
APO06 Manage Budget and Costs

Audit/Assurance Program
ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value
from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking,
and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers
the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework
that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical
skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security
Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control
(CRISC) credentials. The association has more than 200 chapters worldwide.
Disclaimer
ISACA has designed and created APO06 Manage Budget and Costs Audit/Assurance Program (the Work) primarily as an
educational resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful
outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, assurance professionals should apply their own professional judgement to the specific
circumstances presented by the particular systems or information technology environment.
Reservation of Rights
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Align-Plan-and-Organise.aspx
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-572-5

ISACA wishes to recognize:


Development Team
Stefanie Grijp, PwC, Belgium
Bart Peeters, CISA, PwC, Belgium
Dirk Steuperaert, CISA, CGEIT, CRISC, IT In Balance BVBA, Belgium
Sven Van Hoorebeeck, PwC, Belgium

Expert Reviewers
Steven De Haes, University of Antwerp - Antwerp Management School, Belgium
John E. Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, USA
Joanna Karczewska, CISA, Poland
Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina
Abdul Rafeq, CISA, CGEIT, CIA, FCA, Wincer Infotech Limited, India
Claus Rosenquist, CISA, CISSP, Nets Holding, Denmark
Lily Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
David A. Williams, CRISC, PMP, OceanFirst Bank, USA
Nikolaos Zacharopoulos, CISA, CISSP, MerckGroup, Germany
Daniel Zimerman, CISA, CRISC, CISSP, CEPT, CIH, GCIH, IQ Solutions, USA
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT I Enterprise Governance of IT (Pty) Ltd., South Africa

ISACA Board of Directors


Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Guidance and Practices Committee


Phil James Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Exp, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, Deloitte, USA
James Seaman, CISM, CRISC, A.Inst.IISP, CCP, QSA, RandomStorm Ltd, UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CRISC, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CISSP, MerckGroup, Germany


Table of Contents
Introduction (p. 5)
Assurance Engagement Approach Based on COBIT 5 (p. 5)
Generic Audit/Assurance Program (p. 6)
    Customization of the Audit/Assurance Program (p. 6)
About the Example Audit/Assurance Program: APO06 (p. 6)
Assurance Engagement: Manage Budget and Costs (p. 7)
    Assurance Topic (p. 7)
    Goal of the Review (p. 7)
    Scoping (p. 7)
COBIT 5-based Assurance Engagement Approach (p. 7)
    Phase A: Determine Scope of the Assurance Initiative (p. 8)
    Phase B: Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment (p. 12)
    Phase C: Communicate the Results of the Assessments (p. 29)


Introduction
This document contains an example audit/assurance program for a COBIT 5 process, based on the generic structure developed in section 2B of COBIT 5 for Assurance.¹

Figure 1: Generic COBIT 5-based Assurance Engagement Approach

Important Note
The engagement approach is based on, but differs slightly from, the generic approach described in COBIT 5 for Assurance:
• The order in which the enablers are discussed is different: the engagement approach described here is a process audit/assurance program; consequently the Process enabler is discussed first.
• The remaining six enablers are also included in the program, because they are relevant for a process assurance engagement as well. They have been grouped together to make the program more compact.

Assurance Engagement Approach Based on COBIT 5


The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use Organisational Structures
as well as Information items (inputs [I] and outputs [O]). When developing the audit/assurance program, it will become
clear that when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential
for duplication.
In the development of this audit/assurance program, care has been taken to avoid or minimize duplication, meaning
that:

¹ See www.isaca.org/COBIT/Pages/Assurance-product-page.aspx for more information on COBIT 5 for Assurance.


• Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can also be classified under the Information enabler heading and covered in detail there.
• Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage human resources.

In practice, assurance professionals will have to use their own professional judgment when developing their own
customized audit/assurance programs, to avoid duplication of work.
In addition, while audit/assurance programs will be available for each process, in practice, a group of processes are
often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to
be selected for conducting assurance.

Generic Audit/Assurance Program


The assurance approach depicted in figure 1 is described in more detail and developed into a generic audit/assurance program, including guidance on how to proceed during each step, in section 2B of COBIT 5 for Assurance. This audit/assurance program is:

• Fully aligned with COBIT 5:
  – It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.
  – It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.
• Comprehensive yet flexible. The generic program is comprehensive because it contains assurance steps covering all enablers in quite some detail, yet it is also flexible because this detailed structure enables clear and well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set of enablers or some enabler instances and, while the decision will reduce the scope and related assurance engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement user.
• Easy to understand, follow and apply because of its clear structure:
  – The table follows the flow described in figure 1, but splits each phase into different steps and substeps.
  – For each step, a short description is included, as is guidance for the assurance professional on how to proceed with the step (text in italics).

Additional guidance on how to use other IT assurance-related standards for performing assurance can be found in section 3 of COBIT 5 for Assurance.

Customization of the Audit/Assurance Program


Customization and completion of the example audit/assurance program in this document is required, and consists of refining the scope by selecting goals and enabler instances; the lists included in the example are comprehensive, yet still are examples (i.e., different strategic priorities of the enterprise may dictate a different scope). The lists can also be considered prohibitive by some, as they can lead to a very broad scope, and therefore a very expensive assurance engagement; selection and prioritization will be required. The assurance professional will need to consider the following steps:

• Determine the stakeholders of the assurance initiative and their stake.
• Determine the assurance objectives based on assessment of the internal and external environment/context, including the strategic objectives, goals (figures 40 and 41 of COBIT 5 for Assurance) and priorities of the enterprise.
• Determine the enablers in scope and the instance(s) of the enablers in scope.

About the Example Audit/Assurance Program: APO06


In the next section, the assurance topic at hand, process APO06 Manage budget and costs, is fully addressed based on the generic audit/assurance program. The detailed program contains the following additional information:

• In the Guidance column, the shaded text is specific to the example and provides practical guidance, e.g., examples of the Organisational Structures to include in scope, setting assessment criteria for the different enablers and actually assessing the different enablers.


• Two additional columns are included, in which the assurance professional can identify and cross-reference issues and record comments.

Assurance Engagement: Manage budget and costs


Assurance Topic
The topic covered by this document is process APO06 Manage budget and costs.

Goal of the Review


The goal of the review is to provide assurance over the APO06² process that ensures:

• There is a partnership between IT and enterprise stakeholders to enable the effective and efficient use of IT-related resources.
• There is transparency and accountability of the cost and business value of solutions and services.
• The enterprise is enabled to make informed decisions regarding the use of IT solutions and services.

