
COBIT® 5 Process Assessment Worksheet

Area: Governance
Domain: Evaluate, Direct and Monitor


Process: EDM05 – Ensure Stakeholder Transparency

EDM05 – Process Setting


Process Description¹
Ensure that enterprise IT performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and the necessary
remedial actions.

Process Purpose Statement¹


Make sure that the communication to stakeholders is effective and timely and the basis for reporting is established to increase performance, identify areas for improvement, and
confirm that IT-related objectives and strategies are in line with the enterprise’s strategy.

Process Assessment Objectives¹

The objectives of this assessment are to determine that IT management

- aligns stakeholder reporting with stakeholder expectations,
- offers complete, timely, and accurate stakeholder reporting, and
- ensures that its communications are effective and that stakeholders are satisfied.

Process Risk Drivers²

- Decreased stakeholder confidence
- Disconnect between management and IT
- Failure to integrate IT-related compliance issues into overall reporting, resulting in erroneous strategic decision making by enterprise management
- Inability of the board and executive to direct and control key IT activities
- Incidents due to unresolved problems
- Increased enterprise non-compliance exposure

1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.



- Increased likelihood of disputes
- IT is out of compliance and subject to penalties
- Lost opportunities for improvement
- Other business functions unaware of compliance requirements and status related to IT processes
- Performance gaps not identified in a timely manner
- Performance measurement not taken seriously
- Poor performance not acted upon, leading to further degradation
- Process performance weaknesses remaining and repeating themselves


EDM05 – Process Goal Assessment


EDM05.01 Governance Practice¹
Evaluate stakeholder reporting requirements. Continually examine and make judgement on the current and future requirements for stakeholder communication and
reporting, including both mandatory reporting requirements (e.g., regulatory) and communication to other stakeholders. Establish the principles for communication.

Activity Title¹: EDM05.01.01 - Internal Reporting Requirements
  Activity Assessment Objectives¹: Understand if and how IT examines and makes judgment on any current and future mandatory reporting requirements relating to the use of IT within the enterprise (regulation, legislation, common law, contractual), including extent and frequency.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe any mandatory reporting requirements relating to the use of IT to internal parties, if any, including extent and frequency.

Activity Title¹: EDM05.01.02 - Other Reporting Requirements
  Activity Assessment Objectives¹: Understand if and how IT examines and makes judgment on the current and future reporting requirements for other stakeholders (especially external stakeholders and the Board of Directors, if any) relating to the use of IT within the enterprise, including extent and conditions.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe any additional reporting that IT does apart from its mandatory reporting for internal stakeholders.

Activity Title¹: EDM05.01.03 - Principles of Communication
  Activity Assessment Objectives¹: Determine if IT has, and how it maintains, principles for communication with external and internal stakeholders, including communication formats and communication channels, and for stakeholder acceptance and sign-off of reporting, if required.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe how and in what forms IT communicates with stakeholders.

4 1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)

2 - © 2015 Wescott and Associates. All rights reserved.


COBIT® 5 Process Assessment Worksheet
Area: Governance Domain: Evaluate, Direct and Monitor
Process: EDM05 – Ensure Stakeholder Transparency

EDM05.02 Governance Practice¹


Direct stakeholder communication and reporting. Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the
quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.

Activity Title¹: EDM05.02.01 - Communications Strategy
  Activity Assessment Objectives¹: Determine if IT has established a communication strategy for external and internal stakeholders.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe IT's general communication strategy, if any.

Activity Title¹: EDM05.02.02 - Implementation Mechanisms
  Activity Assessment Objectives¹: Determine how IT ensures that information in communications to external stakeholders meets all criteria for mandatory IT reporting requirements for the enterprise.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe what reviews occur with the mandatory reporting that ensure information meets the necessary criteria, if any.

Activity Title¹: EDM05.02.03 - Validation and Approval
  Activity Assessment Objectives¹: Understand if and how IT has established mechanisms for validation and approval of mandatory reporting.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe the mechanism used to validate and approve any mandatory reporting.

Activity Title¹: EDM05.02.04 - Escalation
  Activity Assessment Objectives¹: Determine if there are any reporting escalation mechanisms and if they are necessary.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe any reporting escalation mechanisms, if any.

EDM05.03 Governance Practice¹


Monitor stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different
stakeholders are met.

Activity Title¹: EDM05.03.01 - Assess Accuracy and Reliability
  Activity Assessment Objectives¹: Determine if IT periodically assesses the effectiveness of the mechanisms for ensuring the accuracy and reliability of any mandatory reporting.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe who is responsible for assessing the effectiveness of the mechanisms for ensuring the accuracy and reliability of mandatory reporting.

Activity Title¹: EDM05.03.02 - Assess Effectiveness
  Activity Assessment Objectives¹: Determine if IT management periodically assesses the effectiveness of the mechanisms for, and outcomes from, communication with external and internal stakeholders.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them to describe who assesses the effectiveness of this reporting and with what frequency.

Activity Title¹: EDM05.03.03 - Assess Differing Requirements
  Activity Assessment Objectives¹: Understand who in IT determines whether the requirements of different stakeholders are met, and how.
  Activity Assessment Step(s)²: For a selected number of IT managers, ask them who decides whether the requirements of different stakeholders are met.


EDM05 Assessment Summary¹


Governance Practice: Evaluate stakeholder reporting requirements.
  Practice Description: Continually examine and make judgement on the current and future requirements for stakeholder communication and reporting, including both mandatory reporting requirements (e.g., regulatory) and communication to other stakeholders. Establish the principles for communication.
  Practice Assessment Summary:

Governance Practice: Direct stakeholder communication and reporting.
  Practice Description: Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.
  Practice Assessment Summary:

Governance Practice: Monitor stakeholder communication.
  Practice Description: Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met.
  Practice Assessment Summary:


EDM05 Risk Summary¹


Create multiple risk scenarios for each risk identified in the summary above that affects achieving the objective.

Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the
threat/vulnerability type and includes the actors, events, assets and time issues.

Risk Scenario Component (mark all that apply)

Threat Type (Describe the nature of the event):
  [ ] Malicious  [ ] Accidental  [ ] Error  [ ] Failure  [ ] Natural  [ ] External requirement

Actor (Who or what could trigger the threat that exploits a vulnerability):
  [ ] Internal  [ ] External  [ ] Human  [ ] Non-Human

Event (Something that happens that was not supposed to happen, something does not happen that was supposed to happen, or a change in circumstances. Events always have causes and usually have consequences. A consequence is the outcome of an event and has an impact on objectives.):
  [ ] Disclosure  [ ] Interruption  [ ] Modification  [ ] Theft  [ ] Destruction
  [ ] Ineffective design  [ ] Ineffective execution  [ ] Rules and regulations  [ ] Inappropriate use

Asset (An asset is something of tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation.):
  [ ] Process  [ ] People and Skills  [ ] Organizational Structure  [ ] Physical Infrastructure
  [ ] IT Infrastructure  [ ] Information  [ ] Applications

Resource (A resource is anything that helps to achieve a goal.):
  [ ] Process  [ ] People and Skills  [ ] Organizational Structure  [ ] Physical Infrastructure
  [ ] IT Infrastructure  [ ] Information  [ ] Applications

Time:
  Timing:     [ ] Critical  [ ] Non-Critical
  Duration:   [ ] Short  [ ] Moderate  [ ] Extended
  Detection:  [ ] Slow  [ ] Moderate  [ ] Instant
  Time lag:   [ ] Immediate  [ ] Delayed
  Velocity:   [ ] Slowing  [ ] Constant  [ ] Increasing

Likelihood:   [ ] Highly  [ ] Moderate  [ ] Unlikely
Impact:       [ ] Great  [ ] Moderate  [ ] Little

Possible Risk Response:
  Risk Avoidance:
  Risk Acceptance:
  Risk Sharing/Transfer:
  Risk Mitigation:
