The purpose of the COBIT Assessment Programme is to support the evaluation of IT process capability in an understandable, logical, repeatable, reliable and robust way (based on international standard ISO/IEC 15504). The assessment results provide a determination of process capability and can be used for process improvement, delivering value to the business, measuring the achievement of current or projected business goals, benchmarking, consistent reporting, and organizational compliance.
- Conduct COBIT 5 awareness sessions to identified stakeholders¹—Conducting awareness and training sessions helps to ensure adequate levels of participation of all identified stakeholders during the assessment, which is key for successful completion of all assessment activities and making good decisions and taking corrective actions.
- Meet with business/IT functional teams to understand the pain areas and/or opportunities²—Understanding business/IT context is an important activity to scope the assessment. This will help to understand and analyse current priorities and pain areas from a team perspective, as success of any enterprise depends on its people.
- Perform the goals cascade mechanism to prioritise the applicable COBIT 5 processes³—The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customised enterprise, IT-related and enabler goals. This translation allows for prioritising of specific COBIT 5 processes to assess and implement in support of the overall goals and stakeholder requirements.
- Agree on the scope of the COBIT 5 processes and target capability levels⁴—Confirming the preliminary selection of targeted COBIT processes with the project sponsor and key stakeholders of the process assessment is a critical success factor. In setting the target capability levels, consideration should be given to the impact on the business objectives of the enterprise if a specified level of capability is not achieved. The first consideration should be the impact on the enterprise if the process is non-existent or not working effectively or efficiently. The second consideration concerns the additional consequences of the effective and efficient operation of the processes at the various capability levels.
- Identify the respective process owners and conduct briefing sessions⁵—The process owners, participants in the processes and users of its work products are a principal source of knowledge and expertise about the processes, and they are in a good position to identify potential process capability weaknesses. Management support for the assessment needs to be in evidence to motivate participants to be open and constructive. It should be made clear that process assessments focus on the processes, not on the performance of enterprise staff involved with them. The intent is to make the processes perform more effectively in support of the defined business goals, not to allocate blame to individuals for poor performance.
- Obtain required evidence using agreed-upon methodologies⁶—Evidence should be collected in a systematic manner using explicitly identified strategies and techniques that are easily demonstrable. All evidence collected should be easily associated with each process involved in the assessment and sufficient to meet the purpose and scope of the assessment.
- Validate and gather additional evidence using direct and indirect approaches⁷—For each process, relate the evidence to defined process indicators and ensure that the data collected are correct and objective. Evidence can be either in the form of direct evidence, such as a document or an outcome, or indirect, such as plans to produce particular outcomes. In general, the primary sources of evidence will come from interviews that will be confirmed through an examination of work products and from base practices for the process being assessed to see whether the process outcomes are being achieved. In some cases, it could involve working through the process to understand it.
- Perform the process attribute rating⁸, ⁹—For each process assessed, a rating is assigned to each process attribute up to and including the highest capability level defined in the assessment scope. The rating is based on validated data, and traceability must be maintained between the objective evidence collected and the process attribute ratings assigned. The defined set of assessment indicators as indicated in the COBIT Process Assessment Model (PAM): Using COBIT 5 should be used.
- Report the identified strengths and opportunities¹⁰—The results of the assessment must be reported in an output document and provided to the assessment sponsor. The results of the assessment should be analysed and presented in the report, which should cover observed strengths and weaknesses in process capability, as well as identify any process improvement opportunities and define the capability of the processes assessed.
The formality of the programme approach requires an investment of time and expertise by a competent assessor, ideally a Certified COBIT Assessor. Therefore, when considering if and when a formal assessment is required, it is often helpful to perform an informal self-assessment exercise first. This will help to provide focus on the processes to be assessed. A self-assessment guide is available to all from ISACA.¹¹
Leela Ravi Shankar Dhulipalla, CGEIT, COBIT 5 Certified Assessor, Implementer and Accredited Trainer, PMP
Is a senior-level governance and management of enterprise IT professional with more than 16 years of experience.
1 ISACA, COBIT 5, USA, 2012, ch. 5
3 Ibid., ch. 2
4 ISACA, COBIT 5 Assessor Guide: Using COBIT 5, USA, 2013, sec. 4.1
5 Ibid., sec. 4.3
6 Ibid., sec. 4.4
7 Ibid., sec. 4.4 and 4.5
8 Ibid., sec. 4.3
9 ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5, USA, 2013, sec. 2 and 4
10 ISACA, COBIT 5 Assessor Guide: Using COBIT 5, sec. 4.7
11 ISACA, COBIT Self-Assessment Guide: Using COBIT 5, USA, 2013