Scoping
The scope of the assurance engagement is expressed as a function of the seven COBIT 5 enablers, with a focus on
the Process enabler. The process content is taken directly from the detailed process descriptions in COBIT 5:
Enabling Processes, i.e., these are standard COBIT 5 processes. Other enablers are also directly based on the same
process descriptions, e.g., the Organisational Structures and Information items.
Other enablers are described in a more generic way and may require customization before the audit/assurance
program can be applied.

COBIT 5-based Assurance Engagement Approach


The audit/assurance program is divided into three sections:

• Phase A: Determine Scope of the Assurance Initiative. In phase A of the assurance workflow, the auditor scopes the assurance engagement. This process defines the scope in the COBIT 5 terms of enterprise goals, IT-related goals and enablers.
• Phase B: Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment. In phase B of the assurance workflow, the auditor:
  – Builds an understanding of the subject matter over which assurance needs to be provided. The subject matter is expressed in terms of COBIT 5 enablers.
  – Obtains agreement over the assessment criteria that will be used during the assurance engagement.
  – Assesses the design and outcomes of the enablers.
• Phase C: Communicate the Results of the Assessments. In phase C of the assurance workflow, the auditor communicates the observations to the initiative stakeholders. This includes carefully documenting all weaknesses or exceptions found and communicating them to stakeholders effectively and efficiently, with a view to initiating the appropriate response.

² Additional related guidance for APO06 can be found in COBIT 5: Enabling Processes, p. 82.

Phase A: Determine Scope of the Assurance Initiative
Columns of the program table: Ref. | Assurance Step | Issue Cross-reference | Guidance | Comment (the Issue Cross-reference and Comment columns are left for the assurance professional to complete).

A-1 Determine the stakeholders of the assurance initiative and their stake.

A-1.1 Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the assurance objective.
Guidance (Intended user(s) of the assurance report): Describe the users of the assurance report and their stakes.

A-1.2 Identify the interested parties, accountable and responsible for the subject matter over which assurance needs to be provided.
Guidance (Accountable and responsible parties for the subject matter): Describe the accountable and responsible parties for the subject matter over which assurance is to be provided; COBIT 5 includes a summary description of a comprehensive set of roles that can be used as starting point for this audit step (COBIT 5 framework, appendix 6, p. 76); COBIT 5 for Assurance also provides a summary description of a comprehensive set of assurance roles, see section 2A, chapter 4, p. 37.

A-2 Determine the assurance objectives based on assessment of the internal and external environment/context and of the relevant risk and related opportunities (i.e., not achieving the enterprise goals).
Guidance: Assurance objectives are essentially a more detailed and tangible expression of those enterprise objectives relevant to the subject of the assurance engagement. Enterprise objectives can be formulated in terms of the generic enterprise goals (COBIT 5 framework) or they can be expressed more specifically. Objectives of the assurance engagement can be expressed using the COBIT 5 enterprise goals, the IT-related goals (which relate more to technology), information goals or any other set of specific goals.

A-2.1 Understand the enterprise strategy and priorities.
Guidance: Inquire with executive management or through available documentation (corporate strategy, annual report) about the enterprise strategy and priorities for the coming period, and document them to the extent the process under review is relevant.

A-2.2 Understand the internal context of the enterprise.
Guidance: Identify all internal environmental factors that could influence the performance of the process under review.

A-2.3 Understand the external context of the enterprise.
Guidance: Identify all external environmental factors that could influence the performance of the process under review.

A-2.4 Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for the assurance engagement.
Guidance: The following goals can be retained as key goals to be supported, in reflection of enterprise strategy and priorities.³
Key goals
Enterprise goals:
• EG12 Optimisation of business process costs
IT-related goals:
• ITG05 Realised benefits from IT-enabled investments and services portfolio
• ITG06 Transparency of IT costs, benefits and risk
Additional goals
Enterprise goals:
• EG01 Stakeholder value of business investments
• EG02 Portfolio of competitive products and services
• EG05 Financial transparency
• EG10 Optimisation of service delivery costs
IT-related goals:
• ITG01 Alignment of IT and business strategy
• ITG03 Commitment of executive management for making IT-related decisions
• ITG04 Managed IT-related business risk
• ITG07 Delivery of IT services in line with business requirements
• ITG08 Adequate use of applications, information and technology solutions
• ITG11 Optimisation of IT assets, resources and capabilities
• ITG13 Delivery of programmes delivering benefits on time, on budget, and meeting requirements and quality standards

A-2.5 Define the organizational boundaries of the assurance initiative.
Guidance: Describe the organizational boundaries of the assurance engagement, i.e., to which organizational entities the review is limited. All other aspects of scope limitation are identified during phase A-3.

A-3 Determine the enablers in scope and the instance(s) of the enablers in scope.
Guidance: The scope of this assurance engagement is a process. Nevertheless, as per the COBIT 5 enabler model, all related enablers will have to be considered for inclusion in the scope as well.

A-3.1 Define the Process in scope of the review.
Guidance: The following process as defined in COBIT 5: Enabling Processes is in scope of this assurance engagement: APO06 Manage budget and costs.

A-3.2 Define the related enablers. Related enablers include:
• Principles, Policies and Frameworks
• Organisational Structures
• Culture, Ethics and Behaviour
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies
Guidance:
Principles, Policies and Frameworks: In the context of this process review, and taking into account the goals identified in A-2.4, the following Principles, Policies and Frameworks could be considered in scope of the review:⁴
<list here the most relevant Principles, Policies and Framework elements>
Organisational Structures: Based on the process under review, the following Organisational Structures and functions are considered to be in scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail:⁵
• Chief financial officer (CFO)
• Value management office
• Chief information officer (CIO)
• Head IT administration
Culture, Ethics and Behaviour: In the context of this process review, the following enterprisewide Behaviours are in scope:
<list here the most relevant Behaviour elements>
Information items: Based on the process under review, the following Information items are considered to be in scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail.⁶
APO06.01:
• Asset register (I)
• Accounting processes (O)
• IT costs classification scheme (O)
• Financial planning practices (O)
APO06.02:
• Evaluation of investments and services portfolios (I)
• Prioritisation and ranking of IT initiatives (O)
• Actions to improve value delivery (I)
• Proof-of-concept scope and outline business case (I)
• Investment return expectations (I)
• Business case assessments (I)
• Programme business case (I)
• Budget allocations (O)
APO06.03:
• IT budget and plan (O)
• Budget communications (O)
APO06.04:
• Categorised IT costs (O)
• Cost allocation model (O)
• Cost allocation communications (O)
• Operational procedures (O)
APO06.05:
• Feedback on portfolio and programme performance (I)
• Cost data collection method (O)
• Programme benefit realisation plan (I)
• Cost consolidation method (O)
• Programme budget and benefits register (I)
• Results of benefit realisation monitoring (I)
• Cost optimisation opportunities (O)
Services, Infrastructure and Applications: In the context of this process review, and taking into account the goals identified in A-2.4, the following Services and related Infrastructure or Applications could be considered in scope of the review:
<list here the most relevant Services, Infrastructure and Applications components in scope>
People, Skills and Competencies: In the context of this process review, taking into account key processes and key roles, the following Skill sets are included in scope:
• Knowledge of financial management
• Other relevant Skill sets required

