
COBIT® 5 Process Assessment Worksheet

Area: Management Domain: Monitor, Evaluate, and Assess


Process: MEA01 – Monitor, Evaluate and Assess Performance and Conformance

  MEA01 – Process Setting


Process Description [1]
Collect, validate and evaluate business, IT and process goals and metrics. Monitor that processes are performing against agreed-on performance and conformance goals and metrics and provide reporting that is systematic and timely.

Process Purpose Statement [1]
Provide transparency of performance and conformance and drive achievement of goals.

Process Assessment Objectives [1]
The objectives of this assessment are to determine that:

- Goals and metrics are approved by the stakeholders,
- Processes are measured against agreed-on goals and metrics,
- The enterprise monitoring, assessing and informing approach is effective and operational,
- Process reporting on performance and conformance is useful and timely, and
- Goals and metrics are integrated within enterprise monitoring systems.

Process Risk Drivers [2]


- Business expectations and needs not met
- Customer expectations and business needs not identified
- Decisions failing to support the business needs and concerns
- Disconnect between management and IT
- Good performance not recognized, demotivating staff
- Inability of the board and executive to direct and control key IT activities
- Incidents due to unresolved problems
- Ineffective reporting on organization-wide IT process performance indicators
- Lost opportunities for improvement
- Metrics based on incorrect or incomplete data
- Metrics based on objectives that are not aligned with business objectives
- Monitored data failing to support the analysis of the overall process performance
- Performance measurement not taken seriously
- Poor performance not acted upon, leading to further degradation
- Process performance weaknesses remaining and repeating themselves
- Senior management dissatisfied with IT performance
- Wrong decisions based on unreliable performance information

[1] © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)
[2] © 2015 Wescott and Associates. All rights reserved.




MEA01 – Process Goal Assessment


MEA01.01 Management Practice [1]
Establish a monitoring approach. Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.

Columns: Activity Title [1] | Activity Assessment Objectives [1] | Activity Assessment Step(s) [2]

MEA01.01.01 - Stakeholders
  Objective: Identify stakeholders (e.g., management, process owners and users).
  Assessment step(s): Determine if the IT organization has identified its stakeholders (e.g., management, process owners and users).

MEA01.01.02 - Stakeholder Engagement
  Objective: Engage with stakeholders and communicate the enterprise requirements and objectives for monitoring, aggregating, and reporting, using common definitions (e.g., enterprise glossary, metadata and taxonomy), baselining and benchmarking.
  Assessment step(s):
    1. Interview a sample of managers and determine how they communicate with stakeholders.
    2. Determine how IT communicates (verbally, written, etc.) monitoring and reporting goals.
    3. Determine if IT uses baselining and benchmarking as a means of engaging with stakeholders using common terms.

MEA01.01.03 - Align and Maintain
  Objective: Align and continually maintain the monitoring and evaluation approach with the enterprise approach and the tools to be used for data gathering and enterprise reporting (e.g., business intelligence applications).
  Assessment step(s):
    1. Determine if the organization uses common means for data gathering and enterprise reporting.
    2. Determine the extent that business intelligence applications are used as a common ground.



MEA01.01.04 - Goals and Metrics
  Objective: Agree on the goals and metrics (e.g., conformance, performance, value, and risk), taxonomy (classification and relationships between goals and metrics) and data (evidence) retention.
  Assessment step(s):
    1. Using interviews with a sample of managers, determine how the organization aligns its goals and metrics.
    2. Obtain samples of how goals and metrics are used.

MEA01.01.05 - Monitoring and Reporting
  Objective: Agree on a life cycle management and change control process for monitoring and reporting. Include improvement opportunities for reporting, metrics, approach, baselining and benchmarking.
  Assessment step(s):
    1. Obtain the policies, standards, and procedures associated with life cycle management including the change control process.
    2. Determine the extent of their use and how monitoring and reporting happen.

MEA01.01.06 - Monitoring Resources
  Objective: Request, prioritize and allocate resources for monitoring (consider appropriateness, efficiency, effectiveness and confidentiality).
  Assessment step(s): Through interviews with a sample set of managers, determine if and how the organization requests, prioritizes and allocates resources.

MEA01.01.07 - Approach
  Objective: Periodically validate the approach used and identify new or changed stakeholders, requirements and resources.
  Assessment step(s):
    1. Determine if and how the organization periodically validates the approach.
    2. Determine how the organization becomes aware of new or changed stakeholders, requirements, and/or resources.




