MEA02 Monitor, Evaluate and Assess The System of Internal Control [PDF]


COBIT® 5 Process Assessment Worksheet
Area: Management
Domain: Monitor, Evaluate, and Assess
Process: MEA02 – Monitor, Evaluate and Assess the System of Internal Control



MEA02 – Process Setting

Process Description1
Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and assurance activities.

Process Purpose Statement1
Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

Process Assessment Objectives1
The objectives of this assessment are to determine that:
- Continuous monitoring improves the IT control environment
- Effectiveness reviews help business processes to operate effectively
- Ownership of control means ownership of control improvements
- Internal control is established and deficiencies are identified and reported
- Independent assurance that the system of internal control is operational and effective is provided
- All assurance initiatives are planned and aligned with organizational objectives
- Processes, resources and information meet enterprise internal control system requirements
- All assurance initiatives are planned and executed effectively



Process Risk Drivers2
- Compliance with regulatory, contractual and legal requirements not achieved
- Control deficiencies hampering the business processes
- Control deficiencies not identified in a timely manner
- Control gaps not communicated
- Control gaps not identified
- Control weaknesses hampering effective business process execution
- Extended time required to resolve the identified issues, thus decreasing the process performance
- Failures and degradations of service from the provider not identified in a timely manner
- Failures of mission-critical systems during operation
- Inaccurate or incomplete control deficiency data, resulting in erroneous management decisions
- Increased adverse impact on the organization's operations or reputation
- Ineffective IT governance, risk management and internal control arrangements
- Insufficient assurance over the service provider's control framework and control performance
- IT services failing to meet the service specifications
- Management not informed about control deficiencies
- Objective recommendations not obtained, resulting in IT control arrangements not being optimized
- Processes not effectively controlled and failing to meet the business requirements
- Reputational damage caused by provider service performance degradation
- Reputational damage through failure to detect or prevent service performance degradation
- Undetected malfunctioning of internal control components
- Unethical behaviors adopted and accepted

1 - © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)
2 - © 2015 Wescott and Associates. All rights reserved.






MEA02 – Process Goal Assessment

MEA02.01 Management Practice1
Monitor internal controls. Continuously monitor, benchmark, and improve the IT control environment and control framework to meet organizational objectives.

Activity Title1: MEA02.01.01 - Monitoring and Evaluation
Activity Assessment Objectives1: Perform internal control monitoring and evaluation activities based on organizational governance standards and industry-accepted frameworks and practices. Include monitoring and evaluation of the efficiency and effectiveness of managerial supervisory reviews.
Activity Assessment Step(s)2:
1. Assess whether there is executive-level support for organizational governance standards for internal control and risk management (e.g., minutes, corporate policies, interview with CEO).
2. Verify that policies and procedures include governance for internal standards and risk management (e.g., adoption of COSO Internal Control's Integrated Framework, COSO Enterprise Risk Management's Integrated Framework, COBIT 5).
3. Assess whether there is a continuous improvement approach to internal control monitoring (i.e., balanced scorecard, self-assessment).

Activity Title1: MEA02.01.02 - Independent Evaluations
Activity Assessment Objectives1: Consider independent evaluations of the internal control system (e.g., by internal audit or peers).
Activity Assessment Step(s)2: Determine if IT considers independent evaluations of the internal control system (e.g., by internal audit or peers).

Activity Title1: MEA02.01.03 - Control System Boundaries
Activity Assessment Objectives1: Identify the boundaries of the IT internal control system (e.g., consider how organizational IT internal controls take into account outsourced and/or offshore development or production activities).
Activity Assessment Step(s)2:
1. Determine if the organization has identified the boundaries of the IT internal control system (e.g., consider how organizational IT internal controls take into account outsourced and/or offshore development or production activities).
2. If possible, obtain or generate a chart showing the boundaries.

Activity Title1: MEA02.01.04 - Exception Reporting and Follow-Up
Activity Assessment Objectives1: Ensure that control activities are in place and exceptions are promptly reported, followed up and analyzed, and appropriate corrective actions are prioritized and implemented according to the risk management profile (e.g., classify certain exceptions as a key risk and others as a non-key risk).
Activity Assessment Step(s)2:
1. Determine how the organization ensures that control activities are in place and functioning.
2. Determine if exceptions are promptly reported, followed up and analyzed, and appropriate corrective actions are prioritized and implemented according to the risk management profile (e.g., classify certain exceptions as a key risk and others as a non-key risk).
3. Obtain examples of control evaluation reports and exception follow-up methodologies.