³ The suggested set of enterprise goals can and should vary with enterprise strategy and priorities. However, in this generic program the following logic was applied: first the mapping table between IT processes and IT-related goals (COBIT 5: Enabling Processes, appendix B, p. 227-229) was used. The mappings between the process at hand and the IT goals listed as P are retained as key IT-related goals. The mappings listed as S are retained as additional IT-related goals. Next, the mapping table between enterprise goals and IT-related goals (COBIT 5: Enabling Processes, appendix B, p. 226) is used. The previously selected key IT-related goals are looked up, and those enterprise goals that support half or more of the IT-related goals as P are retained as key enterprise goals. The remaining enterprise goals listed as P are retained as additional enterprise goals. Again, after application of the logic described here, the resulting set of goals should be reviewed and tailored if necessary.
⁴ The logic applied here is the following: if there are any Policies or Frameworks identified as inputs or outputs of any of the process practices of the process under review, they will be included here.
⁵ Only those roles that have an A or R in the RACI chart of the process are included here. Roles are taken from the RACI charts in COBIT 5: Enabling Processes; some more specific roles may be taken from COBIT 5 for Assurance, COBIT 5 for Risk or COBIT 5 for Information Security.
⁶ Leverage the inputs and outputs (also referred to as work products) described for each process practice in COBIT 5: Enabling Processes to identify the most relevant or important information items. All inputs and outputs are listed here, with those work products written in italic font to be dealt with (in more detail) as part of the Information enabler.

Phase BUnderstand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Ref.
B-1
B-1.1

Issue Crossreference

Assurance Steps and Guidance


Agree on metrics and criteria for enterprise goals and IT-related goals.
Assess enterprise goals and IT-related goals.
Obtain (and agree on) metrics for enterprise goals and expected values of the metrics and assess whether enterprise goals in scope are
achieved.
Leverage the list of suggested metrics for the enterprise goals to define, discuss and agree on a set of relevant, customized metrics for the
enterprise goals, taking care that the suggested metrics are driven by the performance of the topic of this assurance initiative.
Next, agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
The following metrics and expected values are agreed on for the key enterprise goals defined in step A-2.4.
Enterprise Goal
Metric
Expected Outcome (Ex)
Assessment Step
EG12 Optimisation of
Agree on the expected
In this step, the related metrics for each

Frequency of business process


business process costs
values for these metrics,
goal will be reviewed and an assessment
cost optimisation assessments
i.e., the values against
will be made whether the defined criteria

Trend of cost assessment vs.


which the assessment
are achieved.
service level results
will take place.

Satisfaction levels of board and

B-1.2

B-2
B-2.1

executive management with


business processing costs
Obtain (and agree on) metrics for IT-related goals and expected values of the metrics and assess whether IT-related goals in scope are
achieved.
The following metrics and expected values are agreed on for the key IT-related goals defined in Step A-2.4.
IT-related Goal
Metric
Expected Outcome (Ex)
Assessment Step
ITG05 Realised benefits
Agree on the expected
In this step, the related metrics for each

Percent of IT-enabled
from IT-enabled
values for the IT-related
goal will be reviewed and an assessment
investments where benefit
investments and
goal metrics, i.e., the
will be made whether the defined criteria
realisation is monitored through
services portfolio
values against which the
are achieved.
full economic life cycle
assessment will take

Percent of IT services where


place.
expected benefits are realised

Percent of IT-enabled
investments where claimed
benefits are met or exceeded
ITG06 Transparency of
Agree on the expected
In this step, the related metrics for each

Percent of investment business


IT costs, benefits and
values for the IT-related
goal will be reviewed and an assessment
cases with clearly defined and
risk
goal metrics, i.e., the
will be made whether the defined criteria
approved expected IT-related
values against which the
are achieved.
costs and benefits
assessment will take

Percent of IT services with


place.
clearly defined and approved
operational costs and expected
benefits

Satisfaction survey of key


stakeholders regarding the
transparency, understanding and
accuracy of IT financial
information
Obtain understanding of the Process in scope and set suitable assessment criteria.
Assess the Process. 7
Understand the Process purpose.

ISACA 2014

All rights reserved.

13

Comment

APO06 Manage Budget and Costs


Audit/Assurance Program
Phase BUnderstand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Ref.

B-2.2

B-2.2
Cont.

Issue Crossreference

Assurance Steps and Guidance


The purpose of process APO06 is as per the standard COBIT 5 process statement: Foster partnership between IT and enterprise
stakeholders to enable the effective and efficient use of IT-related resources and provide transparency and accountability of the cost and
business value of solutions and services. Enable the enterprise to make informed decisions regarding the use of IT solutions and services.
Understand the Process goals and related metrics and define expected values (criteria), and assess whether the Process goals
(outcomes) are achieved, i.e., assess the effectiveness of the Process.
The process APO06 Manage budget and costs has four standard defined process goals, as
described in COBIT 5: Enabling Processes, chapter 5, p. 79. Based on these goals and their
related metrics, the subset of following goals and associated metrics are defined for this
process.
Process Goal / Related Metric / Criteria/Expected Value / Assessment Step

Process Goal: A transparent and complete budget for IT accurately reflects planned expenditures.
Related Metrics:
- Number of budget changes due to omissions and errors
- Number of deviations between expected and actual budget categories
Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process Goal: The allocation of IT resources for IT initiatives is prioritised based on enterprise needs.
Related Metrics:
- Percent of alignment of IT resources with high-priority initiatives
- Number of resource allocation issues escalated
Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process Goal: Costs for services are allocated in an equitable way.
Related Metric:
- Percent of overall IT costs that are allocated according to the agreed-on cost models
Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.