MEA01.02 Management Practice [1]
Set performance and conformance targets. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.

Columns: Activity Title [1] | Activity Assessment Objectives [1] | Activity Assessment Step(s) [2]

MEA01.02.01 - Goals and Metrics
  Objective: Define and periodically review with stakeholders the goals and metrics to identify any significant missing items and define reasonableness of targets and tolerances.
  Assessment step(s):
    1. Obtain a listing of the metrics used in IT.
    2. Obtain the means for reporting these metrics.
    3. Determine if the metrics are in line with the monitoring framework.

MEA01.02.02 - Changes
  Objective: Communicate proposed changes to performance and conformance targets and tolerances (relating to metrics) with key due diligence stakeholders (e.g., legal, audit, HR, ethics, compliance, finance).
  Assessment step(s): Inquire whether and confirm that there is a process to control all changes to performance monitoring data sources.

MEA01.02.03 - Publish
  Objective: Publish changed targets and tolerances to users of this information.
  Assessment step(s): Determine if the organization publishes changed targets and tolerances to users of this information.

MEA01.02.04 - Evaluate
  Objective: Evaluate whether the goals and metrics are adequate, i.e., specific, measurable, achievable, relevant and time-bound (SMART).
  Assessment step(s):
    1. Obtain IT goals and metrics.
    2. Review these and determine if the goals and metrics are adequate (i.e., specific, measurable, and achievable).




MEA01.03 Management Practice [1]
Collect and process performance and conformance data. Collect and process timely and accurate data aligned with enterprise approaches.

Columns: Activity Title [1] | Activity Assessment Objectives [1] | Activity Assessment Step(s) [2]

MEA01.03.01 - Data Collection
  Objective: Collect data from defined processes—automated, where possible.
  Assessment step(s): Determine that performance data is collected from defined processes—automated, where possible.

MEA01.03.02 - Efficiency and Appropriateness
  Objective: Assess efficiency (effort in relation to insight provided) and appropriateness (usefulness and meaning) and validate integrity (accuracy and completeness) of collected data.
  Assessment step(s): Assess efficiency (effort in relation to insight provided) and appropriateness (usefulness and meaning) and validate integrity (accuracy and completeness) of performance data.

MEA01.03.03 - Metric Measurement
  Objective: Aggregate data to support measurement of agreed-on metrics.
  Assessment step(s): Determine if data is aggregated to support measurement of agreed-on metrics.

MEA01.03.04 - Objectives Alignment
  Objective: Align aggregated data to the enterprise reporting approach and objectives.
  Assessment step(s): Determine if report data is appropriately aligned and aggregated.

MEA01.03.05 - Tools and Systems
  Objective: Use suitable tools and systems for the processing and format of data for analysis.
  Assessment step(s): Determine if the organization uses suitable tools and systems for the processing and format of data for analysis.




MEA01.04 Management Practice [1]
Analyze and report performance. Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.

Columns: Activity Title [1] | Activity Assessment Objectives [1] | Activity Assessment Step(s) [2]

MEA01.04.01 - Process Performance Reports
  Objective: Design process performance reports that are concise, easy to understand, and tailored to various management needs and audiences.
  Assessment step(s):
    Notes: IT should facilitate effective, timely decision-making (e.g., scorecards, traffic light reports) and ensure that the cause and effect between goals and metrics are communicated in an understandable manner.
    1. Interview process owners to confirm that target performance levels for key processes are established and validated against the industry and competition.
    2. Inspect performance reports for timeliness of measurement and effectiveness of comparison to the targets.

MEA01.04.02 - Performance Values
  Objective: Compare the performance values to internal targets and benchmarks and, where possible, to external benchmarks (industry and key competitors).
  Assessment step(s): Determine if and who compares the performance values to internal targets and benchmarks and, where possible, to external benchmarks (industry and key competitors).

MEA01.04.03 - Changes
  Objective: Recommend changes to the goals and metrics, where appropriate.
  Assessment step(s): Determine if and who recommends changes to the goals and metrics, where appropriate.

MEA01.04.04 - Stakeholder Reporting
  Objective: Distribute reports to the relevant stakeholders.
  Assessment step(s): Determine if the organization distributes reports to the relevant stakeholders.

