
IT Assurance Guide: Using COBIT, Appendix I -- Process Control

2007 IT Governance Institute. All rights reserved. www.itgi.org 1


Process #  Category  Description

PC1  Process Goals and Objective
     Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.

PC1  Value Drivers
     Key processes measured efficiently and effectively
     Processes in line with business objectives

PC1  Risk Drivers
     Process effectiveness difficult to measure
     Business objectives not supported by processes

PC1  Test the Control Design
     Ensure that a formal process exists for communicating goals and objectives and that, when updated, such communication is repeated.
     Enquire whether and confirm that process goals and objectives have been defined. Verify that process stakeholders understand these goals.
     Enquire whether and confirm that the IT process goals link back to business goals.
     Confirm through interviews with process stakeholders that the IT process goals are SMARRT.
     Enquire whether and confirm that outputs and associated quality targets are defined for each IT process.
     Walk through the process design with selected process stakeholders and verify whether the process is understood and likely to achieve its objectives.

PC1  Test the Outcome of the Control Objective
     Analyse process metrics, targets and performance reports to verify that process goals have SMARRT characteristics and are being measured effectively and efficiently.
     Assess the effectiveness of communicating the process goals and objectives through discussions with personnel at various levels and examination of training materials, memos and other documentation.
     Test the appropriateness of the frequency of communication of goals and objectives.
     Ensure that business goals are supported by IT processes by tracing between the two and identifying unsupported business goals.

PC1  Document the Impact of Control Weaknesses
     Determine the business impact if process goals and objectives are not linked to the business goals.
     Assess the impact on business processing in the event that process goals are not defined in a SMARRT manner.
PC2  Process Ownership
     Assign an owner for each IT process, and clearly define the role and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.

PC2  Value Drivers
     Processes operating smoothly and reliably
     Processes interacting with each other effectively
     Process problems and issues identified and resolved
     Processes continually improved

PC2  Risk Drivers
     Processes performing unreliably
     Processes not working together effectively
     Gaps in process coverage likely
     Process errors not rectified

PC2  Test the Control Design
     Enquire whether and confirm that an owner exists for each IT process.
     Enquire whether and confirm that roles and responsibilities have been defined. Verify that the owners understand and accept these responsibilities.
     Confirm with the process owner and direct supervisor that sufficient authority has been provided to support the role and responsibilities.
     Ensure that processes are in place to assign ownership and accountability for processes and deliverables, including communications.

PC2  Test the Outcome of the Control Objective
     Review job descriptions and performance appraisals of the process owner to verify assignment, understanding and acceptance of ownership.
     Review the roles and responsibilities to ensure that they are complete and appropriate.
     Review organisation charts and reporting lines to verify actual authority.
     Verify that processes are interacting with each other effectively.
     Verify that process owners are driving continuous improvement.

PC2  Document the Impact of Control Weaknesses
     Assess whether the process ownership sufficiently supports achieving business processing services to meet short- and long-range organisational objectives.
PC3  Process Repeatability
     Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.

PC3  Value Drivers
     Increased efficiency and effectiveness of recurring activities
     Ease of process maintenance
     Ability to demonstrate process effectiveness to auditors and regulators
     Processes supporting the overall IT organisation goals and enhancing IT value delivery

PC3  Risk Drivers
     Inconsistent process results and likelihood of process errors
     High reliance on process specialists
     Processes unable to react to problems and new requirements

PC3  Test the Control Design
     Enquire whether and confirm that process repeatability is a management objective.
     For important and high-risk processes, review the process steps in detail and ensure that they provide for evidence of management review.
     Confirm which good practices and industry standards were used when defining the IT processes.
     Interview selected process stakeholders and determine adherence to the process.
     Ensure that systems are designed for scalability and flexibility.

PC3  Test the Outcome of the Control Objective
     Walk through the process design with the process owner, and verify whether the steps are logical and likely to contribute to the end result.
     Review process documentation to verify the adoption of applicable process standards and degree of customisation.
     Assess the maturity and level of integration of supporting tools used for the process.

PC3  Document the Impact of Control Weaknesses
     Select data about process results not meeting objectives, and analyse whether the causes relate to process design, ownership, responsibilities or inconsistent application.
PC4  Roles and Responsibilities
     Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process's end deliverables.

PC4  Value Drivers
     Increased efficiency and effectiveness of recurring activities
     Staff members knowing what to do and why, improving morale and job satisfaction

PC4  Risk Drivers
     Uncontrolled, unreliable processes
     Processes not supporting the business objectives
     Processes not performed as intended
     Problems and errors likely to remain unresolved
     Process performance likely to be variable and unreliable

PC4  Test the Control Design
     Ensure that a process is in place to define and maintain information about the key activities and deliverables.
     Ensure that the process includes the development of supporting policies, procedures and guidance.
     Ensure that processes are designed to capture accomplishments and include them in employee performance information.