Activity Title1: MEA02.01.05 - Change Evaluation
Activity Assessment Objectives1: Maintain the IT internal control system, considering ongoing changes in business and IT risk, the organizational control environment, relevant business and IT processes, and IT risk. If gaps exist, evaluate and recommend changes.
Activity Assessment Step(s)2:
1. Determine if the IT organization maintains the IT internal control system, considering ongoing changes in business and IT risk, the organizational control environment, relevant business and IT processes, and IT risk.
2. Obtain examples of these.
3. Evaluate the population and determine if gaps exist. If gaps exist, understand if and how IT evaluates and recommends changes.

Activity Title1: MEA02.01.06 - Framework Evaluation
Activity Assessment Objectives1: Regularly evaluate the performance of the IT control framework, benchmarking against industry-accepted standards and good practices. Consider formal adoption of a continuous improvement approach to internal control monitoring.
Activity Assessment Step(s)2:
1. Determine if and who regularly evaluates the performance of the IT control framework.
2. Determine if these evaluations benchmark against industry-accepted standards and good practices.
3. Obtain examples of these evaluations.

Activity Title1: MEA02.01.07 - SSAE 16 Evaluations
Activity Assessment Objectives1: Assess the status of external service providers' internal control and confirm that service providers comply with legal and regulatory requirements and contractual obligations.
Activity Assessment Step(s)2:
1. Confirm that internal control requirements are addressed in the policies and procedures for contracts and agreements with third parties and that appropriate provisions for rights to audit are included.
2. Confirm that there is a process in place to ensure that reviews are periodically performed to assess the internal controls of all third parties and that non-compliance issues are communicated.
3. Confirm that policies and procedures are in place to confirm receipt of any required legal or regulatory internal control assertions from affected third-party service providers.
4. Confirm that policies and procedures are in place to investigate exceptions, and obtain assurance that appropriate remedial actions have been implemented.






MEA02.02 Management Practice1
Review business process controls effectiveness. Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.

Activity Title1: MEA02.02.01 - Risk Priorities
Activity Assessment Objectives1: Understand and prioritize risk to organizational objectives.
Activity Assessment Step(s)2:
1. Understand how IT prioritizes its risk to achieving objectives.
2. Obtain an example of how this is accomplished.

Activity Title1: MEA02.02.02 - Control Validation
Activity Assessment Objectives1: Identify key controls and develop a strategy suitable for validating controls.
Activity Assessment Step(s)2:
1. Determine if the IT organization has identified key controls and developed a strategy suitable for validating controls.
2. Obtain the population of key controls.
3. Obtain the testing and validation strategy and determine if it is adequate.

Activity Title1: MEA02.02.03 - Effective Internal Control Environment
Activity Assessment Objectives1: Identify information that will persuasively indicate whether the internal control environment is operating effectively.
Activity Assessment Step(s)2:
1. Determine if the IT organization identified information that indicates whether the internal control environment is operating effectively.
2. Obtain an example of how this is communicated to stakeholders.

Activity Title1: MEA02.02.04 - Cost-Effective Procedures
Activity Assessment Objectives1: Develop and implement cost-effective procedures to determine that persuasive information is based on the information criteria.
Activity Assessment Step(s)2:
1. Review the evaluation process.
2. Analyze if the processes are effective and, in the end, are cost effective.

Activity Title1: MEA02.02.05 - Evidence
Activity Assessment Objectives1: Maintain evidence of control effectiveness.
Activity Assessment Step(s)2: Determine if and how IT maintains evidence of control effectiveness.






MEA02.03 Management Practice1
Perform control self-assessments. Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management's control over processes, policies and contracts.

Activity Title1: MEA02.03.01 - Plans, Scope, and Evaluations
Activity Assessment Objectives1: Maintain plans and scope and identify evaluation criteria for conducting self-assessments. Plan the communication of results of the self-assessment process to business, IT general management, and the board. Consider internal audit standards in the design of self-assessments.
Activity Assessment Step(s)2:
1. If they exist, review control self-assessment procedures to ensure the inclusion of relevant information such as scope, self-assessment approach, evaluation criteria, frequency of self-assessment, roles and responsibilities, and results reporting.
2. Determine if the results are adequately reported to executive business and IT stakeholders (e.g., reference internal audit standards or accepted practices in the design of self-assessments).
3. Obtain examples of these communications and evaluate their effectiveness.

