
INTERNAL AUDIT, RISK & COMPLIANCE

IS GOVERNANCE: COBIT Gap Analysis

ADVISORY

Jan, 20XX
Index

Executive Summary (page 2)
Plan and Organize Gap Analysis (page 3)
Acquire and Implement Gap Analysis (page 20)
Deliver and Support Gap Analysis (page 42)
Monitor and Evaluate Gap Analysis (page 57)

2010 Caipo y Asociados S. Civil de R. L., a Peruvian limited liability civil partnership and member firm of the network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. Printed in Peru.
Executive Summary

This document presents the analysis resulting from the validation of the controls of the COBIT Quick Start framework against the current practice of the IT Department.

Its purpose is to present the current situation and current work practices, the issues identified, and recommendations to improve the IT control environment under the COBIT Quick Start framework.

This report should be used to generate an IT high-level work plan that closes the gaps identified and takes corrective action in a cost-beneficial manner, in the context of implementing an internal control system.

This report presents the controls for each of the four domains that comprise the COBIT Quick Start framework.

Plan & Organize Gap Analysis


COBIT domain: Plan and Organize

Process Description: PO1 Define a Strategic IT Plan

Sub process: IT Value Management
Current Practice: IT investments related to IT projects are estimated based on referrals from past acquisitions or the provider's market position. Investments are prepared independently by IT or business areas. Afterwards, the IT Department centralizes the estimations and proceeds to evaluate them.
Gap: IT investments do not contain programmes that include business cases.
Recommended Actions: Ensure that the management activities of IT-enabled investments use a formal process that requires business cases that include cost-benefit analysis, risk assessments, SLAs for IT services and the impact on the current portfolio. Ensure that accountability for value delivery is clearly assigned at an appropriate level.

Sub process: Business-IT Alignment
Current Practice: The IT Manager was involved in the strategic planning process. The IT Manager established the initiatives, which are aligned and integrated with business strategies.
Gap: User areas prepare their own initiatives and sometimes do not communicate them to the IT Department. The IT Department learns about them only when user areas request a quick answer to implement the initiatives and take action as soon as possible.
Recommended Actions: Ensure that IT management contributes to business strategy planning and identifies capabilities available to support enterprise goals and other opportunities to contribute to business value. Make the scope of the IT strategic and planning initiatives enterprise-wide so that they address, document and consider all business and support activities.

Sub process: Assessment of Current Capability and Performance
Current Practice: The IT Department evaluates the current capability and performance of its services only when the budget is being prepared.
Gap: System tools are not used on a regular basis to evaluate current capability and performance.
Recommended Actions: Ensure that enterprise management and key stakeholders discuss future business directions and enterprise goals with IT management, to collaborate and develop a common understanding of the potential for IT to enable business goals. For actual requirements, compare the actual IT capabilities (systems, resources, people) with future requirements, in order to deliver the required solutions and services in a timely manner.



Sub process: IT Strategic Plan
Current Practice: There is an IT Strategic Plan that is defined and formally approved.
Gap: Some business requirements are not incorporated into the IT Plan and must be treated separately, because they are reported to the IT Manager too late.
Recommended Actions: Ensure that IT has established a process to identify, document and adequately address organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, in- and outsourcing opportunities, etc., in the planning process. Formally approve and communicate the IT strategic plan and ensure that it is clearly understood by those who need to translate it into budgets, tactical plans, sourcing and acquisition strategies, processes, and organizational structures.

Sub process: IT Tactical Plans
Current Practice: IT initiatives are defined at a high level only.
Gap: Lack of IT tactical plans that are sufficiently detailed to allow the definition of project plans.
Recommended Actions: Translate the approved IT strategic plan into tactical plans. Ensure that the content of the tactical plans includes clearly stated project definitions for all programmes, project time frames and deliverables, required resources, and business benefits to be monitored.

Sub process: IT Portfolio Management
Current Practice: IT initiatives have been defined and planned to be deployed during the period 2010-2012. Each IT initiative has a specific beginning and end date.
Gap: Even though each IT initiative has a specific beginning and end date, execution could not be performed on time due to a lack of sufficient personnel.
Recommended Actions: Develop and promulgate prioritization schemes relating prioritization criteria to business goals and technical requirements. Project prioritization may be modified due to the availability of scarce resources, implementation alternatives, funding methods, risks, and timing of competing or complementary projects. Communicate projects that will be delayed, postponed or not continued so that business and IT management can use resources in an efficient and effective manner.

Process Description: PO2 Define the Information Architecture

Sub process: Enterprise Data Dictionary and Data Syntax Rules
Current Practice: A data dictionary is in place for some systems, such as Balance, SIAF and Accounting.
Gap: Syntax rules are not documented.
Recommended Actions: Establish and maintain data syntax guidelines that are valid throughout the organization. Implement data dictionary management software to manage and maintain the organization's data dictionary and data syntax rules.

