EDM01 Ensure Governance Framework

The document discusses the process of ensuring governance framework setting and maintenance. It involves analyzing requirements for enterprise IT governance, putting effective structures and practices in place, and maintaining them to achieve business objectives. The process aims to provide a consistent governance approach aligned with enterprise strategies and objectives, oversee IT processes effectively, ensure compliance, and meet governance requirements. Risks include controls not operating as expected, non-compliance, and failure to support business objectives. The process goals involve evaluating the governance system, determining IT's business significance and external influences, and aligning ethical information use.

Uploaded by nyamsuren.mncert


COBIT® 5 Process Assessment Worksheet

Area: Governance
Domain: Evaluate, Direct and Monitor
Process: EDM01 – Ensure Governance Framework Setting and Maintenance

EDM01 – Process Setting

Process Description¹
Analyze and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives.

Process Purpose Statement¹
Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met.

Process Assessment Objectives¹

The objectives of this assessment are to determine if
• A consistent and integrated approach aligned with the enterprise governance approach is provided.
• IT-related decisions are made in line with the enterprise’s strategies and objectives.
• IT-related processes are overseen effectively and transparently.
• Compliance with legal and regulatory requirements is confirmed.
• The governance requirements for board members are met.

Process Risk Drivers²

• Controls not operating as expected
• Decreased stakeholder confidence
• High effort required to achieve compliance because of wrong or late decisions
• Ineffective responsibilities and accountabilities established for IT processes
• Non-compliance with regulatory requirements
• Organizational failure to maximize the use of emerging technological opportunities to improve business and IT capability
• Performance gaps not identified in a timely manner
• Remedial actions to maintain and improve IT process effectiveness and efficiency not identified or implemented
• Service deviations and degradations not recognized and addressed, resulting in failure to deliver business requirements
• Service performance failures causing legal and regulatory compliance exposures
• Technical incompatibilities or maintenance issues within the IT infrastructure
• The IT portfolio failing to support the enterprise's objectives and strategies

¹ © 2012 ISACA. All rights reserved. COBIT® 5 is a registered trademark of the Information Systems Audit and Control Association (ISACA)
² © 2015 Wescott and Associates. All rights reserved.



EDM01 – Process Goal Assessment

EDM01.01 Governance Practice¹
Evaluate the governance system. IT should continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.

Activity Title¹ | Activity Assessment Objectives¹ | Activity Assessment Step(s)²

EDM01.01.01 - Business Environment
  Assessment Objective¹: Identify and analyze the internal and external environmental factors (e.g., legal, regulatory, and contractual obligations) and trends in the business environment that may influence governance design.
  Assessment Step(s)²:
  1. Obtain, if possible,
     a. A listing of the regulations and laws that affect this organization’s IT.
     b. A listing of current, operating contracts.
     c. A listing of current legal obligations (not specified in a contract).
  2. Through inquiry, determine whether, by whom, and how current and future trends and regulations are monitored (e.g., technological developments, competitor activities, infrastructure issues, legal requirements and regulatory environment changes, third-party experts) and whether related risks or related opportunities for value creation are properly assessed.
  3. Understand,
     a. How IT keeps current with technology trends.
     b. How IT keeps current on regulations that might affect IT.
     c. How IT maintains compliance with regulatory directives and contract obligations.
  4. Through inquiry, understand whether the result of the monitoring is consistently passed on to the appropriate bodies (e.g., IT steering committee(s), Audit Committee of the Board, other oversight bodies) and to the IT tactical and infrastructure planning processes for action.
  5. Understand,
     a. How this information gets to the target audience.
     b. How regulatory and compliance items and trends that affect IT are teed up and brought into the planning process.

EDM01.01.02 - Business Significance
  Assessment Objective¹: Determine the significance of IT and its role with respect to the business.
  Assessment Step(s)²:
  1. Obtain the Company and IT Scorecards (or other similar strategic planning documentation).
  2. Review, compare, and analyze the two sets of documents to determine the significance of IT:
     a. In the number of strategic-level measurable goals, and
     b. In the significance of each goal.