Activity Title1: MEA02.03.02 - Testing Frequency
Activity Assessment Objectives1: Determine the frequency of periodic self-assessments, considering the overall effectiveness and efficiency of ongoing monitoring.
Activity Assessment Step(s)2:
1. Determine the frequency of periodic self-assessments, considering the overall effectiveness and efficiency of ongoing monitoring.
2. Obtain, if possible, a schedule of assessments and their scope and objectives.

Activity Title1: MEA02.03.03 - Individual Assignment
Activity Assessment Objectives1: Assign responsibility for self-assessment to appropriate individuals to ensure objectivity and competence.
Activity Assessment Step(s)2:
1. Determine, if any, who has been assigned responsibility for self-assessment.
2. Evaluate the assessor qualifications to make such assessments.

Activity Title1: MEA02.03.04 - Independent Review
Activity Assessment Objectives1: Provide for independent review to ensure objectivity of the self-assessment and enable the sharing of internal control good practices from other enterprises.
Activity Assessment Step(s)2:
1. Determine if independent reviews of control self-assessment are performed against industry standards and best practices to ensure objectivity.
2. Determine if there is sharing of internal control good practices (e.g., benchmarking against maturity model levels across similar organizations and the relevant industry).

Activity Title1: MEA02.03.05 - Standards and Best Practices
Activity Assessment Objectives1: Compare the results of the self-assessments against industry standards and good practices.
Activity Assessment Step(s)2: Determine if assessors compare the results of the self-assessments against industry standards and good practices. Obtain examples.

Activity Title1: MEA02.03.06 - Reporting
Activity Assessment Objectives1: Summarize and report outcomes of self-assessments and benchmarking for remedial actions.
Activity Assessment Step(s)2: Determine if IT reviewers summarize and report outcomes of self-assessments and benchmarking for remedial actions. Obtain examples.

Activity Title1: MEA02.03.07 - Approach
Activity Assessment Objectives1: Define an agreed-on, consistent approach for performing control self-assessments and coordinating with internal and external auditors.
Activity Assessment Step(s)2: Determine if assessors have an agreed-on, consistent approach for performing control self-assessments and coordinate with internal and external auditors. Obtain examples.






MEA02.04 Management Practice1
Identify and report control deficiencies. Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.

Activity Title1: MEA02.04.01 - Control Exceptions
Activity Assessment Objectives1: Identify, report, and log control exceptions, and assign responsibility for resolving them and reporting on the status.
Activity Assessment Step(s)2: Review and confirm that policies include establishing thresholds for acceptable levels of control exceptions and control breakdowns.

Activity Title1: MEA02.04.02 - Related Enterprise Risk
Activity Assessment Objectives1: Consider related enterprise risk to establish thresholds for escalation of control exceptions and breakdowns.
Activity Assessment Step(s)2: Determine if assessors consider related enterprise risk to establish thresholds for escalation of control exceptions and breakdowns.

Activity Title1: MEA02.04.03 - Escalation Procedures
Activity Assessment Objectives1: Communicate procedures for escalation of control exceptions, root cause analysis, and reporting to process owners and IT stakeholders.
Activity Assessment Step(s)2:
1. Confirm that the escalation procedures for control exceptions have been communicated and reported to business and IT stakeholders (e.g., via the intranet, hard copy procedures).
2. Interview management to assess knowledge and awareness of the escalation procedures, as well as root cause analysis and reporting.
3. Determine if the escalation procedures include criteria or thresholds for escalations (e.g., control exceptions less than a specific amount of impact do not need to be escalated, control exceptions greater than a specific amount of impact need immediate reporting to the CIO, and control exceptions greater than a specific amount of impact require immediate reporting to the board of directors).

Activity Title1: MEA02.04.04 - Communications and Escalations
Activity Assessment Objectives1: Decide which control exceptions should be communicated to the individual responsible for the function and which exceptions should be escalated. Inform affected process owners and stakeholders.
Activity Assessment Step(s)2: Determine how assessors decide which control exceptions should be communicated to the individual responsible for the function and which exceptions should be escalated.

Activity Title1: MEA02.04.05 - Follow-Up
Activity Assessment Objectives1: Follow up on all exceptions to ensure that agreed-on actions have been addressed.
Activity Assessment Step(s)2: Determine if and how IT follows up on all exceptions to ensure that agreed-on actions have been addressed.

Activity Title1: MEA02.04.06 - Management Action Tracking
Activity Assessment Objectives1: Identify, initiate, track and implement remedial actions arising from control assessments and reporting.
Activity Assessment Step(s)2: Confirm that individuals have been assigned accountability for root cause analysis and reporting as well as exception resolution.






MEA02.05 Management Practice1
Ensure that assurance providers are independent and qualified. Ensure that the entities performing assurance are independent from the function, groups or organizations in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.

Activity Title1: MEA02.05.01 - Adherence to Standards
Activity Assessment Objectives1: Establish adherence to applicable codes of ethics and standards (e.g., Code of Professional Ethics of ISACA) and (industry- and geography-specific) assurance standards (e.g., IT audit and assurance standards of ISACA and the International Auditing and Assurance Standards Board (IAASB) International Framework for Assurance Engagements (IAASB Assurance Framework)).
Activity Assessment Step(s)2: Determine what standards are used for testing of IT controls.

Activity Title1: MEA02.05.02 - Independence
Activity Assessment Objectives1: Establish independence of assurance providers.
Activity Assessment Step(s)2: Assess the independence of Internal Audit and other assurance providers.

Activity Title1: MEA02.05.03 - Competency and Qualifications
Activity Assessment Objectives1: Establish competency and qualification of assurance providers.
Activity Assessment Step(s)2: Determine the competency and qualifications of assurance providers.






MEA02.06 Management Practice1
Plan assurance initiatives. Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.

Activity Title1: MEA02.06.01 - Intended Users
Activity Assessment Objectives1: Determine the intended users of the assurance initiative output and the object of the review.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine if the objectives of the review have been clearly stated.

Activity Title1: MEA02.06.02 - Risk Assessment
Activity Assessment Objectives1: Perform a high-level risk assessment and/or assessment of process capability to diagnose risk and identify critical IT processes.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine if adequate risk assessment has been done.

Activity Title1: MEA02.06.03 - Control Objective Agreement
Activity Assessment Objectives1: Select, customize and reach agreement on the control objectives for critical processes that will be the basis for the control assessment.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine if control objectives for critical processes are the basis for the control assessment.






MEA02.07 Management Practice1
Scope assurance initiatives. Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.

Activity Title1: MEA02.07.01 - Scope Definition
Activity Assessment Objectives1: Define the actual scope by identifying the enterprise and IT goals for the environment under review, the set of IT processes and resources, and all the relevant auditable entities within the enterprise and external to the enterprise (e.g., service providers), if applicable.
Activity Assessment Step(s)2:
1. Verify that independent control reviews, certifications or accreditations are performed periodically according to risk and business objectives along with required external skill sets (e.g., conduct an annual risk assessment and define risk areas for review).
2. Obtain examples, if available.

Activity Title1: MEA02.07.02 - Resources
Activity Assessment Objectives1: Define the engagement plan and resource requirements.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine if planning and resource requirements have been done.

Activity Title1: MEA02.07.03 - Gather and Evaluate Information
Activity Assessment Objectives1: Define practices for gathering and evaluating information from process(es) under review to identify controls to be validated, and current findings (both positive assurance and any deficiencies) for risk evaluation.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine if planning steps are detailed and if risk is determined.

Activity Title1: MEA02.07.04 - Control Design Validation
Activity Assessment Objectives1: Define practices to validate control design and outcomes and determine whether the level of effectiveness supports acceptable risk (required by organizational or process risk assessment).
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine how control design is tested to support risk assessment.

Activity Title1: MEA02.07.05 - Residual Risk
Activity Assessment Objectives1: Where control effectiveness is not acceptable, define practices to identify residual risk (in preparation for reporting).
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine residual risk definitions.






MEA02.08 Management Practice1
Execute assurance initiatives. Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.

Activity Title1: MEA02.08.01 - Subject Definition
Activity Assessment Objectives1: Define the understanding of the IT assurance subject.
Activity Assessment Step(s)2: Verify that the SOx and IT Audit universe is complete and addresses all IT activities.

Activity Title1: MEA02.08.02 - Scope
Activity Assessment Objectives1: Define the scope of key control objectives for the IT assurance subject.
Activity Assessment Step(s)2: Determine how annual IT Audit and IT SOx work is scheduled and how key control objectives are determined.