Sub process: Data Classification Scheme
Current Practice: A data classification scheme is not defined or implemented. Data ownership is assigned to C-level executives, but it is not formally established.
Gap: Lack of a data classification policy and procedure.
Recommended Actions: Define data classification levels for each of the defined attributes. Identify business owners accountable for information (data owners). Ensure that the data owner classifies all information using the defined scheme and levels. Classification covers the whole life cycle of information, from creation to disposal. Where an asset has been assessed as having a certain classification, any component inherits the same classification.

Sub process: Integrity Management
Current Practice: Some procedures to ensure the integrity and consistency of all data are documented. However, these procedures have not been formalized and communicated to the Exploration Department, which manages its own systems.
Gap: Lack of procedures to manage and maintain all data integrity and consistency in the Exploration Department.
Recommended Actions: Implement procedures to manage and maintain data integrity and consistency throughout the complete data process and life cycle.

Process Description: PO3 Determine Technological Direction

Sub process: Technological Direction Planning
Current Practice: Existing and emerging technologies are known by the IT Department and documented as initiatives in the IT Strategic Plan.
Gap: There are some deviations because the IT Department does not learn about initiatives from user areas on a timely basis.
Recommended Actions: Perform a SWOT (strengths, weaknesses, opportunities, threats) analysis of all current critical and significant IT assets on a regular basis. Identify what is needed in terms of technological direction for business systems architecture, migration strategies and contingency aspects of infrastructure components.

Sub process: Monitor Future Trends and Regulations
Current Practice: Legal and regulatory conditions are managed by the Legal Department. Future trends in the acquisition of technical software and hardware are reviewed by both the IT Department and the Exploration Department.
Gap: C-level executives have not established a process to monitor future trends and regulatory conditions.
Recommended Actions: Ensure that adequately skilled staff members within the IT department routinely monitor technological developments, competitor activities, infrastructure issues, legal requirements and regulatory environment changes, and provide relevant information to senior management. Ensure that the organization's legal counsel monitors legal and regulatory conditions in all relevant locations and informs the IT steering committee of any changes that may impact the technology infrastructure plan.

Sub process: Technology Standards
Current Practice: The IT Manager has established standards for acquiring notebooks, PCs, servers and office software.
Gap: Technology standards are not documented and formally approved.
Recommended Actions: Ensure that management establishes and maintains an approved list of vendors and system components that conform with the technological infrastructure plan and technology standards. Establish a process to prevent the acquisition of non-conforming systems or applications.

Process Description: PO4 Define the IT Processes, Organization and Relationships

Sub process: IT Steering Committee
Current Practice: The IT Manager does not play a key role in the Management Committee meetings and participates only when an explanation of current projects is required.
Gap: There is no IT Steering Committee. The IT Manager participates in the Management Committee once a week or on demand.
Recommended Actions: Establish an IT Steering Committee (or equivalent) composed of executive, business and IT management. Determine that the responsibilities of the committee include at least:
o Determination of the prioritization of IT-enabled investment programmes in line with the enterprise's business strategy and priorities.
o Tracking of the status of projects and resolution of resource conflicts.
o Monitoring of service levels and service improvements.

Sub process: Establishment of Roles and Responsibilities
Current Practice: Tasks and responsibilities were documented in November 20XX for all IT staff, except for the new Information Security Officer position.
Gap: Job descriptions and responsibilities for key positions are still under review by the Human Resources Department. The Information Security Officer's responsibilities are not clearly defined.
Recommended Actions: Formalize the skills, experience, authority, responsibility and accountability for each IT task, and obtain the approval of a high-level manager. Ensure that management initiates regular training and awareness campaigns to reinforce staff knowledge of roles. This may be supplemented with occasional assessments of understanding and compliance.

Acquire and Implement Gap Analysis

COBIT domain: Acquire and Implement

Process Description: AI1 Identify automated solutions

Sub process: Definition and maintenance of business functional and technical requirements
Current Practice: Based on the development and maintenance methodology known as RAD (Rapid Application Development), business requirements are presented in an "Information Collection" format. As a reference: Local Balance (development prepared 3 years ago). The IT Department uses a format to manage change requests for applications.
Gap: Documentation was developed for an information systems project 3 years ago and may not include the elements necessary to control the functional and technical aspects.
Recommended Actions: Define and implement a requirements definition and maintenance procedure and a requirements repository that are appropriate for the size, complexity, objectives and risks of the business initiative that the organization is considering undertaking. This procedure should take into account the nature of the enterprise's business, strategic direction, strategic and tactical IT plans, in-house and outsourced business and IT processes, emerging regulatory requirements, people skills and competencies, structure, business case, and enabling technology. Confirm that all user, functional and technical requirements, including relevant acceptance criteria, are considered, captured, prioritized and recorded in a way that is understandable, and that includes business sponsors and technical implementation personnel.

