Audit/Assurance Program
ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value
from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking,
and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers
the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT , a business framework
that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical
skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security
Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control
(CRISC) credentials. The association has more than 200 chapters worldwide.
Disclaimer
ISACA has designed and created APO06 Manage Budget and Costs Audit/Assurance Program (the Work) primarily as an
educational resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful
outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any
specific information, procedure or test, assurance professionals should apply their own professional judgement to the specific
circumstances presented by the particular systems or information technology environment.
Reservation of Rights
2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse .
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Align-Plan-and-Organise.aspx
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ISBN 978-1-60420-572-5
APO06 Manage Budget and Costs Audit/Assurance Program
ISACA 2014
Expert Reviewers
Steven De Haes, University of Antwerp - Antwerp Management School, Belgium
John E. Jasinski, CISA, CGEIT, ISO20K, ITIL Expert, SSBB, USA
Joanna Karczewska, CISA, Poland
Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina
Abdul Rafeq, CISA, CGEIT, CIA, FCA, Wincer Infotech Limited, India
Claus Rosenquist, CISA, CISSP, Nets Holding, Denmark
Lily Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
David A. Williams, CRISC, PMP, OceanFirst Bank, USA
Nikolaos Zacharopoulos, CISA, CISSP, MerckGroup, Germany
Daniel Zimerman, CISA, CRISC, CISSP, CEPT, CIH, GCIH, IQ Solutions, USA
Tichaona Zororo, CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT I Enterprise Governance of IT (Pty) Ltd., South Africa
Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany
ISACA 2014
Table of Contents
Page
Introduction.................................................................................................................................................................... 5
Assurance Engagement Approach Based on COBIT 5.................................................................................................5
Generic Audit/Assurance Program................................................................................................................................ 6
Customization of the Audit/Assurance Program.....................................................................................................6
About the Example Audit/Assurance Program: APO06 ...............................................................................................6
Assurance Engagement: Manage Budget and Costs...................................................................................................7
Assurance Topic..................................................................................................................................................... 7
Goal of the Review................................................................................................................................................. 7
Scoping................................................................................................................................................................... 7
COBIT 5-based Assurance Engagement Approach.......................................................................................................7
Phase ADetermine Scope of the Assurance Initiative.........................................................................................8
Phase BUnderstand Enablers, Set Suitable Assessment Criteria and Perform the Assessment.....................12
Phase CCommunicate the Results of the Assessments...................................................................................29
ISACA 2014
Introduction
This document contains an example audit/assurance program for a COBIT 5 process, based on the generic structure
developed in section 2B of COBIT 5 for Assurance1.
Figure 1Generic COBIT 5-based Assurance Engagement Approach
Important Note
The engagement approach is based on, but differs slightly from the generic approach described in COBIT 5 for
Assurance:
The order in which the enablers are discussed is different: the engagement approach described here is a
process audit/assurance program; consequently the Process enabler is discussed first.
The remaining six enablers are also included in the program, because they are relevant for a process assurance
engagement as well. They have been grouped together to make the program more compact.
ISACA 2014
Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can
also be classified under the Information enabler heading and covered in detail there.
Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage
human resources.
In practice, assurance professionals will have to use their own professional judgment when developing their own
customized audit/assurance programs, to avoid duplication of work.
In addition, while audit/assurance programs will be available for each process, in practice, a group of processes are
often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to
be selected for conducting assurance.
Comprehensive yet flexible. The generic program is comprehensive because it contains assurance steps
covering all enablers in quite some detail, yet it is also flexible because this detailed structure enables clear and
well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set
of enablers or some enabler instances and, while the decision will reduce the scope and related assurance
engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement
user.
Determine the assurance objectives based on assessment of the internal and external environment/context,
including the strategic objectives, goals (figures 40 and 41 of COBIT 5 for Assurance) and priorities of the
enterprise.
Determine the enablers in scope and the instance(s) of the enablers in scope.
In the Guidance column, the shaded text is specific to the example and provides practical guidance, e.g.,
examples of the Organisational Structures to include in scope, setting assessment criteria for the different
enablers and actually assessing the different enablers.
ISACA 2014
Two additional columns are included, in which the assurance professional can identify and cross-reference issues
and record comments.
There is a partnership between IT and enterprise stakeholders to enable the effective and efficient use of ITrelated resources
There is transparency and accountability of the cost and business value of solutions and services.
The enterprise is enabled to make informed decisions regarding the use of IT solutions and services.