EDM01.01.03 - External Influences
  Assessment Objective¹: Determine if and analyze how IT considers external regulations, laws and contractual obligations and how to apply them within the governance of enterprise IT.
  Assessment Step(s)²:
  1. From the listing of the regulations and laws that affect this organization’s IT, analyze how they apply to the Company's governance.
  2. Through inquiry, understand how IT monitors and applies these laws and regulations within the governance of IT.
EDM01.01.04 - Ethical Use of Information
  Assessment Objective¹: Determine if and analyze how IT aligns the ethical use and processing of information; its impact on society and the natural environment; and internal and external stakeholder interests with the enterprise's direction, goals, and objectives.
  Assessment Step(s)²:
  1. Obtain the Company's statement of direction and any related IT direction documents.
  2. Through analysis, determine the influence that society, the natural environment, and internal and external stakeholders have on the Company's ethical approach to business.
  3. Through analysis of the obtained documents and inquiry of IT management, determine IT's ethical drivers.
EDM01.01.05 - Entity-Level Control Influence
  Assessment Objective¹: Determine and analyze the implications of the overall enterprise control environment with regard to IT.
  Assessment Step(s)²:
  1. If the organization is a US publicly traded company, obtain the most recent Sarbanes-Oxley Entity-Level assessment that evaluates the overall control environment for the Company.
  2. Determine and assess the implications of the overall control environment with regard to its influence on IT and IT risks.
  3. If not, analyze the strategy documents to determine the state of the control environment, if possible. This may also be done by inquiry.
EDM01.01.06 - Governance Design Principles
  Assessment Objective¹: Determine and analyze the principles that guide the design of governance and decision making of IT.
  Assessment Step(s)²: Inquire whether and confirm that:
  1. An agreed-upon process exists to align the IT governance framework with the overall enterprise governance and control environment.
  2. The framework is based on a comprehensive IT process and control model and defines leadership, unambiguous accountability, roles and responsibilities, information requirements, organizational structures, and practices to avoid breakdown in internal control and oversight.
  3. The IT governance framework focuses on strategic alignment, value delivery, resource management, risk management and performance measurement.

EDM01.01.07 - Decision-Making Culture
  Assessment Objective¹: Understand IT’s decision-making culture and determine the optimal decision-making model.
  Assessment Step(s)²:
  1. Obtain, if possible, the annual planning document for managers.
  2. Determine if these planning documents roll up to the head of IT and if that, in turn, rolls up and ties to the corporate planning documents.
  3. From an analysis of these documents and inquiry, determine how decisions are made.

EDM01.01.08 - Delegation
  Assessment Objective¹: Determine and analyze the appropriate levels of authority delegation, including threshold rules, for IT decisions.
  Assessment Step(s)²:
  1. For financial decision-making, obtain and review financial decision-making delegation rules that may apply to IT.
  2. Through inquiry of IT management, determine the levels of authority delegation, including threshold rules, for IT decisions.
  3. Analyze and determine that the delegations are appropriate and meet the letter and spirit of the Company's policies.

EDM01.02 Governance Practice¹

Direct the governance system. Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision-making.

Activity Title¹ | Activity Assessment Objectives¹ | Activity Assessment Step(s)²
EDM01.02.01 - Governance Communications
  Assessment Objective¹: Determine and analyze how IT communicates governance of IT principles and agrees with executive management on the way to establish informed and committed leadership.
  Assessment Step(s)²:
  1. Obtain recent Board and Audit Committee minutes. Review them to determine if regular and special reporting occurs from IT.
  2. Obtain the most recent minutes of the IT Steering Committee. Determine that IT governance status and issues are reported and any issues acted upon.
EDM01.02.02 - Governance Structure Design
  Assessment Objective¹: Determine and analyze how IT establishes or delegates the establishment of governance structures, processes and practices to be in line with agreed-on design principles.
  Assessment Step(s)²:
  1. Through inquiry of the IT management team, determine their governance processes and practices.
  2. Determine whether appropriate management governance structures exist, such as the IT strategy committee, IT steering committee, technology council, IT architecture review board and IT audit committee. Verify that terms of reference and charters exist for each of these.
  3. Determine if these are compatible with the corporate governance design.

EDM01.02.03 - Responsibility Allocation
  Assessment Objective¹: Understand how IT allocates responsibility, authority, and accountability in line with agreed-on governance design principles, decision-making models, and delegation.
  Assessment Step(s)²: Through inquiry of the CIO's direct reports, determine and understand that the CIO allocates responsibility, authority and accountability in line with agreed-on governance design principles, decision-making models and delegation policies.
EDM01.02.04 - Information and Communication
  Assessment Objective¹: Determine if and analyze how IT ensures that communication and reporting mechanisms provide those responsible for oversight and decision-making with appropriate information.
  Assessment Step(s)²:
  1. Obtain copies of all types of communication from IT to the rest of the organization. This includes communications at the Board level.
  2. Determine if communication and reporting mechanisms provide those responsible for oversight and decision-making with appropriate information.
EDM01.02.05 - Ethical and Professional Behavior
  Assessment Objective¹: Determine and analyze how IT directs that staff follow relevant guidelines for ethical and professional behavior and ensure that consequences of non-compliance are known and enforced.
  Assessment Step(s)²:
  1. Through inquiry of the CIO and direct reports, determine if and how staff is directed to follow relevant guidelines for ethical and professional behavior.
  2. Determine if and how consequences of non-compliance are known and enforced.
  3. Analyze if management and staff perspectives are in agreement.
EDM01.02.06 - Reward System
  Assessment Objective¹: Determine who and analyze how there is direction set and implemented for the establishment of a reward system to promote desirable change.
  Assessment Step(s)²: Through inquiry and review of reward system documentation, determine the reward systems in place that can affect culture changes from within IT.

