Enabling Processes
CHAPTER 5
COBIT 5 PROCESS REFERENCE GUIDE CONTENTS
MEA02 Process Practices, Inputs/Outputs and Activities (cont.)

Management Practice: MEA02.07 Scope assurance initiatives.
Define and agree with management on the scope of the

Inputs
| From     | Description                                      |
| APO11.05 | Root causes of quality delivery failures         |
| APO12.06 | Risk-related root causes                         |
| DSS06.01 | Root cause analyses and recommendations          |
| MEA03.04 | Reports of non-compliance issues and root causes |

Outputs
| Description                | To       |
| Assurance review scope     | Internal |
| Engagement plan            | Internal |
| Assurance review practices | Internal |

Activities
1. Define the actual scope by identifying the enterprise and IT goals for the environment under review, the set of IT processes and resources, and all the relevant auditable entities within the enterprise and external to the enterprise (e.g., service providers), if applicable.
2. Define the engagement plan and resource requirements.
3. Define practices for gathering and evaluating information from the process(es) under review to identify controls to be validated, and current findings (both positive assurance and any deficiencies) for risk evaluation.
4. Define practices to validate control design and outcomes and determine whether the level of effectiveness supports acceptable risk (required by organisational or process risk assessment).
5. Where control effectiveness is not acceptable, define practices to identify residual risk (in preparation for reporting).
Management Practice: MEA02.08 Execute assurance initiatives.
Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.

Inputs
| From     | Description                                        |
| APO11.05 | Root causes of quality delivery failures           |
| APO12.04 | Risk analysis and risk profile reports for stakeholders |
| APO12.06 | Risk-related root causes                           |
| DSS05.02 | Results of penetration tests                       |
| DSS06.01 | Root cause analyses and recommendations            |
| MEA03.03 | Identified compliance gaps                         |

Outputs
| Description              | To                                                          |
| Refined scope            | All APO; All BAI; All DSS; All MEA                          |
| Assurance review results | EDM05.01; EDM05.03; All APO; All BAI; All DSS; All MEA      |
| Assurance review report  | EDM05.03; All APO; All BAI; All DSS; All MEA                |

Activities
5. Document the impact of control weaknesses.
6. Communicate with management during execution of the initiative so that there is a clear understanding of the work performed and agreement on and acceptance of the preliminary findings and recommendations.
8. Provide management with a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.
MEA02 Related Guidance
| Related Standard | Detailed Reference |
211
Monitor, Evaluate and Assess