Post on 06-Jul-2018
8/17/2019 COBIT 5 introo
1/89
September 17, 2012
Pittsburgh ISACA Chapter
What is COBIT?
• Control Objectives for Information and related Technologies – ISACA's guidance on the enterprise governance and management of IT.
– Builds on more than 15 years of practical usage and application of COBIT by many enterprises and users from business, IT, risk, security and assurance communities.
• Connects to, and, where relevant, aligns with, other major frameworks and standards in the marketplace, such as
– Information Technology Infrastructure Library (ITIL®)
– The Open Group Architecture Forum (TOGAF®)
– Project Management Body of Knowledge (PMBOK®)
– PRojects IN Controlled Environments 2 (PRINCE2®)
– Committee of Sponsoring Organizations of the Treadway Commission (COSO)
– International Organization for Standardization (ISO) standards.
What is COBIT?
• COBIT 5 brings together the five principles
that allow the organizations to build an
effective governance and management
framework based on a holistic set of seven
enablers that optimizes information and
technology investment and use for the benefit
of stakeholders.
What you need to remember…
• "All models are wrong, some models are useful" – George Box or W. Edwards Deming
• Thus, when adopting COBIT, a certain degree of adaptation also needs to occur in order for it to be of value.
• Incorporate an operation model and a common language for all parts of the enterprise involved in IT activities
• Leverage the Appendices for model navigation
• Adapt to each unique organization
Why Version 5?
• Provide more stakeholders a say…
• Address the increasing dependency on external business and IT parties…
• Deal with the amount of information, which has increased significantly…
• Deal with much more pervasive IT…
• Provide further guidance in the area of innovation and emerging technologies…
• Less about audit and more about governance…
Why Version 5?
• All previous content from these 3 models are
integrated and updated into COBIT 5
COBIT begins with Information
• Information is a key resource.
• Information is created, used, modified, retained, disclosed and destroyed.
• Technology plays a key role in these actions.
• Technology is pervasive in all aspects of business.
What benefits do information and technology bring to organizations?
Enterprise Benefits
• Organizations and their leaders strive to:
• Maintain quality information to support business decisions.
• Generate business value from IT-enabled investments, i.e.,
achieve strategic goals and realize business benefits through
effective and innovative use of IT.
• Achieve operational excellence through reliable and efficient
application of technology.
• Maintain IT-related risk at an acceptable level.
• Optimize the cost of IT services and technology.
How can these benefits be realized to create enterprise
stakeholder value?
Stakeholder Value
• Delivering organizational stakeholder value requires good
governance and management of information and technology
(IT) assets.
• Corporate boards, executives and management have to
embrace IT like any other significant part of the business.
• External legal, regulatory and contractual compliance
requirements related to enterprise use of information and
technology are increasing, threatening value if breached.
• COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
The COBIT 5 Framework
• COBIT 5 helps organizations create optimal value from IT
by maintaining a balance between realizing benefits and
optimizing risk levels and resource use.
• COBIT 5 enables information and related technology to be
governed and managed in a holistic manner for the entire
organization, taking in the full end-to-end business and
functional areas of responsibility, considering the IT-related
interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for organizations of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT Structure
• COBIT provides cascading guidance to align the complex relationship between business and IT goals by depicting a cascading relationship between the sets of goals and "enablers".
• COBIT provides the 'What' for defining best practices and their subsequent measures.
COBIT 5 Principles
Source: COBIT® 5, © 2012 ISACA®
Goals Cascade
The COBIT 5 Goals Cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals.
Source: COBIT® 5. © 2012 ISACA®
COBIT Stakeholder
Drivers & Needs
• A governance system should consider all stakeholders when making benefit, risk and resource assessment decisions.
• For each decision, the following questions can and should be asked:
– For whom are the benefits?
– Who bears the risk?
– What resources are required?
Stakeholder Needs
• These questions point us towards an Enterprise Goal focus
Source: COBIT® 5. © 2012 ISACA®
COBIT Enterprise Goals
• COBIT provides 17 general enterprise
goals
• These goals are categorized into four
domains:
– Financial
– Customer
– Internal
– Learning and Growth
COBIT Enterprise Goals
Primary & Secondary
Source: COBIT® 5. © 2012 ISACA®
COBIT 5 Model
• 'P' stands for primary, when there is an important relationship and it is the primary support for the achievement of a COBIT object (e.g. goal).
• 'S' stands for secondary, when there is still a strong, but less important, relationship.
COBIT Enterprise Goals -
Metrics
Source: COBIT® 5. © 2012 ISACA®
COBIT Enterprise Goals -
Metrics
Source: COBIT® 5. © 2012 ISACA®
COBIT IT Goals
• COBIT provides 17 Generic IT Goals
• Enterprise Goals translate into these IT
Goals
• The IT Goals require the successful application and use of a number of enablers.
[Figure: traceability from Enterprise Goals to IT Goals]
COBIT IT Goals
Source: COBIT® 5. © 2012 ISACA®
COBIT IT Goals - Metrics
Source: COBIT® 5. © 2012 ISACA®
COBIT IT Goals - Metrics
Source: COBIT® 5. © 2012 ISACA®
COBIT IT Goals - Metrics
Source: COBIT® 5. © 2012 ISACA® All rights reserved.
Mapping of Goals
• Understanding the alignment of Enterprise Goals with IT Goals is critical to leveraging COBIT 5.
Source: COBIT® 5. © 2012 ISACA® All rights reserved.
COBIT 5 Enablers
Source: COBIT® 5. © 2012 ISACA®
COBIT Enablers
• Enablers are factors that, individually and
collectively, influence whether something
will work—in this case, governance and
management over enterprise IT.
• Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.
COBIT Enablers
1. Principles, policies and frameworks are the vehicle to translate the desired
behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to achieve certain
objectives and produce a set of outputs in support of achieving overall IT-related
goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics and behavior of individuals and of the enterprise are very often
underestimated as a success factor in governance and management activities.
5. Information is pervasive throughout any organization and includes all information
produced and used by the enterprise. Information is required for keeping the
organization running and well governed, but at the operational level, information is
very often the key product of the enterprise itself.
6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competencies are linked to people and are required for
successful completion of all activities and for making correct decisions and taking
corrective actions.
COBIT Enablers
• Some of the enablers defined previously are also
enterprise resources that need to be managed and
governed as well.
• This applies to:
– Information, which needs to be managed as a resource. Some information, such as management reports and business intelligence information, are important enablers for the governance and management of the enterprise.
– Service, infrastructure and applications
– People, skills and competencies
COBIT Enablers Interconnected
• Each enabler needs the input of other enablers to be fully effective;
– For example:
• processes need information
• organizational structures need skills and behavior
• And delivers output to the benefit of other enablers.
– For example:
• processes deliver information,
• skills and behavior make processes efficient.
• This means that to deal with any stakeholder need, all interrelated
enablers have to be analyzed for relevance and addressed if
required.
COBIT 5 Enablers
Source: COBIT® 5. © 2012 ISACA®
COBIT Enablers
• All enablers have a set of common dimensions. This set
of common dimensions:
• Provides a common, simple and structured way to deal
with enablers
• Allows an entity to manage its complex interactions
• Facilitates successful outcomes of the enablers
COBIT Enabler Dimensions
Source: COBIT® 5. © 2012 ISACA®
COBIT Information Criteria
The COBIT 5 information model allows definition of an additional set of criteria, hence adding value to the COBIT 4.1 criteria.
COBIT: Enabling Processes
COBIT: Enabling Processes
• A process is defined as 'a collection of practices influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (e.g., products, services)'.
COBIT: Enabling Processes
The processes model shows:
• Stakeholders - Processes have internal and external stakeholders, with their own roles; stakeholders and their responsibility levels are documented in RACI charts. External stakeholders include customers, business partners, shareholders and regulators. Internal stakeholders include the board, management, staff and volunteers.
• Goals - Process goals are defined as 'a statement describing the desired outcome of a process. An outcome can be an artifact, a significant change of a state or a significant capability improvement of other processes'. They are part of the goals cascade, i.e., process goals support IT-related goals, which in turn support enterprise goals.
Process Goals
Process goals can be categorized as:
• Intrinsic goals—Does the process have intrinsic quality? Is it accurate and in line with good practice? Is it compliant with internal and external rules?
• Contextual goals—Is the process customized and adapted to the enterprise's specific situation? Is the process relevant, understandable, easy to apply?
• Accessibility and security goals—The process remains confidential, when required, and is known and accessible to those who need it.
Process Goal Metrics
• At each level of the goals cascade, metrics are defined to measure the extent to which goals are achieved.
• Metrics can be defined as 'a quantifiable entity that allows the measurement of the achievement of a process goal. Metrics should be SMART—specific, measurable, actionable, relevant and timely'.
• To manage the enabler effectively and efficiently, metrics need to be defined to measure the extent to which the expected outcomes are achieved.
Process Life cycle
• Life cycle—Each process has a life cycle. It is defined, created, operated, monitored, and adjusted/updated or retired.
• Generic process practices such as those defined in the COBIT process assessment model based on ISO/IEC 15504 can assist with defining, running, monitoring and optimizing processes.
Good Practices
• Good practices—COBIT 5: Enabling Processes contains a process reference model, in which process internal good practices are described in growing levels of detail: practices, activities and detailed activities.
COBIT Enabling Processes
• COBIT provides 37 IT Processes
segmented into 5 domains
– Evaluate, Direct and Monitor (EDM)
– Align, Plan and Organize (APO)
– Build, Acquire and Implement (BAI)
– Deliver, Service and Support (DSS)
– Monitor, Evaluate and Assess (MEA)
COBIT Enabling Processes
• Although, as described previously, most of the processes require 'planning', 'implementation', 'execution' and 'monitoring' activities within the process or within the specific issue being addressed (e.g., quality, security), they are placed in domains in line with what is generally the most relevant area of activity when regarding IT at the enterprise level.
• In COBIT 5, the processes also cover the full scope of business and IT activities related to the governance and management of enterprise IT, thus making the process model truly enterprise-wide.
Governance and Management
• Governance ensures that organizational objectives are
achieved by evaluating stakeholder needs, conditions
and options; setting direction through prioritization and
decision making; and monitoring performance,
compliance and progress against agreed-upon direction
and objectives.
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the organizational objectives.
Source: COBIT® 5. © 2012 ISACA®
Evaluate, Direct and Monitor (EDM)
• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM).
Evaluate, Direct and Monitor (EDM)
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency
Align, Plan and Organize (APO)
• The Align, Plan and Organize domain covers the use of information & technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
Align, Plan and Organize (APO)
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Relations
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security
Build, Acquire and Implement (BAI)
• The Build, Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes.
Build, Acquire and Implement (BAI)
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Changes Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration
Deliver, Service and Support (DSS)
• The Deliver, Service and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems.
Deliver, Service and Support (DSS)
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess (MEA)
• The Monitor, Evaluate and Assess domain deals with a company's strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the company's control processes by internal and external auditors.
Monitor, Evaluate and Assess (MEA)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Evaluate and Assess Compliance with External Requirements
Governance & Management
Source: COBIT® 5. © 2012 ISACA®
IT Process to IT Goal Mapping
Source: COBIT® 5. © 2012 ISACA®
IT Process to IT Goal Mapping
Source: COBIT® 5. © 2012 ISACA®
COBIT Enabling Process
• Example Walkthrough:
– APO 02 Manage Strategy
• Process Label – Domain Prefix and Number
• Process Name
• Area of the Process – Governance or Management
APO 02 Manage Strategy
• Description – What it does and accomplishes
• Purpose Statement – Overall purpose description
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
• Goal Cascade – Related IT Goals
• Generic Metrics – Measure achievement of IT Goals
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
• Process Goals
• Process Metrics
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
RACI Chart
• Responsible – Who is getting the task done?
• Accountable – Who accounts for the success of the task?
• Consulted – Who is providing input?
• Informed – Who is receiving information?
APO 02 Manage Strategy
• Detailed description
• Activities
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
Source: COBIT® 5. © 2012 ISACA®
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
Source: COBIT® 5. © 2012 ISACA®
APO 02 Manage Strategy
• Related guidance from external sources
Source: COBIT® 5. © 2012 ISACA®
Generic Guidance for Processes
Source: COBIT® 5. © 2012 ISACA®
New & Modified Processes
• 5 new Governance Processes
– EDM 01 Ensure Governance Framework Setting and Maintenance
– EDM 02 Ensure Benefits Delivery
– EDM 03 Ensure Risk Optimization
– EDM 04 Ensure Resource Optimization
– EDM 05 Ensure Stakeholder Transparency
New & Modified Processes
Summary of changes between COBIT 4.1 and COBIT 5
• Processes in CobiT® 4.1 that are merged in CobiT® 5
• DS7 is merged with PO7 (Education and Human Resources)
• PO6 is merged with PO1 (Management Communications and Management)
• PO2 is merged with PO3 (Information and Technical Architectures)
• AI2 is merged with AI3 (Application Software and Infrastructure Components)
• DS12 is merged with DS5 (Physical Environment and Information Security)
New & Modified Processes
Entirely new processes in COBIT
• EDM1 Set and Maintain Governance Framework
• APO1 Define the Management Framework
• APO4 Manage Innovation (partly PO3)
• APO8 Manage Relationships
• BAI8 Knowledge Management
• DSS2 Manage Assets (partly DS9)
• DSS8 Manage Business Process Controls.
New & Modified Processes
Processes in COBIT 4.1 that are reassigned in COBIT 5
• ME4 to EDM1, 2, 3, 4, 5 (Governance)
Processes in COBIT 4.1 that are relocated in COBIT 5
• PO1 to APO2 (Strategic Planning)
• PO4 to APO1 (Organization, Relationships and Processes)
Putting this all together
[Figure: Enterprise Goals, IT Goals, Enabler Goals, Processes, Activities]
COBIT Capability
COBIT Process Capability Model
Source: COBIT® 5. © 2012 ISACA®
COBIT Process Capability Model
Source: COBIT® 5. © 2012 ISACA®
COBIT Process Capability Model
There are six levels of capability that a process can achieve, including an 'incomplete process' designation if the practices in it do not achieve the intended purpose of the process:
• 0 Incomplete process—The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.
• 1 Performed process (one attribute)—The implemented process achieves its process purpose.
• 2 Managed process (two attributes)—The previously described performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
• 3 Established process (two attributes)—The previously described managed process is now implemented using a defined process that is capable of achieving its process outcomes.
• 4 Predictable process (two attributes)—The previously described established process now operates within defined limits to achieve its process outcomes.
• 5 Optimizing process (two attributes)—The previously described predictable process is continuously improved to meet relevant current and projected business goals.
COBIT Process Capability Model
Assessing whether the process achieves its goals—or, in other words, achieves capability level 1—can be done by:
1. Reviewing the process outcomes as they are described for each process in the detailed process descriptions, and using the ISO/IEC 15504 rating scale to assign a rating to what degree each objective is achieved. This scale consists of the following ratings:
• N (Not achieved)—There is little or no evidence of achievement of the defined attribute in the assessed process. (0 to 15 percent achievement)
• P (Partially achieved)—There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable. (15 to 50 percent achievement)
• L (Largely achieved)—There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weakness related to this attribute may exist in the assessed process. (50 to 85 percent achievement)
• F (Fully achieved)—There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process. (85 to 100 percent achievement)
2. In addition, the process (governance or management) practices can be assessed using the same rating scale, expressing the extent to which the base practices are applied.
3. To further refine the assessment, the work products also may be taken into consideration to determine the extent to which a specific assessment attribute has been achieved.
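As an added example (not ISACA's or the presenter's material), the following Python helper applies the N/P/L/F bands above to per-attribute achievement percentages and derives the capability level an assessor would record, plus the attributes that block the next level. Two things are assumed rather than taken from the slide: the per-level rule (a level is reached when its own attributes are L or F and every lower-level attribute is F) comes from ISO/IEC 15504-2, which the COBIT PAM adopts, and the PAx.y attribute ids are the ISO/IEC 15504 names; the sample evidence is constructed.

```python
from typing import Dict, List, Tuple

# Process attributes per capability level. The slide gives only the counts
# (one attribute at level 1, two at each of levels 2-5); the PAx.y ids are
# the ISO/IEC 15504-2 attribute ids, which the slide does not show.
LEVEL_ATTRIBUTES: Dict[int, List[str]] = {
    1: ["PA1.1"],
    2: ["PA2.1", "PA2.2"],
    3: ["PA3.1", "PA3.2"],
    4: ["PA4.1", "PA4.2"],
    5: ["PA5.1", "PA5.2"],
}

def rate(percent: float) -> str:
    """Map percent achievement of one attribute to the N/P/L/F scale.

    The slide's bands meet at 15/50/85; this follows the ISO/IEC 15504
    convention that the boundary value itself belongs to the lower rating.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"achievement must be 0..100, got {percent}")
    if percent > 85:
        return "F"
    if percent > 50:
        return "L"
    if percent > 15:
        return "P"
    return "N"

def capability_level(ratings: Dict[str, str]) -> int:
    """Highest level reached; an attribute with no rating counts as N.

    Assumed rule (ISO/IEC 15504-2): a level is reached when its own
    attributes are all L or F and every attribute of the lower levels is F.
    """
    achieved = 0
    for level in range(1, 6):
        own_ok = all(ratings.get(a, "N") in ("L", "F") for a in LEVEL_ATTRIBUTES[level])
        lower_ok = all(ratings.get(a, "N") == "F"
                       for lower in range(1, level) for a in LEVEL_ATTRIBUTES[lower])
        if not (own_ok and lower_ok):
            break
        achieved = level
    return achieved

def blockers(ratings: Dict[str, str]) -> List[str]:
    """Attributes whose rating stops the process reaching the next level."""
    target = capability_level(ratings) + 1
    if target > 5:
        return []
    gaps: List[str] = []
    for lower in range(1, target):
        for a in LEVEL_ATTRIBUTES[lower]:
            if ratings.get(a, "N") != "F":
                gaps.append(f"{a}: {ratings.get(a, 'N')} -> needs F")
    for a in LEVEL_ATTRIBUTES[target]:
        if ratings.get(a, "N") not in ("L", "F"):
            gaps.append(f"{a}: {ratings.get(a, 'N')} -> needs L or F")
    return gaps

def assess(evidence: Dict[str, float]) -> Tuple[int, Dict[str, str], List[str]]:
    """Rate each attribute from its percent achievement, then derive level and gaps."""
    ratings = {attr: rate(pct) for attr, pct in evidence.items()}
    return capability_level(ratings), ratings, blockers(ratings)

# Constructed sample evidence for one process (think DSS05 Manage Security
# Services): purpose fully achieved, but planning and monitoring still patchy.
SAMPLE_EVIDENCE: Dict[str, float] = {
    "PA1.1": 92.0,  # process purpose achieved           -> F
    "PA2.1": 60.0,  # performance management, partial    -> L
    "PA2.2": 40.0,  # work product management, weak      -> P
    "PA3.1": 10.0,  # no defined process yet             -> N
}

if __name__ == "__main__":
    level, ratings, gaps = assess(SAMPLE_EVIDENCE)
    print(f"capability level {level}; ratings {ratings}")
    for gap in gaps:
        print("  blocker:", gap)
```

For the sample evidence the process is rated level 1: PA1.1 is F, but PA2.2 is only P, so level 2 is not reached and the blocker list names that single attribute.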
Auditor Tips
• Evidence of activities (as well as inputs/outputs) is critical in assessing the existence of controls
• Information and metrics/measurements are key to any critical IT process.
Remaining Thoughts
• COBIT has evolved to provide the over-arching framework for organizations to achieve IT Governance while leveraging other industry best practices, frameworks, and models to provide prescriptive actions.
• COBIT promotes tight alignment with IT processes and enterprise goals.
• COBIT is a useful tool beyond just the standard audit guidance.
Questions?
Thank you