IT Assurance Guide: Using COBIT, Appendix I -- Process Control
2007 IT Governance Institute. All rights reserved. www.itgi.org 1
PC1  Process Goals and Objectives

Description
Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.

Value Drivers
- Key processes measured efficiently and effectively
- Processes in line with business objectives

Risk Drivers
- Process effectiveness difficult to measure
- Business objectives not supported by processes

Test the Control Design
- Ensure that a formal process exists for communicating goals and objectives and that, when they are updated, the communication is repeated.
- Enquire whether and confirm that process goals and objectives have been defined. Verify that process stakeholders understand these goals.
- Enquire whether and confirm that the IT process goals link back to business goals.
- Confirm through interviews with process stakeholders that the IT process goals are SMARRT.
- Enquire whether and confirm that outputs and associated quality targets are defined for each IT process.
- Walk through the process design with selected process stakeholders and verify whether the process is understood and likely to achieve its objectives.

Test the Outcome of the Control Objective
- Analyse process metrics, targets and performance reports to verify that process goals have SMARRT characteristics and are being measured effectively and efficiently.
- Assess the effectiveness of communicating the process goals and objectives through discussions with personnel at various levels and examination of training materials, memos and other documentation.
- Test the appropriateness of the frequency of communication of goals and objectives.
- Ensure that business goals are supported by IT processes by tracing between the two and identifying unsupported business goals.

Document the Impact of Control Weaknesses
- Determine the business impact if process goals and objectives are not linked to the business goals.
- Assess the impact on business processing in the event that process goals are not defined in a SMARRT manner.

PC2  Process Ownership

Description
Assign an owner for each IT process, and clearly define the role and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.

Value Drivers
- Processes operating smoothly and reliably
- Processes interacting with each other effectively
- Process problems and issues identified and resolved
- Processes continually improved

Risk Drivers
- Processes performing unreliably
- Processes not working together effectively
- Gaps in process coverage likely
- Process errors not rectified

Test the Control Design
- Enquire whether and confirm that an owner exists for each IT process.
- Enquire whether and confirm that roles and responsibilities have been defined. Verify that the owners understand and accept these responsibilities.
- Confirm with the process owner and direct supervisor that sufficient authority has been provided to support the role and responsibilities.
- Ensure that processes are in place to assign ownership and accountability for processes and deliverables, including communications.

Test the Outcome of the Control Objective
- Review job descriptions and performance appraisals of the process owner to verify assignment, understanding and acceptance of ownership.
- Review the roles and responsibilities to ensure that they are complete and appropriate.
- Review organisation charts and reporting lines to verify actual authority.
- Verify that processes are interacting with each other effectively.
- Verify that process owners are driving continuous improvement.

Document the Impact of Control Weaknesses
- Assess whether the process ownership sufficiently supports achieving business processing services to meet short- and long-range organisational objectives.

PC3  Process Repeatability

Description
Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.

Value Drivers
- Increased efficiency and effectiveness of recurring activities
- Ease of process maintenance
- Ability to demonstrate process effectiveness to auditors and regulators
- Processes supporting the overall IT organisation goals and enhancing IT value delivery

Risk Drivers
- Inconsistent process results and likelihood of process errors
- High reliance on process specialists
- Processes unable to react to problems and new requirements

Test the Control Design
- Enquire whether and confirm that process repeatability is a management objective.
- For important and high-risk processes, review the process steps in detail and ensure that they provide for evidence of management review.
- Confirm which good practices and industry standards were used when defining the IT processes.
- Interview selected process stakeholders and determine adherence to the process.
- Ensure that systems are designed for scalability and flexibility.

Test the Outcome of the Control Objective
- Walk through the process design with the process owner, and verify whether the steps are logical and likely to contribute to the end result.
- Review process documentation to verify the adoption of applicable process standards and the degree of customisation.
- Assess the maturity and level of integration of supporting tools used for the process.

Document the Impact of Control Weaknesses
- Select data about process results not meeting objectives, and analyse whether the causes relate to process design, ownership, responsibilities or inconsistent application.

PC4  Roles and Responsibilities

Description
Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation, as well as accountability for the process's end deliverables.

Value Drivers
- Increased efficiency and effectiveness of recurring activities
- Staff members knowing what to do and why, improving morale and job satisfaction

Risk Drivers
- Uncontrolled, unreliable processes
- Processes not supporting the business objectives
- Processes not performed as intended
- Problems and errors likely to remain unresolved
- Process performance likely to be variable and unreliable

Test the Control Design
- Ensure that a process is in place to define and maintain information about the key activities and deliverables.
- Ensure that the process includes the development of supporting policies, procedures and guidance.
- Ensure that processes are designed to capture accomplishments and include them in employee performance information.

Test the Outcome of the Control Objective
- Confirm through interviews and documentation review that key activities and end deliverables for the process have been identified and recorded.
- Review job descriptions, and verify that roles and responsibilities for key activities and process documentation are recorded and communicated.
- Verify through interviews with owners, management and staff members that accountability for the process and its outputs is assigned, communicated, understood and accepted. Corroborate interview findings through analysis of the resolution of significant process incidents and review of a sample of job performance appraisals.
- Enquire whether and confirm that regular job performance appraisal is performed to assess actual performance against process responsibilities, such as:
  - Executing roles and responsibilities as defined
  - Performing process-related activities in line with goals and objectives
  - Contributing to the quality of the process end deliverables
- Review the resolution of significant process incidents, and review a sample of job performance appraisals to verify whether responsibilities and accountabilities are enforced.
- Review roles and responsibilities with various staff members and ascertain their understanding, whether the allocations are appropriate and whether the reporting relationships are effective.
- Assess whether the roles and responsibilities are designed to support compliance with the various activities within the roles.

Document the Impact of Control Weaknesses
- Assess whether the roles and responsibilities sufficiently support the achievement of business processing services to meet short- and long-range organisational objectives.

PC5  Policy, Plans and Procedures

Description
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.

Value Drivers
- Increased staff awareness of what to do and why
- Decreasing number of incidents from policy violations
- Policies and associated procedures remaining current and effective

Risk Drivers
- Processes not aligned with business objectives
- Staff members not knowing how to perform critical tasks
- Policy violations

Test the Control Design
- Enquire whether and confirm that rules exist, and are communicated, known and applied, governing how all IT process-related documentation (e.g., policies, plans, procedures, guidelines, instructions, methodologies) that drives an IT process will be developed, documented, reviewed, maintained, approved, stored, used for training and communicated.
- Inspect selected policies, plans and procedures to verify that they were created following the rules and are kept up to date.
- Enquire whether and confirm that responsibilities are defined for developing, maintaining, storing and communicating process-related documentation.
- Enquire whether and confirm that there are documented processes under which policies and procedures are identified, developed, approved, reviewed and maintained to provide consistent guidance.

Test the Outcome of the Control Objective
- Verify that those who perform the activities understand their responsibility.
- Inspect selected documents to verify that they are up to date and understood.
- Review IT process-related documentation and verify that sign-off is done at the appropriate level.
- Review whether IT process-related documentation is accessible, correct, understood and up to date.
- Ensure that policies are effectively promulgated through awareness and training.
- Assess, through interviews at all staff levels, whether the policies and procedures are clearly understood and support the business objectives.

Document the Impact of Control Weaknesses
- Assess whether all policies, plans and procedures sufficiently support achieving business processing services to meet short- and long-range organisational objectives.

PC6  Process Performance Improvement

Description
Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect the process goals and the performance drivers that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurements to the targets and take action upon deviations, where necessary. Align metrics, targets and methods with IT's overall performance monitoring approach.

Value Drivers
- Process costs optimised
- Processes nimble and responsive to business needs

Risk Drivers
- Process outcomes and deliverables not in line with overall IT and business objectives
- Processes too costly
- Processes slow to react to business needs

Test the Control Design
- Enquire whether and confirm that a process is in place to establish key metrics designed to provide a high level of insight into the operations with limited effort.
- Verify that the design of the metrics enables measurement of achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.
- Enquire whether and confirm that relationships between outcome and performance metrics have been defined and integrated into the enterprise's performance management system (e.g., balanced scorecard) where appropriate.
- Enquire whether and confirm that procedures have been designed to identify specific targets for process goals and performance drivers. The procedures should define how the data will be obtained, including mechanisms to facilitate process measurement (e.g., automated and integrated tools, templates).
- Enquire whether and confirm that processes exist to obtain and compare actual results to established internal and external benchmarks and goals.
- Verify that for key processes, management compares process performance and process outcomes against internal and external benchmarks and considers the result of the analysis for

Test the Outcome of the Control Objective
- Enquire whether and confirm that appropriate metrics are defined to assess process performance and achievement of the process goals.
- Analyse some of the key metrics and corroborate, via other means, whether they provide sufficient insight into goals.
- Enquire whether and confirm that targets have been defined for process goals and performance drivers.
- Review targets and assess whether they align to the goals and enable efficient and appropriate identification of corrective action.
- Review the procedures for collecting data and measurement to ascertain the effectiveness and efficiency of monitoring.
- Interview process owners and stakeholders to assess the appropriateness of the measurement method and mechanisms.
- For significant goals of important processes, reperform data collection and measurement of targets.
- Inspect a sample of process metrics to assess the appropriateness of relationships between metrics (i.e., whether a performance metric provides insight into the likely achievement of the process outcome).
- Obtain and review major deviations against targets and confirm that action was taken.
- Inspect the list of actions

Document the Impact of Control Weaknesses
- Determine the business impact if a set of key metrics is not available to measure the achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.