Process Goal: Budgets can be accurately compared to actual costs.
Related Metric:
- Percent of variance amongst budgets, forecasts and actual costs
Criteria/Expected Value: Agree on the expected values for the Process goal metrics, i.e., the values against which the assessment will take place.
Assessment Step: In this step, the related metrics for each goal will be reviewed and an assessment will be made whether the defined criteria are achieved.
The process APO06 Manage budget and costs is described in COBIT 5: Enabling Processes. The Process requires a number of management practices to be implemented, as described in the process description in the same guide. These are listed as Process Practices below. Each practice is typically implemented through a number of activities, and a well-designed process will implement all these practices and activities.
A sound process design is the reference against which the process will be assessed in phase C, with the criteria as mentioned, i.e., all management practices are expected to be fully implemented.
Process Practice / Reference / Assessment Step

Because this is a process audit/assurance program, several of the assurance steps from COBIT 5 for Assurance have been combined or removed.

ISACA 2014

All rights reserved.

14

Comment

APO06 Manage Budget and Costs


Audit/Assurance Program
Phase B: Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Ref. / Issue Cross-reference / Assurance Steps and Guidance / Comment

B-2.2 Cont.

APO06.01 Manage finance and accounting.
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Define processes, inputs and outputs, and responsibilities in alignment with the enterprise budgeting and cost accounting policies and approach to systematically drive IT budgeting and costing; enable fair, transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of IT-enabled business programmes; and ensure that budgets and costs are maintained in the IT asset and services portfolios.
2. Define a classification scheme to identify all IT-related cost elements, how they are allocated across budgets and services, and how they are captured.
3. Use financial and portfolio information to provide input to business cases for new investments in IT assets and services.
4. Define how to analyse, report (to whom and how), and use the budget control and benefit management processes.
5. Establish and maintain practices for financial planning, investment management and decision making, and the optimisation of recurring operational costs to deliver maximum value to the enterprise for the least expenditure.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
- Accountability and responsibility are assigned and assumed.
- Accountability and responsibility are assigned at the appropriate level in the organisation.

APO06.02 Prioritise resource allocation.
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Establish a decision-making body for prioritising business and IT resources, including use of external service providers within the high-level budget allocations for IT-enabled programmes, IT services and IT assets as established by the strategic and tactical plans. Consider the options for buying or developing capitalised assets and services vs. externally utilised assets and services on a pay-for-use basis.
2. Rank all IT initiatives based on business cases and strategic and tactical plans, and establish procedures to determine budget allocations and cut-off. Establish a procedure to communicate budget decisions and review them with the business unit budget holders.
3. Identify, communicate and resolve significant impacts of budget decisions on business cases, portfolios and strategy plans (e.g., when budgets may require revision due to changing enterprise circumstances, when they are not sufficient to support strategic objectives or business case objectives).
4. Obtain ratification from the executive committee for the overall IT budget changes that negatively impact the entity's strategic or tactical plans and offer suggested actions to resolve these impacts.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
- Accountability and responsibility are assigned and assumed.
- Accountability and responsibility are assigned at the appropriate level in the organisation.

APO06.03 Create and maintain budgets.
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Implement a formal IT budget, including all expected IT costs of IT-enabled programmes, IT services and IT assets as directed by the strategy, programmes and portfolios.
2. When creating the budget, consider the following components:
   - Alignment with the business
   - Alignment with the sourcing strategy
   - Authorised sources of funding
   - Internal resource costs, including personnel, information assets and accommodations
   - Third-party costs, including outsourcing contracts, consultants and service providers
   - Capital and operational expenses
   - Cost elements that depend on the workload
3. Document the rationale to justify contingencies and review them regularly.
4. Instruct process, service and programme owners, as well as project and asset managers, to plan budgets.
5. Review the budget plans and make decisions about budget allocations. Compile and adjust the budget based on changing enterprise needs and financial considerations.
6. Record, maintain and communicate the current IT budget, including committed expenditures and current expenditures, considering IT projects recorded in the IT-enabled investment portfolios and operation and maintenance of asset and service portfolios.
7. Monitor the effectiveness of the different aspects of budgeting and use the results to implement improvements to ensure that future budgets are more accurate, reliable and cost-effective.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
- Accountability and responsibility are assigned and assumed.
- Accountability and responsibility are assigned at the appropriate level in the organisation.

APO06.04 Model and allocate costs.
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Categorise all IT costs appropriately, including those relating to service providers, according to the enterprise management accounting framework.
2. Inspect service definition catalogues to identify services subject to user chargeback and those that are shared services.
3. Define and agree on a model that:
   - Supports the calculation of chargeback rates per service
   - Defines how IT costs will be calculated/charged
   - Is differentiated, where and when appropriate
   - Is aligned with the IT budget
4. Design the cost model to be transparent enough to allow users to identify their actual usage and charges, and to better enable predictability of IT costs and efficient and effective utilisation of IT resources.
5. After review with user departments, obtain approval and communicate the IT costing model inputs and outputs to the management of user departments.
6. Communicate changes in the cost/chargeback model with enterprise process owners.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
- Accountability and responsibility are assigned and assumed.
- Accountability and responsibility are assigned at the appropriate level in the organisation.

APO06.05 Manage costs.
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management practice is effectively implemented through the following typical (control) activities:
1. Ensure proper authority and independence between IT budget holders and the individuals who capture, analyse and report financial information.
2. Establish time scales for the operation of the cost management process in line with budgeting and accounting requirements.
3. Define a method for the collection of relevant data to identify deviations for:
   - Budget control between actual and budget
   - Benefit management of:
     - Actual vs. targets for investments or solutions; possibly expressed in terms of ROI, NPV or IRR
     - The actual trend of service cost for cost optimisation of services (e.g., defined as cost per user)
     - Actual vs. budget for responsiveness and predictability improvements of solutions delivery
   - Cost distribution between direct and indirect (absorbed and unabsorbed) costs
4. Define how costs are consolidated for the appropriate levels in the enterprise and how they will be presented to the stakeholders. The reports provide information to enable the timely identification of required corrective actions.
5. Instruct those responsible for cost management to capture, collect and consolidate the data, and present and report the data to the appropriate budget owners. Analysts and owners jointly analyse deviations and compare performance to internal and industry benchmarks. The results of the analysis provide an explanation of significant deviations and the suggested corrective actions.
6. Ensure that the appropriate levels of management review the results of the analysis and approve suggested corrective actions.
7. Align IT budgets and services to the IT infrastructure, enterprise processes and owners who use them.
8. Ensure that changes in cost structures and enterprise needs are identified and budgets and forecasts are revised as required.
9. At regular intervals, and especially when budgets are cut due to financial constraints, identify ways to optimise costs and introduce efficiencies without jeopardising services.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual accountability and responsibility for this practice and assess whether:
- Accountability and responsibility are assigned and assumed.
- Accountability and responsibility are assigned at the appropriate level in the organisation.

B-2.3
Agree on the Process work products (inputs and outputs as defined in the process practices description) that are expected to be present (process design).
Assess the extent to which the process work products are available.
The Process APO06 identifies a set of inputs and outputs for the different management practices. The most relevant of these work products (and those not assessed as Information items in scope in section A-3.2) are identified as follows, as well as the criteria against which they will be assessed, i.e., existence and usage.
Criteria: All listed work products should demonstrably exist and be used.
Process Practice / Work Product (8) / Assessment Step
APO06.01
- Asset register (I)
- Accounting processes (O)
- IT costs classification scheme (O)
- Financial planning practices (O)
APO06.02
- Evaluation of investments and services portfolios (I)
- Actions to improve value delivery (I)
- Proof-of-concept scope and outline business case (I)
- Investment return expectations (I)
- Business case assessments (I)
- Programme business case (I)
- Budget allocations (O)
APO06.03
- Budget communications (O)
APO06.04
- Categorised IT costs (O)
- Cost allocation communications (O)
- Operational procedures (O)
APO06.05
- Feedback on portfolio and programme performance (I)
- Cost data collection method (O)
- Programme benefit realisation plan (I)
- Cost consolidation method (O)
- Programme budget and benefits register (I)
- Results of benefit realisation monitoring (I)
Assessment Step (for all work products): Apply appropriate auditing techniques to determine for each work product:
- Existence of the work product
- Appropriate use of the work product

8 Only the work products not already dealt with (in more detail) as part of the Information enabler are listed here.
B-2.4
Agree on the Process capability level to be achieved by the process.
Process APO06 is, given the strategic priorities, important, and will require the following Process capability level and attributes, which is equivalent to achieving a Process capability level _____. (9)
B-3
Obtain understanding of the Principles, Policies and Frameworks in scope.
Assess Principles, Policies and Frameworks.
Repeat steps B-3.1 through B-3.5 for all Principles, Policies and Frameworks in scope.
B-3.1
Understand the Principles, Policies and Frameworks context.
Obtain understanding of the overall system of internal control and the associated Principles, Policies and Frameworks.
B-3.2
Understand the stakeholders of the Principles, Policies and Frameworks
Understand the stakeholders in the policies. The stakeholders for the policies include those setting the policies and those who need to be in
compliance with the policies.
B-3.3
Understand the goals for the Principles, Policies and Frameworks, and the related metrics, and agree on expected values.
Assess whether the Principles, Policies and Frameworks goals (outcomes) are achieved, i.e., assess the effectiveness of the Principles,
Policies and Frameworks.
Goal / Criteria / Assessment Step
Comprehensiveness
Criteria: The set of policies is comprehensive in its coverage.
Assessment Step: Verify that the set of policies is comprehensive in its coverage.
Currency
Criteria: The set of policies is up to date. This at least requires:
- A regular validation of all policies whether they are still up to date
- An indication of the policies' expiration date or date of last update
Assessment Step: Verify that the set of policies is up to date. This at least requires:
- A regular validation of all policies whether they are still up to date
- An indication of the policies' expiration date or date of last update
Flexibility
Criteria: The set of policies is flexible. It is structured in such a way that it is easy to add or update policies as circumstances require.
Assessment Step: Verify the flexibility of the set of policies, i.e., that it is structured in such a way that it is easy to add or update policies as circumstances require.
Availability
Criteria:
- Policies are available to all stakeholders.
- Policies are easy to navigate and have a logical and hierarchical structure.
Assessment Step:
- Verify that policies are available to all stakeholders.
- Verify that policies are easy to navigate and have a logical and hierarchical structure.