Sub process: Feasibility study and formulation of alternative courses of action
Current Practice: Feasibility studies are not prepared. There is an initial definition of the information system context, where requirements are defined in a top-level overview in order to begin development.
Gap: Lack of working procedures and documentation supporting the feasibility study and the establishment of alternative solutions in a technical manner.
Recommended Actions: Define and implement a procedure that documents and formalizes a feasibility study that clearly and concisely describes the key alternative courses of action that will satisfy the business and functional requirements, with an evaluation of their technological and economic feasibility. Identify the actions required for the acquisition or development, and take into account scope and/or time and/or budget limitations. Review the alternative courses of action with all stakeholders, and select the most appropriate one based on feasibility criteria, including risks and cost. Translate the preferred course of action into a high-level acquisition/development plan identifying the resources to be used and the stages requiring a go or no-go decision.
Deliver and Support Gap Analysis


COBIT domain: Deliver and Support

Process Description: DS01 Define and Manage Service Level

Sub process: Service Level Management Framework
Current Practice: Service Level Agreements (SLAs) have not been defined and documented yet, but some Key Performance Indicators (KPIs) have been established by the Planning Department.
Gap: There is no framework for IT service management.
Recommended Actions: Define and document an SLA framework to manage the IT service life cycle. The process should involve senior management representing both the business and IT functions. The framework should include processes for creating service requirements, service definitions, SLAs, OLAs and funding sources.

Sub process: Review of Service Level Agreements and Contracts
Current Practice: No control activities have been identified.
Gap: SLAs are not defined and documented, including for the Exploration Department.
Recommended Actions: Conduct reviews of SLAs and Underpinning Contracts (UCs) on a regular basis with all impacted parties to ensure that they remain effective and are in alignment with business objectives.

Monitor and Evaluate Gap Analysis


COBIT domain: Monitor and Evaluate

Process Description: ME1 Monitor and evaluate IT performance

Sub process: Definition and Collection of Monitoring Data
Current Practice: There is an informal process for gathering information on a limited basis, particularly for support activities, and it does not cover all IT services. It also does not cover the IT service areas of the Exploration Department, which manages its own data center.
Gap: Lack of procedures for collecting information, analysis and reporting.
Recommended Actions: Define targets for the IT metrics in line with the coverage and characteristics of the metrics defined in the monitoring framework. Obtain IT and business management approval for the targets. Collect the performance data needed by the monitoring approach in an automated fashion wherever feasible. Compare the measured performance to the targets at agreed-to intervals. Ensure consistency, completeness and integrity of performance monitoring source data. Ensure control over all changes to performance monitoring data sources. Define performance targets and focus on those that provide the largest insight-to-effort ratio. Assess the integrity of the data collected by carrying out reconciliation and control checks at agreed-upon intervals.

Sub process: Performance Assessment
Current Practice: The IT Department has established maintenance activities for the inventory of applications, patching and the help desk. There are some reports on the Novell network servers and on actions to improve the technology platform. There is a schedule for implementing these activities. However, there are no common practices.
Gap: Lack of procedures to execute performance assessment.
Recommended Actions: Compare the performance values to internal targets and benchmarks and, where possible, to external benchmarks (industry and key competitors). Consider implementing, in parallel with the performance management system, a less formal feedback mechanism to obtain alternative measures of perceived performance. Use the data to improve the performance measurement system and, where necessary, solution and service delivery. Assess performance against targets and analyze the results. Compare measured performance to targets at agreed-to intervals. Ensure that performance targets and results are communicated to IT and to senior and business management via the established performance monitoring framework. Analyze the cause of deviations against targets, initiate remedial actions, assign responsibilities for remediation, and follow up. At appropriate times, review all deviations and search for root causes, where necessary. Document the issues for further guidance if the problem recurs. Collect and retain the appropriate evidence and documentation to support the analysis. Where feasible, link achievement of performance targets to the organizational reward and compensation system.

Sub process: Board and Executive Reporting
Current Practice: There is a level of reporting through e-mail, and formal reporting on a quarterly basis, in both the Lima and Miraflores offices. This includes project activities with IT suppliers related to important issues.
Gap: Lack of procedures to report activities in a formal manner.
Recommended Actions: Establish a board and executive reporting process, based on the performance monitoring framework, for regular, accurate and timely reporting on IT's contribution to the business by measuring achievement of IT goals, mitigation of IT risks and the usage of resources. Design senior management reports to highlight key issues (positive and negative) relating generally to IT's contribution to the business and specifically to IT solution and service delivery capability and performance. Consolidate the results of IT performance measurement. Translate them into business performance impacts (positive or negative) and incorporate the results into standard periodic reports to the board. Clearly link IT performance measurement to business outcomes and identify how IT supports business strategy.