Scoping
The scope of the assurance engagement is expressed as a function of the seven COBIT 5 enablers, with a focus on
the Process enabler. The process content is taken directly from the detailed process descriptions in COBIT 5:
Enabling Processes, i.e., these are standard COBIT 5 processes. Other enablers are also directly based on the same
process descriptions, e.g., the Organisational Structures and Information items.
Other enablers are described in a more generic way and may require customization before the audit/assurance
program can be applied.
Phase ADetermine Scope of the Assurance InitiativeIn phase A of the assurance workflow, the auditor
scopes the assurance engagement. This process defines the scope in the COBIT 5 terms of enterprise goals, ITrelated goals and enablers.
Phase BUnderstand Enablers, Set Suitable Assessment Criteria and Perform the AssessmentIn phase
B of the assurance workflow, the auditor:
Builds an understanding of the subject matter over which assurance needs to be provided. The subject
matter is expressed in terms of COBIT 5 enablers.
Obtains agreement over the assessment criteria that will be used during the assurance engagement.
Phase CCommunicate the Results of the AssessmentsIn phase C of the assurance workflow, the auditor
communicates the observations to the initiative stakeholders. This includes carefully documenting all weaknesses
or exceptions found and communicating them to stakeholders effectively and efficiently, with a view to initiating
the appropriate response.
Additional related guidance for APO06 can be found in COBIT 5: Enabling Processes, p. 82.
ISACA 2014
A-1.2
A-2
A-2.1
A-2.2
A-2.3
A-2.4
Assurance Step
Determine the stakeholders of the
assurance initiative and their stake.
Identify the intended user(s) of the assurance
report and their stake in the assurance
engagement. This is the assurance objective.
Identify the interested parties, accountable
and responsible for the subject matter over
which assurance needs to be provided.
A-2.4
Cont.
Issue Crossreference
Guidance
Intended user(s) of
the assurance report
Accountable and
responsible parties
for the subject matter
Additional goals
IT-related goals:
ISACA 2014
Comment
Assurance Step
Issue Crossreference
Guidance
Comment
A-2.5
A-3
A-3.1
A-3.2
Organisational Structures
Information
<list here the most relevant Principles, Policies and Framework elements>
Organisational Structures: Based on the process under review, the following
Organisational Structures and functions are considered to be in scope of this assurance
engagement, and available resources will determine which ones will be reviewed in
detail: 5
Head IT administration
CuIture, Ethics and Behaviour: In the context of this process review, the following
enterprisewide Behaviours are in scope:
4
5
The suggested set of enterprise goals can and should vary with enterprise strategy and priorities. However, in this generic program the following logic was applied: first the mapping table between
IT processes and IT-related goals (COBIT 5: Enabling Processes, appendix B, p.227-229) was used. The mappings between the process at hand and the IT goals listed as P are retained as key
IT-related goals. The mappings listed as S are retained as additional IT-related goals. Next, the mapping table between enterprise goals and IT-related goals (COBIT 5: Enabling Processes,
appendix B, p.226) is used. The previously selected key IT-related goals are looked up, and those enterprise goals that support half or more of the IT-related goals as P are retained as key
enterprise goals. The remaining enterprise goals listed as P are retained as additional enterprise goals. Again, after application of the logic described here, the resulting set of goals should
be reviewed and tailored if necessary.
The logic applied here is the following: if there are any Policies or Frameworks identified as inputs or outputs of any of the process practices of the process under review, they will be included
here.
Only those roles that have an A or R in the RACI chart of the process are included here. Roles are taken from the RACI charts in COBIT 5: Enabling Processes; some more specific roles may
be taken from COBIT 5 for Assurance, COBIT 5 for Risk or COBIT 5 for Information Security.
ISACA 2014
Assurance Step
Issue Crossreference
Guidance
Comment
Information items: Based on the process under review, the following Information items
are considered to be in scope of this assurance engagement, and available resources
will determine which ones will be reviewed in detail.6
APO06.01:
A-3.2
Cont.
APO06.03:
Leverage the inputs and outputs (also referred to as work products) described for each process practice in COBIT 5: Enabling Processes to identify the most relevant or important information
items. All inputs and outputs are listed here, with those work products written in italic font to be dealt with (in more detail) as part of the Information enabler.
