
Internal Audit Department COBIT Control Assessment Questionnaire

"The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 IT processes." - IT Governance Institute

COBIT Control Assessment Questionnaire

Audit Information:
Audit / Project Name: <Name Here>

Auditable Unit #: <Audit Unit #>
Engagement #: <Engagement #>

Start Date: MM / DD / YYYY
End Date: MM / DD / YYYY

Audit Team Lead: <Name Here> <Title Here> <Phone Number Here>

Audit Team Members: <List Name, Title, & Phone Numbers Here>

Description of Project:
<Description Here>

Client Information:
Information for Clients Participating in the Joint Assessment
(Columns: Name | Title | Phone | Responsible Officer (Name, Title) | Location)

Other Information:
<This space reserved for use as necessary>

Date Printed: 02/25/14

Proprietary Information - FOR INTERNAL USE ONLY

Page 1 of 9


Overall Rating Assigned for This Assessment*: Overall Maturity Rating: <Rating Here>

* In the event that an assessment falls between two maturity ratings, the lower rating is assigned.

(Please choose between this page and the following page, depending on whether you will use the generic rating definition or a specific rating definition to assign your overall rating.)

Legend for Generic COBIT Management Guideline Maturity Ratings**:

Rating / Description

0 - Non-Existent: Management processes are not in place (Complete lack of any recognizable processes. The organization has not recognized that there is an issue to be addressed).

1 - Initial: Processes are ad hoc and disorganized (There is evidence that the organization has recognized that the issues exist and need to be addressed. However, there are no standardized processes; there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized).

2 - Repeatable: Processes follow a regular pattern (Processes have developed to a stage where different people undertaking the same task follow similar procedures. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and errors are likely as a result).

3 - Defined: Processes are documented and communicated (Procedures have been standardized and documented and communicated through formal training. However, compliance with the procedures is left to each individual and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but are the formalization of existing practices).

4 - Managed: Processes are monitored and measured (It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way).

5 - Optimized: Best practices are followed and automated (Processes have been refined to a level of best practice, based on the results of continuous improvement and benchmarking with other organizations and industry best practices. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt).

** Note: Generic ratings are applied to assessments where the overall review does not correspond specifically to a single one of COBIT's 34 High-Level Control Objectives. Where an overall review corresponds to a specific IT process, the specific maturity rating definition as defined in COBIT's Management Guidelines is used.

Client's Targeted Maturity Rating***:

<Rating Here>

*** Client's Targeted Maturity Rating indicates the level of maturity that the assessment owner believes is an appropriate maturity level for the assessment scope. Risks vary across IT processes; it is not desirable for every process to aspire to achieve the highest maturity rating.


Overall Rating Assigned for This Assessment*: Overall Maturity Rating: <Rating Here>

* In the event that an assessment falls between two maturity ratings, the lower rating is assigned.

(Please choose between this page and the previous page, depending on whether you will use the generic rating definition or a specific rating definition to assign your overall rating.)

Legend for COBIT Management Guideline Maturity Ratings: DS10 Manage Problems and Incidents:

Rating / Description

0 - Non-Existent: There is no awareness of the need for managing problems and incidents. The problem-solving process is informal and users and IT staff deal individually with problems on a case-by-case basis.

1 - Initial: The organization has recognized that there is a need to solve problems and evaluate incidents. Key knowledgeable individuals provide some assistance with problems relating to their area of expertise and responsibility. The information is not shared with others and solutions vary from one support person to another, resulting in additional problem creation and loss of productive time, while searching for answers. Management frequently changes the focus and direction of the operations and technical support staff.

2 - Repeatable: There is a wide awareness of the need to manage IT related problems and incidents within both the business units and information services function. The resolution process has evolved to a point where a few key individuals are responsible for managing the problems and incidents occurring. Information is shared among staff; however, the process remains unstructured, informal and mostly reactive. The service level to the user community varies and is hampered by insufficient structured knowledge available to the problem solvers. Management reporting of incidents and analysis of problem creation is limited and informal.

3 - Defined: The need for an effective problem management system is accepted and evidenced by budgets for the staffing, training and support of response teams. Problem solving, escalation and resolution processes have been standardized, but are not sophisticated. Nonetheless, users have received clear communications on where and how to report on problems and incidents. The recording and tracking of problems and their resolutions is fragmented within the response team, using the available tools without centralization or analysis. Deviations from established norms or standards are likely to go undetected.

4 - Managed: The problem management process is understood at all levels within the organization. Responsibilities and ownership are clear and established. Methods and procedures are documented, communicated and measured for effectiveness. The majority of problems and incidents are identified, recorded, reported and analyzed for continuous improvement and are reported to stakeholders. Knowledge and expertise are cultivated, maintained and developed to higher levels as the function is viewed as an asset and major contributor to the achievement of IT objectives. The incident response capability is tested periodically. Problem and incident management is well integrated with interrelated processes, such as change, availability and configuration management, and assists customers in managing data, facilities and operations.

5 - Optimized: The problem management process has evolved into a forward-looking and proactive one, contributing to the IT objectives. Problems are anticipated and may even be prevented. Knowledge is maintained, through regular contacts with vendors and experts, regarding patterns of past and future problems and incidents. The recording, reporting and analysis of problems and resolutions is automated and fully integrated with configuration data management. Most systems have been equipped with automatic detection and warning mechanisms, which are continuously tracked and evaluated.

Client's Targeted Maturity Rating**:

<Rating Here>

** Client's Targeted Maturity Rating indicates the level of maturity that the assessment owner believes is an appropriate maturity level for the assessment scope. Risks vary across IT processes; it is not desirable for every process to aspire to achieve the highest maturity rating.


Summary of Ratings Assigned for Specific High-level Control Objectives of This Assessment*:

* Maturity ratings for the following specific process areas have been assigned using COBIT's Management Guideline definitions for each specific High-level Control Objective.

POnn Name of Specific Planning & Organization process area: <Rating Here>
  n.n Name of first control objective reviewed: <Rating Here>
  n.n Name of next control objective reviewed: <Rating Here>

AInn Name of Specific Acquisition and Implementation process area: <Rating Here>
  n.n Name of first control objective reviewed: <Rating Here>
  n.n Name of next control objective reviewed: <Rating Here>

DSnn Name of Specific Delivery and Support process area: <Rating Here>
  n.n Name of first control objective reviewed: <Rating Here>
  n.n Name of next control objective reviewed: <Rating Here>

DSnn Name of Specific Delivery and Support process area: <Rating Here>
  n.n Name of first control objective reviewed: <Rating Here>
  n.n Name of next control objective reviewed: <Rating Here>

Mn Name of Specific Monitoring process area: <Rating Here>
  n.n Name of first control objective reviewed: <Rating Here>
  n.n Name of next control objective reviewed: <Rating Here>


Assessment Questionnaire Organized by COBIT Objective:


High-level Control Objective: <High-level Objective 1 (follow CobiT order: PO first, then AI, DS, then M)>

Overall Maturity Rating: <Insert Rating Here>

Definition: <COBIT Management Definition of High Level Objective taken from the page in the Management Guidelines booklet with the rating definitions; begins with "Control over the IT process ... with the business goal of ...">

(Columns: Detailed Control Objective | Maturity Rating | Assessment Question | Client Response & Assessment Result)

EXAMPLE: Visitor Escort
Objective Specific to XYZ Company Technology Area Under Review: Visitors should be properly identified prior to being accorded access to the site. Visitors to critical areas of the site (those areas that house critical computer and network hardware, monitoring areas where hardware and software can be controlled, and environmental control and monitoring areas) should be escorted and monitored by an appropriate IT representative. Logs should be kept to record activity. Security guards and general staff should understand the requirements related to admitting visitors to the site. Visitor access procedures should detail requirements for authorization of entry and supervision.
Applicable COBIT Objective: DS12.3 Visitor Escort. Appropriate procedures are to be in place ensuring that individuals who are not members of the IT function's operations group are escorted by a member of that group when they must enter the computer facilities. A visitor's log should be kept and reviewed regularly.
Maturity Rating: <Rating Here>
Assessment Questions:
1. Describe visitor access requirements, detailing identification, escort and monitoring of site visitors.
2. Is a log kept to record the entry and exit of each visitor to the site?
3. Are visitors provided with electronic access badges? If so, please describe any controls relevant to restricting access to appropriate areas of the facility, and terminating access.
4. Are visitor access policies and procedures documented?
Client Response & Assessment Result:

<Name of COBIT Detailed Objective>
Objective Specific to XYZ Company Technology Area Under Review: <Include XYZ Company specific objectives here>
Applicable COBIT Objective: <Number and name of COBIT objective> <Text of the control objective as taken from COBIT>
Maturity Rating: <Rating Here>
Assessment Questions:
1. Assessment Questions Here
2. <Question>
3. <Question>
4. <Question>
Client Response & Assessment Result:


High-level Control Objective: <High-level Objective 2 (follow CobiT order: PO first, then AI, DS, then M)>

Overall Maturity Rating: <Insert Rating Here>

Definition: <COBIT Management Definition of High Level Objective taken from the page in the Management Guidelines booklet with the rating definitions; begins with "Control over the IT process ... with the business goal of ...">

(Columns: Detailed Control Objective | Maturity Rating | Assessment Question | Client Response & Assessment Result)

EXAMPLE: Visitor Escort
Objective Specific to XYZ Company Technology Area Under Review: Visitors should be properly identified prior to being accorded access to the site. Visitors to critical areas of the site (those areas that house critical computer and network hardware, monitoring areas where hardware and software can be controlled, and environmental control and monitoring areas) should be escorted and monitored by an appropriate IT representative. Logs should be kept to record activity. Security guards and general staff should understand the requirements related to admitting visitors to the site. Visitor access procedures should detail requirements for authorization of entry and supervision.
Applicable COBIT Objective: DS12.3 Visitor Escort. Appropriate procedures are to be in place ensuring that individuals who are not members of the IT function's operations group are escorted by a member of that group when they must enter the computer facilities. A visitor's log should be kept and reviewed regularly.
Maturity Rating: <Rating Here>
Assessment Questions:
5. Describe visitor access requirements, detailing identification, escort and monitoring of site visitors.
6. Is a log kept to record the entry and exit of each visitor to the site?
7. Are visitors provided with electronic access badges? If so, please describe any controls relevant to restricting access to appropriate areas of the facility, and terminating access.
8. Are visitor access policies and procedures documented?
Client Response & Assessment Result:

<Name of COBIT Detailed Objective>
Objective Specific to XYZ Company Technology Area Under Review: <Include XYZ Company specific objectives here>
Applicable COBIT Objective: <Number and name of COBIT objective> <Text of the control objective as taken from COBIT>
Maturity Rating: <Rating Here>
Assessment Questions:
5. Assessment Questions Here
6. <Question>
7. <Question>
8. <Question>
Client Response & Assessment Result:


High-level Control Objective: <High-level Objective 3 (follow CobiT order: PO first, then AI, DS, then M)>

Overall Maturity Rating: <Insert Rating Here>

Definition: <COBIT Management Definition of High Level Objective taken from the page in the Management Guidelines booklet with the rating definitions; begins with "Control over the IT process ... with the business goal of ...">

(Columns: Detailed Control Objective | Maturity Rating | Assessment Question | Client Response & Assessment Result)

EXAMPLE: Visitor Escort
Objective Specific to XYZ Company Technology Area Under Review: Visitors should be properly identified prior to being accorded access to the site. Visitors to critical areas of the site (those areas that house critical computer and network hardware, monitoring areas where hardware and software can be controlled, and environmental control and monitoring areas) should be escorted and monitored by an appropriate IT representative. Logs should be kept to record activity. Security guards and general staff should understand the requirements related to admitting visitors to the site. Visitor access procedures should detail requirements for authorization of entry and supervision.
Applicable COBIT Objective: DS12.3 Visitor Escort. Appropriate procedures are to be in place ensuring that individuals who are not members of the IT function's operations group are escorted by a member of that group when they must enter the computer facilities. A visitor's log should be kept and reviewed regularly.
Maturity Rating: <Rating Here>
Assessment Questions:
9. Describe visitor access requirements, detailing identification, escort and monitoring of site visitors.
10. Is a log kept to record the entry and exit of each visitor to the site?
11. Are visitors provided with electronic access badges? If so, please describe any controls relevant to restricting access to appropriate areas of the facility, and terminating access.
12. Are visitor access policies and procedures documented?
Client Response & Assessment Result:

<Name of COBIT Detailed Objective>
Objective Specific to XYZ Company Technology Area Under Review: <Include XYZ Company specific objectives here>
Applicable COBIT Objective: <Number and name of COBIT objective> <Text of the control objective as taken from COBIT>
Maturity Rating: <Rating Here>
Assessment Questions:
9. Assessment Questions Here
10. <Question>
11. <Question>
12. <Question>
Client Response & Assessment Result:


And so on…