PC4  Test the Outcome of the Control Objective
     Confirm through interviews and documentation review that key activities and end deliverables for the process have been identified and recorded.
     Review job descriptions, and verify that roles and responsibilities for key activities and process documentation are recorded and communicated.
     Verify through interviews with owners, management and staff members that accountability for the process and its outputs is assigned, communicated, understood and accepted. Corroborate interview findings through analysis of the resolution to significant process incidents and review of a sample of job performance appraisals.
     Enquire whether and confirm that regular job performance appraisal is performed to assess actual performance against process responsibilities, such as:
         Executing roles and responsibilities as defined
         Performing process-related activities in line with goals and objectives
         Contributing to the quality of the process end deliverables
     Review the resolution to significant process incidents, and review a sample of job performance appraisals to verify whether responsibilities and accountabilities are enforced.
     Review roles and responsibilities with various staff members and ascertain their understanding, whether the allocations are appropriate and whether the reporting relationships are effective.
     Assess whether the roles and responsibilities are designed to support compliance with various activities within the roles.

PC4  Document the Impact of Control Weaknesses
     Assess whether the roles and responsibilities sufficiently support the achievement of business processing services to meet short- and long-range organisational objectives.
PC5  Policy, Plans and Procedures
     Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.

PC5  Value Drivers
     Increased staff awareness of what to do and why
     Decreasing number of incidents from policy violations
     Policies and associated procedures remaining current and effective

PC5  Risk Drivers
     Processes not aligned with business objectives
     Staff members not knowing how to perform critical tasks
     Policy violations

PC5  Test the Control Design
     Enquire whether and confirm that such rules exist and are communicated, known and applied to how all IT process-related documentation (e.g., policies, plans, procedures, guidelines, instructions, methodologies) that drives an IT process will be developed, documented, reviewed, maintained, approved, stored, used for training and communicated.
     Inspect selected policies, plans and procedures to verify if they were created following the rules and are kept up to date.
     Enquire whether and confirm that responsibilities are defined for developing, maintaining, storing and communicating process-related documentation.
     Enquire whether and confirm that there are documented processes under which policies and procedures are identified, developed, approved, reviewed and maintained to provide consistent guidance.

PC5  Test the Outcome of the Control Objective
     Verify that those who perform the activities understand their responsibility.
     Inspect selected documents to verify that they are up to date and understood.
     Review IT process-related documentation and verify if sign-off is done at the appropriate level.
     Review if IT process-related documentation is accessible, correct, understood and up to date.
     Ensure that policies are effectively promulgated through awareness and training.
     Assess, through interviews at all staff levels, whether the policies and procedures are clearly understood and support the business objectives.

PC5  Document the Impact of Control Weaknesses
     Assess whether all policies, plans and procedures sufficiently support achieving business processing services to meet short- and long-range organisational objectives.
PC6  Process Performance Improvement
     Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and the performance drivers that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurement to the target and take action upon deviations, where necessary. Align metrics, targets and methods with IT's overall performance monitoring approach.

PC6  Value Drivers
     Process costs optimised
     Processes nimble and responsive to business needs

PC6  Risk Drivers
     Process outcomes and deliverables not in line with overall IT and business objectives
     Processes too costly
     Processes slow to react to business needs

PC6  Test the Control Design
     Enquire whether and confirm that a process is in place to establish key metrics designed to provide a high level of insight into the operations with limited effort.
     Verify that the design of the metrics enables measurement of achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.
     Enquire whether and confirm that relationships between outcome and performance metrics have been defined and integrated into the enterprise's performance management system (e.g., balanced scorecard) where appropriate.
     Enquire whether and confirm that procedures have been designed to identify specific targets for process goals and performance drivers. The procedures should define how the data will be obtained, including mechanisms to facilitate process measurement (e.g., automated and integrated tools, templates).
     Enquire whether and confirm that processes exist to obtain and compare actual results to established internal and external benchmarks and goals. Verify that for key processes, management compares process performance and process outcomes against internal and external benchmarks and considers the result of the analysis for

PC6  Test the Outcome of the Control Objective
     Enquire whether and confirm that appropriate metrics are defined to assess process performance and achievement of the process goals.
     Analyse some of the key metrics and corroborate, via other means, whether they provide sufficient insight into goals.
     Enquire whether and confirm that targets have been defined for process goals and performance drivers. Review targets and assess whether they align to the goals and enable efficient and appropriate identification of corrective action.
     Review the procedures for collecting data and measurement to ascertain the effectiveness and efficiency of monitoring.
     Interview process owners and stakeholders to assess the appropriateness of the measurement method and mechanisms.
     For significant goals of important processes, reperform data collection and measurement of targets.
     Inspect a sample of process metrics to assess the appropriateness of relationships between metrics (i.e., whether a performance metric provides insight into the likely achievement of the process outcome).
     Obtain and review major deviations against targets and confirm that action was taken. Inspect the list of actions
PC6  Document the Impact of Control Weaknesses
     Determine the business impact if a set of key metrics is not available to measure the achievement of the process goals, resource utilisation, output quality and throughput time to support improvement of the process performance and outcome.