ISACA 2014
10
Assurance Step
Issue Crossreference
Guidance
<list here the most relevant Services, Infrastructure and Applications components in
scope>
People, Skills and Competencies: In the context of this process review, taking into
account key processes and key roles, the following Skill sets are included in scope:
ISACA 2014
11
Comment
ISACA 2014
12
Issue Crossreference
B-1.2
B-2
B-2.1
Percent of IT-enabled
from IT-enabled
values for the IT-related
goal will be reviewed and an assessment
investments where benefit
investments and
goal metrics, i.e., the
will be made whether the defined criteria
realisation is monitored through
services portfolio
values against which the
are achieved.
full economic life cycle
assessment will take
Percent of IT-enabled
investments where claimed
benefits are met or exceeded
ITG06 Transparency of
Agree on the expected
In this step, the related metrics for each
ISACA 2014
13
Comment
B-2.2
B-2.2
Cont.
Issue Crossreference
Because this is a process audit/assurance program, several of the assurance steps from COBIT 5 for Assurance have been combined or removed.
ISACA 2014
14
Comment
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management
practice is effectively implemented through the following typical (control) activities:
1.
2.
3.
4.
5.
AP006.02 Prioritise
resource allocation.
2.
3.
4.
Establish a decision-making body for prioritising business and IT resources, including use of external
service providers within the high-level budget allocations for IT-enabled programmes, IT services and IT
assets as established by the strategic and tactical plans. Consider the options for buying or developing
capitalised assets and services vs. externally utilised assets and services on a pay-for-use basis.
Rank all IT initiatives based on business cases and strategic and tactical plans, and establish procedures
to determine budget allocations and cut-off. Establish a procedure to communicate budget decisions and
review them with the business unit budget holders.
Identify, communicate and resolve significant impacts of budget decisions on business cases, portfolios
and strategy plans (e.g., when budgets may require revision due to changing enterprise circumstances,
when they are not sufficient to support strategic objectives or business case objectives).
Obtain ratification from the executive committee for the overall IT budget changes that negatively impact
the entitys strategic or tactical plans and offer suggested actions to resolve these impacts.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual
accountability and responsibility for this practice and assess whether:
Accountability and responsibility are assigned at the appropriate level in the organisation
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management
practice is effectively implemented through the following typical (control) activities:
1.
2.
ISACA 2014
Define processes, inputs and outputs, and responsibilities in alignment with the enterprise budgeting and
cost accounting policies and approach to systematically drive IT budgeting and costing; enable fair,
transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of ITenabled business programmes; and ensure that budgets and costs are maintained in the IT asset and
services portfolios.
Define a classification scheme to identify all IT-related cost elements, how they are allocated across
budgets and services, and how they are captured.
Use financial and portfolio information to provide input to business cases for new investments in IT assets
and services.
Define how to analyse, report (to whom and how), and use the budget control and benefit management
processes.
Establish and maintain practices for financial planning, investment management and decision making, and
the optimisation of recurring operational costs to deliver maximum value to the enterprise for the least
expenditure.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual
accountability and responsibility for this practice and assess whether:
Accountability and responsibility are assigned at the appropriate level in the organisation.
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management
practice is effectively implemented through the following typical (control) activities:
1.
B-2.2
Cont.
Issue Crossreference
Implement a formal IT budget, including all expected IT costs of IT-enabled programmes, IT services and
IT assets as directed by the strategy, programmes and portfolios.
When creating the budget, consider the following components:
15
Comment
3.
4.
5.
6.
7.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual
accountability and responsibility for this practice and assess whether:
Accountability and responsibility are assigned at the appropriate level in the organisation.
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management
practice is effectively implemented through the following typical (control) activities:
1.
2.
3.
4.
5.
6.
B-2.2
Cont.
Issue Crossreference
Categorise all IT costs appropriately, including those relating to service providers, according to the
enterprise management accounting framework.
Inspect service definition catalogues to identify services subject to user chargeback and those that are
shared services.
Define and agree on a model that:
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual
accountability and responsibility for this practice and assess whether:
Accountability and responsibility are assigned at the appropriate level in the organisation.
AP006.05 Manage
costs.
ISACA 2014
Assess by applying appropriate audit techniques (interview, observation, testing) whether the management
practice is effectively implemented through the following typical (control) activities:
16
Comment
4.
5.
6.
7.
8.
9.
B-2.3
B-2.3
Cont.
Issue Crossreference
Cost distribution between direct and indirect (absorbed and unabsorbed) costs
Define how costs are consolidated for the appropriate levels in the enterprise and how they will be
presented to the stakeholders. The reports provide information to enable the timely identification of
required corrective actions.
Instruct those responsible for cost management to capture, collect and consolidate the data, and present
and report the data to the appropriate budget owners analysts and owners jointly analyse deviations and
compare performance to internal and industry benchmarks. The results of the analysis provide an
explanation of significant deviations and the suggested corrective actions.
Ensure that the appropriate levels of management review the results of the analysis and approve
suggested corrective actions.
Align IT budgets and services to the IT infrastructure, enterprise processes and owners who use them.
Ensure that changes in cost structures and enterprise needs are identified and budgets and forecasts are
revised as required.
At regular intervals, and especially when budgets are cut due to financial constraints, identify ways to
optimise costs and introduce efficiencies without jeopardising services.
Compare the RACI chart as included in the reference process in COBIT 5: Enabling Processes with the actual
accountability and responsibility for this practice and assess whether:
Accountability and responsibility are assigned at the appropriate level in the organisation.
Agree on the Process work products (inputs and outputs as defined in the process practices description) that are expected to be present
(process design).
Assess the extent to which the process work products are available.
The Process APO06 identifies a set of inputs and outputs for the different management
Criteria: All listed work products should
practices. The most relevant of these work products (and those not assessed as Information
demonstrably exist and be used.
items in scope in section A-3.2) are identified as follows, as well as the criteria against which
they will be assessed, i.e., existence and usage.
Process Practice
Work Product8
Assessment Step
APO06.01
Asset register (I)
Accounting processes (O)
IT costs classification scheme (O)
Financial planning practices (O)
APO06.02
Evaluation of investments and services portfolios (I)
Actions to improve value delivery (I)
Apply appropriate auditing techniques to
Proof-of-concept scope and outline business case (I)
Only the work products not already dealt with (in more detail) as part of the Information enabler are listed here.
ISACA 2014
17
Comment
Issue Crossreference
Comment
This step is warranted only if the process under review is a standard COBIT 5 governance or management process to which the ISO/IEC 15504 PAM can be applied. Any other processes, for which
no reference practices, work products or outcomes are approved, cannot use this assessment method, therefore the concept capability level does not apply.
ISACA 2014
18
Issue Crossreference
Management/process framework
ISACA 2014
19
Comment
B-4.4
B-4.4
Cont.
B-4.5
10
11
Issue Crossreference
Comment
The RACI charts in COBIT 5: Enabling Processes can be leveraged as a starting point for the expected goals of a role or Organisational Structure.
The Organisational Structure/role as described may not exist under the same name in the enterprise; in that case, the closest Organisational Structure assuming the same responsibilities and
accountability should be considered.
ISACA 2014
20
Issue Crossreference
understood mandate.
understood mandate.
The performance of the
B-5.4
B-5.5
Understand the life cycle stages of the Culture, Ethics and Behaviour, and agree on the relevant criteria.
Assess the extent to which the Culture, Ethics and Behaviour life cycle is managed.
(This aspect is already covered by the assessment of the good practices, so no additional assurance steps are defined here.)
Understand good practice when dealing with Culture, Ethics and Behaviour, and agree on relevant criteria.
Assess the Culture, Ethics and Behaviour design, i.e., assess to what extent expected good practices are applied.
Good Practice
Criteria
Assessment Step
Communication,
Existence and quality of the
Apply appropriate auditing techniques to assess whether the good
ISACA 2014
21
Comment
Issue Crossreference
ISACA 2014
communication
Existence and application of
appropriate rewards and incentives
Awareness of desired Behaviours
22
Comment
Phase BUnderstand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Ref.
Issue Crossreference
B-6
Information producer
Information custodian
Information consumer
Stakeholders should be at the appropriate organisational level.
B-6.3
Understand the major quality criteria for the Information item, the related metrics and agree on expected values.
Assess whether the Information item quality criteria (outcomes) are achieved, i.e., assess the effectiveness of the Information item.
Leverage the COBIT 5 Information enabler model12 focussing on the quality goals description to
The assurance professional will, by using
select the most relevant Information quality criteria for the Information item at hand. Document
appropriate auditing techniques, verify all
expectations regarding information criteria. The COBIT 5 Information enabler model identifies 15
quality criteria in scope and assess whether
different quality criteriaalthough all of them are relevant, it is nonetheless possible and
the criteria are met.
recommended to focus on a subset of the most important criteria for the Information item at hand.
Mark the quality dimensions with a that are deemed most important (key criteria), and by
consequence will be assessed against the described criteria.
Quality Dimension
Key Criteria
Description
Accuracy
Objectivity
Believability
Reputation
Relevancy
Completeness
Currency
Amount of information
Concise representation
Consistent
representation
Interpretability
Understandability
Manipulation
12
Assessment Step
ISACA 2014
23
Comment
B-6.5
Issue Crossreference
When the Information item is internal to IT, the process review will have covered the life cycle aspects sufficiently.
When the Information item also involves other stakeholders outside IT or other non-IT processes, some of the life cycle aspects need to be
assessed.
Mark the life cycle stages with a that are deemed most important (key criteria), and by consequence will be assessed against the described
criteria.
Life Cycle Stage
Key Criteria
Description
Assessment Step
Plan
Design
Build/acquire
Use/operate
Evaluate/monitor
Update/dispose
Understand important attributes of the Information item and expected values.
Assess the Information item design, i.e., assess the extent to which expected good practices are applied.
Good practices for Information items are defined as a series of attributes for the Information item13. The assurance professional will, by using
appropriate audit techniques, verify all attributes in scope and assess whether the attributes are adequately defined.
Mark the attributes with a that are deemed most important (key criteria), and by consequence will be assessed against the described criteria.
Attribute
Key Criteria
Description
Assessment Step
Physical
Empirical
Syntactic
Semantic
Pragmatic
Social
13
ISACA 2014
24
Comment
Issue Crossreference
Comment
B-7
Verify that the following aspects are dealt with in the Service level
Cost
Cost
Timeliness
Timeliness
Verify that the use of the Service is clear, i.e., it is known when and by
clear:
whom the service needs to be used.
14
The life cycle of a service will be governed and managed by numerous of the COBIT 5 processes. As a consequence, a subset of the BAI and APO processes may have to be added to the scope of the
assurance engagement should it be required.
ISACA 2014
25
B-7.5
Cont.
15
Issue Crossreference
ISACA 2014
26
Comment
Phase BUnderstand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Ref.
Issue Crossreference
B-8
B-8.4
Knowledge
Technical skills
Behavioural skills
Number of people with
appropriate skill level
Understand the life cycle stages of the People, Skills and Competencies, and agree on the relevant criteria.
Assess to what extent the People, Skills and Competencies life cycle is managed.
For the People, Skills and Competencies at hand, the life cycle phases and associated criteria can
For the People, Skills and Competencies at
be expressed in function of the process APO07.
hand the assurance professional will
perform the following assessment steps.
Life Cycle Element
Criteria
Assessment Step
Plan
Practice APO07.03, activity 1 (Define the required and currently
Assess whether practice APO07.03 activity
available skills and competencies of internal and external resources to
1 is implemented in relation to this skill.
achieve enterprise, IT and process goals.) is implemented in relation to
this skill.
Design
Practice APO07.03 activity 2 (Provide formal career planning and
Assess whether practice APO07.03 activity
professional development to encourage competency development,
2 is implemented in relation to this skill.
opportunities for personal advancement and reduced dependence on
key individuals.) is implemented in relation to this skill.
ISACA 2014
27
Comment
B-8.4
Cont.
B-8.5
Issue Crossreference
ISACA 2014
28
Comment
Assurance Step
Document exceptions and gaps.
Understand and document weaknesses and their impact on the
achievement of process goals.
Understand and document weaknesses and their impact on enterprise
goals.
Guidance
C-2
C-2.1
C-2.2
C-2.3
Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
Clarify vulnerabilities, threats and missed opportunities that are likely to occur if enablers do not perform effectively.
Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture elements,
capabilities, resources). Relate the impact of not achieving the enabler goals to actual cases in the same industry and
leverage industry benchmarks.
Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost
in staff time, loss of sales, ability to manage and react to the market, customer and shareholder requirements, etc.
Point out the consequence of non-compliance with regulatory requirements and contractual agreements.
Measure the actual impact of disruptions and outages on business processes and objectives, and on customers (e.g.,
number, effort, downtime, customer satisfaction, cost).
Communicate regularly to the stakeholders identified in A-1 on progress of the work performed.
Document the impact (i.e., customer and financial impact) of errors that could have been caught by effective enablers.
Measure and document the impact of rework (e.g., ratio of rework to normal work) as an efficiency measure affected by
enabler weaknesses.
Measure the actual business benefits and illustrate cost savings of effective enablers after the fact.
Use benchmarking and survey results to compare the enterprises performance with others.
Use extensive graphics to illustrate the issues.
Inform the person responsible for the assurance activity about the preliminary findings and verify his/her correct
understanding of those findings.
Deliver a report (aligned with the terms of reference, scope and agreedon reporting standards) that supports the results of the initiative and
enables a clear focus on key issues and important actions.
ISACA 2014
29