MEA01.04.05 - Deviation Analysis
  Objective: Analyze the cause of deviations against targets, initiate remedial actions, assign responsibilities for remediation, and follow up.
  Assessment step(s):
    Notes: IT should, at appropriate times, review all deviations and search for root causes, where necessary. Document the issues for further guidance if the problem recurs. Document results.
    Determine if the organization analyzes the cause of deviations against targets, initiates remedial actions, assigns responsibilities for remediation, and follows up.

MEA01.04.06 - Rewards Link
  Objective: Where feasible, link achievement of performance targets to the organizational reward compensation system.
  Assessment step(s): Describe how the organization, where feasible, links achievement of performance targets to the organizational reward compensation system.




MEA01.05 Management Practice [1]
Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

Columns: Activity Title [1] | Activity Assessment Objectives [1] | Activity Assessment Step(s) [2]

MEA01.05.01 - Issues Responses
  Objective: Review management responses, options and recommendations to address issues and major deviations.
  Assessment step(s):
    1. Inquire whether processes, policies and procedures exist to initiate, prioritize and allocate responsibility and tracking for all remedial actions.
    2. Confirm by inspecting the documentation of the approach and observing the process, where possible.

MEA01.05.02 - Responsibility Assignments
  Objective: Ensure that the assignment of responsibility for corrective action is maintained.
  Assessment step(s): Determine that the organization ensures that there is assignment of responsibility for corrective action.

MEA01.05.03 - Commitment Tracking
  Objective: Track the results of actions committed.
  Assessment step(s):
    1. Obtain a sample of historic performance reporting.
    2. Analyze and verify that substandard performance trends are routinely identified.
    3. Understand if and how problems are escalated to senior management.

MEA01.05.04 - Stakeholder Reporting
  Objective: Report the results to the stakeholders.
  Assessment step(s):
    1. Determine if and how the reported results go to the stakeholders.
    2. Obtain samples of these communications.




MEA01 Assessment Summary [1]

Columns: Management Practice | Practice Description | Practice Assessment Summary

Establish a monitoring approach.
  Practice Description: Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.
  Practice Assessment Summary:

Set performance and conformance targets.
  Practice Description: Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.
  Practice Assessment Summary:

Collect and process performance and conformance data.
  Practice Description: Collect and process timely and accurate data aligned with enterprise approaches.
  Practice Assessment Summary:

Analyze and report performance.
  Practice Description: Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.
  Practice Assessment Summary:

Ensure the implementation of corrective actions.
  Practice Description: Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.
  Practice Assessment Summary:




MEA01 Risk Summary [1]

Create multiple risk scenarios for each risk identified in the summary above that affects achieving the objective.

Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/vulnerability type and includes the actors, events, assets and time issues.

Columns: Risk Scenario Component | Mark all that apply


Threat Type (Describe the nature of the event):
  [ ] Malicious  [ ] Accidental  [ ] Error  [ ] Failure  [ ] Natural  [ ] External requirement

Actor (Who or what could trigger the threat that exploits a vulnerability):
  [ ] Internal  [ ] External  [ ] Human  [ ] Non-Human

Event (Something that happens that was not supposed to happen, something does not happen that was supposed to happen, or a change in circumstances. Events always have causes and usually have consequences. A consequence is the outcome of an event and has an impact on objectives.):
  [ ] Disclosure  [ ] Interruption  [ ] Modification  [ ] Theft  [ ] Destruction  [ ] Ineffective design  [ ] Ineffective execution  [ ] Rules and regulations  [ ] Inappropriate use

Asset (An asset is something of tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation.):
  [ ] Process  [ ] People and Skills  [ ] Organizational Structure  [ ] Physical Infrastructure  [ ] IT Infrastructure  [ ] Information  [ ] Applications

Resource (A resource is anything that helps to achieve a goal.):
  [ ] Process  [ ] People and Skills  [ ] Organizational Structure  [ ] Physical Infrastructure  [ ] IT Infrastructure  [ ] Information  [ ] Applications

Time:
  Timing:    [ ] Critical  [ ] Non-Critical
  Duration:  [ ] Short  [ ] Moderate  [ ] Extended
  Detection: [ ] Slow  [ ] Moderate  [ ] Instant
  Time lag:  [ ] Immediate  [ ] Delayed
  Velocity:  [ ] Slowing  [ ] Constant  [ ] Increasing

Likelihood: [ ] Highly  [ ] Moderate  [ ] Unlikely

Impact: [ ] Great  [ ] Moderate  [ ] Little

Possible Risk Response:
  Risk Avoidance:
  Risk Acceptance:
  Risk Sharing/Transfer:
  Risk Mitigation:
