels are defined.
Assessment steps:
• Assess the flexibility and performance of meeting Skills development to address identified gaps between necessary and current Skill levels.
• Assess the process for 360-degree performance evaluations.

Phase C—Communicate the Results of the Assessment


Ref. | Assurance Step | Guidance
C-1 Document exceptions and gaps.
C-1.1 Understand and document weaknesses and their impact on the achievement of process goals.
Guidance:
• Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
• Clarify vulnerabilities, threats and missed opportunities that are likely to occur if enablers do not perform effectively.
C-1.2 Understand and document weaknesses and their impact on enterprise goals.
Guidance:
• Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources). Relate the impact of not achieving the enabler goals to actual cases in the same industry and leverage industry benchmarks.
• Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder requirements, etc.
• Point out the consequence of non-compliance with regulatory requirements and contractual agreements.
• Measure the actual impact of disruptions and outages on business processes and objectives, and on customers (e.g., number, effort, downtime, customer satisfaction, cost).
C-2 Communicate the work performed and findings.
C-2.1 Communicate the work performed.
Guidance:
• Communicate regularly to the stakeholders identified in A-1 on progress of the work performed.
C-2.2 Communicate preliminary findings to the assurance engagement stakeholders defined in A-1.
Guidance:
• Document the impact (i.e., customer and financial impact) of errors that could have been caught by effective enablers.
• Measure and document the impact of rework (e.g., ratio of rework to normal work) as an efficiency measure affected by enabler weaknesses.
• Measure the actual business benefits and illustrate cost savings of effective enablers after the fact.
• Use benchmarking and survey results to compare the enterprise’s performance with others.
• Use extensive graphics to illustrate the issues.
• Inform the person responsible for the assurance activity about the preliminary findings and verify his/her correct understanding of those findings.
C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.