9 This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which no reference practices, work products or outcomes are approved, cannot use this assessment method; therefore the concept of capability level does not apply.
B-3.4
Understand the life cycle stages of the Principles, Policies and Frameworks, and agree on the relevant criteria. Assess to what extent the
Principles, Policies and Frameworks life cycle is managed.
The life cycle of the IT-related policies is managed by the Process APO01. The review of this life cycle is therefore equivalent to a process
review of process APO01 Manage the IT management framework.
B-3.5
Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and
Frameworks design, i.e., assess the extent to which expected good practices are applied.
The assurance professional will, by using appropriate auditing techniques, assess the following aspects.
Good Practice / Criteria / Assessment Step
Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment Step: Verify that the scope of the framework is described and the validity date is indicated.
Exception and escalation
Criteria:
- The exception and escalation procedure is explained and commonly known.
- The exception and escalation procedure has not become de facto standard procedure.
Assessment Step:
- Verify that the exception and escalation procedure is described, explained and commonly known.
- Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.
Compliance
Criteria: The compliance checking mechanism and non-compliance consequences are clearly described and enforced.
Assessment Step: Verify that the compliance checking mechanism and non-compliance consequences are clearly described and enforced.
B-4
Obtain understanding of the Organisational Structures in scope.
Assess the Organisational Structures.
Repeat steps B-4.1 through B-4.5 for each Organisational Structure in scope, as determined in step A-3.2.
B-4.1
Understand the Organisational Structure context.
Identify and document all elements that can help to understand the context in which the Organisational Structure/role has to operate, including:
- The overall organisation
- Management/process framework
- History of the role/structure
- Contribution of the Organisational Structure to achievement of goals
B-4.2
Understand all stakeholders of the Organisational Structure/function.
Determine through documentation review (policies, management communications, etc.) the key stakeholders of the role, i.e.:
- Incumbent of the role and/or members of the Organisational Structure
- Other key stakeholders affected by the decisions of the Organisational Structure/role
B-4.3
Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these goals
contribute to the achievement of the enterprise goals and IT-related goals.
Organisational Structure Goal / Assessment Step
Organisational Structure Goal: Determine through interviews with key stakeholders and documentation review the goals of the Organisational Structures, i.e., the decisions for which they are accountable. (10, 11)
Note: Very often, the goals of an Organisational Structure (making decisions) are already described by some of the process practices and/or process activities in COBIT 5: Enabling Processes. Therefore, they will be part of the process review and should not be repeated here. Only when very specific decisions would be required is there a need to list them explicitly in this step.
Assessment Step: This step only applies if specific goals are defined. In that case, the assurance professional will use appropriate auditing techniques to:
- Identify the decisions made by the Organisational Structure.
- Assess whether decisions are appropriately documented and communicated.
- Evaluate the decisions by assessing whether:
  - They have contributed to the achievement of the IT-related and enterprise goals as anticipated.
  - Decisions are duly executed on a timely basis.
B-4.4
Agree on the expected good practices for the Organisational Structure against which it will be assessed.
Assess the Organisational Structure design, i.e., assess the extent to which expected good practices are applied.
Good Practice / Criteria / Assessment Step
Operating principles
Criteria:
- Operating principles are documented.
- Regular meetings take place as defined in operating principles.
- Meeting reports/minutes are available and are meaningful.
Assessment Step:
- Verify whether operating principles are appropriately documented.
- Verify that regular meetings take place as defined in the operating principles.
- Verify that meeting reports/minutes are available and are meaningful.
Composition
Criteria: The Organisational Structure's composition is balanced and complete, i.e., all required stakeholders are sufficiently represented.
Assessment Step: Assess whether the Organisational Structure's composition is balanced and complete, i.e., all required stakeholders are sufficiently represented.
Span of control
Criteria:
- The span of control of the Organisational Structure is defined.
- The span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should.
- The span of control is in line with the overall enterprise governance arrangements.
Assessment Step:
- Verify whether the span of control of the Organisational Structure is defined.
- Assess whether the span of control is adequate, i.e., the Organisational Structure has the right to make all decisions it should.
- Verify and assess whether the span of control is in line with the overall enterprise governance arrangements.
Level of authority/decision rights
Criteria:
- Decision rights of the Organisational Structure are defined and documented.
- Decision rights of the Organisational Structure are respected and complied with (also a culture/behaviour issue).
Assessment Step:
- Verify that decision rights of the Organisational Structure are defined and documented.
- Verify whether decision rights of the Organisational Structure are complied with and respected.
Delegation of authority
Criteria: Delegation of authority is implemented in a meaningful way.
Assessment Step: Verify whether delegation of authority is implemented in a meaningful way.
Escalation procedures
Criteria: Escalation procedures are defined and applied.
Assessment Step: Verify the existence and application of escalation procedures.
B-4.5
Understand the life cycle and agree on expected values.
Assess the extent to which the Organisational Structure life cycle is managed.
Life Cycle Element / Criteria / Assessment Steps
Mandate
Criteria:
- The Organisational Structure is formally established.
- The Organisational Structure has a clear, documented and well-understood mandate.
Assessment Steps:
- Verify through interviews and observations that the Organisational Structure is formally established.
- Verify through interviews and observations that the Organisational Structure has a clear, documented and well-understood mandate.
Monitoring
Criteria:
- The performance of the Organisational Structure and its members should be regularly monitored and evaluated by competent and independent assessors.
- The regular evaluations should result in the required continuous improvements to the Organisational Structure, either in its composition, mandate or any other parameter.
Assessment Steps:
- Verify whether the performance of the Organisational Structure and its members is regularly monitored and evaluated by competent and independent assessors.
- Verify whether the regular evaluations have resulted in improvements to the Organisational Structure, in its composition, mandate or any other parameter.

10 The RACI charts in COBIT 5: Enabling Processes can be leveraged as a starting point for the expected goals of a role or Organisational Structure.
11 The Organisational Structure/role as described may not exist under the same name in the enterprise; in that case, the closest Organisational Structure assuming the same responsibilities and accountability should be considered.
B-5
Obtain understanding of the Culture, Ethics and Behaviour in scope.
Assess Culture, Ethics and Behaviour.
Repeat steps B-5.1 through B-5.5 for each Culture, Ethics, and Behaviour aspect in scope.
B-5.1
Understand the Culture, Ethics and Behaviour context.
Understand the context of the Culture/Ethics/Behaviour, i.e.:
- What the overall corporate Culture is like
Understand the interconnection with other enablers in scope:
- Identify roles and structures that could be affected by the Culture.
- Identify processes that could be affected by Culture, Ethics and Behaviour, including any processes in scope of the review.
B-5.2
Understand the major stakeholders of the Culture, Ethics and Behaviour.
Understand to whom the behaviour requirements will apply, i.e., understand who embodies the roles/structures expected to demonstrate
the correct set of Behaviours. This is usually linked to the roles and Organisational Structures identified in scope.
B-5.3
Understand the goals for the Culture, Ethics and Behaviour, and the related metrics and agree on expected values.
Assess whether the Culture, Ethics and Behaviour goals (outcomes) are achieved, i.e., assess the effectiveness of the Culture, Ethics
and Behaviour.
Desired Behaviour (Culture, Ethics and Behaviour Goal) / Assessment Step
Desired Behaviour (Culture, Ethics and Behaviour Goal): Define what constitutes desired and undesirable Behaviours and why they are so classified, i.e., relate Behaviours to the organisational ethics and values by which the enterprise wants to live in support of enterprise goals.
Assessment Step: Culture and especially Behaviours are associated with individuals and the Organisational Structures of which they are a part; therefore, by using appropriate auditing techniques, the assurance professional will:
- Identify individuals who must comply with the Behaviours under review.
- Identify the Organisational Structures involved.
- Assess whether desired Behaviours can be observed.
- Assess whether undesirable Behaviours are absent.
B-5.4
Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria.
Assess the extent to which the Culture, Ethics and Behaviour life cycle is managed.
(This aspect is already covered by the assessment of the good practices, so no additional assurance steps are defined here.)
B-5.5
Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria.
Assess the Culture, Ethics and Behaviour design, i.e., assess to what extent expected good practices are applied.
Good Practice / Criteria / Assessment Step
Communication, enforcement and rules
Criteria: Existence and quality of the communication
Incentives and rewards
Criteria: Existence and application of appropriate rewards and incentives
Awareness
Criteria: Awareness of desired Behaviours
Assessment Step (for all three good practices): Apply appropriate auditing techniques to assess whether the good practice is adequately applied, i.e., assessment criteria are met.
B-6

Obtain understanding of the Information items in scope.


Assess Information items.
Repeat steps B-6.1 through B-6.5 for each Information item defined in scope in A-3.2.
B-6.1
Understand the Information item context:
- Where and when is it used?
- For what purpose is it used?
Understand the connection with other enablers in scope, e.g.:
- Used by which processes?
- Which Organisational Structures are involved (see also B-4.2)?
- Which services/applications are involved?
B-6.2
Understand the major stakeholders of the Information item.
Understand the stakeholders for the Information item, i.e., identify the:
- Information producer
- Information custodian
- Information consumer
Stakeholders should be at the appropriate organisational level.
B-6.3
Understand the major quality criteria for the Information item, the related metrics and agree on expected values.
Assess whether the Information item quality criteria (outcomes) are achieved, i.e., assess the effectiveness of the Information item.
Leverage the COBIT 5 Information enabler model (12), focussing on the quality goals description, to select the most relevant Information quality criteria for the Information item at hand. Document expectations regarding information criteria. The COBIT 5 Information enabler model identifies 15 different quality criteria; although all of them are relevant, it is nonetheless possible and recommended to focus on a subset of the most important criteria for the Information item at hand. Mark the quality dimensions with a ✓ that are deemed most important (key criteria) and that, by consequence, will be assessed against the described criteria.
The assurance professional will, by using appropriate auditing techniques, verify all quality criteria in scope and assess whether the criteria are met.
Quality Dimension / Key Criteria / Description / Assessment Step
- Accuracy
- Objectivity
- Believability
- Reputation
- Relevancy
- Completeness
- Currency
- Amount of information
- Concise representation
- Consistent representation
- Interpretability
- Understandability
- Manipulation
- Availability
- Restricted access

12 COBIT 5 framework, appendix G, p. 81-84
B-6.4
Understand the life cycle stages of the Information item, and agree on the relevant criteria.
Assess to what extent the Information item life cycle is managed.
The life cycle of any Information item is managed through several business and IT-related processes. The scope of this review already includes a review of (IT-related) processes, so this aspect does not need to be duplicated here.
- When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently.
- When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be assessed.
Mark the life cycle stages with a ✓ that are deemed most important (key criteria) and that, by consequence, will be assessed against the described criteria.
Life Cycle Stage / Key Criteria / Description / Assessment Step
- Plan
- Design
- Build/acquire
- Use/operate
- Evaluate/monitor
- Update/dispose
B-6.5
Understand important attributes of the Information item and expected values.
Assess the Information item design, i.e., assess the extent to which expected good practices are applied.
Good practices for Information items are defined as a series of attributes for the Information item (13). The assurance professional will, by using appropriate audit techniques, verify all attributes in scope and assess whether the attributes are adequately defined.
Mark the attributes with a ✓ that are deemed most important (key criteria) and that, by consequence, will be assessed against the described criteria.
Attribute / Key Criteria / Description / Assessment Step
- Physical
- Empirical
- Syntactic
- Semantic
- Pragmatic
- Social

13 COBIT 5 framework, appendix G, p. 81-84

ISACA 2014

All rights reserved.

24

Comment

APO06 Manage Budget and Costs


Audit/Assurance Program
Phase BUnderstand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Ref.

Issue Crossreference

Assurance Steps and Guidance

Comment

B-7
Obtain understanding of the Services, Infrastructure and Applications in scope.
Assess the Services, Infrastructure and Applications.
Repeat steps B-7.1 through B-7.5 for each Services, Infrastructure and Applications element in scope.
B-7.1
Understand the Services, Infrastructure and Applications context.
Understand the organisational and technological context of this service. Refer to steps A-2.2 and A-2.3 and re-use that information to understand the significance of this Service, Infrastructure and Application.
B-7.2
Understand the major stakeholders of the Services, Infrastructure and Applications.
Understand who the major stakeholders of the service will be, i.e., the sponsor, provider and users. Stakeholders will include a number of organisational roles but could also link to Processes.
B-7.3
Understand the major goals for the Services, Infrastructure and Applications, the related metrics, and agree on expected values.
Assess whether the Services, Infrastructure and Applications goals (outcomes) are achieved, i.e., assess the effectiveness of the Services, Infrastructure and Applications.
Goal | Criteria | Assessment Step

Goal: Service description
  Criteria: The Service is clearly described. The Service is available to all potential stakeholders.
  Assessment Step: Verify that the Service exists and is clearly described. Assess the quality of the Service description and of the Service offered. Verify the accessibility of the Service to all potential stakeholders.

Goal: Service level definition
  Criteria: Service levels are defined for the quality of the Service deliverables, cost and timeliness.
  Assessment Step: Verify that the following aspects are dealt with in the Service level definitions: quality of the Service deliverables, cost and timeliness. Verify to what extent Service levels are achieved.

Goal: Contribution to related enabler, IT-related and enterprise goals
  Criteria: The Service contributes to the achievement of related enabler, IT-related and enterprise goals.
  Assessment Step: Assess to what extent the Service contributes to the achievement of the related enabler goals and to the overall IT-related and enterprise goals.
B-7.4
Understand the life cycle stages of the Services, Infrastructure and Applications, and agree on the relevant criteria.
Assess the extent to which the Services, Infrastructure and Applications life cycle is managed.14
B-7.5
Understand good practice related to the Services, Infrastructure and Applications and expected values.
Assess the Services, Infrastructure and Applications design, i.e., assess to what extent expected good practices are applied.
Leverage the description of Services, Infrastructure and Applications in the COBIT 5 framework15 to identify good practices related to Services, Infrastructure and Applications. In general, the following practices need to be implemented:
- A buy/build decision needs to be taken.
- The use of the Service needs to be clear.


Good Practice | Criteria | Assessment Step

Good Practice: Sourcing (buy/build)
  Criteria: A formal decision, based on a business case, needs to be taken regarding the sourcing of the Service.
  Assessment Step: Verify that a formal decision, based on a business case, was taken regarding the sourcing of the Service. Verify the validity and quality of the business case. Verify that the sourcing decision has been duly executed.

Good Practice: Use
  Criteria: The use of the Service needs to be clear:
  - when it needs to be used and by whom;
  - the required compliance levels with the Service's output.
  Assessment Step: Verify that the use of the Service is clear, i.e., it is known when and by whom the service needs to be used. Verify that actual use is in line with the requirement above. Verify that the actual Service output is adequately used. Verify that Service levels are monitored and achieved.

