A communication medium for ICT practitioners in government agencies involved in the flagship programmes of the National ICT Council (Dewan TIK Nasional)

Friday, June 15, 2007

Form 02-PO55. Assurance for PO5.5 Benefit Management

| Version | Date | Revised by | Changes |
|---|---|---|---|
| 0.1 | 3 June 2007 | Sarwono Sutikno | Initial draft, cut and pasted from IT Assurance Guide using CobIT |
| 0.2 | 14 June 2007 | Sarwono Sutikno | Added Control Practice PO5.5 |
| 0.21 | 15 June 2007 | Sarwono Sutikno | Added references |


Date: ………………………

Evaluator: ………………………

Respondent: ………………………

Position: ………………………

Work unit: ………………………

Address: ………………………………………………………………………………..

Scope

References:

  1. IT Assurance Guide using CobIT, ISACA, May 2007
  2. CobIT Control Practice: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Ed, ISACA, 2007

PO5.5 Control Objective

Benefit Management - Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT’s contribution to the business, either as a component of IT-enabled investment programmes or as part of regular operational support, should be identified and documented in a business case, agreed to, monitored and reported. Reports should be reviewed and, where there are opportunities to improve IT’s contribution, appropriate actions should be defined and taken. Where changes in IT’s contribution impact the programme, or where changes to other related projects impact the programme, the programme business case should be updated.

PO5.5 Value Drivers

• Accurate identification of benefit variances during and after implementation
• Accurate information for portfolio decisions, i.e., continue, adjust or retire programmes
• Properly priced service delivery
• Transparency of IT’s contribution to the business
• Business understanding of actual cost and benefit of IT

PO5.5 Risk Drivers

• Misspending of IT investments
• Inappropriate service pricing
• IT value contribution not transparent
• Incorrect perception of IT value contribution

PO5.5 Control Practices

1. Develop metrics for monitoring IT’s contribution to the business case and establish in co-operation with all stakeholders:

· Targets that reflect on the required IT capabilities and, where possible, are easy to translate into business capability targets

· Trends in terms of cost reduction and the satisfaction of IT’s customers with the services delivered

· Post-implementation reviews for IT projects

2. Assign accountability for achieving benefits as recorded in the business case. Track and record in the business case how benefits change through the life cycle of programmes and projects and how they compare to internal and industry benchmarks.

3. Communicate the underlying reasons for measuring and monitoring selected benefits and the remediation process for the identified deviations.

4. Implement corrective action when benefits significantly deviate:

· For IT-enabled investment programmes – Update the business case of the project and the programme, and inform those responsible for portfolio management.

· For IT service delivery – Initiate improvement

5. Consider obtaining guidance from external experts, industry leaders and comparative benchmarking data to test and improve the metrics and targets.

6. Identify, quantify and qualify benefits of delivering IT solutions, providing IT services and managing IT assets as IT’s contribution to the business case.

Detailed Assurance Guide

Evidence, Record, Document, Reference

PO5.5 Test the Control Design

• Enquire whether and confirm that the cost management process provides sufficient information to identify, quantify and qualify benefits of delivering IT solutions, providing IT services and managing IT assets.

• Enquire whether and confirm that the allocation of benefits across time allows for meaningful analysis of benefits.

• Review the process for developing metrics for measuring benefits (e.g., obtaining guidance from external experts, industry leaders and comparative benchmarking data).

• Enquire whether and confirm that there is a remediation process for identified benefit deviations.

PO5 Control Process

Manage the IT Investment - A framework is established and maintained to manage IT-enabled investment programmes and that encompasses cost, benefits, prioritisation within budget, a formal budgeting process and management against the budget. Stakeholders are consulted to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and initiate corrective action where needed. The process fosters partnership between IT and business stakeholders; enables the effective and efficient use of IT resources; and provides transparency and accountability into the total cost of ownership, the realisation of business benefits and the ROI of IT-enabled investments.

Detailed Assurance Guide

Evidence, Record, Document, Reference

PO5 Test the Outcome of the Control Objectives

• Enquire whether and confirm that a financial management framework, processes and responsibilities have been defined and maintained to enable fair, transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of IT-enabled business programmes.

• Assess whether the financial management framework provides information to enable effective and efficient IT investment and portfolio decisions, enables estimation of IT costs and benefits, and provides input into the maintenance of IT asset and services portfolios. Determine whether the financial management framework and processes provide sufficient financial information to assist in the development of business cases and facilitate the budget process.

• Verify that investments, IT assets and services are being taken into account in preparing IT budgets.

• Enquire whether and confirm that the current IT budget is tracked against actual costs and that variations are analysed.

• Enquire whether and confirm that information provided by the budgeting process is sufficient to track project costs and assist in the allocation of IT resources.

• Enquire whether and confirm that an effective decision-making process is implemented to prioritise all IT initiatives and allocate budgets accordingly.

• Enquire whether and confirm that a methodology has been implemented to establish, maintain and communicate for change and approval of a formal IT budget.

• Enquire whether and confirm that process, service and programme owners as well as project and asset managers have been instructed in how to capture budget requirements and plan budgets.

• Confirm that there is a budgeting process and that this process is reviewed/improved on a periodic basis.

• Review the cost management framework and verify that it defines all IT-related costs. Verify that the tools used to monitor costs are effective and used properly (i.e., how costs are allocated across budgets and projects, how costs are captured and analysed, and to whom and how they are reported).

• Enquire whether and confirm that the allocation of the budget across time is aligned with IT projects and support activities to allow for meaningful analysis of budget variances.

• Enquire whether and confirm that IT financial management members have been instructed in how to capture, consolidate and report the cost data.

• Enquire whether and confirm that the appropriate level of management reviews the results of cost analysis and approves corrective actions.

• Enquire whether and confirm that responsibility and accountability for achieving benefits as recorded in the business case have been assigned.

• Enquire whether and confirm that the metrics for monitoring IT’s and the business’s contribution to the business case are collected, reported and analysed at regular intervals.

• Enquire whether and confirm that the identified budget deviations are approved by business and IT management.


Detailed Assurance Guide

Evidence, Record, Document, Reference

PO5 Document the Impact of the Control Weaknesses

• Assess the risks (e.g., threats, potential vulnerabilities, security, internal controls) that:
– Input into business cases may not take into account current IT asset and service portfolios
– New investment and maintenance may not influence the future IT budget
– Cost/benefit aspects of projects may not be communicated to the budget prioritisation, cost management and benefit management processes
– The allocation of IT resources may not be prioritised as a result of IT’s contribution to optimising ROI
– Ongoing review, refinement and approval of the overall budget and the budgets for individual programmes may not occur
– Cost deviations may not be identified in a timely manner and the impact of those deviations may not be assessed
– Opportunities to improve IT’s contribution to business solutions may not be considered
– Not all benefits may be identified in a cost-benefits analysis, resulting in poor prioritisation of projects and projects that could have been considered may be rejected
