Annex 2 – Goals Cascade, adapted from COBIT5

Academic year: 2019

Annex 1 – Integrated frameworks on Business/IT alignment

# | Enabler | Description
1 | Principles, policies, and frameworks | Turn desired behaviors into practical directions for management
2 | Processes | Composed of a set of activities/practices that produce a certain output
3 | Organizational structures | Key decision-making bodies
4 | Culture, ethics, and behavior | Beliefs, morals, and customs of the members of the company
5 | Information | Includes all the information produced and used by the enterprise
6 | Services, infrastructure, and applications | Provide the enterprise with IT processing and services
7 | People, skills, and competencies | Needed to perform activities, make decisions, and take corrective actions

RACI legend
Code | Role | Description
R | Responsible | The one(s) who perform the activity
A | Accountable | The one with decision authority
C | Consulted | The one(s) who give input
I | Informed | Entity(ies) who receive information

Annex 2 – RACI chart for EDM01, retrieved from COBIT5

Annex 4 – Complete list of COBIT's processes

Area: Governance
Domain: EDM (Evaluate, Direct and Monitor)
EDM01 Set and Maintain the Governance Framework
EDM02 Ensure Value Optimization
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency

Area: Management (PBRM: Plan, Build, Run and Monitor)
Domain: APO (Align, Plan and Organise)
APO01 Define the Management Framework for IT
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Cost
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Domain: BAI (Build, Acquire and Implement)
BAI01 Manage Programs and Projects
BAI02 Define Requirements
BAI03 Identify and Build Solutions
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Domain: DSS (Deliver, Service and Support)
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Domain: MEA (Monitor, Evaluate and Assess)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

Annex 5 – The 5 principles of COBIT5

# | Principle | Point of reference
1 | Meeting stakeholder needs | Goals cascade
2 | Covering the enterprise end-to-end | RACI charts
3 | Applying a single, integrated framework | Integrates ISACA's previous frameworks and the latest standards and frameworks, and offers GEIT and management best practices
4 | Enabling a holistic approach | Enablers
5 | Separating governance from management | Division of processes into two domains, EDM and PBRM

Process capability levels and process attributes

Capability level | Process attributes | Description
0 Incomplete | - | The purpose is not achieved; the process is not implemented.
1 Performed | PA 1.1 Process Performance | The purpose is achieved.
2 Managed | PA 2.1 Performance Management; PA 2.2 Work Product Management | The purpose is achieved and the process is managed (planned, monitored, adjusted).
3 Established | PA 3.1 Process Definition; PA 3.2 Process Deployment | The managed process is implemented using a defined process.
4 Predictable | PA 4.1 Process Measurement; PA 4.2 Process Control | The established process operates within defined limits to attain its specified objectives.
5 Optimizing | PA 5.1 Process Innovation; PA 5.2 Process Optimization | Continuous improvement of the process to meet current and future enterprise goals.

Annex 6 – Implementation cycle, retrieved from the COBIT 5 Implementation Guide

Process assessment (Step 1) of APO01, Define the Management Framework for IT

Purpose: Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies.

Assess whether the following outcomes are achieved. For each criterion the assessor records whether it is met (Y/N) and a comment; each process attribute is then rated Not achieved (0-15%), Partially achieved (15-50%), Largely achieved (50-85%) or Fully achieved (85-100%).

Level 0: Incomplete
The process is not implemented, or fails to achieve its process purpose. At this level there is little or no evidence of any achievement of the process purpose.

Level 1: Performed
PA 1.1 Process Performance. The implemented process achieves its process purpose. The following process outcomes are being achieved:
  APO01-O1 An effective set of policies is defined and maintained. Met: Y
  APO01-O2 Everyone is aware of the policies and how they should be implemented. Met: Y

Level 2: Managed
PA 2.1 Performance Management. A measure of the extent to which the performance of the process is managed. As a result of full achievement of this attribute (Y):
  a) Objectives for the performance of the process are identified. Y
  b) Performance of the process is planned and monitored. Y
  c) Performance of the process is adjusted to meet plans. Y
  d) Responsibilities and authorities for performing the process are defined, assigned and communicated. Y
  e) Resources and information necessary for performing the process are identified, made available, allocated and used. Y
  f) Interfaces between the involved parties are managed to ensure both effective communication and clear assignment of responsibility. Y
PA 2.2 Work Product Management. A measure of the extent to which the work products produced by the process are appropriately managed; the work products (or outputs from the process) are defined and controlled. As a result of full achievement of this attribute (Y):
  a) Requirements for the work products of the process are defined. Y
  b) Requirements for documentation and control of the work products are defined. Y
  c) Work products are appropriately identified, documented, and controlled. Y
  d) Work products are reviewed in accordance with planned arrangements and adjusted as necessary to meet requirements. Y

Level 3: Established
PA 3.1 Process Definition. A measure of the extent to which a standard process is maintained to support the deployment of the defined process. As a result of full achievement of this attribute (N):
  a) A standard process, including appropriate tailoring guidelines, is defined that describes the fundamental elements that must be incorporated into a defined process. N
  b) The sequence and interaction of the standard process with other processes is determined. N
  c) Required competencies and roles for performing a process are identified as part of the standard process. N
  d) Required infrastructure and work environment for performing a process are identified as part of the standard process. N
  e) Suitable methods for monitoring the effectiveness and suitability of the process are determined. N
PA 3.2 Process Deployment. A measure of the extent to which the standard process is effectively deployed as a defined process to achieve its process outcomes. As a result of full achievement of this attribute (N):
  a) A defined process is deployed based upon an appropriately selected and/or tailored standard process. N
  b) Required roles, responsibilities and authorities for performing the defined process are assigned and communicated. N
  c) Personnel performing the defined process are competent on the basis of appropriate education, training, and experience. N
  d) Required resources and information necessary for performing the defined process are made available, allocated and used. N
  e) Required infrastructure and work environment for performing the defined process are made available, managed and maintained. N
  f) Appropriate data are collected and analysed as a basis for understanding the behaviour of the process, to demonstrate its suitability and effectiveness, and to evaluate where continuous improvement of the process can be made. N

Level 4: Predictable
PA 4.1 Process Measurement. A measure of the extent to which measurement results are used to ensure that performance of the process supports the achievement of relevant process performance objectives in support of defined business goals. As a result of full achievement of this attribute (N):
  a) Process information needs in support of relevant defined business goals are established. N
  b) Process measurement objectives are derived from process information needs. N
  c) Quantitative objectives for process performance in support of relevant business goals are established. N
  d) Measures and frequency of measurement are identified and defined in line with process measurement objectives and quantitative objectives for process performance. N
  e) Results of measurement are collected, analysed and reported in order to monitor the extent to which the quantitative objectives for process performance are met. N
  f) Measurement results are used to characterise process performance. N
PA 4.2 Process Control. A measure of the extent to which the process is quantitatively managed to produce a process that is stable, capable and predictable within defined limits. As a result of full achievement of this attribute (N):
  a) Analysis and control techniques are determined and applied where applicable. N
  b) Control limits of variation are established for normal process performance. N
  c) Measurement data are analysed for special causes of variation. N
  d) Corrective actions are taken to address special causes of variation. N
  e) Control limits are re-established (as necessary) following corrective action. N

Level 5: Optimizing
PA 5.1 Process Innovation. A measure of the extent to which changes to the process are identified from analysis of common causes of variation in performance, and from investigations of innovative approaches to the definition and deployment of the process. As a result of full achievement of this attribute (N):
  a) Process improvement objectives for the process are defined that support the relevant business goals. N
  b) Appropriate data are analysed to identify common causes of variations in process performance. N
  c) Appropriate data are analysed to identify opportunities for best practice and innovation. N
  d) Improvement opportunities derived from new

Overall rating for the process: capability level 2 (see the Step 2 consolidation).

Annex 9 – Primary findings from the study made of inputs and outputs in COBIT5. When considering the sub-processes instead of the processes, the number of times a process is used as an input is greater than the number of times the same process is an output (Table 1). This is helpful when implementing the framework, since it makes it easier to identify which processes to start from: processes that serve more often as inputs should be implemented first, as they provide the foundation for subsequent processes. The effect is lost when considering processes rather than sub-processes (Table 2).

Table 1 – Subprocesses
Subprocess | # of times the process is an input | # of times the process is an output | Comment
APO013.2 | 210 | 20 | OK
MEA02.6 | 197 | 20 | OK
MEA03.2 | 197 | 18 | OK
MEA02.3 | 196 | 17 | OK
MEA02.8 | 196 | 23 | OK
APO02.6 | 195 | 17 | OK
MEA01.4 | 195 | 17 | OK
MEA01.5 | 195 | 19 | OK
MEA02.1 | 195 | 20 | OK
APO01.1 | 194 | 19 | OK
APO01.3 | 194 | 20 | OK
APO01.4 | 194 | 24 | OK
APO01.7 | 194 | 17 | OK
APO011.2 | 194 | 19 | OK
APO011.6 | 194 | 17 | OK
MEA01.2 | 194 | 17 | OK
MEA02.4 | 194 | 21 | OK
APO011.4 | 146 | 19 | OK

Table 2 – Processes
Process | # of times the process is an input | # of times the process is an output | Comment
BAI01 | 32 | 287 | NOT OK
BAI03 | 24 | 229 | NOT OK
MEA02 | 981 | 161 | OK
APO01 | 784 | 156 | OK
BAI07 | 15 | 153 | NOT OK
DSS04 | 13 | 148 | NOT OK
DSS02 | 19 | 147 | NOT OK
APO02 | 210 | 136 | OK
DSS05 | 12 | 135 | NOT OK
BAI05 | 25 | 135 | NOT OK
APO07 | 11 | 128 | NOT OK
APO05 | 22 | 125 | NOT OK
APO012 | 29 | 121 | NOT OK
DSS06 | 11 | 115 | NOT OK
APO011 | 553 | 111 | OK
APO08 | 7 | 105 | NOT OK
APO04 | 16 | 104 | NOT OK
APO09 | 20 | 104 | NOT OK

Step 2: consolidation of the Step 1 assessment table. For each capability level, the company must assess whether the criteria are met and what the respective rating is (N, P, L, F). As explained earlier, it is only possible to move on to the next level if the current one has a rating of L or F.

Consolidated rating for APO01, Define the Management Framework for IT
Level | Rating by criteria
Level 0 | F
Level 1 | F
Level 2 | L, L
Level 3 | P, N
Level 4 | N, N
Level 5 | N, N
Capability level: 2
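The rating scale and the level-progression rule above, as an added example that is not part of the original annex: a small Python module that maps an achievement percentage to N/P/L/F, then walks the levels under both the page's shorthand rule (a level is passed when its own attributes are rated L or F) and the rule as the COBIT 5 Process Assessment Model states it (the level's own attributes rated L or F, and every attribute of the lower levels rated F). The APO01 ratings are taken from the consolidation table; the `BORDERLINE_RATINGS` set is constructed here to show where the two rules disagree, and placing a value that sits exactly on a boundary (15, 50 or 85%) in the higher band is an assumption of the example, not something the page states.

```python
"""Capability level from process-attribute ratings (COBIT 5 / ISO/IEC 15504 style).

Added example, not part of the original annex. It encodes the rating scale on
the page (N 0-15%, P 15-50%, L 50-85%, F 85-100%), the page's shorthand
progression rule and the stricter COBIT 5 PAM rule, and runs both on the
APO01 ratings from the consolidation table.
"""
from typing import Dict, List

# Process attributes per capability level, as numbered in the assessment table.
# Level 0 (Incomplete) is the baseline and has no process attribute.
LEVEL_ATTRIBUTES: Dict[int, List[str]] = {
    1: ["PA 1.1"],
    2: ["PA 2.1", "PA 2.2"],
    3: ["PA 3.1", "PA 3.2"],
    4: ["PA 4.1", "PA 4.2"],
    5: ["PA 5.1", "PA 5.2"],
}

# APO01 ratings as recorded in the consolidation table on the page.
APO01_RATINGS: Dict[str, str] = {
    "PA 1.1": "F",
    "PA 2.1": "L", "PA 2.2": "L",
    "PA 3.1": "P", "PA 3.2": "N",
    "PA 4.1": "N", "PA 4.2": "N",
    "PA 5.1": "N", "PA 5.2": "N",
}

# Constructed ratings (not from the page) on which the two rules disagree:
# PA 1.1 is only Largely achieved, so the PAM rule stops at level 1.
BORDERLINE_RATINGS: Dict[str, str] = {"PA 1.1": "L", "PA 2.1": "L", "PA 2.2": "F"}

PASSING = {"L", "F"}


def rate(achievement_pct: float) -> str:
    """Map a percentage of achievement to the N/P/L/F scale.

    A value exactly on a boundary (15, 50, 85) is placed in the higher band;
    that tie-break is an assumption of this example, not something the page states.
    """
    if not 0 <= achievement_pct <= 100:
        raise ValueError(f"achievement must be within 0..100, got {achievement_pct!r}")
    if achievement_pct < 15:
        return "N"
    if achievement_pct < 50:
        return "P"
    if achievement_pct < 85:
        return "L"
    return "F"


def capability_level(ratings: Dict[str, str], strict: bool = True) -> int:
    """Return the highest capability level achieved (0 if level 1 is not reached).

    strict=True applies the COBIT 5 PAM convention: a level is achieved when its
    own attributes are rated L or F and every attribute of the lower levels is
    rated F.  strict=False applies the page's shorthand: a level is passed as
    long as its own attributes are rated L or F.  An attribute that was not
    rated counts as N.
    """
    achieved = 0
    for level in sorted(LEVEL_ATTRIBUTES):
        own = [ratings.get(pa, "N") for pa in LEVEL_ATTRIBUTES[level]]
        if not all(r in PASSING for r in own):
            break
        if strict:
            lower = [ratings.get(pa, "N")
                     for lvl in range(1, level)
                     for pa in LEVEL_ATTRIBUTES[lvl]]
            if not all(r == "F" for r in lower):
                break
        achieved = level
    return achieved


if __name__ == "__main__":
    for name, ratings in (("APO01", APO01_RATINGS), ("borderline", BORDERLINE_RATINGS)):
        print(f"{name}: PAM rule -> level {capability_level(ratings)}, "
              f"page shorthand -> level {capability_level(ratings, strict=False)}")
```

Run as a script it prints both results for each rating set. For APO01 both rules agree on capability level 2, because PA 1.1 is Fully achieved and PA 3.1 is only Partially achieved; the constructed borderline set reaches level 2 only under the shorthand, since its PA 1.1 is Largely rather than Fully achieved, which is exactly the case the PAM rule exists to catch.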


Annex 10 – Example of the application of COBIT's mapping, applied to the enterprise goals of the financial area. The following formula was then applied throughout the matrix:

Results for the financial area:
Process | Overall impact (financial)
APO01 | 19.25
EDM01 | 19
MEA01 | 18.5
EDM02 | 17.5
BAI02 | 17.25
APO02 | 16.75
APO08 | 16.75
DSS04 | 16.25
APO07 | 16
APO03 | 15.75
EDM03 | 15.5
APO11 | 15.5
APO12 | 15.5
BAI06 | 15.25

Annex 11 – Results from the exercise described in Annex 10. The overall total impact is the sum of each enterprise goal's influence across the BSC's four areas.

According to previous studies, the optimal number of control objectives is between 10 and 15 (Gerke, 2006; Al Omari, 2012; Huissoud, 2005). Given that COBIT5 provides a map relating each control objective from previous versions of COBIT to a process in COBIT5, a valid comparison between both is possible. As such, the top 18 most influential processes were selected. Note that the great majority of the processes with the highest level of influence on enterprise goals are also present in the top 15 processes with the highest influence; these were then included in the final list of processes with more influence, resulting in a list of 18 processes:

Top 18 processes by overall total impact (the first 15 rows are the top 15 referred to above)
Process | Overall total impact
APO01 | 58.75
EDM01 | 56.75
MEA01 | 56
EDM02 | 55.25
APO02 | 55
APO08 | 54.75
BAI02 | 54.75
APO03 | 52.25
DSS04 | 50.25
APO07 | 49.75
BAI01 | 47.75
EDM04 | 47.5
APO11 | 47.5
BAI06 | 46
APO05 | 45.75
APO10 | 45
EDM03 | 43.25
APO12 | 41.5

Annex 12 – Results from the test made to Hypothesis 1, where no correlation was found between the inputs' maturity level and the capability level of the outputs.

Annex 13 – Examples of how the performance levels of the activities within processes were determined. The activities' descriptions are retrieved from COBIT5; each activity is rated 0, 0.5 or 1.

DSS06.02 (capability level 3), activities:
1. Create transactions by authorised individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of these transactions.
2. Authenticate the originator of transactions and verify that he/she has the authority to originate the transaction.
3. Input transactions in a timely manner. Verify that transactions are accurate, complete and valid. Validate input data and edit or, where applicable, send back for correction as close to the point of origination as possible.
4. Correct and resubmit data that were erroneously input without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
5. Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.
6. Maintain the integrity of data during unexpected interruptions in business processing and confirm data integrity after processing failures.
7. Handle output in an authorised manner, deliver to the appropriate recipient and protect the information during transmission. Verify the accuracy and completeness of the output.
8. Before passing transaction data between internal applications and business/operational functions (inside or outside the enterprise), check for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
Rates recorded for the eight activities: 0, 0.5, 1, 0, 1, 1, 1, 1.

APO02.06 (capability level 3), activities:
1. Develop and maintain a network for endorsing, supporting and driving the IT strategy.
2. Develop a communication plan covering the required messages, target audiences, communication mechanisms/channels and schedules.
3. Prepare a communication package that delivers the plan effectively using available media and technologies.
4. Obtain feedback and update the communication plan and delivery as required.
Rates recorded for the four activities: 0, 1, 1, 1.

APO01.07 (capability level 5), activities:
1. Identify business-critical processes based on performance and conformance drivers and related risk. Assess process capability and identify improvement targets. Analyse gaps in process capability and control. Identify options for improvement and redesign of the process. Prioritise initiatives for process improvement based on potential benefits/costs.
2. Implement agreed-on improvements, operate as normal business practice, and set performance goals and metrics to enable monitoring of process improvements.
3. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardisation and automation of the process).
4. Apply quality management practices to update the process.
5. Retire outdated processes, process components or enablers.
Rates recorded for the five activities: 1, 1, 1, 1, 1.

EDM01.01 (capability level 0), activities:
1. Analyse and identify the internal and external environmental factors (legal, regulatory and contractual obligations), and trends in the business environment that may influence governance design.
2. Determine the significance of IT and its role with respect to the business.
3. Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise IT.
4. Align the ethical use and processing of information and its impact on society, the natural environment, and internal and external stakeholder interests with the enterprise's direction, goals and objectives.
5. Determine the implications of the overall enterprise control environment with regard to IT.
6. Articulate principles that will guide the design of governance and decision making of IT.
7. Understand the enterprise's decision-making culture and determine the optimal decision-making model for IT.
8. Determine the appropriate levels of authority delegation, including threshold rules, for IT decisions.
Rates recorded for the eight activities: 0, 0, 0, 0, 0, 0, 0, 0.

Annex 14 – Results from the testing of Hypothesis 3 (in the original table, the nature of the roles with more responsibilities assigned is highlighted in grey).

Number of RACI assignments per role group (three Management/Governance role columns followed by three IT role columns):
RACI | Management/Governance roles | | | IT roles | |
A | 9 | 3 | 4 | 1 | 2 | 2
R | 33 | 37 | 16 | 17 | 8 | 17
C | 49 | 33 | 21 | 5 | 17 | 15
I | 41 | 28 | 19 | 9 | 1 | 0