Activity Title1: MEA02.08.03 - Testing
Activity Assessment Objectives1: Test the effectiveness of the control design of the key control objectives.
Activity Assessment Step(s)2: Verify that independent control reviews, certifications or accreditations are performed periodically according to risk and business objectives along with required external skill sets (e.g., conduct an annual risk assessment and define risk areas for review).

Activity Title1: MEA02.08.04 - Testing Outcomes
Activity Assessment Objectives1: Alternatively/additionally test the outcome of the key control objectives.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine if key control objectives have been achieved.

Activity Title1: MEA02.08.05 - Documentation
Activity Assessment Objectives1: Document the impact of control weaknesses.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine the documentation behind control weaknesses discovered.

Activity Title1: MEA02.08.06 - Communication
Activity Assessment Objectives1: Communicate with management during execution of the initiative so that there is a clear understanding of the work performed and agreement on and acceptance of the preliminary findings and recommendations.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine if they document management's understanding of the work.

Activity Title1: MEA02.08.07 - Supervision
Activity Assessment Objectives1: Supervise the assurance activities and make sure the work done is complete, meets objectives, and is of an acceptable quality.
Activity Assessment Step(s)2: Sample a set of IT internal audits and IT SOx tests to determine if they receive adequate supervision during the process.

Activity Title1: MEA02.08.08 - Reporting
Activity Assessment Objectives1: Provide management with a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.
Activity Assessment Step(s)2: Verify that the review results have been reported to an appropriate management level (e.g., audit committee) and remedial action has been initiated.






MEA02 Assessment Summary1

Management Practice: Monitor internal controls.
Practice Description: Continuously monitor, benchmark, and improve the IT control environment and control framework to meet organizational objectives.
Practice Assessment Summary:

Management Practice: Review business process controls effectiveness.
Practice Description: Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.
Practice Assessment Summary:

Management Practice: Perform control self-assessments.
Practice Description: Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management's control over processes, policies and contracts.
Practice Assessment Summary:

Management Practice: Identify and report control deficiencies.
Practice Description: Identify control deficiencies, analyze, and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.
Practice Assessment Summary:

Management Practice: Ensure that assurance providers are independent and qualified.
Practice Description: Ensure that the entities performing assurance are independent from the function, groups or organizations in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.
Practice Assessment Summary:

Management Practice: Plan assurance initiatives.
Practice Description: Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.
Practice Assessment Summary:

Management Practice: Scope assurance initiatives.
Practice Description: Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.
Practice Assessment Summary:

Management Practice: Execute assurance initiatives.
Practice Description: Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.
Practice Assessment Summary:






MEA02 Risk Summary1 Create multiple risk scenarios for each risk identified in the summary above that affects achieving the objective.



Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/vulnerability type and includes the actors, events, assets and time issues.



Risk Scenario Component (mark all that apply)

Threat Type (Describe the nature of the event)
[ ] Malicious [ ] Accidental [ ] Error [ ] Failure [ ] Natural [ ] External requirement

Actor (Who or what could trigger the threat that exploits a vulnerability)
[ ] Internal [ ] External [ ] Human [ ] Non-Human

Event (Something that happens that was not supposed to happen, something does not happen that was supposed to happen, or a change in circumstances. Events always have causes and usually have consequences. A consequence is the outcome of an event and has an impact on objectives.)
[ ] Disclosure [ ] Interruption [ ] Modification [ ] Theft [ ] Destruction [ ] Ineffective design [ ] Ineffective execution [ ] Rules and regulations [ ] Inappropriate use

Asset (An asset is something of tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation.)
[ ] Process [ ] People and Skills [ ] Organizational Structure [ ] Physical Infrastructure [ ] IT Infrastructure [ ] Information [ ] Applications

Resource (A resource is anything that helps to achieve a goal.)
[ ] Process [ ] People and Skills [ ] Organizational Structure [ ] Physical Infrastructure [ ] IT Infrastructure [ ] Information [ ] Applications

Time
Timing: [ ] Critical [ ] Non-Critical
Duration: [ ] Short [ ] Moderate [ ] Extended
Detection: [ ] Slow [ ] Moderate [ ] Instant
Time lag: [ ] Immediate [ ] Delayed
Velocity: [ ] Slowing [ ] Constant [ ] Increasing
Likelihood: [ ] Highly [ ] Moderate [ ] Unlikely
Impact: [ ] Great [ ] Moderate [ ] Little

Possible Risk Response
Risk Avoidance:
Risk Acceptance:
Risk Sharing/Transfer:
Risk Mitigation:


