COBIT® 5 Process Assessment Worksheet

Area: Management Domain: Monitor, Evaluate, and Assess

Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements

MEA03 – Process Setting

Process Description1
Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements
have been identified and complied with, and integrate IT compliance with overall enterprise compliance.

Process Purpose Statement1

Ensure that the enterprise is compliant with all applicable external requirements.

Process Assessment Objectives1

The objectives of this assessment are to determine that:

 All external compliance requirements are identified.

 External compliance requirements are adequately addressed.
 Internal compliance requirements are adequately addressed.
 Corrective actions adequately address compliance gaps.

Process Risk Drivers2

 Areas of non-compliance not identified and reported

 Corrective actions not initiated in a timely manner, adversely impacting the overall performance of the organization
 Decreased customer and business partner satisfaction
 Failure to integrate IT-related compliance issues into overall reporting, resulting in erroneous strategic decision making by management
 Failure to report non-compliance incidents, adversely impacting PGE's performance and reputation
 Financial losses and penalties

1 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements
 Increased likelihood of disputes with customers and regulators
 Increased non-compliance exposure
 Increased risk to business continuity from sanctions imposed by regulators
 Non-compliance areas not identified
 Non-compliance incidents not identified, adversely impacting performance and reputation
 Other business functions unaware of compliance requirements and status related to IT processes
 Outdated compliance requirements remaining in effect
 Personnel unaware of procedures and practices to comply with legal and regulatory requirements
 Policies failing to meet compliance needs
 Poor corporate operational and financial performance
 Potential areas of financial losses and penalties not identified
 Relevant laws or regulations overlooked, leading to non-compliance

2 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements

MEA03 – Process Goal Assessment

1
MEA03.01 Management Practice

Identify external compliance requirements. Identify and monitor for changes in local and international laws, regulations and other external requirements that
must be complied with from an IT perspective.

Activity Title1 Activity Assessment Activity Assessment Step(s)2

Objective1
MEA03.01.01 - Determine that IT has Identify who has been assigned responsibility for monitoring changes of legal, regulatory and other
Responsibility assigned responsibility for external contractual requirements.
Assignments identifying and monitoring any
changes of legal, regulatory
and other external contractual
requirements relevant to the
use of IT resources and the
processing of information
within the business and IT
operations of the enterprise.
MEA03.01.02 - Understand that IT has Confirm that procedures are in place to ensure that legal, regulatory and contractual obligations
Compliance identified and assessed all impacting IT are reviewed.
Requirements potential compliance
requirements and the impact
on IT activities in areas such
as data flow, privacy, internal
controls, financial reporting,
industry-specific regulations,
intellectual property, health

3 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements
Activity Title1 Activity Assessment Activity Assessment Step(s)2
Objective1
and safety.
MEA03.01.03 - Impacts Determine that IT has Understand how third-party contracts are assessed to ensure compliance with IT-related legal and
assessed the impact of IT- regulatory requirements.
related legal and regulatory
requirements on third-party
contracts related to IT
operations, service providers
and business trading partners.
MEA03.01.04 - Determine if IT has obtained Determine the use of legal resources in understanding the changes in the legal and regulatory
Independent Counsel independent counsel, where environment.
appropriate, on changes to
applicable laws, regulations,
and standards.
MEA03.01.05 - Determine if IT maintains an Confirm that there exists an IT log of relevant legal, regulatory and contractual requirements, their
Compliance Logs up-to-date log of all relevant impact and required actions.
legal, regulatory and
contractual requirements, their
impact and required actions.
MEA03.01.06 - Determine if IT maintains a Confirm that there exists a central repository of all relevant compliance requirements.
Compliance Register harmonized and integrated
overall register of external
compliance requirements for
the enterprise.

4 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements

MEA03.02 Management Practice1

Optimize response to external requirements. Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory
and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and good practice guidance for adoption
and adaptation.

Activity Title1 Activity Assessment Activity Assessment Step(s)2

Objective1
MEA03.02.01 - Policy Understand that IT regularly Confirm that there are procedures and practices to ensure compliance with legal, regulatory and
Review reviews and adjusts policies, contractual requirements.
principles, standards,
procedures and methodologies
for their effectiveness in
ensuring necessary compliance
and addressing enterprise risk
using internal and external
experts, as required.
MEA03.02.02 - Understand how IT Confirm that appropriate functions are included (e.g., legal department, production, accounting, HR)
Communications communicates new and in the communications of new and/or changed requirements.
changed requirements to all
relevant personnel.

5 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements

MEA03.03 Management Practice1

Confirm external compliance. Results of installed license audits Confirm compliance of policies, principles, standards, procedures and methodologies with legal,
regulatory and contractual requirements.

Activity Title1 Activity Assessment Activity Assessment Step(s)2

Objective1
MEA03.03.01 - Policy Understand who, how, and if Review the IT organization policies, standards and procedures and confirm their regular and timely
Evaluations the organization regularly update to address any non-compliance (legal and regulatory) gaps identified.
evaluates organizational
policies, standards,
procedures, and
methodologies in all functions
of the enterprise to ensure
compliance with relevant
legal and regulatory
requirements in relation to
the processing of information.
MEA03.03.02 - Understand how the Review the IT organization procedures for addressing any non-compliance (legal and regulatory) gaps
Compliance Gaps organization addresses identified.
compliance gaps in policies,
standards and procedures on
a timely basis.
MEA03.03.03 - Process Determine whom and to what Review the IT organization's practices in evaluating business and IT processes for compliance with
Evaluations extent periodic evaluations of applicable legal, regulatory, and contractual requirements.
the business and IT
processes and activities
occur to ensure adherence to

6 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements
Activity Title1 Activity Assessment Activity Assessment Step(s)2
Objective1
applicable legal, regulatory
and contractual
requirements.
MEA03.03.04 - Determine if the organization Note: Where necessary, improve policies, standards, procedures, methodologies, and associated
Compliance Failure regularly reviews for recurring processes and activities.
Review patterns of compliance
failures. 1. Obtain issue-tracking reports and determine any analysis that assists in observing patterns of
compliance failures.

2. Understand what happens with the analysis and if any changes result.

7 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements

MEA03.04 Management Practice1

Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and
methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.

Activity Title1 Activity Assessment Activity Assessment Step(s)2

MEA03.04.01 -
Compliance
Confirmations
MEA03.04.02 - Regular
Reviews
MEA03.04.03 - Third-
Party Assertions
MEA03.04.04 - Business
Partner Assertions
Objectives1
Determine if IT management Review from process owners, evidence of regular confirmation of compliance with applicable laws,
obtains regular confirmation of regulations and contractual commitments (i.e., final report and letter from regulators acknowledging
compliance with internal policies the completion of their review).
from business and IT process
owners and unit heads.
Determine who and to what Review that processes are in place to track and execute internal and external reviews to ensure
extent the organization performs that there is adequate planning and resource allocation to assist/complete reviews (e.g., inventory
regular (and, where appropriate, of regulatory requirements, scheduling of internal compliance reviews, scheduling of resources
independent) internal and required to assist reviews).
external reviews to assess levels
of compliance.
If required, obtain assertions Review policies and procedures to ensure that contracts with third-party service providers require
from third party IT service regular confirmation of compliance (e.g., receipt of assertions) with applicable laws, regulations and
providers on levels of their contractual commitments.
compliance with applicable laws
and regulations.
If required, obtain assertions Inquire whether procedures are in place to regularly assess levels of compliance with legal and
from business partners on levels regulatory requirements by all business partners.
of their compliance with
applicable laws and regulations
as they relate to intercompany

8 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements
Activity Title1 Activity Assessment Activity Assessment Step(s)2
Objectives1
electronic transactions.
MEA03.04.05 - Non- Determine if the organization Confirm that a process to monitor and report on incidents of non-compliance is implemented that
Compliance Monitoring monitors and reports on non- includes, where necessary, further investigation of the root cause of incidents taking place.
compliance issues and, where
necessary, investigate the root
cause.
MEA03.04.06 - Reporting Understand that there is Inquire whether and confirm that:
integrated reporting on legal,
regulatory and contractual 1. There is coordination for corporate reporting on legal and regulatory compliance, including the
requirements at an enterprise- requirement to retain any historical information.
wide level, involving all business
units. 2. IT compliance reporting conforms with corporate reporting requirements, such as distribution,
frequency, scope, content and format, to ensure reporting consistency and completeness

9 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements

MEA03 Assessment Summary1

Management Practice
Identify external compliance
requirements.
Optimize response to external
requirements.
Confirm external compliance.
Obtain assurance of external
compliance.
Practice Description Practice Assessment Summary
Identify and monitor for changes in local and
international laws, regulations and other
external requirements that must be complied
with from an IT perspective.
Review and adjust policies, principles,
standards, procedures and methodologies to
ensure that legal, regulatory and contractual
requirements are addressed and
communicated. Consider industry standards,
codes of good practice, and good practice
guidance for adoption and adaptation.
Results of installed license audits Confirm
compliance of policies, principles, standards,
procedures and methodologies with legal,
regulatory and contractual requirements.
Obtain and report assurance of compliance
and adherence with policies, principles,
standards, procedures and methodologies.
Confirm that corrective actions to address
compliance gaps are closed in a timely
manner.

10 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements

MEA03 Risk Summary1

Create multiple risk scenarios for each risk identified in the summary above that affects achieving the objective.

Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/
vulnerability type and includes the actors, events, assets and time issues.

Risk Scenario Component Mark all that apply

Threat Type (Describe the nature of the event) ⃣

Malicious
⃣ Accidental
⃣ Error
⃣ Failure
⃣ Natural
⃣ External requirement
Actor (Who or what could trigger the threat that exploits a vulnerability) ⃣ Internal
⃣ External
⃣ Human
⃣ Non-Human

Event (Something that happens that was not supposed to happen, something does not happen ⃣ Disclosure
that was supposed to happen, or a change in circumstances. Events always have causes and ⃣ Interruption
usually have consequences. A consequence is the outcome of an event and has an impact on ⃣ Modification
objectives.) ⃣ Theft
⃣ Destruction
⃣ Ineffective design
⃣ Ineffective execution
⃣ Rules and regulations
⃣ Inappropriate use
Asset (An asset is something of tangible or intangible value that is worth and skills protecting, ⃣ Process
including people, systems, infrastructure, finances and reputation.) ⃣ People and Skills
⃣ Organizational Structure

11 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.

 COBIT® 5 Process Assessment Worksheet
Area: Management Domain: Monitor, Evaluate, and Assess
Process: MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements
Risk Scenario Component Mark all that apply
⃣ Physical Infrastructure
⃣ IT Infrastructure
⃣ Information
⃣ Applications
Resource (A resource is anything that helps to achieve a goal.) ⃣ Process
⃣ People and Skills
⃣ Organizational Structure
⃣ Physical Infrastructure
⃣ IT Infrastructure
⃣ Information
⃣ Applications
Time Timing ⃣ Critical ⃣ Non-Critical
Duration ⃣ Short ⃣ Moderate ⃣ Extended
Detection ⃣ Slow ⃣ Moderate ⃣ Instant
Time lag ⃣ Immediate ⃣ Delayed
Velocity ⃣ Slowing ⃣ Constant ⃣ Increasing
Likelihood ⃣ Highly ⃣ Moderate ⃣ Unlikely
Impact ⃣ Great ⃣ Moderate ⃣ Little

Possible Risk Response Risk Avoidance:

Risk Acceptance:
Risk Sharing/Transfer:
Risk Mitigation:

12 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.