14 The life cycle of a service will be governed and managed by many of the COBIT 5 processes. As a consequence, a subset of the BAI and APO processes may have to be added to the scope of the assurance engagement, should it be required.
15 COBIT 5 framework, appendix G, p. 85-86


B-8
Obtain understanding of the People, Skills and Competencies in scope.
Assess People, Skills and Competencies.
Repeat steps B-8.1 through B-8.5 for each People, Skills and Competencies aspect in scope.
B-8.1
Understand the People, Skills and Competencies context.
Understand the context of the Skill/Competency, i.e.:
- Where and when is it used?
- For what purpose is it used?
Understand the connection with other enablers in scope, e.g.:
- In which roles and structures is the Skill/Competency used? (See also B-4.1.)
- Which behaviours are associated with the Skill/Competency?
B-8.2
Understand the major stakeholders for People, Skills and Competencies.
Identify to whom in the organisation the skill requirement applies.
B-8.3
Understand the major goals for the People, Skills and Competencies, the related metrics, and agree on expected values.
Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.
For the People, Skills and Competencies at hand, the following goals and associated criteria can be addressed.

Goal | Criteria | Assessment Step
Goals: Experience; Education; Qualification; Knowledge; Technical skills; Behavioural skills; Number of people with appropriate skill level
Assessment Step (for each goal above): Apply appropriate auditing techniques to assess whether the People, Skills and Competencies goals are adequately achieved, i.e., that the assessment criteria are met.

B-8.4
Understand the life cycle stages of the People, Skills and Competencies, and agree on the relevant criteria.
Assess to what extent the People, Skills and Competencies life cycle is managed.
For the People, Skills and Competencies at hand, the life cycle phases and associated criteria can be expressed in terms of the process APO07. For the People, Skills and Competencies at hand, the assurance professional will perform the following assessment steps.
Life Cycle Element | Criteria | Assessment Step

Life Cycle Element: Plan
  Criteria: Practice APO07.03, activity 1 (Define the required and currently available skills and competencies of internal and external resources to achieve enterprise, IT and process goals.) is implemented in relation to this skill.
  Assessment Step: Assess whether practice APO07.03 activity 1 is implemented in relation to this skill.

Life Cycle Element: Design
  Criteria: Practice APO07.03, activity 2 (Provide formal career planning and professional development to encourage competency development, opportunities for personal advancement and reduced dependence on key individuals.) is implemented in relation to this skill.
  Assessment Step: Assess whether practice APO07.03 activity 2 is implemented in relation to this skill.
  Criteria: Practice APO07.03, activity 3 (Provide access to knowledge repositories to support the development of skills and competencies.) is implemented in relation to this skill.
  Assessment Step: Assess whether practice APO07.03 activity 3 is implemented in relation to this skill.

Life Cycle Element: Build
  Criteria: Practice APO07.03, activity 4 (Identify gaps between required and available skills and develop action plans to address them on an individual and collective basis, such as training [technical and behavioural skills], recruitment, redeployment and changed sourcing strategies.) is implemented in relation to this skill.
  Assessment Step: Assess whether practice APO07.03 activity 4 is implemented in relation to this skill.

Life Cycle Element: Operate
  Criteria: Practice APO07.03, activity 5 (Develop and deliver training programmes based on organisational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct and security.) is implemented in relation to this skill.
  Assessment Step: Assess whether practice APO07.03 activity 5 is implemented in relation to this skill.

Life Cycle Element: Evaluate
  Criteria: Practice APO07.03, activity 6 (Conduct regular reviews to assess the evolution of the skills and competencies of the internal and external resources. Review succession planning.) is implemented in relation to this skill.
  Assessment Step: Assess whether practice APO07.03 activity 6 is implemented in relation to this skill.

Life Cycle Element: Update/dispose
  Criteria: Practice APO07.03, activity 7 (Review training materials and programmes on a regular basis to ensure adequacy with respect to changing enterprise requirements and their impact on necessary knowledge, skills and abilities.) is implemented in relation to this skill.
  Assessment Step: Assess whether practice APO07.03 activity 7 is implemented in relation to this skill.

B-8.5
Understand good practice related to the People, Skills and Competencies and expected values.
Assess the People, Skills and Competencies design, i.e., assess to what extent expected good practices are applied.

Good Practice | Assessment Step

Good Practice: Skill set and Competencies are defined.
  Assessment Step: Determine that an inventory of Skills and Competencies is maintained by organisational unit, job function and individual. Evaluate the relevance and the contribution of the Skills and Competencies to the achievement of the goals of the Organisational Structure and, by consequence, IT-related goals and enterprise goals. Evaluate the gap analysis between the necessary portfolio of Skills and Competencies and the current inventory of skills and capabilities.

Good Practice: Skill levels are defined.
  Assessment Step: Assess the flexibility and performance of Skills development in addressing identified gaps between necessary and current Skill levels. Assess the process for 360-degree performance evaluations.

Phase C: Communicate the Results of the Assessment
Ref. | Assurance Step | Guidance

C-1 Document exceptions and gaps.
C-1.1 Understand and document weaknesses and their impact on the achievement of process goals.
  Guidance: Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors, inefficiencies and misuse. Clarify vulnerabilities, threats and missed opportunities that are likely to occur if enablers do not perform effectively. Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources). Relate the impact of not achieving the enabler goals to actual cases in the same industry and leverage industry benchmarks.
C-1.2 Understand and document weaknesses and their impact on enterprise goals.
  Guidance: Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder requirements, etc. Point out the consequence of non-compliance with regulatory requirements and contractual agreements. Measure the actual impact of disruptions and outages on business processes and objectives, and on customers (e.g., number, effort, downtime, customer satisfaction, cost).

C-2 Communicate the work performed and findings.
C-2.1 Communicate the work performed.
  Guidance: Communicate regularly to the stakeholders identified in A-1 on the progress of the work performed.
C-2.2 Communicate preliminary findings to the assurance engagement stakeholders defined in A-1.
  Guidance: Document the impact (i.e., customer and financial impact) of errors that could have been caught by effective enablers. Measure and document the impact of rework (e.g., ratio of rework to normal work) as an efficiency measure affected by enabler weaknesses. Measure the actual business benefits and illustrate cost savings of effective enablers after the fact. Use benchmarking and survey results to compare the enterprise's performance with others. Use extensive graphics to illustrate the issues. Inform the person responsible for the assurance activity about the preliminary findings and verify his/her correct understanding of those findings.
C-2.3 Deliver a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.