EDM01.03 Governance Practice¹

Monitor the governance system. Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.

Activity Title¹ | Activity Assessment Objectives¹ | Activity Assessment Step(s)²


EDM01.03.01 - Assess Stakeholder Performance
  Assessment Objective¹: Determine and analyze who assesses the effectiveness and performance of those stakeholders given delegated responsibility and authority for governance of enterprise IT.
  Assessment Step(s)²:
  1. Through inquiry, determine how measurements are made as to the effectiveness and performance of those stakeholders given delegated responsibility and authority for governance of enterprise IT.
  2. If available, obtain and analyze for effectiveness any reports showing performance measurements.
EDM01.03.02 - Assess Governance Performance
  Assessment Objective¹: Determine and analyze who periodically assesses whether agreed-on governance of IT mechanisms (structures, principles, processes, etc.) is established and operating effectively.
  Assessment Step(s)²: Determine whether and confirm that:
  1. The IT scorecard performance measures are properly aligned with the business scorecard measures and accepted by the business.
  2. Verify that status reports include the extent to which planned objectives have been achieved, deliverables obtained and performance targets met.
EDM01.03.03 - Assess Governance Design
  Assessment Objective¹: Determine and analyze who assesses the effectiveness of the governance design and identify actions to rectify any deviations found.
  Assessment Step(s)²: Determine if and how the organization assesses and accepts the effectiveness of the processes and the accuracy and completeness of the deliverables to measure and report IT performance in relation to achievement of the strategic IT objectives.


EDM01.03.04 - Obligation Oversight
  Assessment Objective¹: Determine and analyze who maintains oversight of the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines.
  Assessment Step(s)²: Determine who maintains oversight of the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards, and professional guidelines.
EDM01.03.05 - Control Compliance Oversight
  Assessment Objective¹: Determine and analyze who provides oversight of the effectiveness of, and compliance with, the enterprise system of control.
  Assessment Step(s)²: Determine who provides oversight of the effectiveness of, and compliance with, the enterprise system of control.
EDM01.03.06 - Compliance Mechanism Oversight
  Assessment Objective¹: Determine if and analyze how IT monitors regular and routine mechanisms for ensuring that the use of IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines.
  Assessment Step(s)²: Through inquiry and review, determine who monitors regular and routine mechanisms for ensuring that IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines.


EDM01 Assessment Summary¹

Governance Practice | Practice Description | Practice Assessment Summary

Governance Practice: Evaluate the governance system.
  Practice Description: IT should continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.
  Practice Assessment Summary:

Governance Practice: Direct the governance system.
  Practice Description: Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision-making.
  Practice Assessment Summary:

Governance Practice: Monitor the governance system.
  Practice Description: Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.
  Practice Assessment Summary:

EDM01 Risk Summary¹

Create multiple risk scenarios for each risk identified in the summary above that affects achieving the objective.

Risk Scenario - Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description clarifies the threat/vulnerability type and includes the actors, events, assets and time issues.

Risk Scenario Component | Mark all that apply

Threat Type (Describe the nature of the event)
  [ ] Malicious
  [ ] Accidental
  [ ] Error
  [ ] Failure
  [ ] Natural
  [ ] External requirement

Actor (Who or what could trigger the threat that exploits a vulnerability)
  [ ] Internal
  [ ] External
  [ ] Human
  [ ] Non-Human

Event (Something that happens that was not supposed to happen, something does not happen that was supposed to happen, or a change in circumstances. Events always have causes and usually have consequences. A consequence is the outcome of an event and has an impact on objectives.)
  [ ] Disclosure
  [ ] Interruption
  [ ] Modification
  [ ] Theft
  [ ] Destruction
  [ ] Ineffective design
  [ ] Ineffective execution
  [ ] Rules and regulations
  [ ] Inappropriate use

Asset (An asset is something of tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation.)
  [ ] Process
  [ ] People and Skills
  [ ] Organizational Structure
  [ ] Physical Infrastructure
  [ ] IT Infrastructure
  [ ] Information
  [ ] Applications

Resource (A resource is anything that helps to achieve a goal.)
  [ ] Process
  [ ] People and Skills
  [ ] Organizational Structure
  [ ] Physical Infrastructure
  [ ] IT Infrastructure
  [ ] Information
  [ ] Applications

Time
  Timing:    [ ] Critical  [ ] Non-Critical
  Duration:  [ ] Short  [ ] Moderate  [ ] Extended
  Detection: [ ] Slow  [ ] Moderate  [ ] Instant
  Time lag:  [ ] Immediate  [ ] Delayed
  Velocity:  [ ] Slowing  [ ] Constant  [ ] Increasing

Likelihood: [ ] Highly  [ ] Moderate  [ ] Unlikely
Impact:     [ ] Great  [ ] Moderate  [ ] Little

Possible Risk Response
  Risk Avoidance:
  Risk Acceptance:
  Risk Sharing/Transfer:
  Risk Mitigation:
