Guidance to Validate Internal Control Assertions in Indian Financial Reporting
TABLE OF CONTENTS
Acknowledgements (page 3)
Section 1 – Executive Summary (page 4)
  Need for This Publication (page 4)
  Objective Statement (page 5)
  Identified Stakeholders (page 5)
  An Introduction to This Document (page 5)
  Benefits Derived From This Document (page 7)
  Approach to This Publication (page 8)
  An Example of How to Read the Document (page 10)
  References for the Publication (page 17)
Section 2 – Detailed Publication (page 18)
  Definitions (page 18)
  Chapter 1 – Governance and Risk Management in India – Regulatory Requirements to Comply With Indian Regulations (page 22)
    Governance (page 22)
    Risk Management (page 24)
    Assurance (page 25)
    Information Technology Act, 2000 (as Amended by Information Technology Amendment Act, 2008) (page 27)
    Summary (page 28)
  Chapter 2 – Introduction to COBIT 5 (page 29)
  Chapter 3 – How COBIT 5 Can Be Used to Comply With Governance (page 32)
    Stakeholder 1 – Board of Directors (page 38)
    Stakeholder 2 – Management (page 46)
    Stakeholder 3 – Auditor (page 77)
    Summary (page 92)
Section 3 – Checklists (page 92)
  Checklist 1 – General Checklist for Governance (page 93)
  Checklist 2 – General Checklist for Risk Management (page 94)
  Checklist 3 – General Checklist for Audit and Assurance (page 94)
  Checklist 4 – Compliance With the Data Protection Areas of the IT Act (page 95)
  Checklist 5 – Sample Checklist for the Auditor to Gain Assurance on the Controls That Are in Place to Protect Personally Identifiable Information (page 98)
ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
Disclaimer
This book is not intended to, and does not, provide legal, technical or other advice on compliance or related matters. Every
entity or individual using this book should seek expert technical, legal or other advice as appropriate to its respective needs and
circumstances. ISACA, its office bearers, its advisors/consultants, the authors, the reviewers and other persons associated with
the writing, reviewing, printing or publication of this book do not guarantee or warrant the accuracy, adequacy, completeness or
suitability of the content of this publication and they hereby disclaim any and all responsibility or liability for damages incurred
as a result of the content contained herein. They also hereby disclaim any responsibility or liability whatsoever for the
consequences of the use of this book by any person or entity. Courts in Cook County, state of Illinois, USA, alone shall have
jurisdiction relating to any lawsuits pertaining to this book.
The opinions and views expressed in Guidance to Validate Internal Control Assertions in Indian Financial Reporting are solely
those of the authors of this publication, as a practical application and implementation of COBIT 5 principles and good practices.
The opinions and views of the authors do not necessarily reflect those of ISACA.
Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed,
stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or
otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are solely
permitted for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full
attribution of the material’s source. No other right or permission is granted with respect to this work.
This text uses relevant ISACA publications with permission.
ISACA
3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
ISACA® and COBIT® are registered trademarks of ISACA.
Participate in the ISACA Knowledge Center: www.isaca.org/topic-India
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ACKNOWLEDGMENTS
ISACA Wishes to Recognize:
The ISACA India Task Force
Chairman, Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK,
COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force
Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA,
Freelance consultant and trainer, Pune, India
Mr. Anil Bhandari, CISA, CIA, DISA, AICWA, FCA, ANB Consulting Co., Mumbai, India
Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India
Mr. Sandeep Godbole, CISA, CISM, CGEIT, Syntel, Pune, India
Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt, Ltd., Hyderabad, India
Mr. Vaibhav Patkar, CISA, CISM, CRISC, CGEIT, Sutherland, Mumbai, India
Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India
Mr. Raghavendra Rao Hulgeri, CISA, Oracle Financial Services Software Ltd., Bangalore, India
Project Coordinator and Advisor
Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Content Development Team
Mr. Anand Prakash Jangid CISA, CISM, CFE, ACA, Quadrisk Advisors, Bangalore, India
Mr. Rajiv Gupta CISA, CFE, ACA, Coca-Cola India
Ms. Vishakha Chhawchharia CISA, ACA, Quadrisk Advisors, Bangalore, India
Mr. Amarnath Daga CISA, ACA, Quadrisk Advisors, Bangalore, India
Mr. Bharath Rao B CeHv8, Quadrisk Advisors, Bangalore, India
Mr. Anish Jain ACA, Quadrisk Advisors, Bangalore, India
Ms. Shefalika Sahu ACA, Quadrisk Advisors, Bangalore, India
Mr. Firoz Attarwala ACA, Quadrisk Advisors, Bangalore, India
Expert Reviewers
Mr. Abdul Rafeq, CISA, CGEIT, CIA, FCA, A. Rafeq and Associates, India
Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK,
COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force
Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA,
Freelance consultant and trainer, Pune, India
Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India
Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt, Ltd., Hyderabad, India
Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India
Mr. Shrikant Patil
Mr. Shashikant Shirahatti
SECTION 1 – EXECUTIVE SUMMARY
NEED FOR THIS PUBLICATION
As a part of "Management's Responsibility for Financial Statements", executive management of Indian companies assert to their
stakeholders the relevance of "the design, implementation and maintenance of internal controls" for the preparation and
presentation of financial statements that need to give a true and fair view of financial position on a particular date and
performance for the relevant period. Financial statements need to be devoid of any material misstatements, whether due to
fraud or error. This responsibility is an onerous one.
Under Section 211 (7) of the Indian Companies Act, 1956, in the event that a company fails to take all reasonable steps to secure
compliance, the willful negligence may be punishable with imprisonment for a term which may extend up to six months or a fine
which may extend to ten thousand rupees or with both imprisonment and a fine. The new Companies Act, 2013 has not only
emphasized the above requirements, but also has upped the ante in increasing a number of corporate governance and risk
management requirements.
This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements
and committing to assertions on internal controls. This publication guides the board, management and auditors in complying
with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the
Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 in using ISACA’s COBIT 5 framework.
With changing times, there is also a need for greater accountability of companies to their shareholders and customers. The need for governance arises from the separation of management from ownership. For a firm to succeed, it needs to attend to both economic and social aspects: it must be fair to producers, shareholders, customers and others, and it carries responsibilities toward employees and communities. Companies need to meet these responsibilities in full.
There are several important issues in governance, and all of them are interrelated and interdependent. Each issue carries a different priority in each corporate body.
The issues are:
1. Value-based corporate culture
2. Holistic view
3. Compliance with laws
4. Disclosure, transparency, and accountability
5. Governance and human resource management
6. Innovation
Corporate scandals, internally or at other companies, have shed light on the need to manage strategically in an effort to avoid
such catastrophes that often leave executives unemployed. Many executives believe that risks are higher than ever before.
However, they are unsure about how to manage them; therefore, many executives are welcoming risk management plans and
infrastructures. Finally, companies have learned that managing risk correctly can lead to increased shareholder value.
Companies are hoping to shift from a simple control process to a value creation process using an enterprisewide approach.
The concept of governance hinges on total transparency, integrity and accountability of management and the board of directors.
The importance of governance along with efficient risk management lies in its contribution both to business prosperity and to
accountability.
OBJECTIVE STATEMENT
This publication is aimed at solving the problems of C-level executives of various Indian enterprises signing financial statements
and committing to assertions on internal controls. This publication guides the board, management and auditors in complying
with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the
Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013 in using ISACA’s COBIT 5 framework.
IDENTIFIED STAKEHOLDERS
This publication is targeted at the following audience, whose roles are the most crucial in developing, maintaining and evaluating governance. COBIT® 5 is a business framework for the governance and management of enterprise IT, so the guidance addresses these roles only in the areas where IT and information are involved.
• Board of directors
• Management
o Chief executive officer (CEO)
o Chief financial officer (CFO)
o Chief information officer (CIO)
o Chief risk officer (CRO)
o Chief information security officer (CISO)
• Auditors (external and internal)
AN INTRODUCTION TO THIS DOCUMENT
Today, there is a growing dialogue among stakeholders about governance and how it should evolve to cope with the increasingly
dynamic and global nature of capital markets. This dialogue is taking place against a background of legislative and regulatory
change. There has been a significant increase in the scope of audit and other internal control and risk management along with
increased public scrutiny.
It is only with dialogue and active participation of all stakeholders that the appropriate balance can be reached between:
• Strengthened central controls and fast local responsiveness
• Effective risk management and the enduring need for innovation
• The costs of compliance with the new governance regulation and the value it brings
The following internal and external factors shape, and can disrupt, the governance and normal operations of the company.
Internal Factors
The Board of Directors/Management
The board advises the company’s CEO, who runs the daily operations, and reviews the quality of recommendations the CEO
receives from others in corporate management.
Some board members may be employees or family members (most often from the extended family of the company's founder). Other board members may be affiliated with the company through a banking relationship or a law firm retained by the company, or may represent a customer or supplier. Such members may be subject to potential conflicts of interest that cause them to act in ways not necessarily in the shareholders' best interests. This has led some observers to argue that boards should be composed primarily of independent directors and that different individuals should hold the CEO and board chairperson positions.
Internal Controls
Well-designed systems generate information that poses a reduced threat of material misstatement. However, simply having systems in place, even if they are properly engineered and constructed, does not guarantee either that the required actions are effective or that the collected data are reliable. Management therefore builds extra procedures into every system to help ensure that each operation is performed as intended and that the resulting financial data are reliable. Internal control over financial reporting is a formal system of checks and balances, monitored by management and the board of directors and reviewed by the external auditor. To be efficient and effective, these systems must be carefully designed and maintained. They need to keep company assets secure at minimum cost, and appropriate record keeping is a required aspect of virtually every system.
Anti-takeover Defenses
A company’s management and board may employ defenses to gain leverage in negotiating with a potential suitor or to solidify
current management’s position within the company.
Corporate Culture and Values
While internal systems and controls are important, good governance also results when the employee culture is instilled with
appropriate core values and behaviors. Setting the right tone and direction comes from the board of directors and senior
management and their willingness to behave in a manner consistent with what they demand from other employees.
Impact Due to Internal Factors
One can conclude that if the company’s internal controls are not aligned for achieving governance, the company can face serious
repercussions regarding integrity and professionalism of the company, which in turn affects the goodwill of the company.
Internal controls help the company to achieve long-term stability. If there is chaos in the company, loss of shareholder faith and
loss of money would be inevitable.
External Factors
Federal and state legislation, the court system, regulators, institutional activists and the corporate takeover market all play an
important role in maintaining good governance practices.
Institutional Activists
Pension funds, hedge funds, private equity investors and mutual funds have become increasingly influential institutions that can
affect the policies of companies in which they invest. There is growing evidence that institutional activism, in combination with
merger and acquisition activity, has become an important factor in disciplining underperforming managers.
Amalgamations and Acquisitions
Changes in corporate control can occur because of a hostile (i.e., bids contested by the target’s board and management) or
friendly takeover of a target company or because of a proxy contest initiated by dissident shareholders. When a company’s
internal mechanisms that govern management control are relatively weak, the corporate takeover market seems to act as a
“court of last resort” to discipline inappropriate management behavior. Strong internal governance mechanisms, by contrast,
lessen the role of the takeover threat as a disciplinary factor. Moreover, the disciplining effect of a takeover threat on a
company’s management can be reinforced when it is paired with a large shareholding by an institutional investor.
Impact Due to External Factors
After establishing an ideal internal control environment for governance, it is crucial that the company maintains it. External factors also affect the company's governance: where governance is not implemented correctly, the company is poorly placed to prevent or absorb events such as accounting fraud, cyberattacks, social engineering attacks and market instability. Any change in legal, compliance or statutory requirements has to be met by the company if it is to sustain itself in the market and grow.
This publication is aimed at giving guidance in developing, maintaining and evaluating the governance that arises out of the governance, risk management and information security regulatory requirements of the Companies Act, 2013, Clause 49 and the Information Technology Act, 2000 (as amended in 2008).
BENEFITS DERIVED FROM THIS DOCUMENT
Using this guidance note makes governance and enterprise risk management (ERM) easier to implement and yields a number of enterprise benefits, such as:
• Reduced complexity and increased cost-effectiveness due to improved and easier integration of governance and risk
management compliances, best practices, etc.
• Increased user satisfaction with governance arrangements and outcomes
• Improved integration of governance and ERM in the enterprise
• Informed risk decisions and risk awareness
• Reduced (impact of) costs of noncompliance of governance and ERM
• Improved management of costs related to the governance and ERM
• Better understanding of governance, ERM and internal controls
• Enhanced support for innovation and competitiveness
APPROACH TO THIS PUBLICATION
The approach is shown in the original as a flow chart with the following stages:
1. Regulations of the Companies Act, 2013 and Clause 49: regulations related to governance, risk management and data privacy were identified, and stakeholders were identified.
2. Stakeholder needs identification: questions are taken from COBIT and selected based on the regulation that is applicable to the stakeholder.
3. Enterprise goals identification: the respective enterprise goals are selected for the stakeholder needs.
4. IT goals identification: enterprise goals are converted to relevant IT goals according to the mapping given in the annexure of the COBIT 5 framework.
5. Process enablers and management practices: process enablers and practices from COBIT are selected and applied in the relevant section.
This publication was prepared in keeping with the following:
The COBIT enablers are tailored for compliance of governance requirements, enterprise risk management (ERM) and data
security requirements based on the previous chart. Section two of this publication is divided into three chapters. The first
chapter gives a broad view of the following:
• Regulatory requirements are captured in detail with respect to each identified stakeholder under the Companies Act, 2013, Clause 49 and the Information Technology Act, 2000 (as amended in 2008), covering the areas of governance, risk management, assurance and data security.
• Relevant practices are suggested by COBIT 5 that can be implemented to comply with these areas.
Chapter 2 gives an idea of the COBIT 5 framework and the COBIT 5 methodology through its principles and enablers.
Chapter 3 gives the relevant guidance for compliance to the listed regulations, keeping the stakeholders in mind, by using COBIT
5. This chapter has segregated the requirements that were applicable for each stakeholder, respectively, and the respective
COBIT enabler usage to meet the stakeholder requirements is explained. Therefore, it is crucial that the previous chart be kept in
mind while going through the document.
Stakeholders are expected to follow these steps in order to bring value to their company:
Chapter 1: regulatory requirements from the Companies Act, 2013, Clause 49 and the Information Technology Act, 2000 (as amended in 2008); governance, risk management, assurance and security.
Chapter 2: introduction to COBIT 5; principles and enablers.
Chapter 3: stakeholder segregation; RACI charts for the role of the stakeholder in an activity; COBIT 5 recommended practices for each stakeholder.
AN EXAMPLE OF HOW TO READ THE DOCUMENT
Risk management compliance is to be performed by the company.
Step 1 – Identify the regulation with which the user needs to comply (from chapter 1).
Section reference: Companies Act, 2013, Section 134, Clause 3(n)
Regulatory requirement: There shall be attached to statements laid before a company in general meeting, a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant management practices as identified for the various stakeholders in chapter 3.
Step 2 – Determine the stakeholders that are affected. Classify them as primary and secondary.
Primary stakeholder identified—Board of Directors
Secondary stakeholder Identified—Management
Step 3 – Identify the required processes of COBIT that need to be incorporated in order to comply with the selected regulation
from the “How this document will be useful” row.
Identified processes – EDM03, APO12
Step 4 – Locate the processes under the respective stakeholder (in chapter 3) and identify the role of the stakeholder in the RACI
chart (Responsible, Accountable, Consulted, Informed) that has been provided.
RACI Chart – Board of Directors
Governance Practice | Board
EDM03.01 Evaluate risk management. | A
EDM03.02 Direct risk management. | A
EDM03.03 Monitor risk management. | A
RACI Chart – Management
Columns, in order: Chief Executive Officer, Chief Financial Officer, Chief Information Security Officer, Chief Risk Officer, Chief Information Officer (one of the five columns is blank in each row).
Management Practice | RACI codes
APO12.01 Collect data. | I R R A
APO12.02 Analyze risk. | I C R A
APO12.03 Maintain a risk profile. | I C A R
APO12.04 Articulate risk. | I C R A
APO12.05 Define a risk management action portfolio. | I C A R
APO12.06 Respond to risk. | I R R A
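The five-step walkthrough (regulation to COBIT 5 processes to stakeholder to RACI role) is easy to encode, and doing so lets an auditor check a RACI chart mechanically for the one rule that makes accountability assertions meaningful: exactly one Accountable per practice. The following is an added example and not part of the ISACA publication. The EDM03 board rows and the mapping of section 134(3)(n) to EDM03 and APO12 are taken from the page; the APO12 management assignments are constructed placeholders (the chart above does not say which column is blank), and the last row is deliberately malformed to show what the check reports.

```python
"""Walk the regulation -> process -> stakeholder -> RACI chain and
sanity-check the chart.  Added example; EDM03 rows and the s.134(3)(n)
mapping come from the page, APO12 rows are constructed placeholders."""
from collections import Counter

# Steps 1-3: regulatory requirement -> COBIT 5 processes (from the page)
REGULATION_TO_PROCESSES = {
    "Companies Act, 2013 s.134(3)(n)": ["EDM03", "APO12"],
}

# Step 4: RACI chart, practice -> {role: code}.
RACI = {
    # Board rows as printed on the page
    "EDM03.01 Evaluate risk management.": {"Board": "A"},
    "EDM03.02 Direct risk management.": {"Board": "A"},
    "EDM03.03 Monitor risk management.": {"Board": "A"},
    # Management rows: ASSUMED assignments for illustration, not COBIT's chart
    "APO12.01 Collect data.": {"CEO": "I", "CFO": "R", "CISO": "R", "CRO": "A"},
    "APO12.02 Analyze risk.": {"CEO": "I", "CFO": "C", "CISO": "R", "CRO": "A"},
    "APO12.03 Maintain a risk profile.": {"CEO": "I", "CFO": "C", "CRO": "A", "CIO": "R"},
    # Deliberately broken row: two Accountable roles and no Responsible one
    "APO12.04 Articulate risk.": {"CEO": "I", "CRO": "A", "CIO": "A"},
}

VALID_CODES = {"R", "A", "C", "I"}


def processes_for(regulation):
    """Steps 1-3: the COBIT 5 processes mapped to a regulatory requirement."""
    return list(REGULATION_TO_PROCESSES.get(regulation, []))


def practices_in(chart, process_id):
    """All practices belonging to one process, e.g. 'EDM03' -> EDM03.01..03."""
    return [p for p in chart if p.startswith(process_id + ".")]


def role_view(regulation, role, chart=RACI):
    """Steps 4-5: for one stakeholder, the RACI code it holds in every
    practice of every process mapped to the regulation.  Practices in
    which the role does not appear are omitted."""
    view = {}
    for proc in processes_for(regulation):
        for practice in practices_in(chart, proc):
            code = chart[practice].get(role)
            if code is not None:
                view[practice] = code
    return view


def check_raci(chart, require_responsible=True):
    """Flag rows that break the usual RACI rules: only R/A/C/I codes,
    exactly one Accountable and, optionally, at least one Responsible.
    A governance-only slice such as the board chart holds the A while
    the R sits with management, so use require_responsible=False there."""
    problems = []
    for practice, roles in chart.items():
        counts = Counter(roles.values())
        bad = sorted(set(roles.values()) - VALID_CODES)
        if bad:
            problems.append((practice, f"invalid codes {bad}"))
        if counts["A"] != 1:
            problems.append((practice, f"expected exactly one A, found {counts['A']}"))
        if require_responsible and counts["R"] == 0:
            problems.append((practice, "no Responsible role"))
    return problems


if __name__ == "__main__":
    reg = "Companies Act, 2013 s.134(3)(n)"
    print("Board:", role_view(reg, "Board"))
    print("CRO:  ", role_view(reg, "CRO"))
    for practice, msg in check_raci(RACI, require_responsible=False):
        print("RACI problem:", practice, "-", msg)
```

Run as a script it prints the board's and the CRO's view of the two processes and reports the single malformed row. Keeping the chart as data rather than as a page of a document is what makes the "exactly one A" rule auditable every time the chart changes.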
Step 5 – Incorporate the activities that are described in detail under the respective stakeholder in the RACI chart (in chapter 3).
Board of Directors –
1. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise.
Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is
identified and managed.
Activities:
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives.
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to the enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise's capacity for IT-related loss and leadership's tolerance of it.
Detailed activities:
The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks, and, in assessing the risk, define a risk tolerance threshold for acceptable risks and opportunity levels.
The board needs to evaluate the risk factors before taking decisions on strategies to ensure that the impact of risk has been factored in.
The board should evaluate the risk management activities and regularly define the enterprise's capacity for loss and the tolerance limits.
2. EDM03.02 Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management
practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
Activities:
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.
Detailed activities:
The board needs to actively take part in promoting a culture where opportunities, risks and their impacts are proactively identified.
The board should ensure that the risk strategies for IT and the enterprise are integrated and that there are no conflicts between them.
The board should direct the development of risk communication plans and action plans for all levels of the enterprise, which shall ensure timely responses to a changing risk environment.
The board should encourage reporting of incidents by any level of management in a timely manner and direct handling of incidents according to the defined policies and procedures.
3. EDM03.03 Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be
identified, tracked and reported for remediation.
ACTIVITY DETAILED ACTIVITIES
1. Monitor the extent to which the risk profile is
managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance
and management processes against targets, analyze
the cause of any deviations, and initiate remedial
actions to address the underlying causes.
3. Enable key stakeholders’ review of the enterprise’s
progress towards identified goals.
The board needs to monitor the extent to which the risk
profile is managed and whether the profile is within the
thresholds of risk appetite.
The board should ensure that deviations of the processes
against the defined targets are analyzed and corrective
action needed is taken.
Management
1. APO12.01 Collect data.
Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
ACTIVITIES DETAILED ACTIVITIES
1. Establish and maintain a method for the collection,
classification and analysis of IT risk-related data,
accommodating multiple types of events, multiple
categories of IT risk and multiple risk factors.
2. Record relevant data on the enterprise’s internal and
external operating environment that could play a
significant role in the management of IT risk.
3. Survey and analyze the historical IT risk data and loss
experience from externally available data and trends,
industry peers through industry-based event logs,
databases, and industry agreements for common event
disclosure.
4. Record data on risk events that have caused or may
cause impacts to IT benefit/value enablement, IT
program and project delivery, and/or IT operations and
service delivery. Capture relevant data from related
issues, incidents, problems and investigations.
5. For similar classes of events, organize the collected data
and highlight contributing factors. Determine common
contributing factors across multiple events.
6. Determine the specific conditions that existed or were
absent when risk events occurred and the way the
conditions affected event frequency and loss
magnitude.
7. Perform periodic event and risk factor analysis to
identify new or emerging risk issues and to gain an
understanding of the associated internal and external
risk factors.
Management needs to establish and maintain a method for
collection, classification and analysis of risk-related data,
which accommodates multiple events, categories of risk and
risk factors.
Management should record relevant data on the enterprise's
internal and external operating environment that could play a
significant role in the management of risk.
Management should survey and analyze historical risk data and
loss experience from externally available data and trends, and
from industry peers through industry event logs, databases and
agreements for common event disclosure.
Risk events that have caused, or may cause, an impact on IT
value enablement, program and project delivery, or operations
and service delivery should be captured, together with relevant
data from related issues, incidents, problems and
investigations.
Management needs to determine the specific conditions
that existed or were absent when risk events occurred and
the way they affect event frequency and loss magnitude.
Management should perform periodic event and risk factor
analysis to identify new/emerging risk issues and gain an
understanding of associated risk factors.
2. APO12.02 Analyze risk.
Develop useful information to support risk decisions that take into account the business relevance of risk factors.
ACTIVITIES DETAILED ACTIVITIES
1. Define the appropriate breadth and depth of risk
analysis efforts, considering all risk factors and the
business criticality of assets. Set the risk analysis scope
after performing a cost-benefit analysis.
2. Build and regularly update IT risk scenarios, including
compound scenarios of cascading and/or coincidental
threat types, and develop expectations for specific
control activities, capabilities to detect and other
response measures.
3. Estimate the frequency and magnitude of loss or gain
associated with IT risk scenarios. Take into account all
applicable risk factors, evaluate known operational
controls and estimate residual risk levels.
4. Compare residual risk to acceptable risk tolerance and
identify exposures that may require a risk response.
5. Analyze cost-benefit of potential risk response options
such as avoid, reduce/mitigate, transfer/share, and
accept and exploit/seize. Propose the optimal risk
response.
6. Specify high-level requirements for projects or
programs that will implement the selected risk
responses. Identify requirements and expectations for
appropriate key controls for risk mitigation responses.
7. Validate the risk analysis results before using them in
decision making, confirming that the analysis aligns
with enterprise requirements and verifying that
estimations were properly calibrated and scrutinized for
bias.
Management needs to define the appropriate breadth and
depth of the risk analysis, considering all risk factors and the
business criticality of assets, and set the scope of the analysis
after performing a cost-benefit analysis.
Management needs to build and regularly update the risk
scenarios, including compound scenarios of cascading or
coincidental threat types, and develop expectations for specific
control activities, detection capabilities and other response
measures.
Management needs to estimate the frequency and magnitude of
loss or gain associated with each risk scenario, taking all
applicable risk factors into account, evaluating the known
operational controls and estimating the residual risk level.
Residual risk needs to be compared with the acceptable risk
tolerance so that the exposures requiring a risk response are
identified.
Management needs to conduct a cost-benefit analysis of the
potential risk response options (avoid, reduce/mitigate,
transfer/share, accept, or exploit/seize) and propose the
optimal response.
Management should specify high-level requirements for the
programs or projects that will implement the selected risk
responses, and identify the requirements and expectations for
the key controls used in mitigation responses.
Management needs to validate the risk analysis results before
using them for decision making: confirm that the analysis aligns
with enterprise requirements and verify that the estimates were
properly calibrated and scrutinized for bias.
3. APO12.03 Maintain a risk profile.
Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and
of related resources, capabilities and current control activities.
ACTIVITIES MANAGEMENT'S ROLE
1. Inventory business processes, including supporting
personnel, applications, infrastructure, facilities, critical
manual records, vendors, suppliers and outsourcers,
and document the dependency on IT service
management processes and IT infrastructure resources.
Management can take an inventory of business processes,
applications, infrastructure, facilities, critical manual
records, vendors, etc., and document the dependency on IT
service management processes and IT infrastructure
resources.
2. Determine and agree on which IT services and IT
infrastructure resources are essential to sustain the
operation of business processes. Analyze dependencies
and identify weak links.
3. Aggregate current risk scenarios by category, business
line and functional area.
4. On a regular basis, capture all risk profile information
and consolidate it into an aggregated risk profile.
5. Based on all risk profile data, define a set of risk
indicators that allow the quick identification and
monitoring of current risk and risk trends.
6. Capture information on IT risk events that have
materialized, for inclusion in the IT risk profile of the
enterprise.
Further, management should determine and agree on which
IT services and infrastructure resources are essential to
sustain the operation of business processes, analyze the
dependencies and identify the weak links.
Management needs to aggregate current risk scenarios by
category, business line and functional area.
On a regular basis, management should capture all risk profile
information and consolidate it into an aggregated risk profile.
Based on the profile data, management needs to define a set of
risk indicators that allow quick identification and monitoring
of current risk and risk trends.
Information on risk events that have materialized should be
captured for inclusion in the enterprise's risk profile.
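The frequency-times-magnitude estimate, the comparison of residual risk with tolerance and the cost-benefit choice of a response that APO12.02 describes, together with the roll-up of scenarios by category from APO12.03, as a worked example. This is an editor's illustration, not code from the COBIT 5 publication or from ISACA. The PERT weighting of three-point estimates, the multiplicative combination of control layers, the four scenarios, their rupee figures, the control effectiveness values and the INR 1,000,000 per-scenario tolerance are all assumptions made for the example.

```python
# Editor's added example, not from the COBIT 5 publication: scenarios, rupee
# figures, three-point estimates, control effectiveness and the tolerance
# threshold below are all constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Response:
    """Candidate risk response: yearly cost, and the share of loss that still
    gets past current controls which this option would remove (0..1)."""
    name: str
    annual_cost: float
    added_effectiveness: float

@dataclass
class Scenario:
    ref: str
    category: str
    description: str
    events_per_year: tuple        # (low, most likely, high) frequency estimate
    loss_per_event: tuple         # (low, most likely, high) loss in INR
    control_effectiveness: float  # share of loss averted by key controls in place
    options: list = field(default_factory=list)

def pert(low, likely, high):
    """Expected value of a three-point estimate, weighted 1:4:1 (PERT)."""
    if not low <= likely <= high:
        raise ValueError("estimate must satisfy low <= likely <= high")
    return (low + 4 * likely + high) / 6

def inherent_ale(s):
    """Annualised loss expectancy before controls: E[frequency] * E[loss]."""
    return pert(*s.events_per_year) * pert(*s.loss_per_event)

def residual_ale(s, extra_effectiveness=0.0):
    """ALE after current controls, optionally after one more response. Layers
    combine multiplicatively: the second only sees what the first let through."""
    return inherent_ale(s) * (1 - s.control_effectiveness) * (1 - extra_effectiveness)

def residual_range(s):
    """Best and worst case annual loss after current controls, so a report can
    show a range rather than only a point estimate (APO12.04 activity 1)."""
    (f_lo, _, f_hi), (l_lo, _, l_hi) = s.events_per_year, s.loss_per_event
    remaining = 1 - s.control_effectiveness
    return f_lo * l_lo * remaining, f_hi * l_hi * remaining

def propose_response(s, tolerance):
    """APO12.02 activities 4-5: compare residual risk with tolerance, then pick
    the option with the best net benefit (loss avoided minus cost) among those
    that bring residual risk within tolerance. Returns (decision, residual)."""
    current = residual_ale(s)
    if current <= tolerance:
        return "accept", current
    best = None
    for opt in s.options:
        after = residual_ale(s, opt.added_effectiveness)
        net_benefit = (current - after) - opt.annual_cost
        if after <= tolerance and net_benefit > 0 and (best is None or net_benefit > best[2]):
            best = (opt, after, net_benefit)
    if best is not None:
        return f"reduce: {best[0].name}", best[1]
    # No option both pays for itself and closes the gap: the risk owner must
    # decide between avoid, transfer/share, or formal acceptance above tolerance.
    return "escalate", current

def aggregate_by_category(scenarios):
    """APO12.03 activity 3: roll residual ALE up by risk category."""
    totals = defaultdict(float)
    for s in scenarios:
        totals[s.category] += residual_ale(s)
    return dict(totals)

TOLERANCE_INR = 1_000_000  # assumed per-scenario tolerance set by the board
SCENARIOS = [  # constructed sample register
    Scenario("R1", "access", "Privileged-account misuse in the ERP",
             (0.1, 0.5, 2.0), (500_000, 2_000_000, 10_000_000), 0.5,
             [Response("PAM with session recording", 1_500_000, 0.6),
              Response("Quarterly privileged-access review", 150_000, 0.2)]),
    Scenario("R2", "vulnerability", "Unpatched internet-facing application",
             (0.2, 1.0, 3.0), (200_000, 1_000_000, 5_000_000), 0.3,
             [Response("Managed patching SLA", 400_000, 0.5)]),
    Scenario("R3", "operations", "Loss of backup media in transit",
             (0.05, 0.1, 0.5), (100_000, 300_000, 1_000_000), 0.7),
    Scenario("R4", "operations", "Ransomware on file servers",
             (0.1, 0.3, 1.0), (2_000_000, 10_000_000, 50_000_000), 0.4,
             [Response("Immutable off-site backups", 800_000, 0.5)]),
]

def analyse(scenarios=SCENARIOS, tolerance=TOLERANCE_INR):
    """Rows for the risk report: one per scenario, with the proposed response."""
    rows = []
    for s in scenarios:
        decision, after = propose_response(s, tolerance)
        rows.append({"ref": s.ref, "inherent": inherent_ale(s), "residual": residual_ale(s),
                     "range": residual_range(s), "decision": decision, "residual_after": after})
    return rows

if __name__ == "__main__":
    for r in analyse():
        print(r["ref"], round(r["inherent"]), round(r["residual"]), r["decision"])
```

Two things in the output are worth noticing. For R1 the expensive PAM option is rejected even though it removes more loss, because in expected-value terms it does not pay for itself, while the cheaper access review does; that is the cost-benefit comparison activity 5 asks for, and it is why the analysis must carry costs as well as effectiveness. R4 is the escalation case: the only option on the table leaves residual risk above tolerance, so the decision (avoid, transfer, or accept above tolerance) belongs to the risk owner and the board under EDM03, not to the analyst.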
4. APO12.04 Articulate risk.
Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required
stakeholders for appropriate response.
ACTIVITIES DETAILED ACTIVITIES
1. Report the results of risk analysis to all affected
stakeholders in terms and formats useful to support
enterprise decisions. Wherever possible, include
probabilities and ranges of loss or gain along with
confidence levels that enable management to balance
risk-return.
2. Provide decision makers with an understanding of
worst-case and most-probable scenarios, due diligence
exposures, and significant reputation, legal or
regulatory considerations.
3. Report the current risk profile to all stakeholders,
including effectiveness of the risk management process,
control effectiveness, gaps, inconsistencies,
redundancies, remediation status, and their impacts on
the risk profile.
4. Review the results of objective third-party assessments,
internal audit and quality assurance reviews, and map
them to the risk profile. Review identified gaps and
exposures to determine the need for additional risk
analysis.
Management needs to report the results of risk analysis to
all affected stakeholders in terms and formats that support
enterprise decisions. Wherever possible, include probabilities
and ranges of loss or gain, with confidence levels, so that
management can balance risk and return.
Management should give decision makers an understanding of
the worst-case and most-probable scenarios, due diligence
exposures, and significant reputation, legal or regulatory
considerations.
The report on the current risk profile to stakeholders should
cover the effectiveness of the risk management process, control
effectiveness, gaps, inconsistencies, redundancies and
remediation status, and their impact on the risk profile.
Management should review the results of objective third-party
assessments, internal audits and quality assurance (QA)
reviews, map them to the risk profile, and review the identified
gaps and exposures to determine whether additional risk
analysis is needed.
5. APO12.05 Define a risk management action portfolio.
Manage opportunities to reduce risk to an acceptable level as a portfolio.
ACTIVITIES DETAILED ACTIVITIES
1. Maintain an inventory of control activities that are in
place to manage risk and that enable risk to be taken in
line with risk appetite and tolerance. Classify control
activities and map them to specific IT risk statements and
aggregations of IT risk.
2. Determine whether each organizational entity monitors
risk and accepts accountability for operating within its
individual and portfolio tolerance levels.
3. Define a balanced set of project proposals designed to
reduce risk and/or projects that enable strategic
enterprise opportunities, considering cost and benefits,
effect on current risk profile and regulations.
Management needs to make an inventory of control activities
that are in place to manage risk and that enable risk to be
taken in line with appetite and tolerance. The control activities
should be classified and mapped to specific risk statements
and aggregations of risk.
Management needs to determine whether each organizational
entity monitors its risk and accepts accountability for operating
within its individual and portfolio tolerance levels.
Management defines a balanced set of project proposals designed
to reduce risk and/or enable strategic opportunities, considering
costs and benefits, the effect on the current risk profile, and
regulations.
6. APO12.06 Respond to risk.
Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
ACTIVITIES DETAILED ACTIVITIES
1. Prepare, maintain and test plans that document the
specific steps to take when a risk event may cause a
significant operational or development incident with
serious business impact. Ensure that plans include
pathways of escalation across the enterprise.
2. Categorize incidents, and compare actual exposures
against risk tolerance thresholds. Communicate business
impacts to decision makers as part of reporting, and
update the risk profile.
3. Apply the appropriate response plan to minimize the
impact when risk incidents occur.
4. Examine past adverse events/losses, missed
opportunities, and determine root causes. Communicate
root cause, additional risk response requirements and
process improvements to appropriate decision makers
and ensure that the cause, response requirements and
process improvement are included in risk governance
processes.
Management needs to prepare, maintain and test plans that
document specific steps to take when a risk event may cause a
significant operational or development incident with serious
impact on the business. Further, ensure that plans include
escalations across the enterprise.
There needs to be a categorization of incidents and a
comparison of actual exposures against risk thresholds and
communication to decision makers as a part of reporting and
updating risk profiles.
Management should apply the appropriate response plan to
minimize the impact when risk incidents occur. Past adverse
events, losses and missed opportunities should be examined to
determine root causes, and the root causes, additional risk
response requirements and process improvements communicated
to the appropriate decision makers and fed into the risk
governance processes.
REFERENCES FOR THE PUBLICATION
• Companies Act, 2013
• Clause 49 of the Listing Agreement of SEBI
• Information Technology Act, 2000 (as Amended by IT Amendment Act, 2008)
• COBIT 5 framework
• COBIT® 5: Enabling Processes
• COBIT® 5 Implementation
• COBIT® 5 for Risk
• COBIT® 5 for Assurance
• Securing Sensitive Personal Data or Information Under India’s IT Act Using COBIT® 5
• COBIT® 5: Enabling Information
• COBIT® 5 for Information Security
• Board Briefing on IT Governance (an ISACA publication)
SECTION 2 – DETAILED PUBLICATION
Section 2 is the core section of this publication. It contains the guidance note on compliance with governance and risk
management requirements in India using COBIT 5, and is divided into three chapters. Chapter 1 describes the regulations that
must be complied with to achieve the minimum required governance and enterprise risk management (ERM). Chapter 2 gives a
brief introduction to the COBIT 5 framework, its five principles and its seven enablers. Chapter 3 explains in detail how COBIT 5
can be used to comply with the regulations identified in chapter 1, for each stakeholder within the scope of this publication.
DEFINITIONS
The following terms are defined according to their respective acts. The same meaning should be used while interpreting this
document.
Sr. No. Term Definition
1 Board of Directors In relation to a company, the collective body of the directors of the
company
2 Independent Director An independent director referred to in sub-section (6) of section 149, i.e., a
director other than a managing director or a whole-time director or a
nominee director
(a) in the opinion of the Board, a person of integrity who possesses relevant
expertise and experience
(b) (i) person who is or was not a promoter of the company or its holdings,
subsidiary or associate company
(b) (ii) person who is not related to promoters or directors in the company,
its holdings, subsidiary or associate company
(c) person who has or had no pecuniary relationship with the company, its
holdings, subsidiary or associate company, or their promoters, or directors,
during the two immediately preceding financial years or during the current
financial year
(d) person, none of whose relatives has or had a pecuniary relationship or
transaction with the company, its holdings, subsidiary or associate
company, or their promoters, or directors, amounting to two percent or
more of its gross turnover or total income or fifty lakh rupees or such higher
amount as may be prescribed, whichever is lower, during the two
immediately preceding financial years or during the current financial year
(e) person who, neither himself nor any of his relatives—
(i) holds or has held the position of key managerial personnel or is or
has been an employee of the company or its holdings, subsidiary or
associate company in any of the three financial years immediately
preceding the financial year in which he is proposed to be appointed
(ii) is or has been an employee or proprietor or a partner, in any of the
three financial years immediately preceding the financial year in which he is
proposed to be appointed, of:
(A) a firm of auditors or company secretaries in practice or cost
auditors of the company or its holdings, subsidiary or associate company; or
(B) any legal or a consulting firm that has or had any transaction with
the company, its holdings, subsidiary or associate company amounting to
ten percent or more of the gross turnover of such firm
(iii) holds together with his relatives two percent or more of the total
voting power of the company or
(iv) is a chief executive or director, by whatever name called, of any
nonprofit organization that receives twenty-five percent or more of its
receipts from the company, any of its promoters, directors or its holdings,
subsidiary or associate company or that holds two percent or more of the
total voting power of the company or
(f) who possesses such other qualifications as may be prescribed
3 Key Managerial Personnel In relation to a company:
(i) the CEO or the managing director or the manager
(ii) the company secretary
(iii) the whole-time director
(iv) the chief financial officer; and
(v) such other officer as may be prescribed
4 Sensitive Personal Data Personal information that relates to passwords; financial information such
as bank account or credit card or debit card or other payment instrument
details; physical, psychological and mental health condition; sexual
orientation; medical records and history, biometric information
5 Body Corporate Any company, including a firm, sole proprietorship or other association of
individuals engaged in commercial or professional activities. The term is not
restricted to a body corporate established in India, and it also covers an
organization that collects, stores or processes sensitive data on behalf of a
body corporate (a data processor).
8 Identity Theft Fraud in which a person assumes another person's identity and pretends to
be that person, usually as a means of gaining access to resources. This is also
called personation.
9 Cyberterrorism Threats to the unity, integrity, security or sovereignty of India or to strike
terror in the people or any section of the people by:
(i) denying or causing the denial of access to any person authorized to
access a computer resource; or
(ii) attempting to penetrate or access a computer resource without
authorization or exceeding authorized access; or
(iii) introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injury to
persons, damage to or destruction of property, or disruption of supplies or
services essential to the life of the community (or knows that such damage or
disruption is likely), or adversely affects the critical information
infrastructure specified under section 70.
10 Intermediary Any person who on behalf of another person stores or transmits a message
or provides any service with respect to that message
11 Computer resources Computer, communication device, computer system, computer network,
data, computer database or software
1 Internal Control Processes and methods designed by management or other personnel to ensure
the integrity of financial and accounting information, meet operational and
profitability targets, and transmit management policies throughout the
organization. Basic policies related to internal controls were created to
ensure suitable business practices.
2 Audit Committee An operating committee of a company's board of directors that is in charge
of overseeing financial reporting and disclosure. It is also responsible for
overseeing all internal and external audit functions of a company.
3 Whistleblower Anyone who has and reports insider knowledge of illegal activities occurring
in an organization. Whistleblowers can be employees, suppliers,
contractors, clients or any individual who somehow becomes aware of
illegal activities taking place in a business, either through witnessing the
behavior or being told about it. In other words, a person who informs on a
person or organization regarded as engaging in an unlawful or immoral
activity.
CHAPTER 1 - GOVERNANCE AND RISK MANAGEMENT IN INDIA – REGULATORY REQUIREMENTS TO
COMPLY WITH THE INDIAN REGULATIONS
This chapter presents information on the enactments and sets out the scope and objectives of this guidance note using COBIT
5. The COBIT 5 guidance itself is explained in detail in chapter 3 with respect to each stakeholder. The Companies Act, 2013 and
Clause 49 receive the most attention. Because this is also the digital era, the Information Technology Act, 2000 (as amended by
the IT Amendment Act, 2008) is covered as well, with respect to the data privacy and penalty provisions in India.
All of the respective regulations have been identified and explained for every stakeholder in the scope of this publication with
reference to the governance, risk management, assurance and privacy regulations.
GOVERNANCE
Governance regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49
and have been explained in the following table.
Section Reference Regulatory Requirement
Companies Act, 2013
Section – 149, Schedule – IV
The company and its independent directors shall abide by the provisions specified in Schedule
IV, which sets out the roles and functions of independent directors, i.e.:
• To help in bringing an independent judgment to bear on the board's deliberations on
risk management issues
• To satisfy themselves on the integrity of financial information, and that financial
controls and the systems of risk management are robust and defensible
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO12, and their relevant
management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section – 177, Clause – 4(vii)
Every audit committee shall act in accordance with the terms of reference specified in
writing by the board, which shall inter alia include evaluation of internal financial controls
and risk management systems.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, BAI01, BAI02,
DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for
the various stakeholders in chapter 3
Clause 49
Section – IV, Clause – (c)
The company shall lay down procedures to inform board members about the risk
assessment and minimization procedures. These procedures shall be periodically
reviewed to ensure that executive management controls risk through means of a properly
defined risk management framework.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, APO02,
APO12, BAI01, BAI02 DSS06, MEA01, MEA02, MEA03 and their relevant management
practices as identified for the various stakeholders in chapter 3
Clause 49
Section – IV, Clause – (f)
As part of the directors’ report or as an addition thereto, a Management Discussion and
Analysis report should form part of the Annual Report to the shareholders. This
Management Discussion and Analysis report should include discussion on risks and
concerns within the limits set by the company’s competitive position.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO01, APO12, BAI01,
BAI02, BAI06, BAI07, DSS01, DSS06 and their relevant management practices as identified
for the various stakeholders in chapter 3
Companies Act, 2013
Section – 138 (1)
Such class or classes of companies as may be prescribed shall be required to appoint an
internal auditor, who shall be either a chartered accountant or a cost accountant, or such
other professional as may be decided by the board to conduct internal audit of the
functions and activities of the company.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section – 143, Clause – 3(i)
The auditor’s report shall also state whether the company has adequate internal financial
controls system in place and the operating effectiveness of such controls.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section – 177 (4)
Every audit committee shall act in accordance with the terms of reference specified in
writing by the board which shall, inter alia, include:
• Review and monitoring of the auditor's independence and performance, and the
effectiveness of the audit process
• Evaluation of internal financial controls and risk management systems
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02,
MEA03 and their relevant management practices as identified for the various stakeholders
in chapter 3
Clause 49
Section – II, Clause – (d), (e)
The role of the audit committee shall include the following:
a) Reviewing, with management, performance of statutory and internal auditors,
adequacy of the internal control systems
b) Reviewing the adequacy of internal audit function, if any, including the structure of
the internal audit department, staffing and seniority of the official heading the
department, reporting structure coverage and frequency of internal audit
c) Discussion with internal auditors of any significant findings and follow up
d) Reviewing the findings of any internal investigations by the internal auditors into
matters where there is suspected fraud or irregularity or a failure of internal
control systems of a material nature and reporting the matter to the board
e) Management discussion and analysis of financial condition and results of operations
f) Management letters/letters of internal control weaknesses issued by the statutory
auditors.
g) Internal audit reports relating to internal control weaknesses
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02,
MEA03 and their relevant management practices as identified for the various stakeholders
in chapter 3
RISK MANAGEMENT
Risk management regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause
49 and have been explained in the following table.
Section Reference Regulatory Requirement
Companies Act, 2013
Section - 134, Clause - 3(n)
There shall be attached to statements laid before a company in general meeting, a report
by its board of directors, which shall include a statement indicating development and
implementation of a risk management policy for the company, including identification of
elements of risk, if any, which in the opinion of the board may threaten the existence of
the company.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant
management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section - 149 (8), Schedule – IV
The independent directors shall help in bringing an independent judgment to bear on the
board's deliberations, especially on issues of risk management and resources, and shall satisfy
themselves that financial controls and the systems of risk management are robust and defensible.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM04, EDM03, APO12,
DSS06 and their relevant management practices as identified for the various stakeholders
in chapter 3
Clause 49
Section - IV, Clause – c
The company shall lay down procedures to inform board members about the risk
assessment and minimization procedures. These procedures shall be periodically reviewed
to ensure that executive management controls risk through means of a properly defined
framework.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM05, APO12, DSS06,
MEA01, MEA02, MEA03, DSS01 and their relevant management practices as identified for
the various stakeholders in chapter 3
Clause 49
Section - IV, Clause – f
Management Discussion and Analysis report should include discussion on risks and
concerns as well as internal control systems and their adequacy within the limits set by
the company’s competitive position.
How this document will be useful Provides guidance by mapping to COBIT 5 processes APO12, MEA02 and their relevant
management practices as identified for the various stakeholders in chapter 3
ASSURANCE
Assurance regulatory requirements for the auditor stakeholder have been identified from the Companies Act, 2013 and Clause
49 and have been explained in the following table.
Section Reference Regulatory Requirement
Companies Act, 2013
Section - 177, Clause - 4(vii)
Every audit committee shall act in accordance with the terms of reference specified in
writing by the board, which shall include evaluation of internal financial controls and risk
management systems.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section - 138 (1)
Prescribed classes of companies shall be required to appoint an internal auditor, who is an
assurance professional (auditor) decided by the board to conduct internal audit of the
functions and activities of the company.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Companies Act, 2013
Section - 143 (3), clause – i
The auditor’s report shall state that whether the company has adequate internal financial
controls system in place and the operating effectiveness of such controls.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - d (6)
The role of the audit committee shall include reviewing, with management, the
performance of statutory and internal auditors, and adequacy of the internal control
systems.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - d (7)
The role of the audit committee shall include reviewing the adequacy of internal audit
function, if any, including the structure of the internal audit department, staffing and
seniority of the official heading the department, reporting structure coverage and
frequency of internal audit.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - d (9)
The role of the audit committee shall include reviewing the findings of any internal
investigations by the internal auditors into matters where there is suspected fraud or
irregularity or a failure of internal control systems of a material nature and reporting the
matter to the board.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - d (12)
The role of the audit committee shall include reviewing the functioning of the whistle-
blower mechanism, in case the same is prevailing.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - e (1)
The audit committee shall mandatorily review the management discussion and analysis of financial condition and results of
operations.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - e (3)
The audit committee shall mandatorily review the management letters / letters of
internal control weaknesses issued by the statutory auditors.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - II, Clause - e (4)
The audit committee shall mandatorily review the internal audit reports relating to
internal control weaknesses.
How this document will be useful Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their
relevant management practices as identified for the various stakeholders in chapter 3
Clause 49
Section - VII, Clause - 1
The company shall obtain a certificate from either the auditors or practicing company
secretaries regarding compliance of conditions of governance as stipulated in this clause
and annex the certificate with the directors’ report, which is sent annually to all the
shareholders of the company.
How this document will be useful N/A
INFORMATION TECHNOLOGY ACT, 2000 (AS AMENDED BY INFORMATION TECHNOLOGY AMENDMENT ACT, 2008)
Data privacy and penalty regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and
Clause 49 and have been explained in the following table.
Section Reference Regulatory Requirement
Section 43A The obligation to protect sensitive personal data applies to every entity (body corporate)
that:
• Possesses, deals with or handles any sensitive personal data or information (SPDI)
• In a computer resource that it owns, controls or operates
How this document will be useful Provides guidance by mapping to COBIT 5 processes APO13, MEA02, MEA03, DSS02,
DSS05 and their relevant management practices as identified for the various stakeholders
in chapter 3
Section 43A Where an entity that is obliged to maintain security of sensitive personal data is negligent
in implementing and maintaining reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any person, such entity would be liable to
pay damages by way of compensation to the person so affected.
How this document will be useful Provides guidance by mapping to COBIT 5 processes APO13, MEA02, MEA03, DSS02,
DSS05 and their relevant management practices as identified for the various stakeholders
in chapter 3
Section 43A Body corporate to provide policy for privacy and disclosure of information.
The body corporate or any person who on behalf of the body corporate collects, receives,
possesses, stores, deals or handles information of provider of information, shall provide a
privacy policy for handling of or dealing in personal information, including sensitive
personal data or information, and ensure that the policy is available for view by such
providers of information who have provided such information under lawful contract.
How this document will be useful Provides guidance by mapping to COBIT 5 processes EDM01, EDM03 and their relevant
management practices as identified for the various stakeholders in chapter 3
Section 66E Punishment for violation of privacy:
Whoever intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances violating the
privacy of that person, shall be punished with imprisonment which may extend to three
years or with a fine not exceeding two lakh rupees, or with both imprisonment and a fine.
How this document will be useful N/A
Section 66A Any person who sends, by means of a computer resource or a communication device:
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or
ill will, persistently makes use of such computer resource or a communication device,
c) any electronic mail or electronic mail message for the purpose of causing annoyance or
inconvenience or to deceive or to mislead the addressee or recipient about the origin of
such messages (Inserted vide ITAA 2008)
How this document will be useful N/A
Section 66B Whoever dishonestly receives or retains any stolen computer resource or communication
device knowing or having reason to believe the resource or device to be stolen, shall be
punished with imprisonment of either description for a term, which may extend to three
years or with a fine, which may extend to rupees one lakh or with both imprisonment and a
fine.
How this document will be useful N/A
Section 66C Whoever fraudulently or dishonestly makes use of the electronic signature, password or
any other unique identification feature of any other person, shall be punished with
imprisonment of either description for a term which may extend to three years and shall
also be liable to a fine which may extend to rupees one lakh.
How this document will be useful N/A
Section 66D Whoever, by means of any communication device or computer resource cheats by
personation, shall be punished with imprisonment of either description for a term, which
may extend to three years and shall also be liable to a fine, which may extend to one lakh
rupees.
How this document will be useful N/A
Section 67C (1) Intermediary shall preserve and retain such information as may be specified for such
duration and in such manner and format as the central government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-
section (1) shall be punished with imprisonment for a term which may extend to three
years and shall also be liable to a fine
How this document will be useful N/A
SUMMARY
There is great effort being made in India to achieve efficient governance and risk management. Governance and risk
management are regulated by the Companies Act, 2013 and Clause 49. Data that are generated have to be preserved, keeping in
mind Confidentiality and Privacy perspectives. Privacy of the data is regulated by the Information Technology Act, 2000 (as
amended in 2008).
CHAPTER 2: INTRODUCTION TO COBIT 5
Executive Summary
According to COBIT 5, information is the currency of the 21st century enterprise. Information, and the technology that supports
it, can drive success, but it also raises challenging governance and management issues. This section explains the need for using
the approach and latest thinking provided by globally recognized framework COBIT 5 as a benchmark for reviewing and
implementing governance and management of enterprise IT. It explains the principles and enablers of COBIT 5 and how it can be
an effective tool to help enterprises to simplify complex issues, deliver trust and value, manage risk, reduce potential public
embarrassment, protect intellectual property, and maximize opportunities.
COBIT 5 helps enterprises to manage IT-related risk and ensures compliance, continuity, security and privacy. COBIT 5 enables
clear policy development and good practice for IT management, including increased business user satisfaction. The key
advantage of using a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not-
for-profit or in the public sector.
Five Principles of COBIT 5
Source: COBIT 5, ISACA, USA, 2012, figure 2
COBIT 5 simplifies governance challenges with just five principles. The five key principles for governance and management of
enterprise IT in COBIT 5 taken together enable the enterprise to build an effective governance and management framework
that optimizes information and technology investment and use for the benefit of stakeholders.
Principle 1: Meeting Stakeholder Needs: Enterprises exist to create value for their stakeholders by maintaining a balance
between the realization of benefits and the optimization of risk and use of resources. COBIT 5 provides all of the required
processes and other enablers to support business value creation using IT. Because every enterprise has different objectives, an
enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into
manageable, specific, IT-related goals and mapping these to specific processes and practices.
The COBIT 5 goals cascade is the mechanism to translate stakeholder needs to specific, actionable and customized enterprise
goals—IT-related goals and enabler goals.
Principle 2: Covering the Enterprise End-to-end: COBIT 5 integrates governance of enterprise IT into enterprise governance. It
covers all functions and processes within the enterprise; COBIT 5 does not focus only on the IT function, but treats information
and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise. It considers
all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and
everyone internal and external that is relevant to governance and management of enterprise information and related IT.
Principle 3: Applying a Single Integrated Framework: There are many IT-related standards and best practices, each providing
guidance on a subset of IT activities. COBIT 5 is a single and integrated framework because it aligns with other latest relevant
standards and frameworks; this allows the enterprise to use COBIT 5 as the overarching governance and management
framework integrator. It is complete in enterprise coverage, providing a basis to integrate effectively other frameworks,
standards and practices used.
Principle 4: Enabling a Holistic Approach: Efficient and effective governance and management of enterprise IT require a holistic
approach, taking into account several integrating components. COBIT 5 defines a set of enablers to support the implementation
of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can
help to achieve objectives of the enterprise.
Principle 5: Separating Governance From Management: The COBIT 5 framework makes a clear distinction between
governance and management. These two disciplines encompass different types of activities, require different organizational
structures and serve different purposes.
• Governance: It ensures that stakeholder needs, conditions and options are evaluated to determine balanced,
agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making,
and monitoring performance and compliance against agreed-on direction and objectives. In most
organizations, governance is the responsibility of the board of directors under the leadership of the
chairperson. Specific governance responsibilities may be delegated to special organizational structures at an
appropriate level, especially in larger, complex organizations.
• Management: It plans, builds, runs and monitors activities in alignment with the direction set by the
governing body to achieve the objectives. In most enterprises, management is the responsibility of executive
management under the leadership of the chief executive officer (CEO).
From the definition of governance and management it is clear that they comprise different types of activities, with different
responsibilities; however, given the role of governance to evaluate, direct and monitor, a set of interactions is required between
governance and management to result in an efficient and effective governance system.
Seven Enablers of COBIT 5
Enablers are factors that, individually and collectively, influence whether something will work, in this case, governance and
management over enterprise IT. The goals cascade, i.e., higher level IT-related goals defining what the different enablers should
achieve, drives enablers.
The seven categories of enablers are:
• Principles, Policies and Frameworks are the vehicles to translate the desired behavior into practical guidance for day-
to-day management.
• Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of
outputs in support of achieving overall IT-related goals.
• Organizational Structures are the key decision-making entities in an enterprise.
• Culture, Ethics and Behavior of individuals and of the enterprise are very often underestimated as a success factor in
governance and management activities.
• Information is pervasive throughout any organization and includes all information produced and used by the
enterprise. Information is required for keeping the organization running and well governed, but at the operational level,
information is very often the key product of the enterprise itself.
• Services, Infrastructure and Applications include the infrastructure, technology and applications that provide the
enterprise with information technology processing and services.
• People, Skills and Competencies are linked to people and are required for successful completion of all activities and for
making correct decisions and taking corrective actions.
Source: COBIT 5, ISACA, USA, 2012, figure 2
CHAPTER 3 – HOW COBIT 5 CAN BE USED TO COMPLY WITH GOVERNANCE
Chapter 3 has been developed so that the COBIT 5 practices that are required for every stakeholder as an individual are
provided. COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance
and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance
between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a
holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility,
considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all
sizes, whether commercial, not-for-profit or in the public sector.
The solution has been formulated by following these steps:
Step 1 – Identification of stakeholder needs that are required by the regulations and mapping with the relevant enterprise goals
Step 2 – Mapping of enterprise goals with the relevant IT goals
Step 3 – Mapping of IT goals with relevant IT processes
Step 4 – Segregation of IT processes that would be applicable to the following stakeholders:
Stakeholder 1 – Board of directors
Stakeholder 2 – Management (CEO, CFO, CISO, CIO and other members of the C-level)
Stakeholder 3 – Auditors
This chapter consists of tables, as follows:
ACTIVITIES DETAILED ACTIVITIES
The text in the “ACTIVITIES” column consists of the set of suggestions and guidance that have been prescribed by the COBIT 5
product family publications. The text in the “DETAILED ACTIVITIES” column consists of the interpretation of the activities from
the perspective of the stakeholder, area under discussion and the regulatory requirements.
Step 1 – Identification of Stakeholder Needs That Are Required by the Regulations and Mapping With the Relevant Enterprise Goals
All stakeholder needs which are relevant have been highlighted in blue and the corresponding enterprise-related goals have
been derived.
Enterprise goals (matrix columns 1 to 17):
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risks (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies
16. Skilled and motivated people
17. Product and business innovation culture
Stakeholder Needs (Y marks the enterprise goals, numbered as above, to which each need maps)
How do I get value from the use of IT? Are end users satisfied with the quality of the IT service? Y Y Y Y Y Y Y
How do I manage performance of IT? Y Y Y Y Y Y Y
How can I best exploit new technology for new strategic opportunities? Y Y Y Y Y Y
How do I best build and structure my IT department? Y Y Y Y Y Y Y
How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers? Y Y Y
What are (control) requirements for information? Y Y Y
Did I address all IT-related risks? Y Y Y Y
Am I running an efficient and resilient IT operation? Y Y
How do I control cost of IT? How do I use IT resources in the most effective and efficient manner? What are the most effective and efficient sourcing options? Y Y Y
Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance? Y Y Y
How do I get assurance over IT? Y Y
Is the information I am processing well secured? Y Y Y
How do I improve business agility through a more flexible IT environment? Y Y Y Y
Do IT projects fail to deliver what they promised, and if so, why? Is IT standing in the way of executing the business strategy? Y Y Y Y Y Y Y
How critical is IT to sustaining the enterprise? What do I do if IT is not available? Y Y Y
What concrete vital primary business processes are dependent on IT, and what are the requirements of business processes? Y Y Y Y
What has been the average overrun of IT operational budgets? How often and how much do IT projects go over budget? Y Y Y Y
How much of the IT effort goes to fire fighting rather than enabling business improvements? Y Y Y
Are sufficient IT resources and infrastructure available to meet required enterprise strategic objectives? Y Y Y Y
How long does it take to make major IT decisions? Y Y Y Y
Are the total IT effort and investments transparent? Y Y Y Y
Does IT support the enterprise in complying with regulations and service levels? How do I know whether I’m compliant with all applicable regulations? Y Y
Step 2 – Mapping of Enterprise Goals With the Relevant IT Goals
The enterprise goals that have been derived from step 1 have been mapped to their corresponding IT-related goal. This mapping
is based on the matrix that is presented in the COBIT 5 framework.
Step 3 – Mapping of IT Goals With Relevant IT Processes
The IT processes that have been derived from step 2 have been mapped to the relevant COBIT 5 processes. This mapping is
based on the matrix that is presented in the COBIT 5 framework.
Summary of Selected IT-related Goals
The following IT-related goals as derived from step 3 would be made applicable after following the goals cascade approach and
keeping in mind the scope of the document.
IT Goal No. IT-related Goal Priority Comments
1 Alignment of IT and business strategy P Irrelevant
2 IT compliance and support for business compliance with external laws and regulations P Relevant
3 Commitment of executive management for making IT-related decisions P Irrelevant
4 Managed IT-related business risks P Relevant
5 Realized benefits from IT-enabled investments and services portfolio P Irrelevant
6 Transparency of IT costs, benefits and risk P Relevant
7 Delivery of IT services in line with business requirements P Relevant
8 Adequate use of applications, information and technology solutions P Relevant
9 IT agility P Irrelevant
10 Security of information and processing infrastructure and applications P Irrelevant
11 Optimization of IT assets, resources and capabilities P Relevant
12 Enablement and support of business processes by integrating applications and technology into business processes P Irrelevant
13 Delivery of programs on time, on budget, and meeting requirements and quality standards P Irrelevant
14 Availability of reliable and useful information for decision making P Irrelevant
15 IT compliance with internal policies P Relevant
16 Competent and motivated business and IT personnel P Irrelevant
17 Knowledge, expertise and initiatives for business innovation P Irrelevant
P = Primary
Step 4 – Segregation of IT Processes That Would Be Applicable to Stakeholders Collectively
The following figure gives an idea of the relationship between the board of directors, management and auditors to comply with
the regulatory requirements that have been imposed by the regulators of the enterprise. Therefore, the board of directors
needs to ensure compliance to regulations, which shall be verified by the auditors and shall, in the end, report the same to the
regulators. Management will have to implement the directions that have been imposed by the board of directors and account
for the same to the board of directors.
STAKEHOLDER 1 – BOARD OF DIRECTORS
The board of directors is the highest governing authority within the management structure at any publicly traded company. They
are policy managers of a corporation or organization elected by the shareholders or members. The board in turn chooses the
officers of the corporation, sets basic policy and is responsible to the shareholders. In small corporations, there are usually only
three directors. The board is directly accountable to the shareholders, and each year the company will hold an annual general
meeting (AGM) at which the directors must provide a report to shareholders on the performance of the company and what its
plans and strategies are, and submit themselves for re-election to the board. Roles of board of directors include:
• Determine the company's vision and mission to guide and set the pace for its current operations and future
development.
• Determine the values to be promoted throughout the company.
• Determine and review company goals.
• Determine company policies.
• Review and evaluate present and future opportunities, threats and risks in the external environment and current and
future strengths, weaknesses and risks relating to the company.
• Determine strategic options, select those to be pursued, and decide the means to implement and support them.
• Determine the business strategies and plans that underpin the corporate strategy.
• Ensure that the company's organizational structure and capability are appropriate for implementing the chosen
strategies.
Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use
the enablers and management practices to satisfy needs and goals. It can be tailored and used, according to the discretion of
management, toward achieving their goals and objectives.
The image below depicts that, out of the 37 processes, the stakeholder (the board) can adapt relevant processes (borders
shaded in black) and their underlying management practices, which shall assist in achieving the goals of the enterprise.
RACI CHART
A responsibility assignment matrix, also known as a RACI chart (Responsible, Accountable, Consulted, Informed), ARCI matrix or
linear responsibility chart, describes the participation by various roles in completing tasks or deliverables for a project or
business process. The following RACI chart explains the roles of the board of directors in contributing to effective corporate IT
governance. The processes explained in this chapter would have to be executed keeping in mind the perspective of the roles in
the following chart.
Governance Practice
Board
EDM01.01 Evaluate the governance system. A
EDM01.02 Direct the governance system. A
EDM01.03 Monitor the governance system. A
EDM03.01 Evaluate risk management. A
EDM03.02 Direct risk management. A
EDM03.03 Monitor risk management. A
EDM05.01 Evaluate stakeholder-reporting requirements. A
EDM05.02 Direct stakeholder communication and reporting. A
EDM05.03 Monitor stakeholder communication. A
MEA01.05 Ensure the implementation of corrective actions. I
MEA02.02 Review business process controls effectiveness. I
MEA02.08 Execute assurance initiatives. I
MEA03.03 Confirm external compliance. I
MEA03.04 Obtain assurance of external compliance. I
1. EDM01.01 Evaluate the governance system.
Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements,
and make a judgment on the current and future design of governance of enterprise IT.
ACTIVITIES
1. Analyze and identify the internal and external environmental factors (legal, regulatory & contractual obligations) and
trends in the business environment that may influence governance decisions.
2. Determine the significance of IT and its role with respect to business.
3. Consider external regulations, laws and contractual obligations and determine how they should be applied with the
governance of enterprise IT.
4. Align the ethical use and processing of information and its impact on society, natural environment, and internal and
external stakeholder interests with the enterprise’s direction, goals and objectives.
5. Determine the implications of the overall enterprise control environment with regard to IT.
6. Articulate principles that will guide the design of governance and decision making of IT.
7. Understand the enterprise’s decision-making culture and determine the optimal decision-making model for IT.
8. Determine the appropriate levels of authority delegation, including threshold rules, for IT decisions.
DETAILED ACTIVITIES
The board needs to identify the internal and external factors and trends in the business environment that influence
governance decisions.
The board should envision the significance of IT and the role it shall play toward achieving business objectives and benefits
realization.
The board needs to consider the impact of laws and regulations and determine the governance of enterprise IT.
The board needs to frame ethical standards and consider the impact of business decisions on society, environment and the
interests of stakeholders in relation to business objectives.
The board can develop guidelines and principles for governance in IT.
The board can devise appropriate levels of delegated authority and devise rules for IT-related decisions.
2. EDM01.02 Direct the governance system.
Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the
governance of IT in line with agreed-on governance design principles, decision-making models and authority levels.
Define the information required for informed decision-making.
ACTIVITIES DETAILED ACTIVITIES
1. Communicate governance of IT principles and
agree with executive management on the way
to establish informed and committed
leadership.
2. Establish or delegate the establishment of
governance structures, processes and practices
in line with agreed-on design principles.
3. Allocate responsibility, authority and
accountability in line with agreed-on
governance design principles, decision-making
models and delegation.
4. Ensure that communication and reporting
mechanisms provide those responsible for
oversight and decision-making with appropriate
information.
5. Direct that staff follow relevant guidelines for
ethical and professional behavior and ensure
that consequences of non-compliance are
known and enforced.
6. Direct the establishment of a reward system to
promote desirable cultural change.
The board needs to communicate the governance principles
and establish systems toward committed leadership.
The board needs to ensure that a system is established with
governance structures, practices and processes, which are in
line with an agreed-on governance methodology.
The board should allocate responsibility and accountability to management on the basis
of agreed-on governance principles, decision-making models and delegation.
The board needs to direct staff to follow guidelines on ethical
and professional behavior and ensure that staff are aware of
the consequences and actions of noncompliance.
The board can also implement a reward-based system to
promote a cultural change within the organization.
3. EDM01.03 Monitor the governance system.
Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance
system and implemented mechanisms (including structures, principles and processes) are operating effectively and
provide appropriate oversight of IT.
ACTIVITIES DETAILED ACTIVITIES
1. Assess the effectiveness and performance
of those stakeholders given delegated
responsibility and authority for governance
of enterprise IT.
2. Periodically assess whether agreed-on
governance of IT mechanisms (structures,
principles, processes, etc.) are established
and operating effectively.
3. Assess the effectiveness of the governance
design and identify actions to rectify any
deviations found.
4. Maintain oversight of the extent to which
IT satisfies obligations (regulatory,
legislation, common law, contractual),
internal policies, standards and
professional guidelines.
5. Provide oversight of the effectiveness of,
and compliance with, the enterprise’s
system of control.
6. Monitor regular and routine mechanisms
for ensuring that the use of IT complies
with relevant obligations (regulatory,
legislation, common law, contractual),
standards and guidelines.
The board needs to assess the effectiveness and performance
of those management personnel who have been delegated
responsibility and authority for governance of enterprise IT.
The board should periodically assess whether the governance
system, policies and procedures are established and operating
effectively, and rectify any deviations found in the
governance design.
The board should maintain oversight of the extent to which IT
satisfies its obligations (regulatory, legislative, common law,
contractual), internal policies, standards and professional
guidelines, and of the effectiveness of, and compliance with,
the enterprise’s system of control.
4. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise.
Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is
identified and managed.
ACTIVITIES DETAILED ACTIVITIES
1. Determine the level of IT-related risk that the
enterprise is willing to take to meet its risk
objectives.
2. Evaluate and approve proposed IT risk
tolerance thresholds against the enterprise’s
acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk
strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of
pending strategic enterprise decisions and
ensure that risk-aware enterprise decisions are
made.
5. Determine that IT use is subject to appropriate
risk assessment and evaluation, as described in
relevant international and national standards.
6. Evaluate risk management activities to ensure
alignment with the enterprise’s capacity for
IT-related loss and leadership’s tolerance of it.
The board needs to actively take part in the risk evaluation
process of the enterprise, which also includes the IT-related
risks and, on assessing those risks, define risk tolerance
thresholds against the enterprise’s acceptable risk and
opportunity levels.
The board needs to evaluate the risk factors before making
decisions on strategies to ensure that the impact of risk has
been factored in.
The board should evaluate risk management activities and
regularly define the enterprise’s capacity for IT-related loss
and leadership’s tolerance of it.
5. EDM03.02 Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management
practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
ACTIVITIES DETAILED ACTIVITIES
1. Promote an IT risk-aware culture and empower
the enterprise to proactively identify IT risk,
opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and
operations with the enterprise strategic risk
decisions and operations.
3. Direct the development of risk communication
plans (covering all levels of the enterprise) as
well as risk action plans.
4. Direct implementation of the appropriate
mechanisms to respond quickly to changing risk
and report immediately to appropriate levels of
management, supported by agreed-on
principles of escalation (what to report, when,
where and how).
5. Direct that risk, opportunities, issues and
concerns may be identified and reported by
anyone at any time. Risk should be managed in
accordance with published policies and
procedures and escalated to the relevant
decision makers.
6. Identify key goals and metrics of risk
governance and management processes to be
monitored, and approve the approaches,
methods, techniques and processes for
capturing and reporting the measurement
information.
The board needs to actively take part in promoting a culture
where opportunities, risks and their impacts are proactively
identified.
The board should ensure that there is integration within the
risk strategies for IT and the enterprise and there are no
conflicts.
The board should direct the development of risk
communication plans and action plans to all levels of the
enterprise, which shall ensure timely responses to changing
risk environments.
The board should encourage reporting of incidents by any
level of management in a timely manner and direct handling
of incidents according to defined policies and procedures.
6. EDM03.03 Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be
identified, tracked and reported for remediation.
ACTIVITIES DETAILED ACTIVITIES
1. Monitor the extent to which the risk profile is
managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk
governance and management processes against
targets, analyze the cause of any deviations,
and initiate remedial actions to address the
underlying causes.
3. Enable key stakeholders’ review of the
enterprise’s progress towards identified goals.
The board needs to monitor the extent to which the risk
profile is managed and whether it lies within the thresholds
of risk appetite.
The board should ensure that deviations of the processes
against the defined targets are analyzed and corrective action
is taken.
7. EDM05.01 Evaluate stakeholder reporting.
Continually examine and make judgment on the current and future requirements for stakeholder communication and
reporting, including both mandatory reporting requirements (e.g., regulatory) and communication to other
stakeholders. Establish the principles for communication.
ACTIVITIES DETAILED ACTIVITIES
1. Examine and make a judgment on the current
and future mandatory reporting requirements
relating to the use of IT within the enterprise
(regulation, legislation, common law,
contractual), including extent and frequency.
2. Examine and make a judgment on the current
and future reporting requirements for other
stakeholders relating to the use of IT within the
enterprise, including extent and conditions.
3. Maintain principles for communication with
external and internal stakeholders, including
communication formats and communication
channels, and for stakeholder acceptance and
sign-off of reporting.
The board needs to make a judgment on current and future
mandatory reporting requirements relating to the use of IT
within the enterprise and maintain principles for
communication with stakeholders, including communication
formats and channels.
8. EDM05.02 Direct stakeholder communication and reporting.
Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring
the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy
for stakeholders.
ACTIVITIES DETAILED ACTIVITIES
1. Direct the establishment of the communication
strategy for external and internal stakeholders.
2. Direct the implementation of mechanisms to ensure
that information meets all criteria for mandatory IT
reporting requirements for the enterprise.
3. Establish mechanisms for validation and approval of
mandatory reporting.
4. Establish reporting escalation mechanisms.
The board needs to establish a communication strategy for
internal and external stakeholders and direct the
implementation of mechanisms to ensure that information
meets all criteria for the mandatory reporting requirements
of the enterprise.
The board needs to establish mechanisms for validation and
approval of reporting, and mechanisms for reporting
escalation.
9. EDM05.03 Monitor stakeholder communication.
Monitor the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and
effectiveness, and ascertain whether the requirements of different stakeholders are met.
ACTIVITIES DETAILED ACTIVITIES
1. Periodically assess the effectiveness of the
mechanisms for ensuring the accuracy and
reliability of mandatory reporting.
2. Periodically assess the effectiveness of the
mechanisms for, and outcomes from,
communication with external and internal
stakeholders.
3. Determine whether the requirements of
different stakeholders are met.
The board needs to ensure that they assess the effectiveness
of the mandatory reporting mechanisms and determine
whether there are deviations from the predefined
requirements of the stakeholders, and take corrective action
to remediate the deviations.
MEA01.05, MEA02.03, MEA02.08, MEA03.03 and MEA03.04 are the other management practices that have been identified
for the board as well as auditors. They are explained in the stakeholder 3 section that follows.
STAKEHOLDER 2 - MANAGEMENT
Chief Executive Officer (CEO)
The CEO is the top executive responsible for a firm's overall operations and performance. He or she is the leader of the firm,
serves as the main link between the board of directors and the firm's various parts or levels, and is held solely responsible for
the firm's success or failure. One of the major duties of a CEO is to maintain and implement corporate policy, as established by
the board. Also called president or managing director (MD), he or she may also be the chairperson of the board.
Responsibilities of the CEO-
The responsibilities of an organization's CEO or MD are set by the organization's board of directors or other authority, depending
on the organization's legal structure. The responsibilities can be far-reaching or quite limited and are typically enshrined in a
formal delegation of authority.
Typically, the CEO/MD has responsibilities as a director, decision maker, leader, manager, communicator and executor. The
communicator role can involve the press and the rest of the outside world, as well as the organization's management and
employees; the decision-making role involves high-level decisions about policy and strategy. As a leader of the company, the CEO/MD advises the board
of directors, motivates employees and drives change within the organization. As a manager, the CEO/MD presides over the
organization's day-to-day operations.
Chief Financial Officer (CFO)
The CFO is the senior manager responsible for overseeing the financial activities of an entire company. The CFO's duties include
financial planning and monitoring cash flow. He or she analyzes the company's financial strengths and weaknesses and suggests
plans for improvement. The CFO is similar to a treasurer or controller in that he or she is responsible for overseeing the
accounting and finance departments and for ensuring that the company's financial reports are accurate and completed on time.
The role of CFO includes:
• Credit control
• Preparing budgets and financial statements
• Coordinating financing and fundraising
• Monitoring expenditure and liquidity
• Managing investment and taxation issues
• Reporting financial performance to the board
• Providing timely financial data to the CEO, etc.
Chief Information Officer (CIO)
The CIO is a company executive who is responsible for the management, implementation and usability of information and
computer technologies. The CIO will analyze how these technologies can benefit the company or improve an existing business
process and will then integrate a system to realize that benefit or improvement. In other words, the CIO is responsible for
development, implementation and operation of a firm's information technology policy. He or she oversees all information
systems infrastructure within the organization and is responsible for establishing information-related standards to facilitate
management control over all corporate resources. Roles of the CIO include:
• Develop and maintain an appropriate IT organizational structure that supports the needs of the business.
• Establish IT departmental goals, objectives and operating procedures.
• Identify opportunities for the appropriate and cost-effective investment of financial resources in IT systems and
resources, including staffing, sourcing, purchasing and in-house development.
• Assess and communicate risks associated with IT investments.
• Develop, track and control the information technology annual operating and capital budgets.
• Develop business case justifications and cost-benefit analyses for IT spending and initiatives.
• Direct development and execution of an enterprisewide disaster recovery and business continuity plan.
• Assess and make recommendations on the improvement or re-engineering of the IT organization.
Chief Risk Officer (CRO)
The chief risk officer (CRO), or chief risk management officer (CRMO), of a corporation is the executive accountable for enabling
the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. He
or she is responsible for identifying, analyzing and mitigating internal and external events that could threaten a company. The
CRO works to ensure that the company is compliant with government regulations and reviews factors that could negatively
affect investments or a company's business units.
The position of CRO is constantly evolving. As new technologies are adopted by a company, the CRO must govern information
security, protect against fraud and guard intellectual property. By developing internal controls and overseeing internal audits,
threats from within a company can be identified before they result in regulatory issues.
Chief Information Security Officer (CISO)
The CISO is a senior-level executive responsible for aligning security initiatives with enterprise programs and business objectives,
ensuring that information assets and technologies are adequately protected.
The CISO's responsibilities have shifted over the years from general security to identifying, developing, implementing and
maintaining security-related processes that reduce the organization's operational risks. Duties and responsibilities may include:
• Establish and implement security-related policies.
• Oversee regulatory compliance.
• Ensure data privacy.
• Manage the company's Computer Security Incident Response Team.
• Supervise identity and access management.
• Establish and oversee the organization's security architecture.
• Conduct electronic discovery and digital forensic investigations.
• Work with other high-level executives to establish disaster recovery and business continuity plans.
Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use
the enablers and management practices to satisfy needs and goals. It can be tailored and used, according to the discretion of
management, toward achieving their goals and objectives.
The image below depicts that, out of the 37 processes, the stakeholder (the management) can adapt relevant processes (border
shaded in black) and their underlying management practices, which shall assist in achieving the goals of the enterprise.
RACI CHART
A responsibility assignment matrix, also known as a RACI chart, ARCI matrix or linear responsibility chart, describes the
participation by various roles in completing tasks or deliverables for a project or business process. The following RACI chart
explains the different roles of the members of management in contributing to effective corporate IT governance. The processes
explained in this chapter would have to be executed keeping in mind the perspective of the roles in the following RACI chart.
Management Practice (columns, left to right: Chief Executive Officer, Chief Financial Officer, Chief Information Security Officer, Chief Risk Officer, Chief Information Officer; R = Responsible, A = Accountable, C = Consulted, I = Informed; blank cells are omitted in the rows below)
EDM04.01 Evaluate resource management R C C C R
EDM04.02 Direct resource management. R C I I R
EDM04.03 Monitor resource management R C C C R
APO01.01 Define the organizational structure. C C A
APO01.02 Establish roles and responsibilities. A
APO01.03 Maintain the enablers of the management system. A C C C R
APO01.04 Communicate management objectives and direction. A R R R R
APO01.05 Optimize the placement of the IT function. C C R
APO01.06 Define information (data) and system ownership. I I C
APO01.07 Manage continual improvement of processes. R
APO01.08 Maintain compliance with policies and procedures. A R
APO02.01 Understand enterprise direction. C C C C R
APO02.02 Assess the current environment, capabilities and performance. C C C A
APO02.03 Define the target IT capabilities. A C C R
APO02.04 Conduct a gap analysis. C A
APO02.05 Define the strategic plan and road map. C I C C A
APO02.06 Communicate the IT strategy and direction. R I I I R
APO03.01 Develop the enterprise architecture vision. A C C R
APO03.02 Define reference architecture. C C C R
APO03.03 Select opportunities and solutions. A C C R
APO03.04 Define architecture implementation. A C C R
APO03.05 Provide enterprise architecture services. A C C R
APO12.01 Collect data. I R R A
APO12.02 Analyze risk. I C R A
APO12.03 Maintain a risk profile. I C A R
APO12.04 Articulate risk. I C R A
APO12.05 Define a risk management action portfolio. I C A R
APO12.06 Respond to risk. I R R A
APO13.01 Establish and maintain an ISMS. C A C R
APO13.02 Define and manage an information security risk treatment plan. C A C R
APO13.03 Monitor and review the ISMS. A R
DSS01.02 Manage outsourced IT services. I A
DSS01.03 Monitor IT infrastructure. I I
DSS01.04 Manage the environment. A C C
DSS01.05 Manage facilities. A C C
DSS06.01 Align control activities embedded in business processes with enterprise objectives. C C I I C
DSS06.02 Control the processing of information. R R I I C
DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. R I C
DSS06.04 Manage errors and exceptions. I
DSS06.05 Ensure traceability of information events and accountabilities. I C
DSS06.06 Secure information assets. C I I C
MEA01.01 Establish a monitoring approach. A R R
MEA01.02 Set performance and conformance targets. I I C
MEA01.03 Collect and process performance and conformance data. A
MEA01.04 Analyze and report performance. C
MEA01.05 Ensure the implementation of corrective actions. I I A
MEA02.01 Monitor internal controls. I C R A
MEA02.02 Review business process controls effectiveness. I R I I C
MEA02.03 Perform control self-assessments. I C R A
MEA02.04 Identify and report control deficiencies. I C I I A
MEA02.05 Ensure that assurance providers are independent and qualified. R
MEA02.06 Plan assurance initiatives. A R
MEA02.07 Scope assurance initiatives. R
MEA02.08 Execute assurance initiatives. I I I R
MEA03.01 Identify external compliance requirements. R
MEA03.02 Optimize response to external requirements. R R R
MEA03.03 Confirm external compliance. R R R
MEA03.04 Obtain assurance of external compliance. I I R
1. EDM04.01 Evaluate resource management.
Continually examine and make judgment on the current and future need for IT-related resources, options for resourcing
(including sourcing strategies), and allocation and management principles to meet the needs of the enterprise in the
optimal manner.
ACTIVITIES DETAILED ACTIVITIES
1. Examine and make judgment on the current and
future strategy, options for providing IT resources,
and developing capabilities to meet current needs
and future needs (including sourcing options).
2. Define the principles for guiding the allocation and
management of resources and capabilities so that IT
can meet the needs of the enterprise, with the
required capability and capacity according to the
agreed-on priorities and budgetary constraints.
3. Review and approve the resource plan and
enterprise architecture strategies for delivering
value and mitigating risk with the allocated
resources.
4. Understand requirements for aligning resource
management with enterprise financial and human
resources (HR) planning.
5. Define principles for the management and control
of the enterprise architecture.
Management is the link toward accomplishment of
stakeholder expectations and their fulfillment. Management
should examine and make a judgment on the current and future
strategies for providing resources and developing capabilities
to meet the present and future needs of the organization.
Management should define the principles for guiding the
allocation and management of resources according to
agreed-on priorities, keeping in mind the budgetary
constraints, so that a balance is maintained between the
enterprise’s needs and its budgets.
Management should review and approve the resource plan and
enterprise architecture strategies, and align resource
management with finance and human resources (HR) planning.
Management should set the principles for managing and
controlling the enterprise architecture.
2. EDM04.02 Direct resource management.
Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full
economic life cycle.
ACTIVITIES DETAILED ACTIVITIES
1. Communicate and drive the adoption of the
resource management strategies, principles, and
agreed-on resource plan and enterprise architecture
strategies.
2. Assign responsibilities for executing resource
management.
3. Define key goals, measures and metrics for resource
management.
4. Establish principles related to safeguarding
resources.
5. Align resource management with enterprise
financial and HR planning.
Management needs to ensure optimization of the resources
and adherence to the agreed-on principles, plans and
strategies.
Responsibilities need to be assigned toward execution of
resource management and its alignment with the HR and
finance departments.
3. EDM04.03 Monitor resource management.
Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be
identified, tracked and reported for remediation.
ACTIVITIES DETAILED ACTIVITIES
1. Monitor the allocation and optimization of
resources in accordance with enterprise objectives
and priorities using agreed-on goals and metrics.
2. Monitor IT sourcing strategies, enterprise
architecture strategies, IT resources and capabilities
to ensure that current and future needs of the
enterprise can be met.
3. Monitor resource performance against targets,
analyze the cause of deviations, and initiate
remedial action to address the underlying causes.
Management, after defining and directing the resources,
needs to ensure that resources are monitored in accordance
with the priorities and goals of the enterprise.
This also includes monitoring the sourcing strategies and
architecture strategies for present and future needs of the
enterprise.
4. APO01.01 Define the organizational structure.
Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the
required management structures (e.g., committees) that enable management decision making to take place in the most
effective and efficient manner.
ACTIVITIES DETAILED ACTIVITIES
1. Define the scope, internal and external functions,
internal and external roles, and capabilities and
decision rights required, including those IT activities
performed by third parties.
2. Identify decisions required for the achievement of
enterprise outcomes and the IT strategy, and for the
management and execution of IT services.
3. Establish the involvement of stakeholders who are
critical to decision making (accountable,
responsible, consulted or informed).
4. Align the IT-related organization with enterprise
architecture organizational models.
5. Define the focus, roles and responsibilities of each
function within the IT-related organizational
structure.
6. Define the management structures and
relationships to support the functions and roles of
management and execution, in alignment with the
governance direction set.
7. Establish an IT strategy committee (or equivalent) at
the board level. This committee should ensure that
governance of IT, as part of enterprise governance,
is adequately addressed; advise on strategic
direction; and review major investments on behalf
of the full board.
8. Establish an IT steering committee (or equivalent)
composed of executive, business and IT
management to determine prioritization of IT-
enabled investment programs in line with the
enterprise’s business strategy and priorities; track
status of projects and resolve resource conflicts; and
monitor service levels and service improvements.
9. Provide guidelines for each management structure
(including mandate, objectives, meeting attendees,
timing, tracking, supervision and oversight) as well
as required inputs for and expected outcomes of
meetings.
10. Define ground rules for communication by
identifying communication needs, and
implementing plans based on those needs,
considering top-down, bottom-up and horizontal
communication.
11. Regularly verify the adequacy and effectiveness of
the organizational structure.
Management needs to play a pivotal role in defining the
scope, functions, roles and capabilities of the organization
and identify the decisions required for achievement of the
expected outcomes.
Management needs to ensure that stakeholders are engaged
in critical decision making regarding the enterprise.
Management needs to ensure the alignment of the IT
organization with the enterprise architecture of the
organization and accordingly define the roles and
responsibilities of each function within the organization.
Management can create an IT strategy committee at the
board level, and the committee should ensure that
governance of IT is addressed, advise on strategic direction
and review the major investments on behalf of the board.
Management should establish an IT steering committee,
composed of executive, business and IT management, to
determine the priority of IT-enabled investment programs in
line with the enterprise business strategy, track the status
of projects and resolve resource conflicts.
Management needs to provide guidelines for each management
structure, including its mandate, required inputs and
expected outcomes, and regularly verify the adequacy and
effectiveness of the organizational structure.
5. APO01.02 Establish roles and responsibilities.
Establish, agree on and communicate roles and responsibilities of IT personnel, as well as other stakeholders with
responsibilities for enterprise IT, that clearly reflect overall business needs and IT objectives and relevant personnel’s
authority, responsibilities and accountability.
ACTIVITIES DETAILED ACTIVITIES
1. Establish, agree on and communicate IT-related
roles and responsibilities for all personnel in the
enterprise, in alignment with business needs and
objectives. Clearly delineate responsibilities and
accountabilities, especially for decision-making and
approvals.
2. Consider requirements from enterprise and IT
service continuity when defining roles, including
staff back-up and cross-training requirements.
3. Provide input to the IT service continuity process by
maintaining up-to-date contact information and role
descriptions in the enterprise.
4. Include in role and responsibility descriptions
adherence to management policies and procedures,
the code of ethics, and professional practices.
5. Implement adequate supervisory practices to
ensure that roles and responsibilities are properly
exercised, to assess whether all personnel have
sufficient authority and resources to execute their
roles and responsibilities, and to generally review
performance. The level of supervision should be in
line with the sensitivity of the position and extent of
responsibilities assigned.
6. Ensure that accountability is defined through roles
and responsibilities.
7. Structure roles and responsibilities to reduce the
possibility for a single role to compromise a critical
process.
Management needs to establish, agree on and communicate
the roles and responsibilities for all personnel in the
enterprise and also consider the requirements of the
enterprise while defining roles, which includes backup plans
for staff and cross-training functions.
Management needs to provide inputs to the IT service
continuity process by maintaining up-to-date contact
information for all of the roles within the enterprise.
The code of ethics and professional practices should form a
part of the responsibilities of the organizational personnel.
Management needs to implement supervisory practices that
ensure roles are properly exercised and that personnel have
sufficient authority and resources to execute their
responsibilities. The level of supervision should be aligned
with the sensitivity of the position.
There needs to be accountability for all the roles and
responsibilities defined for the organization.
The roles should be structured in such a way that there is no
conflict between roles, and also so that no single role
compromises a critical process.
6. APO01.03 Maintain the enablers of the management system.
Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are
integrated and aligned with the enterprise’s governance and management philosophy and operating style. These enablers
include the clear communication of expectations/requirements. The management system should encourage cross-divisional
co-operation and teamwork, promote compliance and continuous improvement, and handle process deviations (including
failure).
ACTIVITIES DETAILED ACTIVITIES
1. Obtain an understanding of the enterprise vision,
direction and strategy.
2. Consider the enterprise’s internal environment,
including management culture and philosophy, risk
tolerance, security, ethical values, code of conduct,
accountability, and requirements for management
integrity.
3. Derive and integrate IT principles with business
principles.
4. Align the IT control environment with the overall IT
policy environment, IT governance and IT process
frameworks, and existing enterprise-level risk and
control frameworks. Assess industry-specific good
practices or requirements (e.g., industry-specific
regulations) and integrate them where appropriate.
5. Align with any applicable national and international
governance and management standards and codes
of practice, and evaluate available good practices
such as the Committee of Sponsoring Organizations
of the Treadway Commission (COSO) Internal
Control—Integrated Framework and the COSO
Enterprise Risk Management—Integrated
Framework.
6. Create a set of policies to drive the IT control
expectations on relevant key topics such as quality,
security, confidentiality, internal controls, and usage
of IT assets, ethics and intellectual property rights.
7. Evaluate and update the policies at least yearly to
accommodate changing operating or business
environments.
8. Roll out and enforce IT policies to all relevant staff,
so they are built into, and are an integral part of,
enterprise operations.
9. Ensure that procedures are in place to track
compliance with policies and define the
consequences of non-compliance.
Management needs to get an understanding of the vision of
the stakeholders toward the direction, strategies and
operations of the enterprise.
Management needs to consider internal factors like culture
and philosophy, risk tolerance, ethical values, and codes of
conduct to develop enablers of the system.
Management needs to ensure that there exists an alignment
between the principles, governance, process and frameworks
between IT and the enterprise as a whole. The industry-
specific goals and practices should be incorporated into the
system.
Management can align the principles and practices set by
international governance and management standards and
the codes of practice from the COSO model and any other
framework.
Management needs to create a set of policies, which shall
drive IT control and expectations on quality, security,
confidentiality, internal controls, usage of IT assets and
intellectual property rights.
Management should evaluate and update policies on a yearly
basis to accommodate changing business environments.
On developing policies and frameworks, management needs
to ensure that they are adhered to and there is a tracking
mechanism to check on the noncompliance of policies.
7. APO01.04 Communicate management objectives and direction.
Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
ACTIVITIES
1. Continuously communicate IT objectives and direction. Ensure that executive management in action and words, using all available channels, supports communications.
2. Ensure that the information communicated encompasses a clearly articulated mission, service objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, roles and responsibilities, etc. Communicate the information at the appropriate level of detail for the respective audiences within the enterprise.
3. Provide sufficient and skilled resources to support the communication process.
DETAILED ACTIVITIES
Management ensures that it communicates the IT objectives and direction with the support of executive management, and that the communicated information covers a clearly defined mission, objectives, security, internal controls, quality, code of ethics/conduct, roles and responsibilities, etc. Management also provides resources to support the communication process.
8. APO01.05 Optimize the placement of the IT function.
Position the IT capability in the overall organizational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.
ACTIVITIES
1. Understand the context for the placement of the IT function, including an assessment of the enterprise strategy and operating model (centralized, federated, decentralized, hybrid), importance of IT, and sourcing situation and options.
2. Identify, evaluate and prioritize options for organizational placement, sourcing and operating models.
3. Define placement of the IT function and obtain agreement.
DETAILED ACTIVITIES
Management should assess the enterprise strategy and operating model to ensure that the functions are optimized.
9. APO01.06 Define information (data) and system ownership.
Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification.
ACTIVITIES
1. Provide policies and guidelines to ensure appropriate and consistent enterprise-wide classification of information (data).
2. Define, maintain and provide appropriate tools, techniques and guidelines to provide effective security and controls over information and information systems in collaboration with the owner.
3. Create and maintain an inventory of information (systems and data) that includes a listing of owners, custodians and classifications. Include systems that are outsourced and those for which ownership should stay within the enterprise.
4. Define and implement procedures to ensure the integrity and consistency of all information stored in electronic form such as databases, data warehouses and data archives.
DETAILED ACTIVITIES
Management should provide policies and guidelines for appropriate classification of data throughout the enterprise by defining and maintaining appropriate tools, techniques and guidelines, which ensure effective security and controls over information and information systems.
Management should create an inventory of information that includes lists of owners, custodians and classifications.
Further, there should be integrity and consistency for all information stored in data warehouses and data archives.
10. APO01.07 Manage continual improvement of processes.
Assess, plan and execute the continual improvement of processes and their maturity to ensure that they are capable of delivering against enterprise, governance, management and control objectives. Consider COBIT process implementation guidance, emerging standards, compliance requirements, automation opportunities, and the feedback of process users, the process team and other stakeholders. Update the process and consider impacts on process enablers.
ACTIVITIES
1. Identify business-critical processes based on performance and conformance drivers and related risk. Assess process capability and identify improvement targets. Analyze gaps in process capability and control. Identify options for improvement and redesign of the process. Prioritize initiatives for process improvement based on potential benefits and costs.
2. Implement agreed-on improvements; operate as normal business practice, and set performance goals and metrics to enable monitoring of process improvements.
3. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardization and automation of the process).
4. Retire outdated processes, process components or enablers.
DETAILED ACTIVITIES
Management should identify business-critical processes based on performance drivers and related risks.
There should be an assessment of process capability and control, and options identified for improvement and redesign of processes when needed.
The improvements should be implemented, and performance goals and metrics should be defined to monitor the processes.
Management should take action to retire outdated processes, components and enablers.
11. APO01.08 Maintain compliance with policies and procedures.
Put in place procedures to maintain compliance with and performance measurement of policies and other enablers of the control framework, and enforce the consequences of non-compliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework.
ACTIVITIES
1. Track compliance with policies and procedures.
2. Analyze non-compliance and take appropriate action (this could include changing requirements).
3. Integrate performance and compliance into individual staff members’ performance objectives.
4. Regularly assess the performance of the framework’s enablers and take appropriate action.
DETAILED ACTIVITIES
Management must ensure compliance with policies and procedures within the organization and take appropriate action when required.
12. APO02.01 Understand enterprise direction.
Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
ACTIVITIES
1. Develop and maintain an understanding of enterprise strategy and objectives, as well as the current enterprise operational environment and challenges.
2. Develop and maintain an understanding of the external environment of the enterprise.
3. Identify key stakeholders and obtain insight on their requirements.
4. Identify and analyze sources of change in the enterprise and external environments.
5. Ascertain priorities for strategic change.
6. Understand the current enterprise architecture and work with the enterprise architecture process to determine any potential architectural gaps.
DETAILED ACTIVITIES
Management needs to develop and maintain an understanding of the strategies and objectives of the enterprise, covering not only the current but also the future objectives.
Management also needs to obtain insights from the stakeholders.
Management needs to analyze sources of change in the enterprise and external environment.
Management should review the current enterprise architecture and identify the gaps within the present structure.
13. APO02.02 Assess the current environment, capabilities and performance.
Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services.
ACTIVITIES
1. Develop a baseline of the current business and IT environment, capabilities and services against which future requirements can be compared. Include the relevant high-level detail of the current enterprise architecture (business, information, data, applications and technology domains), business processes, IT processes and procedures, the IT organization structure, external service provision, governance of IT, and enterprise-wide IT-related skills and competencies.
2. Identify risk from current, potential and declining technologies.
3. Identify gaps between current business and IT capabilities and services and reference standards and good practices, competitor business and IT capabilities, and comparative benchmarks of good practice and emerging IT service provision.
4. Identify issues, strengths, opportunities and threats in the current environment, capabilities and services to understand current performance. Identify areas for improvement in terms of IT’s contribution to enterprise objectives.
DETAILED ACTIVITIES
Management should develop a baseline of the current business and IT environment against which the future requirements can be compared. It should contain high-level details of the present business processes, IT processes and procedures.
Risk from current technologies should be identified, and the gaps between current business and IT capabilities and services and reference standards and good practices should be identified.
Management should identify the strengths, opportunities and threats in the current environment, capabilities and services to understand current performance and identify areas for improvement.
14. APO02.03 Define the target IT capabilities.
Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, good practices and validated emerging technologies or innovation proposals.
ACTIVITIES
1. Consider validated emerging technology or innovation ideas.
2. Identify threats from declining, current and newly acquired technologies.
3. Define high-level IT objectives/goals and how they will contribute to the enterprise’s business objectives.
4. Define required and desired business process and IT capabilities and IT services and describe the high-level changes in the enterprise architecture (business, information, data, applications and technology domains), business and IT processes and procedures, the IT organization structure, IT service providers, governance of IT, and IT skills and competencies.
5. Align and agree with the enterprise architect on proposed enterprise architecture changes.
6. Demonstrate traceability to the enterprise strategy and requirements.
DETAILED ACTIVITIES
Management needs to consider emerging technologies and innovative ideas. Further, management should ascertain the present threats from declining, current and newly acquired technologies.
Management needs to define the desired business process and IT capabilities and services in the current enterprise architecture and align them with the proposed architecture.
15. APO02.04 Conduct a gap analysis.
Identify the gaps between the current and target environments and consider the alignment of assets (the capabilities that support services) with business outcomes to optimize investment in and utilization of the internal and external asset base. Consider the critical success factors to support strategy execution.
ACTIVITIES
1. Identify all gaps and changes required to realize the target environment.
2. Consider the high-level implications of all gaps. Consider the value of potential changes to business and IT capabilities, IT services and enterprise architecture, and the implications if no changes are realized.
3. Assess the impact of potential changes on the business and IT operating models, IT research and development capabilities, and IT investment programs.
4. Refine the target environment definition and prepare a value statement with the benefits of the target environment.
DETAILED ACTIVITIES
Management needs to identify the gaps and changes required to reach the target environment.
To achieve the target environment, the high-level implications of the gaps need to be considered, as well as the potential changes to business and architecture.
Management needs to assess the impact of potential changes on business and IT operating models, IT research and development capabilities and the IT investment program.
16. APO02.05 Define the strategic plan and road map.
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise’s strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.
ACTIVITIES
1. Define the initiatives required to close gaps and migrate from the current to the target environment, including investment/operational budget, funding sources, sourcing strategy and acquisition strategy.
2. Identify and adequately address risk, costs and implications of organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, insourcing and outsourcing opportunities, etc., in the planning process.
3. Determine dependencies, overlaps, synergies and impacts amongst initiatives, and prioritize the initiatives.
4. Identify resource requirements, schedule and investment/operational budgets for each of the initiatives.
5. Create a road map indicating the relative scheduling and interdependencies of the initiatives.
6. Translate the objectives into outcome measures represented by metrics (what) and targets (how much) that can be related to enterprise benefits.
DETAILED ACTIVITIES
Management needs to define the initiatives required to close the gaps and migrate to the target environment, which includes the investment budgets, sourcing strategy and acquisition strategy.
Management needs to identify and address risks, costs and implications of organizational changes, technology evolution, business process re-engineering, staffing, etc. during the planning process.
Management needs to determine the dependencies, overlaps, synergies and impact among initiatives and prioritize them. Further, management should identify the resource requirements, schedule and investment budgets for each initiative.
Management should create a road map, which indicates the scheduling and interdependencies of the initiatives, and then translate the objectives into outcome measures that can be related to enterprise benefits.
17. APO02.06 Communicate the IT strategy and direction.
Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.
ACTIVITIES
1. Develop and maintain a network for endorsing, supporting and driving the IT strategy.
2. Develop a communication plan covering the required messages, target audiences, communication mechanisms/channels and schedules.
3. Obtain feedback and update the communication plan and delivery as required.
DETAILED ACTIVITIES
Management needs to develop and maintain a network for endorsing and supporting IT strategy.
Management needs to develop a communication plan covering the required messages, target audiences and channels.
18. APO03.01 Develop the enterprise architecture vision.
The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
ACTIVITIES
1. Identify the key stakeholders and their concerns/objectives, and define the key enterprise requirements to be addressed as well as the architecture views to be developed to satisfy the various stakeholder requirements.
2. Identify the enterprise goals and strategic drivers of the enterprise and define the constraints that must be dealt with, including enterprise-wide constraints and project-specific constraints (time, schedule, resources, etc.).
3. Align architecture objectives with strategic program priorities.
4. Understand the capabilities and desires of the business, then identify options to realize those capabilities.
5. Assess the enterprise’s readiness for change.
6. Define what is inside and what is outside the scope of the baseline architecture and target architecture efforts, understanding that the baseline and target need not be described at the same level of detail.
7. Confirm and elaborate architecture principles, including enterprise principles. Ensure that any existing definitions are current and clarify any areas of ambiguity.
8. Understand the current enterprise strategic goals and objectives and work with the strategic planning process to ensure that IT-related enterprise architecture opportunities are leveraged in the development of the strategic plan.
9. Based on stakeholder concerns, business capability requirements, scope, constraints and principles, create the architecture vision, a high-level view of the baseline and target architectures.
10. Define the target architecture value propositions, goals and metrics.
11. Identify the enterprise change risk associated with the architecture vision, assess the initial level of risk (e.g., critical, marginal or negligible) and develop a mitigation strategy for each significant risk.
12. Develop an enterprise architecture concept business case, outline plans and statement of architecture work, and secure approval to initiate a project aligned and integrated with the enterprise strategy.
DETAILED ACTIVITIES
Management needs to identify stakeholder objectives and define the key enterprise requirements, along with the architecture views, which need to be addressed and developed to satisfy stakeholder requirements.
Management shall identify the goals and strategic drivers of the enterprise and define the constraints that must be dealt with, which include project-specific constraints.
Management needs to understand the capabilities and desires of the business and then identify the options to realize them.
Management needs to factor in the enterprise’s readiness to change.
Management needs to define what is within and outside of the scope of the baseline architecture and target architecture efforts.
Management should elaborate on the existing definitions and clarify the areas of ambiguity.
Based on the enterprise goals, management needs to work with the strategic planning process to ensure that the IT-related architecture opportunities are leveraged in the development of the plans.
Based on the stakeholder concerns, the business capability requirements, scope, constraints and principles, management can create a high-level vision of the baseline and target architectures.
Management should develop a business case, outline plans and statement of architecture work, and secure approval to initiate a project aligned and integrated with the enterprise strategy.
19. APO03.02 Define reference architecture.
The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.
ACTIVITIES
1. Maintain an architecture repository containing standards, reusable components, modelling artifacts, relationships, dependencies and views to enable uniformity of architectural organization and maintenance.
2. Select reference viewpoints from the architecture repository that will enable the architect to demonstrate how stakeholder concerns are being addressed in the architecture.
3. For each viewpoint, select the models needed to support the specific view required, using selected tools or methods and the appropriate level of decomposition.
4. Develop baseline architectural domain descriptions, using the scope and level of detail necessary to support the target architecture and, to the extent possible, identifying relevant architecture building blocks from the architecture repository.
5. Maintain a process architecture model as part of the baseline and target domain descriptions. Standardize the descriptions and documentation of processes. Define the roles and responsibilities of the process decision makers, process owner, process users, process team and any other process stakeholders who should be involved.
6. Maintain an information architecture model as part of the baseline and target domain descriptions, consistent with the enterprise’s strategy to enable optimal use of information for decision-making. Maintain an enterprise data dictionary that promotes a common understanding and a classification scheme that includes details about data ownership, definition of appropriate security levels, and data retention and destruction requirements.
7. Verify the architecture models for internal consistency and accuracy and perform a gap analysis between the baseline and target. Prioritize gaps and define new or modified components that must be developed for the target architecture. Resolve potential impacts such as incompatibilities, inconsistencies or conflicts within the envisioned architecture.
8. Conduct a formal stakeholder review by checking the proposed architecture against the original motivation for the architecture project and the statement of architecture work.
9. Finalize business, information, data, applications and technology domain architectures, and create an architecture definition document.
DETAILED ACTIVITIES
Management needs to maintain a repository containing the standards, reusable components, modeling artifacts, relationships, dependencies and views to enable uniformity within the architectural organization.
There should be a selection of reference viewpoints from the repository that will enable demonstration of how stakeholder concerns are being addressed within the architecture.
For each viewpoint, management should select the model needed to support the specific view that is required, using selected tools or methods and an appropriate level of decomposition.
Management should develop baseline architecture domain descriptions using the scope and level of detail necessary to support the target architecture, and identify relevant architecture building blocks from the repository.
A process architecture model should be maintained as a part of the baseline and target domain descriptions. The descriptions and documentation of processes should be standardized. The roles and responsibilities of the process decision makers, process owners, process team and other process stakeholders should be defined.
An information architecture model should be maintained as a part of the baseline and target domain descriptions, consistent with enterprise strategy to enable optimal use of information for decision making.
A data dictionary should be maintained that promotes a common understanding and a classification scheme that includes details about data ownership and definition of appropriate security levels.
20. APO03.03 Select opportunities and solutions.
Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment program to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints.
ACTIVITIES
1. Determine and confirm key enterprise change attributes, including the enterprise’s culture and how this will impact enterprise architecture implementation, as well as the enterprise’s transition capabilities.
2. Identify any enterprise drivers that would constrain the sequence of implementation, including a review of the enterprise and line of business strategic and business plans, and consideration of the current enterprise architecture maturity.
3. Review and consolidate the gap analysis results between the baseline and target architectures and assess their implications with respect to potential solutions/opportunities, interdependencies and alignment with current IT-enabled programs.
4. Assess the requirements, gaps, solutions and factors to identify a minimal set of functional requirements whose integration into work packages would lead to a more efficient and effective implementation of the target architecture.
5. Reconcile the consolidated requirements with potential solutions.
6. Refine the initial dependencies, ensuring that any constraints on the implementation and migration plans are identified, and consolidate them into a dependency analysis report.
7. Confirm the enterprise’s readiness for, and the risk associated with, enterprise transformation.
8. Formulate a high-level implementation and migration strategy that will guide the target architecture implementation and structure the transition architectures in alignment with enterprise strategic objectives and time scales.
9. Identify and group major work packages into a coherent set of programs and projects, respecting the enterprise strategic implementation direction and approach.
10. Develop a series of transition architectures as necessary where the scope of change required to realize the target architecture requires an incremental approach.
DETAILED ACTIVITIES
Management needs to determine and confirm key enterprise change attributes, including the enterprise’s culture and how it will influence architecture implementation, as well as transition capabilities.
Management needs to identify drivers that constrain the sequence of implementation, which includes a review of the enterprise and line of business strategic and business plans; the current architecture maturity should also be considered.
Management needs to review and consolidate the gaps identified between the baseline and target architectures and assess their implications for potential solutions and alignment with IT-enabled programs.
There needs to be an assessment of the requirements, gaps, solutions and factors to identify a minimal set of functional requirements whose integration would lead to efficient and effective implementation of the target architecture.
Management should refine the dependencies, ensuring that the constraints on implementation and migration plans are identified and consolidated into a dependency report.
Management needs to confirm the readiness for, and the risk associated with, enterprise transformation.
Management needs to formulate a high-level implementation and migration strategy that will guide the target architecture implementation and structure transitions in alignment with objectives and time scales.
Major work packages should be identified and grouped into a set of programs and projects.
Management should develop a series of transition architectures, as necessary, where the change required to realize the target architecture calls for an incremental approach.
21. APO03.04 Define architecture implementation.
Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work.
ACTIVITIES
1. Establish what the implementation and migration plan should include as part of program and project planning and ensure that it is aligned with the requirements of applicable decision makers.
2. Confirm transition architecture increments and phases and update the architecture definition document.
3. Define architecture implementation governance requirements.
DETAILED ACTIVITIES
Management needs to establish what the implementation and migration plan shall include as a part of the program and ensure its alignment with the requirements of the stakeholders.
Management needs to confirm transition architecture increments and phases, update the definition document, and define architecture governance requirements.
22. APO03.05 Provide enterprise architecture services.
The provision of enterprise architecture services within the enterprise includes guidance to and monitoring of
Guidance to Validate Internal Control Assertions in Indian Financial Reporting
65
implementation projects, formalizing ways of working through architecture contracts, and measuring and communicating
architecture’s value-add and compliance monitoring.
ACTIVITIES
DETAILED ACTIVITIES
1. Confirm scope and priorities and provide guidance
for solution development and deployment.
2. Manage the portfolio of enterprise architecture
services to ensure alignment with strategic
objectives and solution development.
3. Manage enterprise architecture requirements and
support with architectural principles, models and
building blocks.
4. Identify and align enterprise architecture priorities
to value drivers. Define and collect value metrics
and measure and communicate enterprise
architecture value.
5. Establish a technology forum to provide
architectural guidelines, advice on projects and
guidance on the selection of technology. Measure
compliance with these standards and guidelines,
including compliance with external requirements
and their business relevance.
Management needs to confirm scope, priority and guidance
for solution development and deployment.
A portfolio of enterprise architecture services needs to be
managed to ensure alignment with strategic objectives and
solution development.
The architecture requirements need to be managed to
support principles, models and building blocks.
Management needs to identify and align enterprise priorities
to value drivers.
Management needs to establish a technology forum to provide
architectural guidelines and advice on projects and guidance
on the selection of technology.
23. APO12.01 Collect data.
Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
ACTIVITIES
DETAILED ACTIVITIES
1. Establish and maintain a method for the collection,
classification and analysis of IT risk-related data,
accommodating multiple types of events, multiple
categories of IT risk and multiple risk factors.
2. Record relevant data on the enterprise’s internal
and external operating environment that could play
a significant role in the management of IT risk.
3. Survey and analyze the historical IT risk data and
loss experience from externally available data and
trends, industry peers through industry-based event
logs, databases, and industry agreements for
common event disclosure.
4. Record data on risk events that have caused or may
cause impacts to IT benefit/value enablement, IT
program and project delivery, and/or IT operations
and service delivery. Capture relevant data from
related issues, incidents, problems and
investigations.
5. For similar classes of events, organize the collected
data and highlight contributing factors. Determine
common contributing factors across multiple
events.
6. Determine the specific conditions that existed or
were absent when risk events occurred and the way
the conditions affected event frequency and loss
magnitude.
7. Perform periodic event and risk factor analysis to
identify new or emerging risk issues and to gain an
understanding of the associated internal and
external risk factors.
Management needs to establish and maintain a method for
collection, classification and analysis of risk-related data,
which accommodates multiple events, categories of risk and
risk factors.
Management can record relevant data on an enterprise’s
internal and external operating environment that would play
a significant role in the management of risk.
There can be a survey and analysis of historical risk data and
loss experience from externally available trends, industry
peers through event logs, databases and agreements for
common event disclosures.
The risk events that have caused or potentially cause impact
to IT value benefits, programs and project delivery should be
captured. In addition, data from incidents, problems and
investigation can be recorded.
Management needs to determine the specific conditions that
existed or were absent when risk events occurred and the
way they affect event frequency and loss magnitude.
Management should perform periodic event and risk factor
analysis to identify new/emerging risk issues and gain an
understanding of associated risk factors.
24. APO12.02 Analyze risk.
Develop useful information to support risk decisions that take into account the business relevance of risk factors.
ACTIVITIES DETAILED ACTIVITIES
1. Define the appropriate breadth and depth of risk
analysis efforts, considering all risk factors and the
business criticality of assets. Set the risk analysis
scope after performing a cost-benefit analysis.
2. Build and regularly update IT risk scenarios,
including compound scenarios of cascading and/or
coincidental threat types, and develop expectations
for specific control activities, capabilities to detect
and other response measures.
3. Estimate the frequency and magnitude of loss or
gain associated with IT risk scenarios. Take into
account all applicable risk factors, evaluate known
operational controls and estimate residual risk
levels.
4. Compare residual risk to acceptable risk tolerance
and identify exposures that may require a risk
response.
5. Analyze cost-benefit of potential risk response
options such as avoid, reduce/mitigate,
transfer/share, and accept and exploit/seize.
Propose the optimal risk response.
6. Specify high-level requirements for projects or
programs that will implement the selected risk
responses. Identify requirements and expectations
for appropriate key controls for risk mitigation
responses.
7. Validate the risk analysis results before using them
in decision-making, confirming that the analysis
aligns with enterprise requirements and verifying
that estimations were properly calibrated and
scrutinized for bias.
Management needs to define the appropriate breadth and
depth of risk and criticality of assets. Set the risk scope after
performing a cost-benefit analysis.
Management needs to build and regularly update the risk
scenarios, including compound scenarios of
cascading/coincidental threat types, and develop
expectations for specific control activities, capabilities to
detect and other response measures.
Management needs to estimate the frequency and
magnitude of loss or gain associated with risk scenarios.
All applicable risk factors need to be taken into account,
known operational controls evaluated and residual risk
levels estimated.
Residual risk needs to be compared with the acceptable
risk tolerance, and exposures that may require a risk
response should be identified.
Management needs to conduct a cost-benefit analysis of
potential risk response options such as avoid, reduce,
transfer and accept.
Management should specify high-level requirements for
programs that will implement the risk responses. Identify
requirements for key controls.
Management needs to validate the risk analysis results
before using them for decision making, and confirm whether
the results align with enterprise requirements, and verify that
estimations were calibrated.
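A worked instance of steps 3 to 7 above, added here as an example and not part of the guidance: a scenario's frequency and loss magnitude give an inherent annual loss, known controls are credited to obtain the residual, the residual is compared with the tolerance, and the response options (avoid, reduce, transfer, accept) are ranked by net benefit. The scenario, its estimates, the control effectiveness values, the tolerance and the response costs are all constructed; INR lakh is used only as the unit of the illustration.

```python
"""Worked risk analysis following APO12.02 steps 3 to 7 (added example, not
from the guidance document). The scenario, frequency, loss magnitude, control
effectiveness, tolerance and response costs are all constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    reduction: float  # fraction of the loss the control removes, 0.0 to 1.0


@dataclass
class Scenario:
    name: str
    frequency: float  # expected events per year (constructed estimate)
    magnitude: float  # loss per event in INR lakh (constructed estimate)
    controls: List[Control] = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annualized loss expectancy before any control is credited."""
        return self.frequency * self.magnitude

    def residual_ale(self) -> float:
        """Step 3: credit the known operational controls multiplicatively."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.reduction
        return self.inherent_ale() * remaining


@dataclass
class ResponseOption:
    option: str         # avoid, reduce, transfer or accept
    annual_cost: float  # INR lakh per year (constructed)
    removed: float      # fraction of the residual loss the option removes


def validate(scenario: Scenario, options: List[ResponseOption]) -> None:
    """Step 7: reject estimates outside their calibrated range before they
    reach decision makers."""
    if scenario.frequency < 0 or scenario.magnitude < 0:
        raise ValueError(f"{scenario.name}: frequency and magnitude must be >= 0")
    for c in scenario.controls:
        if not 0.0 <= c.reduction <= 1.0:
            raise ValueError(f"{c.name}: reduction must lie between 0 and 1")
    for o in options:
        if not 0.0 <= o.removed <= 1.0 or o.annual_cost < 0:
            raise ValueError(f"{o.option}: removed in [0, 1] and cost >= 0")


def analyze(scenario: Scenario, tolerance: float,
            options: List[ResponseOption]) -> dict:
    """Steps 4 and 5: compare residual risk with tolerance and, where the
    exposure needs a response, propose the option with the best net benefit
    among those that bring the residual within tolerance."""
    validate(scenario, options)
    residual = scenario.residual_ale()
    result = {"scenario": scenario.name, "inherent": scenario.inherent_ale(),
              "residual": residual, "within_tolerance": residual <= tolerance}
    if result["within_tolerance"]:
        result["proposal"] = "accept"  # within tolerance: no response required
        return result
    best: Optional[tuple] = None
    for o in options:
        after = residual * (1.0 - o.removed)
        net_benefit = (residual - after) - o.annual_cost
        if after > tolerance:
            continue  # does not bring the exposure within tolerance
        if best is None or net_benefit > best[1]:
            best = (o.option, net_benefit, after)
    if best is None:
        result["proposal"] = "escalate"  # no option meets tolerance
        return result
    result["proposal"], result["net_benefit"], result["after"] = best
    return result


# Constructed scenario, tolerance and response options.
TOLERANCE = 10.0  # expected annual loss (INR lakh) the business will carry
RANSOMWARE = Scenario(
    "ransomware on the finance file server", frequency=0.5, magnitude=200.0,
    controls=[Control("offline backups", 0.6), Control("endpoint detection", 0.5)])
OPTIONS = [
    ResponseOption("avoid", annual_cost=25.0, removed=1.0),    # withdraw the service
    ResponseOption("reduce", annual_cost=3.0, removed=0.7),    # network segmentation
    ResponseOption("transfer", annual_cost=4.0, removed=0.5),  # cyber insurance
    ResponseOption("accept", annual_cost=0.0, removed=0.0),
]

if __name__ == "__main__":
    print(analyze(RANSOMWARE, TOLERANCE, OPTIONS))
```

For the constructed scenario the inherent loss is 100, the credited controls leave a residual of 20 against a tolerance of 10, and "reduce" is proposed because it is the cheapest option that brings the residual within tolerance.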
25. APO12.03 Maintain a risk profile.
Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and
of related resources, capabilities and current control activities.
ACTIVITIES
DETAILED ACTIVITIES
1. Inventory business processes, including supporting
personnel, applications, infrastructure, facilities,
critical manual records, vendors, suppliers and
outsourcers, and document the dependency on IT
service management processes and IT infrastructure
resources.
2. Determine and agree on which IT services and IT
infrastructure resources are essential to sustain the
operation of business processes. Analyze
dependencies and identify weak links.
3. Aggregate current risk scenarios by category,
business line and functional area.
4. On a regular basis, capture all risk profile
information and consolidate it into an aggregated
risk profile.
5. Based on all risk profile data, define a set of risk
indicators that allow the quick identification and
monitoring of current risk and risk trends.
6. Capture information on IT risk events that have
materialized, for inclusion in the IT risk profile of the
enterprise.
Management can take an inventory of business processes,
applications, infrastructure, facilities, critical manual records,
vendors, etc., and document the dependency on IT service
management processes and IT infrastructure resources.
Further, management should determine and agree on which
IT services and infrastructure resources are essential to
sustain the operation of business processes. Analyze
dependencies and weak links.
Management needs to aggregate current risk scenarios by
categories, business lines and functional areas.
On a regular basis, management should capture risk profile
information and consolidate it into aggregated risk profiles.
Based on the profiles, management needs to define a set of
risk indicators that allow quick identification and monitoring
of current risk trends.
Management should capture information on risk events that
have materialized, for inclusion in the enterprise's risk profile.
26. APO12.04 Articulate risk.
Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required
stakeholders for appropriate response.
ACTIVITIES
DETAILED ACTIVITIES
1. Report the results of risk analysis to all affected
stakeholders in terms and formats useful to support
enterprise decisions. Wherever possible, include
probabilities and ranges of loss or gain along with
confidence levels that enable management to
balance risk-return.
2. Provide decision makers with an understanding of
worst-case and most-probable scenarios, due
diligence exposures, and significant reputation, legal
or regulatory considerations.
3. Report the current risk profile to all stakeholders,
including effectiveness of the risk management
process, control effectiveness, gaps, inconsistencies,
redundancies, remediation status, and their impacts
on the risk profile.
4. Review the results of objective third-party
assessments, internal audit and quality assurance
reviews, and map them to the risk profile. Review
identified gaps and exposures to determine the
need for additional risk analysis.
Management needs to report the results of risk analysis to all
the affected stakeholders in terms and formats supporting
decision making. Wherever possible, include probabilities and
range of loss or gain with confidence levels to balance risk
and return.
Management can provide to the decision makers an
understanding of worst case and most probable scenarios,
due diligence exposures and reputation, legal or regulatory
considerations.
The report to stakeholders on current risk profile should
include effectiveness of the risk management process,
control effectiveness, gaps, inconsistencies, etc., and their
impact on the risk profile.
Management should review the results of third-party
assessments, internal audits and quality assurance (QA)
reviews, and map them to the risk profiles.
27. APO12.05 Define a risk management action portfolio.
Manage opportunities to reduce risk to an acceptable level as a portfolio.
ACTIVITIES DETAILED ACTIVITIES
1. Maintain an inventory of control activities that are in
place to manage risk and that enable risk to be taken in
line with risk appetite and tolerance. Classify control
activities and map them to specific IT risk statements and
aggregations of IT risk.
2. Determine whether each organizational entity monitors
risk and accepts accountability for operating within its
individual and portfolio tolerance levels.
3. Define a balanced set of project proposals designed to
reduce risk and/or projects that enable strategic
enterprise opportunities, considering cost/benefits, effect
on current risk profile and regulations.
Management needs to make an inventory of control activities
that are in place to manage risk and that enable risk to be
taken in line with appetite and tolerance. The control activities
should be classified and mapped to specific risk statements
and aggregations of risk.
Management needs to determine whether each organizational
entity monitors risk and accepts accountability for operating
within its individual and portfolio tolerance levels.
Management defines a balanced set of project proposals
which are designed to reduce risk and/or projects that enable
strategic opportunities, considering the cost-benefit analysis.
28. APO12.06 Respond to risk.
Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.
ACTIVITIES DETAILED ACTIVITIES
1. Prepare, maintain and test plans that document the
specific steps to take when a risk event may cause a
significant operational or development incident with
serious business impact. Ensure that plans include
pathways of escalation across the enterprise.
2. Categorize incidents, and compare actual exposures
against risk tolerance thresholds. Communicate business
impacts to decision makers as part of reporting, and
update the risk profile.
3. Apply the appropriate response plan to minimize the
impact when risk incidents occur.
4. Examine past adverse events/losses, missed
opportunities, and determine root causes. Communicate
root cause, additional risk response requirements and
process improvements to appropriate decision makers
and ensure that the cause, response requirements and
process improvement are included in risk governance
processes.
Management needs to prepare, maintain and test plans that
document specific steps to take when a risk event may cause
a significant operational or development incident with serious
impact on the business. Further, ensure that plans include
escalation pathways across the enterprise.
There needs to be a categorization of incidents, a comparison
of actual exposures against risk thresholds and communication
of this to decision makers as a part of reporting, and an update
of risk profiles.
Management should apply plans to minimize the impact when
risk incidents occur, examine past adverse events and
missed opportunities, and determine root causes.
Communicate the root causes, risk response requirements and
process improvements to decision makers.
29. APO13.01 Establish and maintain an information security management system (ISMS).
Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for
information, enabling secure technology and business processes that are aligned with business requirements and enterprise
security management.
ACTIVITIES
DETAILED ACTIVITIES
1. Define the scope and boundaries of the ISMS in
terms of the characteristics of the enterprise, the
organization, its location, assets and technology.
2. Include details of, and justification for, any exclusion
from the scope.
3. Define ISMS in accordance with enterprise policy
and aligned with the enterprise, the organization, its
location, assets and technology.
4. Align the ISMS with the overall enterprise approach
to the management of security.
5. Obtain management authorization to implement
and operate or change the ISMS.
6. Prepare and maintain a statement of applicability
that describes the scope of the ISMS.
7. Define and communicate information security
management roles and responsibilities.
8. Communicate the ISMS approach.
Management needs to define the scope and boundaries of
the ISMS in terms of characteristics such as location, assets
and technology of the enterprise.
Include the justification for any exclusion from the scope.
Management needs to define the ISMS in accordance with
the policy and align with the enterprise approach toward
management of security.
Management needs to obtain authorization to implement
and operate the ISMS, and to change it.
Management should prepare and maintain a statement of
applicability that describes scope of the ISMS, and should
communicate roles and responsibilities.
30. APO13.02 Define and manage an information security risk treatment plan.
Maintain an information security plan that describes how information security risk is to be managed and aligned with the
enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are
based on approved business cases and implemented as an integral part of services and solutions development, then
operated as an integral part of business operation.
ACTIVITIES DETAILED ACTIVITIES
1. Formulate and maintain an information security risk
treatment plan aligned with strategic objectives and
the enterprise architecture. Ensure that the plan
identifies the appropriate and optimal management
practices and security solutions, with associated
resources, responsibilities and priorities for
managing identified information security risk.
2. Develop proposals to implement the information
security risk treatment plan, supported by suitable
business cases, which include consideration of
funding and allocation of roles and responsibilities.
3. Provide input to the design and development of
management practices and solutions selected from
the information security risk treatment plan.
4. Define how to measure the effectiveness of the
selected management practices and specify how
these measurements are to be used to assess
effectiveness to produce comparable and
reproducible results.
5. Recommend information security training and
awareness programs.
6. Integrate the planning, design, implementation and
monitoring of information security procedures and
other controls capable of enabling prompt
prevention, detection of security events and
response to security incidents.
Management needs to formulate and maintain an
information security risk plan, which should be aligned with
strategic objectives and enterprise architecture. Also, ensure
the plan identifies appropriate and optimal management
practices and security solutions, with associated resources
and responsibilities for managing identified information
security risk.
Develop proposals to implement the information security risk
treatment plan, supported by suitable business cases,
considering funding and allocation of roles and
responsibilities.
Management needs to provide input to design and
development of practices and solutions selected from the risk
treatment plan.
Management should define how to measure the
effectiveness of selected management practices and specify
how these measures are used to assess effectiveness to
produce comparable results.
Further, recommend information security training and
awareness programs.
Management should integrate the planning, design,
implementation and monitoring of information security
procedures and other controls capable of enabling prompt
prevention, detection of security events and response to
security incidents.
31. APO13.03 Monitor and review the ISMS.
Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect
and analyze data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent
recurrence. Promote a culture of security and continual improvement.
ACTIVITIES
DETAILED ACTIVITIES
1. Undertake regular reviews of the effectiveness of
the ISMS including meeting ISMS policy and
objectives, and review of security practices. Take
into account results of security audits, incidents, and
results from effectiveness measurements,
suggestions and feedback from all interested
parties.
2. Conduct internal ISMS audits at planned intervals.
3. Undertake a management review of the ISMS on a
regular basis to ensure that the scope remains
adequate and improvements in the ISMS process
are identified.
4. Provide input to the maintenance of the security
plans to take into account the findings of monitoring
and reviewing activities.
5. Record actions and events that could have an
impact on the effectiveness or performance of the
ISMS.
Management should undertake regular reviews of
effectiveness of the ISMS, including meeting policies and
objectives, and review of practices. Also, take into account
results of security audits, results from effectiveness
measurements, suggestions and feedback from all interested
parties.
Management should conduct ISMS audits at planned
intervals and undertake a management review of the ISMS
on a regular basis to ensure that the scope remains adequate
and improvements to processes are identified.
The actions and events that may impact the effectiveness or
performance of the ISMS should be recorded.
32. DSS01.02 Manage outsourced IT services.
Manage the operation of outsourced IT services to maintain the protection of enterprise information and reliability of
service delivery.
ACTIVITIES DETAILED ACTIVITIES
1. Ensure that the enterprise’s requirements for
security of information processes are adhered to in
accordance with contracts and SLAs with third
parties hosting or providing services.
2. Ensure that the enterprise’s operational business
and IT processing requirements and priorities for
service delivery are adhered to in accordance with
contracts and SLAs with third parties hosting or
providing services.
3. Integrate critical internal IT management processes
with those of outsourced service providers,
covering, e.g., performance and capacity planning,
change management, configuration management,
service request and incident management, problem
management, security management, business
continuity, and the monitoring of process
performance and reporting.
4. Plan for independent audit and assurance of the
operational environments of outsourced providers
to confirm that agreed-on requirements are being
adequately addressed.
Management needs to ensure that requirements of security
of information processes are adhered to in accordance with
contracts and SLAs with third parties, which provide services.
Also, ensure that the operational business and IT process
requirements and priorities for service delivery are adhered
to in accordance with contracts.
Management should integrate critical internal IT
management processes with those of outsourced service
providers, covering change management, configuration
management, service request and incident management,
problem management, security management and business
continuity.
Plan for independent audit assurance of the operational
environment of outsourced providers to confirm that agreed-
on requirements are being addressed.
33. DSS01.03 Monitor IT infrastructure.
Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable the
reconstruction, review and examination of the time sequences of operations and the other activities surrounding or
supporting operations.
ACTIVITIES DETAILED ACTIVITIES
1. Log events, identifying the level of information to be
recorded based on a consideration of risk and
performance.
2. Identify and maintain a list of infrastructure assets
that need to be monitored based on service
criticality and the relationship between
configuration items and services that depend on
them.
3. Define and implement rules that identify and record
threshold breaches and event conditions. Find a
balance between generating spurious minor events
and significant events so event logs are not
overloaded with unnecessary information.
4. Produce event logs and retain them for an
appropriate period to assist in future investigations.
5. Establish procedures for monitoring event logs and
conduct regular reviews.
6. Ensure that incident tickets are created in a timely
manner when monitoring identifies deviations from
defined thresholds.
Management needs to ensure that events are logged and
identified levels of information are recorded based on a
consideration of risk and performance.
Identify and maintain a list of infrastructure assets that need
to be monitored based on service criticality and the
relationship between configurations and services that are
dependent on them.
Management should define and implement rules that identify
and record threshold breaches and event conditions. Find a
balance between generating spurious events and significant
events so event logs are not overloaded with unnecessary
information.
The event logs need to be produced and retained for
appropriate periods for future investigation assistance.
Management needs to ensure that incident tickets are
created in a timely manner when monitoring identifies
deviations from defined thresholds.
34. DSS01.04 Manage the environment.
Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and
control the environment.
ACTIVITIES DETAILED ACTIVITIES
1. Identify natural and man-made disasters that might
occur in the area within which the IT facilities are
located. Assess the potential effect on the IT
facilities.
2. Identify how IT equipment, including mobile and off-
site equipment, is protected against environmental
threats. Ensure that the policy limits or excludes
eating, drinking and smoking in sensitive areas, and
prohibits storage of stationery and other supplies
posing a fire hazard within computer rooms.
3. Situate and construct IT facilities to minimize and
mitigate susceptibility to environmental threats.
4. Regularly monitor and maintain devices that
proactively detect environmental threats (e.g., fire,
water, smoke, humidity).
5. Respond to environmental alarms and other
notifications. Document and test procedures, which
should include prioritization of alarms and contact
with local emergency response authorities, and train
personnel in these procedures.
6. Compare measures and contingency plans against
insurance policy requirements and report results.
Address points of non-compliance in a timely
manner.
7. Ensure that IT sites are built and designed to
minimize the impact of environmental risk (e.g.,
theft, air, fire, smoke, water, vibration, terror,
vandalism, chemicals, and explosives). Consider
specific security zones and/or fireproof cells (e.g.,
locating production and development
environments/servers away from each other).
Management needs to identify natural and man-made
disasters that might occur in the area within which the IT
facilities are located and assess the potential effect on IT
facilities.
Management should identify how IT equipment, including
mobile and offsite equipment, is protected against
environmental threats. Ensure that policies include
prohibitions on eating, drinking and smoking in sensitive areas
and on storage of stationery and other supplies that might
pose a fire hazard within the computer rooms.
Management should ensure that the siting and
construction of IT facilities minimize and mitigate
susceptibility to environmental threats.
Further, regularly monitor and maintain devices that detect
environmental threats proactively, and ensure that alarms
and other notifications are responded to. Document and test
procedures, which should include prioritization of alarms and
contacts with local emergency authorities.
Management should compare measures and contingency
plans with insurance policy requirements and report the
results. Address points of noncompliance in a timely manner.
Further, ensure that the sites built are designed to minimize
the impacts of environmental threats and consider specific
security zones and fireproof cells.
35. DSS01.05 Manage facilities.
Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business
requirements, vendor specifications, and health and safety guidelines.
ACTIVITIES DETAILED ACTIVITIES
1. Examine the IT facilities’ requirement for protection
against power fluctuations and outages, in
conjunction with other business continuity planning
requirements. Procure suitable uninterruptible
supply equipment (e.g., batteries, generators) to
support business continuity planning.
2. Regularly test the uninterruptible power supply’s
mechanisms, and ensure that power can be
switched to the supply without any significant effect
on business operations.
3. Ensure that the facilities housing the IT systems
have more than one source for dependent utilities
(e.g., power, telecommunications, water, gas).
Separate the physical entrance of each utility.
4. Confirm that cabling external to the IT site is located
underground or has suitable alternative protection.
Determine that cabling within the IT site is
contained within secured conduits, and wiring
cabinets have access restricted to authorized
personnel. Properly protect cabling against damage
caused by fire, smoke, water, interception and
interference.
5. Ensure that cabling and physical patching (data and
phone) are structured and organized. Cabling and
conduit structures should be documented (e.g.,
blueprint building plan and wiring diagrams).
6. Analyze the facilities housing’s high-availability
systems for redundancy and fail-over cabling
requirements (external and internal).
7. Ensure that IT sites and facilities are in ongoing
compliance with relevant health and safety laws,
regulations, guidelines, and vendor specifications.
8. Educate personnel on a regular basis on health and
safety laws, regulations, and relevant guidelines.
Educate personnel on fire and rescue drills to
ensure knowledge and actions taken in case of fire
or similar incidents.
9. Record, monitor, manage and resolve facilities
incidents in line with the IT incident management
process. Make available reports on facilities
incidents where disclosure is required in terms of
laws and regulations.
Management needs to examine the IT facilities’ requirements
for protection against power fluctuations and outages, in
conjunction with business continuity planning requirements,
by procuring suitable uninterruptible supply equipment.
Regularly test the power supply mechanisms and ensure that
power can be switched to the supply without any significant
effect on business operations.
The facilities housing IT systems need to have more than one
source for dependent utilities and separate physical
entrances for each utility.
Management needs to confirm that the external cabling to
the site is located underground or has suitable alternative
protection and determine whether the cabling within the IT
site is contained within secured conduits.
Also, ensure that physical patching is structured and
organized, and the conduit structures need to be
documented.
Management needs to analyze the facilities housing’s high-
availability systems for redundancy and fail-over cabling
requirements.
Management should ensure that IT sites and facilities remain
in ongoing compliance with relevant health and safety laws,
regulations, guidelines and vendor specifications.
Also, educate personnel on fire and rescue drills to ensure
knowledge and corrective action taken in case of any future
incidents.
Management should record, monitor, manage and resolve
facilities incidents in line with the incident management
process and ensure that incidents are disclosed in terms of
laws and regulations.
36. DSS06.01 Align control activities embedded in business processes with enterprise objectives.
Continually assess and monitor the execution of the business process activities and related controls, based on enterprise
risk, to ensure that the processing controls are aligned with business needs.
ACTIVITIES
DETAILED ACTIVITIES
1. Identify and document control activities of key
business processes to satisfy control requirements
for strategic, operational, reporting and compliance
objectives.
2. Prioritize control activities based on the inherent
risk to the business and identify key controls.
3. Ensure ownership of key control activities.
4. Continually monitor control activities on an end-to-
end basis to identify opportunities for
improvement.
5. Continually improve the design and operation of
business process controls.
Management needs to identify and document control
activities of key business processes to satisfy control
requirements.
Management needs to prioritize the control activities based
on the inherent risk to the business and identify key controls.
Management needs to ensure ownership of key control
activities.
Management needs to continuously monitor the activities on
an end-to-end basis to identify opportunities for
improvement.
37. DSS06.02 Control the processing of information.
Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that
information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use).
ACTIVITIES DETAILED ACTIVITIES
1. Create transactions by authorized individuals
following established procedures, including, where
appropriate, adequate segregation of duties
regarding the origination and approval of these
transactions.
2. Authenticate the originator of transactions and
verify that he/she has the authority to originate the
transaction.
3. Input transactions in a timely manner. Verify that
transactions are accurate, complete and valid.
Validate input data and edit or, where applicable,
send back for correction as close to the point of
origination as possible.
4. Correct and resubmit data that were erroneously
input without compromising original transaction
authorization levels. Where appropriate for
reconstruction, retain original source documents for
the appropriate amount of time.
5. Maintain the integrity and validity of data
throughout the processing cycle. Ensure that
detection of erroneous transactions does not
disrupt processing of valid transactions.
6. Maintain the integrity of data during unexpected
interruptions in business processing and confirm
data integrity after processing failures.
7. Handle output in an authorized manner, deliver to
the appropriate recipient and protect the
information during transmission. Verify the accuracy
and completeness of the output.
8. Before passing transaction data between internal
applications and business/operational functions
(inside or outside the enterprise), check for proper
addressing, authenticity of origin and integrity of
content. Maintain authenticity and integrity during
transmission or transport.
Management needs to create transactions by authorized
individuals following established procedures, including,
where appropriate, adequate segregation of duties regarding
the origination and approval of transactions.
38. DSS06.03 Manage roles, responsibilities, access privileges and levels of authority.
Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business
process objectives. Authorize access to any information assets related to business information processes, including those
under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is
handling data on its behalf.
ACTIVITIES DETAILED ACTIVITIES
1. Allocate roles and responsibilities based on
approved job descriptions and allocated business
process activities.
2. Allocate levels of authority for approval of
transactions, limits and any other decisions relating
to the business process, based on approved job
roles.
3. Allocate access rights and privileges based on only
what is required to perform job activities, based on
pre-defined job roles. Remove or revise access
rights immediately if the job role changes or a staff
member leaves the business process area.
Periodically review to ensure that the access is
appropriate for the current threats, risk, technology
and business need.
4. Allocate roles for sensitive activities so that there is
a clear segregation of duties.
5. Provide awareness and training regarding roles and
responsibilities on a regular basis so that everyone
understands their responsibilities; the importance of
controls; and the integrity, confidentiality and
privacy of company information in all its forms.
6. Periodically review access control definitions, logs
and exception reports to ensure that all access
privileges are valid and aligned with current staff
members and their allocated roles.
Management should allocate roles and responsibilities based
on approved job descriptions and allocated business process
activities.
Management should allocate levels of authority for approval
of transactions, limits and any other decisions relating to the
business process based on the approved roles.
Management should also allocate access rights and
privileges based on predefined roles, and remove or
revise access rights immediately if a role changes or a staff
member leaves the process area.
Management should allocate roles for sensitive activities so
that there is a clear segregation of duties.
Awareness and training regarding roles and responsibilities
should be provided on a regular basis to everyone.
Management should periodically review access control
definitions, logs and exception reports to ensure that all
access privileges are valid and aligned with current staff
members and their allocated roles.
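A worked illustration of DSS06.03 activities 3, 4 and 6, together with the segregation of duties between origination and approval called for in DSS06.02, added here as an example and not part of this guidance or of COBIT 5: it reconciles the privileges an application actually grants against an HR roster and the approved job roles, and flags transactions that were self-approved or originated by someone no longer in the process area. All roles, users, privileges and transaction IDs are constructed for the example.

```python
"""
Periodic access review and segregation-of-duties (SoD) check.

Added example for DSS06.03 activities 3, 4 and 6 and DSS06.02 activity 1.
All data below is constructed: the approved job roles, an HR roster, the
access rights exported from an application, and a small transaction log.
Every identifier is hypothetical.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Approved job roles: the only reference for which privileges a role needs
# (DSS06.03 activity 3: allocate access "based on pre-defined job roles").
APPROVED_ROLES: Dict[str, Set[str]] = {
    "ap_clerk": {"create_payment", "view_vendor"},
    "ap_manager": {"approve_payment", "view_vendor"},
    "vendor_admin": {"maintain_vendor", "view_vendor"},
}

# Privilege pairs one person must never hold together (DSS06.03 activity 4,
# DSS06.02 activity 1: origination and approval of the same transaction).
SOD_CONFLICTS: Set[frozenset] = {
    frozenset({"create_payment", "approve_payment"}),
    frozenset({"maintain_vendor", "create_payment"}),
}

# HR roster (constructed): user -> (role, still active in this process area?)
ROSTER: Dict[str, Tuple[str, bool]] = {
    "asha": ("ap_clerk", True),
    "ravi": ("ap_manager", True),
    "meera": ("vendor_admin", True),
    "kiran": ("ap_clerk", False),  # left the process area; access not removed
}

# Access control definitions exported from the application (constructed).
GRANTS: Dict[str, Set[str]] = {
    "asha": {"create_payment", "view_vendor"},
    "ravi": {"approve_payment", "view_vendor", "create_payment"},  # excess
    "meera": {"maintain_vendor", "view_vendor"},
    "kiran": {"create_payment", "view_vendor"},  # residual access of a leaver
}

# Transaction log (constructed): who originated and who approved each payment.
TRANSACTIONS: List[Dict[str, str]] = [
    {"id": "PAY-1001", "originator": "asha", "approver": "ravi"},
    {"id": "PAY-1002", "originator": "ravi", "approver": "ravi"},  # self-approved
    {"id": "PAY-1003", "originator": "kiran", "approver": "ravi"},  # by a leaver
]


def review_access(roster, roles, grants, conflicts=SOD_CONFLICTS) -> Dict[str, List[str]]:
    """Reconcile granted privileges against the roster and approved roles.

    Returns findings keyed by category so they can feed the exception report
    that DSS06.03 activity 6 asks management to review periodically.
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    for user, granted in grants.items():
        if user not in roster:
            findings["unknown_user"].append(user)
            continue
        role, active = roster[user]
        if not active:
            # Any residual access for a leaver is a finding, whatever the role.
            findings["leaver_with_access"].append(user)
            continue
        # Privileges beyond what the approved role requires.
        for priv in sorted(granted - roles.get(role, set())):
            findings["excess_privilege"].append(f"{user}:{priv}")
        # Toxic combinations actually held by one person.
        for pair in conflicts:
            if pair <= granted:
                findings["sod_conflict"].append(f"{user}:{'+'.join(sorted(pair))}")
    return dict(findings)


def sod_violations(transactions, roster) -> List[str]:
    """Flag transactions whose originator approved their own transaction, or
    whose originator was not an active member of the process area."""
    flagged = []
    for t in transactions:
        if t["originator"] == t["approver"]:
            flagged.append(f"{t['id']}:self_approved")
        _, active = roster.get(t["originator"], (None, False))
        if not active:
            flagged.append(f"{t['id']}:originator_not_active")
    return flagged


if __name__ == "__main__":
    for category, items in review_access(ROSTER, APPROVED_ROLES, GRANTS).items():
        print(f"{category}: {items}")
    print("transaction exceptions:", sod_violations(TRANSACTIONS, ROSTER))
```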
39. DSS06.04 Manage errors and exceptions.
Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors
and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the
business information process.
ACTIVITIES DETAILED ACTIVITIES
1. Define and maintain procedures to assign
ownership, correct errors, override errors and
handle out-of-balance conditions.
2. Review errors, exceptions and deviations.
3. Follow up, correct, approve and resubmit source
documents and transactions.
4. Maintain evidence of remedial actions.
5. Report relevant business information process errors
in a timely manner to perform root cause and
trending analysis.
Management should define and maintain procedures to
assign ownership, correct and override errors and handle
out-of-balance conditions.
Management needs to review errors, exceptions and
deviations.
Management should report relevant business information
process errors in a timely manner to perform root cause and
trending analysis.
40. DSS06.05 Ensure traceability of information events and accountabilities.
Ensure that business information can be traced to the originating business event and accountable parties. This enables
traceability of the information through its life cycle and related processes. This provides assurance that information that
drives the business is reliable and has been processed in accordance with defined objectives.
ACTIVITIES DETAILED ACTIVITIES
1. Define retention requirements, based on business
requirements, to meet operational, financial
reporting and compliance needs.
2. Capture source information, supporting evidence
and the record of transactions.
3. Dispose of source information, supporting evidence
and the record of transactions in accordance with
the retention policy.
Management needs to define retention requirements, which
are based on business requirements to meet the operational,
financial reporting and compliance needs.
Management should capture source information, supporting
evidence and the record of transactions.
Management should dispose of source information,
supporting evidence and the record of transactions in
accordance with the retention policy.
41. DSS06.06 Secure information assets.
Secure information assets accessible by the business through approved methods, including information in electronic form
(such as methods that create new assets in any form, portable media devices, user applications and storage devices),
information in physical form (such as source documents or output reports) and information during transit. This benefits the
business by providing end-to-end safeguarding of information.
MEA01, MEA02 and MEA03 are explained in the stakeholder 3 section that follows.
STAKEHOLDER 3 – AUDITOR
Assurance means that, pursuant to an accountability relationship between two or more parties, an IT audit and assurance
professional may be engaged to issue a written communication expressing a conclusion about the subject matters to the
accountable party.
Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance
or comfort over the subject matter. For example, assurance engagements could include support for audited financial
statements; assessment of value provided by IT to the enterprise; reviews of controls; compliance with required standards and
practices; and compliance with agreements, licenses, legislation and regulations.
An auditor can be either an independent auditor unaffiliated with the company being audited or a captive auditor, and some are
elected public officials. Auditors are used to ensure that organizations are maintaining accurate and honest financial records and
statements. Auditors can work for many different entities. Auditors are also found in the private sector at accounting firms.
There are both internal and external auditors; internal auditors are usually employees or contractors with the company they are
auditing, while external auditors generally work either directly for or in conjunction with governmental agencies. Various roles
of the auditor include:
• Inquiring of management and others to gain an understanding of the organization itself, its operations, financial
reporting, and known fraud or error
• Evaluating and understanding the internal control system
• Performing analytical procedures on expected or unexpected variances in account balances or classes of transactions
• Testing documentation supporting account balances or classes of transactions
• Observing the physical inventory count
• Confirming accounts receivable and other accounts with a third party
• At the completion of the audit, the auditor may also offer objective advice for improving financial reporting and internal
controls to maximize a company’s performance and efficiency.
The needs of this stakeholder can be assessed through the following questions, which the auditor should develop prior
to an audit engagement:
• How dependent am I on external providers?
• What are the (control) requirements for information?
• Did I address all IT-related risk?
• Am I running an efficient and resilient IT operation?
• How do I get assurance over IT?
• Is the information I am processing well secured?
• How do I know my business partner’s operations are secure and reliable?
• How do I know the enterprise is compliant with applicable rules and regulations?
• How do I know the enterprise is maintaining an effective system of internal control?
• Do business partners have the information chain between them under control?
The auditor will be able to:
• Better understand their responsibilities and roles with regard to assurance provisioning with reference to
governance, internal controls and risk management
• Apply a well-illustrated, structured and comprehensive approach for providing assurance over IT with reference to
governance, internal controls and risk management
• Use a structured framework that provides a common language among all stakeholders to provide assurance over
specific IT areas
As drafted in COBIT 5 for Assurance, an assurance initiative consists of five components, as illustrated in the following figure.
Each of those components is described in further detail in the following subsections.
Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 4
Three-party Relationship
An accountable party is the individual, group or entity (auditee), usually involving management, that is ultimately responsible for
subject matter, process or scope. An assurance engagement involves two other parties:
• Depending on the circumstances, the user could include a variety of stakeholders, such as shareholders, creditors,
customers, the board of directors, the audit committee, legislators or regulators. For some types of assurance activities,
the auditee and the user can be identical, e.g., IT management.
• The assurance professional (auditor) is the person who has overall responsibility for the performance of the assurance
engagement and for the issuance of the report on the subject matter.
In conducting an assurance assignment, an accountability relationship exists among the three parties. The accountability
relationship is a prerequisite for an assurance engagement, and it exists when one party (the auditee) is responsible to another
party (the user) for a subject matter, or voluntarily chooses to report to another party on a subject matter. The accountability
relationship may arise as a result of an (contractual) agreement or legislation, or because a user can be expected to have an
interest in how the accountable party has discharged its responsibility for a subject matter.
Subject Matter
Subject matter is the specific information, practices or controls, such as any of the seven COBIT 5 enablers, that are the subject
of an audit and assurance professional’s review, examination and report. This subject matter can include the design or operation
of internal controls and management practices over any aspect of the enterprise, or compliance with privacy practices or
standards or specified laws and regulations.
Suitable Criteria
Criteria are the standards and benchmarks, such as COBIT 5, used to measure and present the subject matter and against which
the practitioner evaluates the subject matter. Criteria can be formal or less formal. There can be different criteria for the same
subject matter. Suitable criteria are required for reasonably consistent evaluation or measurement of a subject matter within
the context of professional judgment. Suitable criteria must have the necessary information quality goal attributes as defined in
the COBIT 5 Information model, in particular:
• Objectivity—Criteria should be free from bias.
• Measurability—Criteria should permit reasonably consistent measurements, qualitative or quantitative, of subject
matter.
• Understandability—Criteria should be communicated clearly and not be subject to significantly different
interpretations by intended users.
• Completeness—Criteria should be sufficiently complete so that those relevant factors that would alter a conclusion
about the subject matter are not omitted.
• Relevance—Criteria should be relevant to the subject matter.
Where criteria are established by management, assurance professionals must ensure that the scope covers what would normally
be considered appropriate based on generally accepted definitions of the scope of the subject matter, or identify any scope
limitations in their reports.
Execution
When undertaking an assurance activity, the audit and assurance professional eventually executes the assignment by following a
structured approach, dependent on other enablers, to reach a conclusion on the evaluation of the subject matter.
Conclusion
The process of evaluating the results of audit or assurance testing, after confirmation, to arrive at conclusions and
recommendations can be complex. What appears to be a problem may, in fact, be the effect of a problem, not the cause.
Therefore, it is important for the audit and assurance professional to follow the conclusion process, from confirming facts with
key individuals in the areas being audited to determining root causes. The individual findings can then be used to provide
examples that support higher-level analysis:
• Developing various scenarios leading to potential recommendations
• Selecting an appropriate recommendation that is practical and achievable
• Identifying steps necessary to ensure buy-in of key stakeholders
Indeed, audit and assurance professionals should obtain an adequate understanding of the subject matter and its business
environment. They should see the bigger picture, link the impact of the issues/findings to the overall organizational strategic
goals and objectives to tell “the story behind the story,” and communicate valuable insights. Executives are not very interested
in knowing the observations; they need to understand the insights behind the findings.
Recommendations resulting from the conduct of audit and assurance engagements may be reported in a separate report, not as
part of the audit or assurance report. The recommendations—which, as part of the reporting process require review and
agreement by management and the auditee or other stakeholders—should be presented in a clear, concise and actionable
manner. Reports to senior management and executives should address issues and concepts, with detailed audit findings used as
illustrations of the issue, problem or result. Reports to middle and line management should contain the same information, but
with a different level of detail, to allow them to fully understand the issue and handle the problem. Where appropriate,
recommendations should include provision for timely monitoring and follow-up.
The Assurance Function
The assurance function perspective has been adopted from COBIT 5 for Assurance.
The assurance function perspective describes what is needed in an enterprise to build and provide assurance functions. COBIT 5
is an end-to-end business framework, meaning that it considers the provisioning and use of assurance as part of the overall
governance and management of enterprise IT.
Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 5
The assurance function perspective describes how each enabler contributes to the overall provisioning of assurance, for
example:
• Which organizational structures are required to provide assurance (board/audit committee, audit function, etc.)
• Which information items are required to provide assurance (audit universe, audit plan, audit reports, etc.)
Core Assurance Processes
Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use
the enablers and management practices to satisfy needs and goals. It can be tailored and used, according to the discretion of the
management, toward achieving their goals and objectives.
The following figure depicts that, out of the 37 processes, the stakeholder (the auditor) can adapt the relevant processes
(borders shaded in black) and their underlying management practices, which shall assist in achieving the goals of the enterprise.
The processes comprised in the Monitor, Evaluate and Assess (MEA) domain of COBIT 5 can be regarded as the core assurance
processes required within every enterprise.
Process Identification – Reasoning
MEA01 Monitor, evaluate and assess performance and conformance.
This process covers the provisioning of transparency regarding performance and
conformance, and drives achievement of goals by:
• Collecting, validating and evaluating business, IT and process goals and
metrics
• Monitoring that processes are performing against agreed-on performance
and conformance goals and metrics
• Providing reporting that is systematic and timely
MEA02 Monitor, evaluate and assess the system of internal control.
This process covers obtaining transparency for key stakeholders on the adequacy of the
system of internal controls and thus providing trust in operations, confidence in the
achievement of enterprise objectives and an adequate understanding of residual risk
by:
• Continuously monitoring and evaluating the control environment, including
self-assessments and independent assurance reviews
• Enabling management to identify control deficiencies and inefficiencies and
initiate improvement actions
• Planning, organizing and maintaining standards for internal control
assessment and assurance activities
MEA03 Monitor, evaluate and assess compliance with external requirements.
This process ensures that the enterprise is compliant with all applicable external
requirements by:
• Evaluating that IT processes and IT-supported business processes are
compliant with laws, regulations and contractual requirements
• Obtaining assurance that the requirements have been identified and the
enterprise has complied with these requirements
• Integrating IT compliance with overall enterprise compliance
Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 32
As shown in the previous figure, the proposed assurance engagement approach refers explicitly to all COBIT 5 enabler
categories. The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use organizational structures,
as well as information items (inputs and outputs).
When developing the audit/assurance program, it will become clear that when all possible entities of all enablers are included in
the scope and reviewed in detail, there is potential for a lot of duplication. Avoiding duplication is up to the assurance
professional.
Generic Assurance Program
The assurance approach depicted in the previous figure is described in more detail and developed into a generic audit/assurance
program—including guidance on how to proceed during each step—in the remainder of this section.
This generic audit/assurance program is:
• Aligned with generally accepted auditing standards and practices, distinguishing among:
– Phase A—Planning and scoping the assurance engagement
– Phase B—Understanding the subject matter, setting suitable assessment criteria and performing the actual
assessment
– Phase C—Communicating the results of the assessment
• Fully aligned with COBIT 5:
– It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also
uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the
enablers.
– It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be
put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to
enterprise and IT risk and benefits.
• Comprehensive yet flexible:
– The generic program is comprehensive because it contains assurance steps covering all enablers in quite some
detail, yet it is also flexible because this detailed structure enables clear and well-understood scoping decisions
to be made. That is, the assurance professional can decide to not cover a set of enablers or some enabler
instances and, while the decision will reduce the scope and related assurance engagement effort, the issue of
what is or is not covered will be quite transparent to the assurance engagement user.
• Easy to understand, follow and apply because of its clear structure
RACI CHART
A responsibility assignment matrix, also known as RACI matrix, ARCI matrix or linear responsibility chart, describes the
participation by various roles in completing tasks or deliverables for a project or business process. The following RACI chart
explains the roles of the auditor in evaluating effective corporate IT governance. The processes explained in this chapter would
have to be executed keeping in mind the perspective of the roles in the following RACI chart.
Management Practice – Auditor
MEA01.01 Establish a monitoring approach. – C
MEA01.04 Analyze and report performance. – C
MEA01.05 Ensure the implementation of corrective actions. – C
MEA02.01 Monitor internal controls. – R
MEA02.02 Review business process controls effectiveness. – R
MEA02.03 Perform control self-assessments. – R
MEA02.04 Identify and report control deficiencies. – R
MEA02.06 Plan assurance initiatives. – C
MEA02.07 Scope assurance initiatives. – A
MEA02.08 Execute assurance initiatives. – A
MEA03.01 Identify external compliance requirements. – R
MEA03.02 Optimize response to external requirements. – R
MEA03.04 Obtain assurance of external compliance. – A
1. MEA01.01 Establish a monitoring approach.
Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for
measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the
corporate performance management system.
ACTIVITIES DETAILED ACTIVITIES
1. Engage with the stakeholders and communicate
the enterprise requirements and objectives for
monitoring, aggregating and reporting, using
common definitions (e.g., enterprise glossary,
metadata and taxonomy), baselining and
benchmarking.
2. Align and continually maintain the monitoring
and evaluation approach with the enterprise
approach and the tools to be used for data
gathering and enterprise reporting (e.g.,
business intelligence applications).
3. Agree on the goals and metrics (e.g.,
conformance, performance, value, and risk),
taxonomy (classification and relationships
between goals and metrics) and data (evidence)
retention.
4. Agree on a life cycle management and change
control process for monitoring and reporting.
Include improvement opportunities for
reporting, metrics, approach, baselining and
benchmarking.
5. Request, prioritize and allocate resources for
monitoring (consider appropriateness, efficiency,
effectiveness and confidentiality).
6. Periodically validate the approach used and
identify new or changed stakeholders,
requirements and resources.
The auditor needs to engage with the stakeholders toward
developing the objectives of monitoring, using common
definitions, baselining and benchmarking.
Further, on setting the previous objectives, the auditor needs
to ensure that monitoring and evaluation are done on a
continuous basis.
The auditor needs to ensure that the goals, metrics,
taxonomies and retention policies are agreed on, which shall
result in administrative efficiencies.
The auditor can review the policies on life cycle management
and change control, which may include improvement
opportunities for performance baselining and benchmarking.
The auditor should validate the approach periodically for
changes within the environment, which could be changes of
stakeholders, requirements and resources.
2. MEA01.04 Analyze and report performance.
Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT
performance and fits within the enterprise monitoring system.
ACTIVITIES DETAILED ACTIVITIES
1. Design process performance reports that are easy to
understand and tailored to the management needs.
Facilitate effective, timely decision-making (e.g.,
scorecards, traffic light reports) and ensure that the
cause and effect between goals and metrics are
communicated in an understandable manner.
2. Compare the performance values to targets and
benchmarks.
3. Recommend changes to the goals and metrics, where
appropriate.
4. Distribute reports to the stakeholders.
5. Analyze the cause of deviations against targets, initiate
remedial actions, assign responsibilities for
remediation, and follow up and search for root causes,
where necessary. Document the results of the events.
6. Where feasible, link achievement of performance
targets to the organizational reward compensation
system.
The auditor can assist in designing the performance reports
which are easy to understand and are tailored to the needs of
management in facilitating timely decision-making.
The reports should highlight the performance of the results
against the targets set.
Whenever a deviation from the desired results arises,
a root cause analysis should be performed to identify the real
cause, and appropriate action should be taken based on the findings.
The findings and corrective action should be well documented.
The auditor should ensure that the reports are made available
to the stakeholders in a timely manner.
3. MEA01.05 Ensure the implementation of corrective action.
Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.
ACTIVITIES DETAILED ACTIVITIES
1. Review management responses and recommendations
to address issues and major deviations.
2. Ensure that the assignment of responsibility for
corrective action is maintained.
3. Track the results of actions committed.
4. Report the results to the stakeholders.
The auditor should ensure that the recommendations have
been accepted and management responses have been
obtained.
The auditor should also ensure that the responsibility to take
corrective action is assigned to correct process owners.
In case there is any difference of opinion, the auditor should
report it to the stakeholders, i.e., board of directors.
4. MEA02.01 Monitor internal controls.
Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational
objectives.
ACTIVITIES DETAILED ACTIVITIES
1. Perform internal control monitoring and evaluation
of the activities based on organizational
governance standards and industry-accepted
frameworks and practices.
2. Consider independent evaluations of the internal
control system (e.g., by internal audit or peers).
3. Identify the boundaries of the IT internal control
system (e.g., consider how organizational IT
internal controls take into account outsourced
and/or offshore development or production
activities).
4. Ensure that control activities are in place and
exceptions are promptly reported, followed up and
analyzed, and appropriate corrective actions are
prioritized and implemented according to the risk
management profile (e.g., classify certain
exceptions as a key risk and others as a non-key
risk).
5. Maintain the IT internal control system,
considering ongoing changes in business and IT
risk, the organizational control environment,
relevant business and IT processes, and IT risk. If
gaps exist, evaluate and recommend changes.
6. Regularly evaluate the performance of the IT
control framework. Consider formal adoption of a
continuous improvement approach to internal
control monitoring.
7. Assess the status of external service providers’
internal controls and confirm that service providers
comply with legal and regulatory requirements and
contractual obligations.
The auditor should ensure that the internal controls are
monitored, for which compliance testing can be performed.
Exceptions, if any, should be identified and reported together
with their root causes.
The auditor needs to define his/her boundaries for internal
control systems for outsourced/offshore work during the
engagement process to ensure that the objectives of the
review are predefined and set.
The auditor should ensure that the control activities are in
place and that exceptions, if any, are analyzed and corrective
action is taken in a timely manner.
The auditor can assist management in benchmarking
performance against accepted best practices.
The auditor faces the challenge of maintaining the prerequisite
controls in a changing environment, which can be prone to
new risks. Gap analysis can be performed and
recommendations made for incorporating changes.
5. MEA02.02 Review business process controls effectiveness.
Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within
business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through
mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and
control centers, and network operations centers. This provides the business with the assurance of control effectiveness to
meet requirements related to business, regulatory and social responsibilities.
ACTIVITIES DETAILED ACTIVITIES
1. Understand and prioritize risk to organizational
objectives.
2. Identify key controls and develop a strategy
suitable for validating controls.
3. Identify information that will persuasively indicate
whether the internal control environment is
operating effectively.
4. Develop and implement cost-effective procedures
to determine that persuasive information is based
on the information criteria.
5. Maintain evidence of control effectiveness.
The auditor should prioritize the risks that may impact the
objectives of the organization.
The auditor should identify the key controls and develop
strategies to reduce the impact of risks.
The review should be well-defined and cost-effective to the
organization, and all the findings should be documented with
relevant evidences.
6. MEA02.03 Perform control self-assessments.
Encourage management and process owners to take positive ownership of control improvement through a continuing
program of self-assessment to evaluate the completeness and effectiveness of management’s control over processes,
policies and contracts.
ACTIVITIES DETAILED ACTIVITIES
1. Maintain plans and scope and identify evaluation
criteria for conducting self-assessments. Plan the
communication of results of the self-assessment
process to business, IT, general management, and
the board. Consider internal audit standards in the
design of self-assessments.
2. Determine the frequency of periodic self-
assessments, considering the overall effectiveness
and efficiency of ongoing monitoring.
3. Assign responsibility for self-assessment to
appropriate individuals to ensure objectivity and
competence.
4. Provide for independent reviews to ensure
objectivity of the self-assessment and enable the
sharing of internal control good practices from
other enterprises.
5. Compare the results of the self-assessments
against industry standards and good practices.
6. Summarize and report outcomes of self-
assessments and benchmarking for remedial
actions.
The auditor should ensure that management has developed
plans and procedures for conducting self-assessment and
communicate the results to management.
The auditor can assist in determining the frequency of periodic
self-assessments, considering the overall effectiveness and
efficiency of the monitoring process.
The auditor can assist in assigning responsibilities to
competent individuals to ensure objectivity is met for the
defined procedures.
The auditor can also provide independent reviews toward
setting good practices from the industry.
The results of the self-assessment can be pegged against the
industry standards and benchmarking standards can be set for
comparisons.
The auditor can ensure that the approach is consistent in
terms of measurability of performances.
7. MEA02.04 Identify and report control deficiencies.
Identify control deficiencies, analyze, and identify their underlying root causes. Escalate control deficiencies and report to
stakeholders.
ACTIVITIES DETAILED ACTIVITIES
1. Identify, report and log control exceptions, and
assign responsibility for resolving them and
reporting on the status.
2. Consider related enterprise risk to establish
thresholds for escalation of control exceptions and
breakdowns.
3. Communicate procedures for escalation of control
exceptions, root cause analysis, and reporting to
process owners and IT stakeholders.
4. Decide which control exceptions should be
communicated to the individual responsible for the
function and which exceptions should be escalated.
Inform affected process owners and stakeholders.
5. Follow up on all exceptions to ensure that agreed-
on actions have been addressed.
6. Identify, initiate, track and implement remedial
actions arising from control assessments and
reporting.
The auditor should identify and log exceptions and ensure that
process owners resolve them.
The auditor should define the thresholds for escalation of
identified exceptions and breakdowns of controls.
The auditor needs to ensure that he/she follows up on the
exceptions, which have been reported, and they have to be
addressed in a timely manner.
8. MEA02.06 Plan assurance initiatives.
Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and
sufficient knowledge of the enterprise.
ACTIVITIES DETAILED ACTIVITIES
1. Determine the intended users of the assurance
initiative output and the object of the review.
2. Perform a high-level risk assessment and/or
assessment of process capability to diagnose risk
and identify critical IT processes.
3. Select, customize and reach agreement on the
control objectives for critical processes that will be
the basis for the control assessment.
The auditor should first set the objective of the assurance
review and determine the intended users.
The auditor should then perform the risk assessment and
identify critical IT processes.
After the assessment is done, the auditor can define the
control objectives for the critical processes as identified, in
consultation with management.
9. MEA02.07 Scope assurance initiatives.
Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.
ACTIVITIES DETAILED ACTIVITIES
1. Define the actual scope by identifying the
enterprise and IT goals for the environment under
review, the set of IT processes and resources, and
all the relevant auditable entities within the
enterprise and external to the enterprise (e.g.,
service providers), if applicable.
2. Define the engagement plan and resource
requirements.
3. Define practices for gathering and evaluating
information from process(es) under review to
identify controls to be validated, and current
findings (both positive assurance and any
deficiencies) for risk evaluation.
4. Define practices to validate control design and
outcomes and determine whether the level of
effectiveness supports acceptable risk (required by
organizational or process risk assessment).
5. Where control effectiveness is not acceptable,
define practices to identify residual risk (in
preparation for reporting).
The auditor, in agreement with management, should decide
on the scope of the assurance function and accordingly plan
the audit to cover entities (including external service
providers, if agreed on) and IT processes.
The engagement plan can also have the resources defined for
the activity.
The audit plan should include the practices defined for
gathering and evaluating information, validating controls and
determining the levels of risk and whether the risks are
acceptable or not.
The auditor needs to identify residual risks where the control
effectiveness is not acceptable and report it to management.
10. MEA02.08 Execute assurance initiatives.
Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where
appropriate, and recommendations for improvement relating to identified operational performance, external compliance
and internal control system residual risk.
ACTIVITIES DETAILED ACTIVITIES
1. Refine the understanding of the IT assurance
subject.
2. Refine the scope of key control objectives for the IT
assurance subject.
3. Test the effectiveness of the control design of the
key control objectives.
4. Alternatively/additionally test the outcome of the
key control objectives.
5. Document the impact of control weaknesses.
6. Communicate with management during execution
of the initiative so that there is a clear
understanding of the work performed and
agreement on and acceptance of the preliminary
findings and recommendations.
7. Supervise the assurance activities and make sure
the work done is complete, meets objectives and is
of an acceptable quality.
8. Provide management with a report (aligned with the
terms of reference, scope and agreed-on reporting
standards) that supports the results of the initiative
and enables a clear focus on key issues and
important actions.
The auditor should execute the audit plan based on the
parameters set during the planning stage and test the
effectiveness of controls.
The auditor can refine the scope of key control objectives by
conducting alternative/additional tests.
The auditor should document the impact of control
weaknesses and communicate the findings and
recommendations with management.
The auditor should furnish a report to management on the
findings of the audit.
11. MEA03.01 Identify external compliance requirements.
On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external
requirements that must be complied with from an IT perspective.
ACTIVITIES DETAILED ACTIVITIES
1. Assign responsibility for identifying and monitoring
any changes of legal, regulatory and other external
contractual requirements relevant to the use of IT
resources and the processing of information within
the business and IT operations of the enterprise.
2. Identify and assess all potential compliance
requirements and the impact on IT activities in areas
such as data flow, privacy, internal controls,
financial reporting, industry-specific regulations,
intellectual property, health and safety. Consider the
impact of IT-related legal and regulatory requirements
on third-party contracts related to IT operations,
service providers and business trading partners.
3. Obtain independent counsel, where appropriate, on
changes to applicable laws, regulations and
standards.
4. Maintain an up-to-date log of all relevant legal,
regulatory and contractual requirements, their
impact and required actions.
5. Maintain a harmonized and integrated overall
register of external compliance requirements for the
enterprise.
The auditor can direct management to assign responsibility
to individuals to identify and monitor changes to legal,
regulatory and other contractual requirements relevant to IT.
The auditor should ensure that the potential compliance
requirements and the impact on IT activities of data flow,
privacy, internal controls, health and safety are identified.
The auditor can, if the need arises, ask management to
obtain legal opinion on changes to applicable laws,
regulations and standards.
The auditor should ensure that management maintains a
regular log of all relevant legal requirements, their impact
and desired actions.
12. MEA03.02 Optimize response to external requirements.
Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and
contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and good
practice guidance for adoption and adaptation.
ACTIVITIES DETAILED ACTIVITIES
1. Regularly review and adjust policies, principles,
standards, procedures and methodologies for their
effectiveness in ensuring necessary compliance and
addressing enterprise risk using internal and
external experts, as required.
2. Communicate new and changed requirements to all
relevant personnel.
The auditor should review and adjust the policies, standards
and principles to ensure that they are effective in ensuring
compliance and addressing risk.
The auditor should ensure that the changes made to the
requirements are communicated to the process owners in a
timely manner.
13. MEA03.04 Obtain assurance of external compliance.
Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and
methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.
ACTIVITIES DETAILED ACTIVITIES
1. Obtain regular confirmation of compliance with internal
policies from business and IT process owners and unit
heads.
2. Perform regular (and, where appropriate, independent)
internal and external reviews to assess levels of
compliance.
3. If required, obtain assertions from third party IT service
providers on levels of their compliance with applicable
laws and regulations.
4. If required, obtain assertions from business partners on
levels of their compliance with applicable laws and
regulations as they relate to intercompany electronic
transactions.
5. Monitor and report on non-compliance issues and,
where necessary, investigate the root cause.
6. Integrate reporting on legal, regulatory and contractual
requirements at an enterprise wide level, involving all
business units.
The auditor should, while discharging the assurance function,
obtain assertions/confirmation on compliance from
management for adherence to laws and regulations.
The assertions can also be obtained from third-party service
providers.
The auditor can then monitor and report on the
noncompliance of individual parties and initiate corrective
action.
The auditor can develop an integrated report involving all the
business units and submit the report to management.
SUMMARY
The concept of governance hinges on total transparency, integrity and accountability of the management and the board of
directors. The importance of governance lies in its contribution both to business prosperity and to accountability. Because COBIT
5 is a business framework for the governance and management of enterprise IT and a flexible framework, it can be used to
achieve governance, risk management and assurance requirements from the Indian context. The activities and implications
mentioned previously can be followed by the stakeholder according to his/her needs and situation. Governance is a means, not
an end; corporate excellence should be the end.
SECTION 3 – CHECKLISTS
This section consists of all of the checklists that have been drafted, keeping in mind all of the stakeholders targeted in this
publication. These checklists can be used by the stakeholder as an evaluation to check that the COBIT 5 processes that have
been implemented in their enterprise are compliant with the regulations with which the enterprise is bound to comply.
The checklists that have been included in this publication are illustrative and are not exhaustive.
CHECKLIST 1 – GENERAL CHECKLIST FOR GOVERNANCE
Sl. No Topic Checklist
1 Internal
Control—CARO
Internal control relating to purchase of inventory and fixed asset.
Is there a "continuing failure" in correcting any major weakness in the internal
controls relating to purchases?
Were these weaknesses communicated to management in earlier year(s)?
Are there previous year's working papers where the weakness was communicated
to management?
Internal control relating to sales of goods and services.
Is there a record of the system relating to sale of goods and services in our files?
Have we tested the system?
Is there a "continuing failure" in correcting any major weakness in the internal
controls relating to sale of goods and services?
Were these weaknesses communicated to management in earlier year(s)?
2 Whistle-blower
Policy
Does the audit committee consider whether management arrangements for
whistle-blowing are satisfactory?
Shall the company affirm that it has not denied access to the audit committee of
the company (in respect to matters involving alleged misconduct) and that it has
provided protection to "whistle-blowers" from unfair termination and other unfair
or prejudicial employment practices?
3 CEO/CFO
Certification
Have the CEO/CFO reviewed the balance sheet and profit and loss account and all
its schedules and notes on accounts, as well as the cash flow statements and the
directors’ report?
Have they established and maintained the internal control of the company?
4 Directors'
Responsibilities
Is the company in compliance with governance requirements under applicable law,
and has adequate internal control been established to ensure that:
reporting functions are adequate?
the company has in place insider trading restrictions?
each of the directors and the company’s shareholders are sufficiently informed
about the company’s operations and financial status, and concerns are dealt with
in a timely and effective manner?
the company has obtained a certificate from either the auditors or practicing
company secretaries regarding compliance of conditions of governance as
stipulated in this clause and annexure of the certificate with the directors’ report,
which is sent annually to all shareholders of the company? The same certificate
shall also be sent to the stock exchanges along with the annual returns filed by the
company.
CHECKLIST 2 – GENERAL CHECKLIST FOR RISK MANAGEMENT
Area Sl. No Question
Risk Management 1 Elements of risk have been identified or not?
2 Risk management policy has been developed or not?
3 Risk management policy has been implemented or not?
4 Risk management resources have been identified or not?
5 Resources to manage risk have been allocated efficiently and effectively or not?
6 Functioning of risk management system has been tested or not?
7 Frequency to review the system has been decided or not?
8 Procedures to review the system have been laid down or not?
CHECKLIST 3 – GENERAL CHECKLIST AUDIT AND ASSURANCE
Area Sl. No Question
Audit and Assurance 1 Internal auditor has been appointed or not?
2 Audit committee has been formed or not?
3 Statutory auditor has been appointed or not?
4 How often does management review and act on the work and observations of
the internal auditor?
5 How often does management review and act on the work and observations of
the audit committee?
6 How often does management review and act on the work and observations of
the statutory auditor?
7 Did they obtain a certificate from the auditors for compliance of conditions of
governance according to Clause 49?
8 Did they review the risk management policy and procedures?
9 Did they review the internal control policy and procedures?
10 Did they evaluate the adequacy of the risk management system?
11 How often do they evaluate the adequacy of the risk management system?
12 Did they evaluate the adequacy of the internal control system?
13 How often do they evaluate the adequacy of the internal control system?
14 Did they have a discussion with management regarding their work and
observations after reviewing and evaluation of risk management system?
15 Did they have discussion with management regarding their work and
observations after reviewing and evaluating the internal control system?
16 Does the auditor include the status on adequacy of internal control system and
risk management system in his or her audit report?
17 Does the auditor include the status on operating effectiveness of such controls
in his/her audit report?
18 Did they review the structure of internal audit department, staffing and
seniority of the official heading the department?
19 Did they review the reporting structure coverage for the internal audit?
20 Does the auditor certify the company for compliance of conditions of
governance as stipulated in Clause 49?
CHECKLIST 4 – COMPLIANCE WITH THE DATA PROTECTION AREAS OF THE INFORMATION
TECHNOLOGY ACT
Sl. No Area Question
1 Section 43A -- Applicability
of the act to body
corporate
1. Is the entity concerned a firm—sole proprietorship or partnership? A private limited
or public limited company? Or any other association of individuals (such as those
registered as a society or public trust or other organization)?
2. Does it possess, deal with or handle sensitive personal data?
3. Are such data in a computer resource?
4. Does the entity own, control or operate such a computer resource?
5. Is such firm, sole proprietorship or other association of individuals engaged in
commercial or professional activities?
2 Section 43A -- Reasonable
Security practices to be
included
1. Is it sensitive personal information?
2. Does any agreement specify protection from unauthorized access, etc.?
3. Does any sector-specific law specify such protection?
4. Is protection specified under the Central Government notified Rules issued on 11
April 2011 and titled "Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011"?
3 Section 43A -- Body
corporate’s obligations as
to privacy policy
1. Does the entity collect, receive, possess, store, deal with or handle personal
information (including sensitive personal data)?
2. Is the personal information made available under lawful contract?
3. Do we have a privacy policy?
4. Is the personal information available for viewing by the people who provide their
personal information?
4 Section 43A –
Compensation for failure
to protect data
1. Was the entity negligent in implementing and maintaining reasonable security
practices and procedures?
2. Was wrongful loss or wrongful gain caused to any person by such negligence?
5 Section 66 – Computer
Related Offences
1. Is there a mechanism in place to detect the computer-related offenses?
6 Section 66A – Punishment
for sending offensive
messages through
communication service,
etc.
1. What are the different communication modes of sending offensive messages?
2. Is there any mechanism to detect the sending of offensive messages through such
communication services?
7 Section 66B – Punishment
for dishonestly receiving
stolen computer resource
or communication device
1. Is there a mechanism in place to ensure that the stolen computer or resources are
returned or intimated?
8 Section 66C – Punishment
for identity theft
1. Is there any mechanism to track fraudulent or dishonest use of the electronic
signature, password or any other unique identification feature of any other person?
9 Section 66D – Punishment
for cheating by
personation by using
computer resource
1. Are the means of communication devices or resources available to cheat by
personation in the entity?
2. How are such fraudulent actions traced and tackled?
3. Is there any disciplinary committee to take action on such instances?
10 Section 66E – Punishment
for violation for privacy
1. Is there any policy mandating procedures to deal with violation of privacy?
2. What are the penal actions taken for such privacy breaches?
11 Section 66F – Punishment
for cyber terrorism
1. Is there any intent of threat to unity, integrity, security and sovereignty of India?
2. Is there any attempt to penetrate/access the computer resources?
3. Is there an attempt of unauthorized access?
12 Section 67C – Preservation
and Retention of
information by
intermediaries
1. Does the entity have in place appropriate information security policies?
2. Do such policies contain managerial, technical, operational and physical security
control measures?
3. Are such measures commensurate with the information assets being protected and
the nature of our business?
4. Is there in place a comprehensive information security program?
5. Is the information security program well documented?
6. Do we consistently implement such security practices and standards?
7. Can it be demonstrated, whenever called upon to do so by an agency mandated
under the law, that we have implemented security control measures as per our
documented information security program and policies?
13 Section 72A – Punishment
for Disclosure of
information in breach of
lawful contract
1. Does the entity have mechanisms in place to:
• Review all materials published by us?
• Check if any sensitive personal data are part of such materials?
• Mask or redact such sensitive personal data?
2. Does the entity obtain agreement from third parties with whom we share sensitive
personal data to forbid them from further disclosing such data?
3. Is there a mechanism in place to ensure the above?
CHECKLIST 5 – SAMPLE CHECKLIST FOR THE AUDITOR TO GAIN ASSURANCE ON THE CONTROLS THAT
ARE IN PLACE TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION (PII)
1. PLANNING AND SCOPING THE AUDIT
1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed
scope, subject to a later risk assessment.
1.2.1 Perform a high-level walk-through of the organization’s data privacy and PII-specific policies, including the organization’s
schema for data classification.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.2.1 Identify limitations and/or constraints affecting the audit.
1.3 Define assurance.
The review requires two sources of standards. The enterprise standards defined in the policy and procedure documentation
establish the enterprise’s expectations. At minimum, the enterprise standards should be implemented. The second source, a
good practice reference, establishes industry standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Determine whether COBIT 5 and the appropriate data privacy framework will be used as a good practice reference.
1.4 Identify and document risk.
The risk assessment is necessary to evaluate where audit resources should be focused. The risk-based approach assures
utilization of audit resources in the most effective manner.
1.4.1 Identify the data flow of PII and evaluate the effectiveness of the controls in place.
1.4.2 Identify the business risk associated with the failure to implement appropriate organization-wide data classification and
PII protection policies and procedures. Proper protection procedures include segregation of files containing PII on
separate servers or virtual local area networks (VLANs); access to such files and information is restricted to authorized
personnel only; and all access is logged, reviewed and monitored.
1.4.3 Identify the technology risk associated with the failure to implement appropriate electronic data protection, such as
encryption, data masking, tokenization, application logical security and general IT controls (antivirus, firewall, etc.), in an
appropriately secure fashion.
1.4.4 Determine whether a network security assessment and vulnerability modelling have been conducted recently and
specifically include network components where PII is received, processed and/or stored.
1.4.5 Determine whether all issues identified in the network security assessment and vulnerability modelling have been
addressed and appropriately remediated.
1.4.6 Based on risk assessment, identify changes to the scope.
1.4.7 Discuss the risk with business, IT and operational audit management, and adjust the risk assessment as appropriate.
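The following is an added example, not part of this publication or of any ISACA audit program, showing in code the kinds of technical controls that steps 1.4.2 and 1.4.3 ask the auditor to evaluate: data masking and tokenization of PII fields, and a review of an access log to confirm that access to PII files is restricted to authorized personnel. The record, the log lines, the user names, the "/pii/" path prefix and the log format are all constructed for the example; the tokenization key would in practice come from a key vault or HSM, not a source file.

```python
"""Added example (not from the publication): data masking, tokenization and
PII access-log review, the controls an auditor checks under 1.4.2 / 1.4.3.
Every value below (record, key, users, paths, log format) is constructed."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed: a record holding PII as it might sit in an application table.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Example Person",
    "pan": "ABCDE1234F",              # PAN-shaped value, constructed
    "phone": "9876543210",
    "email": "person@example.invalid",
}

# Constructed: tokenization secret. In production this lives in a vault/HSM.
TOKEN_KEY = b"constructed-demo-key-do-not-use"

# Constructed: files under this prefix are the segregated PII store (1.4.2).
PII_PATH_PREFIX = "/pii/"
AUTHORIZED_PII_USERS = {"asharma", "rkumar"}

# Constructed access-log lines in a made-up "key=value" format.
ACCESS_LOG = """\
2024-01-15T10:02:11Z user=asharma action=READ path=/pii/customers.csv
2024-01-15T10:05:43Z user=rkumar action=READ path=/pii/customers.csv
2024-01-15T10:07:02Z user=tmp_contractor action=READ path=/pii/customers.csv
2024-01-15T10:09:30Z user=asharma action=READ path=/reports/summary.txt
2024-01-15T10:11:55Z user=jdoe action=COPY path=/pii/kyc_scans/
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def mask_pii(record):
    """Data masking: keep only what a support screen needs (last 4 digits,
    initials, first letter of the e-mail local part) and hide the rest."""
    masked = dict(record)
    masked["pan"] = "X" * (len(record["pan"]) - 4) + record["pan"][-4:]
    masked["phone"] = "X" * (len(record["phone"]) - 4) + record["phone"][-4:]
    local, _, domain = record["email"].partition("@")
    masked["email"] = local[0] + "***@" + domain
    masked["name"] = " ".join(w[0] + "." for w in record["name"].split())
    return masked


def tokenize(value, key=TOKEN_KEY):
    """Tokenization: replace a PII value with a keyed (HMAC-SHA256) token.
    The same value always yields the same token, so joins across systems still
    work; without the key and the vault the token does not reveal the value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Constructed stand-in for a token vault: the only place a token maps
    back to its value, and detokenization is itself an authorized action."""

    def __init__(self, key=TOKEN_KEY):
        self._key = key
        self._store = {}

    def tokenize(self, value):
        token = tokenize(value, self._key)
        self._store[token] = value
        return token

    def detokenize(self, token, requester, authorized):
        if requester not in authorized:
            raise PermissionError(f"{requester} is not authorized to detokenize")
        return self._store[token]


def review_access_log(lines, authorized):
    """Review control for 1.4.2: every access under the PII prefix is counted per
    user, and any access by a user outside the authorized set is a finding."""
    findings = []
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real review would flag it separately
        if not m["path"].startswith(PII_PATH_PREFIX):
            continue
        counts[m["user"]] += 1
        if m["user"] not in authorized:
            findings.append({"ts": m["ts"], "user": m["user"],
                             "action": m["action"], "path": m["path"]})
    return findings, counts


if __name__ == "__main__":
    print("masked:", mask_pii(SAMPLE_RECORD))
    vault = TokenVault()
    print("token for PAN:", vault.tokenize(SAMPLE_RECORD["pan"]))
    findings, counts = review_access_log(ACCESS_LOG, AUTHORIZED_PII_USERS)
    print("PII accesses per user:", dict(counts))
    for f in findings:
        print("FINDING: unauthorized PII access:", f)
```

An auditor working through 1.4.2 and 1.4.3 would look for equivalents of each piece in the environment under review: masked views for users who only need partial data, a tokenization service whose key is not in application code and whose detokenize path is itself access-controlled and logged, and a periodic review of PII access logs against the current authorized list rather than against whoever had access when the log was set up.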
1.5 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating environment and associated risk, based
on the information life cycle of PII and other possible assessment activities. As further research and analysis are performed,
changes to the scope and approach may result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations
required.
1.6 Define assignment success.
Define the audit/review success factors and ensure appropriate and regular communication among the IT audit/assurance
team, other assurance teams, and the organization.
1.6.1 Identify the drivers for a successful review (this should exist in the audit/assurance function’s standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
1.7 Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine the audit/assurance skills necessary for the review.
1.7.2 Determine the estimated total resources (hours) and time frame (start and end dates), required for the review.
1.8 Define deliverables.
Deliverables include control evaluations, assessments, questionnaires, analysis of technical documentation supporting the
interim report (as applicable) and final report. Communication between the audit/assurance teams and the process owner is
essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses and
the final report.
1.9 Communicate.
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the executive(s) responsible for data privacy and
protection.
2. RISK MANAGEMENT
2.1 Risk Assessment
Audit/Assurance Objective: The protection of PII is subject to routine risk assessment processes.
2.1.1 PII Initial Risk Assessment
Control: Management evaluated the risk associated with maintenance of PII.
2.1.1.1 Verify that there is an inventory of PII held, with justification, retention period, classification and security
requirements.
2.1.1.2 Determine whether a recent risk assessment relating to PII has been performed that includes the organization’s PII
data classification and inventory.
2.1.1.3 If so, determine whether the risk assessment scope was adequate to support the organization’s PII inventory and
associated inherent risk.
2.1.1.4 Determine whether the compliance requirements relating to PII have been determined and documented for every
relevant legal jurisdiction and industry-standard.
2.1.1.5 Obtain and review risk assessment documentation and determine that PII and data privacy policies and procedures are
adequate to support the PII protection program and appropriately protect the organization as required.
2.1.1.6 Obtain and review board minutes or other documentation to support the approval of the risk assessment.
2.1.2 PII Continuing Risk Assessment
Control: A risk assessment is performed and approved by management where significant changes are initiated in the PII or
data privacy programs or to reaffirm the previous risk assessment.
2.1.2.1 Determine whether subsequent risk assessments have been performed after the initial risk assessment.
2.1.2.2 Obtain and review the risk assessment documentation, if available, to determine whether the risk assessment scope is
adequate to support the changes in the PII or data privacy programs that continue to protect the organization as appropriate.
3. POLICIES
3.1 Policies
Audit/Assurance Objective: Policies supporting PII protection initiatives have been defined, documented, implemented and
maintained.
3.1.1 Third Parties
Control: Agreements with third parties relating to PII are properly enforced.
3.1.1.1 Check whether there are any agreements with external customers or clients regarding retention, classification and
security of PII.
3.1.1.2 If so, verify that the corresponding third-party PII is subject to the same restrictions and protections (see below) as the
organization’s own PII.
3.1.2 Employee PII Agreement
Control: The employee agreement clearly defines the responsibilities of the company and employee when handling or
processing PII.
3.1.2.1 Verify that employees must sign the PII agreement before being granted access to PII.
3.1.2.2 Verify that, as an awareness technique, employees must review and sign the PII agreement annually.
3.1.2.3 Review the employee PII agreement for the following:
· Employee is aware of the sensitivity of PII
· Employee is aware of the organization’s policies and procedures for classifying and handling PII
· Employee is required to undergo training, at or near orientation/onboarding, in the handling, storage and processing of PII
· Employee must immediately report any incident of lost, stolen or compromised PII that comes to their attention
· Employee is aware of the appropriate channels for reporting PII-related incidents
· Employee is aware of the procedures required for a PII-related incident
· Employee will exercise reasonable care when handling PII
· Employee will subscribe to organizational use policies related to PII
· Employee will subscribe to organizational data security policies
· Employee will abide by the updated PII agreement when revised and distributed
· The organization may impose disciplinary action (up to and including termination) for infringement of policies relating to
PII
3.1.2.4 Determine that all employees have signed their acceptance of the employee agreement.
3.1.2.5 Determine the date of the last PII employment agreement revision.
3.1.2.6 Select a sample of employees with access to PII, stored in both electronic and hard copy forms. Include employees of
varying job functions and titles in the sample. Obtain their PII employee agreements and determine that each agreement is:
· The most current employee agreement
· Signed and dated
· Amended if revisions have been instituted since the previous signed document
3.1.3 PII Acceptable Use and Handling Policy
Control: The employee must adhere to the organization's PII Acceptable Use and Handling Policy.
3.1.3.1 Obtain and review the PII Acceptable Use and Handling Policy.
3.1.3.2 Determine that all employees and relevant third parties (e.g., consultants) have been made aware of the policy, e.g.,
through formal training at orientation with regular refreshes.
3.1.3.3 Determine the date of the last revision to the policy.
3.1.3.4 Select a sample of employees with access to PII. Include employees of varying job functions and titles in the sample.
3.1.3.5 Obtain their signed acknowledgements of the policy and determine that each one:
· Refers to the most current version of the policy
· Is signed and dated
· Has been suitably amended if revisions have been instituted since the previous signed document
3.1.4 Human Resources (HR) Support for PII
Control: PII handling, processing, and storing processes are integrated into HR services, policies and compliance.
3.1.4.1 Determine whether the HR function is responsible for initial and annual signing of Employee PII and PII Acceptable Use
and Handling Policy documents.
3.1.4.2 Determine whether HR onboarding procedures include signing of Employee PII and Acceptable Use and Handling Policy
statements.
3.1.4.3 Determine whether background checks are carried out and references taken for all employees with access to PII.
3.1.4.3.1 Select a sample of new employees with access to PII. Determine if the employees had signed the appropriate
documents.
3.1.4.4 Determine whether HR has a current list of employees with access to PII, to ensure termination procedures include PII
exit procedures.
3.1.4.5 Obtain the PII participant list. Select a sample and determine whether the names on the list are current employees.
3.1.4.6 Obtain the list of recently terminated employees. Verify that terminated employees are not on the PII participant list.
3.1.4.7 Determine how HR manages the transfer of PII participants to other divisions or locations. Prepare appropriate audit
test procedures to satisfy the audit objective.
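The reconciliation called for in steps 3.1.4.4 to 3.1.4.6 can be scripted when HR and the owner of the PII store can export their lists. The following is an added example and is not part of this publication: it assumes hypothetical CSV extracts (the column names employee_id, account and last_certified, and a 180-day recertification cycle, are assumptions) and uses constructed sample records. It flags terminated employees who are still on the PII participant list, accounts HR does not recognise (including service accounts), and accounts whose access has not been recertified within the assumed cycle.

```python
"""Reconcile the PII participant (access) list against HR records.

Added example for audit steps 3.1.4.4 to 3.1.4.6 of this program; not part of the
ISACA text. The CSV layouts, column names and the 180-day recertification cycle
are assumptions, and all records below are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed HR extract of current employees (hypothetical columns).
HR_ACTIVE_CSV = """employee_id,name,department
E001,Asha Rao,Finance
E002,Vikram Shah,HR
E003,Meera Iyer,IT
E004,Rahul Desai,Finance
"""

# Constructed HR extract of employees terminated in the review period.
HR_TERMINATED_CSV = """employee_id,name,termination_date
E005,Priya Nair,2024-03-31
E006,Arjun Mehta,2024-05-15
"""

# Constructed PII participant list: every account with access to the PII store
# and the date its access was last certified by the data owner.
PII_ACCESS_CSV = """account,employee_id,name,last_certified
arao,E001,Asha Rao,2024-06-01
miyer,E003,Meera Iyer,2024-06-01
pnair,E005,Priya Nair,2023-12-01
svc_report,,Reporting service,2023-10-01
jdoe,E999,John Doe,2024-06-01
"""


@dataclass
class Findings:
    """Exceptions an auditor would raise from the reconciliation."""
    terminated_with_access: list = field(default_factory=list)  # (account, employee_id, termination_date)
    unknown_to_hr: list = field(default_factory=list)           # (account, employee_id or "<none>")
    stale_certification: list = field(default_factory=list)    # (account, last_certified)


def load(csv_text):
    """Parse a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(active_csv, terminated_csv, access_csv, as_of, max_cert_age_days=180):
    """Compare the PII access list with HR's active and terminated lists as of `as_of` (ISO date)."""
    review_date = date.fromisoformat(as_of)
    active = {r["employee_id"] for r in load(active_csv)}
    terminated = {r["employee_id"]: r["termination_date"] for r in load(terminated_csv)}
    findings = Findings()
    for row in load(access_csv):
        emp = row["employee_id"].strip()
        if emp in terminated:
            # Exit procedures failed: access survived the termination (3.1.4.6).
            findings.terminated_with_access.append((row["account"], emp, terminated[emp]))
        elif emp not in active:
            # Service accounts (blank employee_id) and ids HR has never seen both land
            # here; each needs a named owner and a justification (3.1.4.5).
            findings.unknown_to_hr.append((row["account"], emp or "<none>"))
        certified = date.fromisoformat(row["last_certified"])
        if (review_date - certified).days > max_cert_age_days:
            findings.stale_certification.append((row["account"], row["last_certified"]))
    return findings


if __name__ == "__main__":
    result = reconcile(HR_ACTIVE_CSV, HR_TERMINATED_CSV, PII_ACCESS_CSV, "2024-07-01")
    for name, items in vars(result).items():
        print(f"{name}: {items}")
```

Run against the constructed data, the script reports pnair (terminated 2024-03-31, still on the list and last certified in 2023), the svc_report service account and jdoe as unknown to HR, and two stale certifications. Each finding maps to an exception under 3.1.4.5 or 3.1.4.6 that the auditor then traces to HR's termination and transfer procedures.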
3.1.4.8 Determine whether disciplinary policies and supporting processes are in effect for violations of the PII and Acceptable
Use and Handling policy, including:
· Established and publicized disciplinary action for infringements
· Uniform application of disciplinary action policy
3.1.4.9 Evaluate the effectiveness of disciplinary policies.
3.1.4.10 Determine whether disciplinary policies are applied uniformly, considering staff, middle management and senior
management in your evaluation.
3.1.4.11 Determine whether violations are recorded in a disciplinary system.
3.1.4.12 If a disciplinary system exists, select a sample of incidents, determine the disciplinary action and evaluate if policy is
followed.
3.1.4.13 If no disciplinary system exists, determine how disciplinary actions are managed.
3.1.4.14 Determine how policies and execution of policies are aligned with governmental and other regulatory rules to avoid
fines, legal action or other penalties for noncompliance.
3.1.4.15 Evaluate PII employee policies and determine if additional controls, policies or procedures are required to protect
organizational assets, including monitoring and logging of access and restriction of data download capability.
3.1.5 Contractors
Control: Contractors and other third parties have only restricted access to PII when connecting to the organization’s network.
3.1.5.1 Determine the policies in effect to permit third parties, e.g., contractors and customers, to utilize organizational IT
resources, while protecting organizational assets and intellectual property from unauthorized access.
3.1.5.2 Determine that a clear definition exists of the types of information not to be made accessible to third parties, such as
contractors.
3.1.5.3 Evaluate the effectiveness of PII and data privacy controls upon third-party access. Such access should be closely
monitored and logged. Restriction of data download should be considered.
4. LEGAL
4.1 Legal Issues
Audit/Assurance Objective: PII policies and procedures comply with legal requirements and minimize the organization’s
exposure to legal actions.
4.1.1 Legal Involvement in PII Policies and Procedures
Control: Legal counsel with appropriate knowledge and experience has reviewed and approved the organization’s PII policies
and procedures.
4.1.1.1 Determine whether legal counsel has reviewed and approved legal issues relating to PII policies and procedures.
Consider:
· The various geographic and national jurisdictions, as well as industry mandates, with bearing on the organization’s controls
and security over PII
· Legal discovery on employee-owned mobile devices, e.g., smartphones and tablet computers.
4.1.1.2 Obtain evidence of legal counsel’s review and approval.
4.1.1.3 Determine that the most recent legal review covers all recent changes in PII legislation, industry mandates and
organizational policies/procedures.
5. GOVERNANCE
5.1 Governance
Audit/Assurance Objective: Handling of PII is subject to oversight and monitoring by management.
5.1.1 PII Oversight
Control: A formal PII/privacy oversight committee is in place with responsibility for all aspects of PII handling, storage,
processing and protection.
5.1.1.1 Determine that a senior management-level committee exists to oversee PII and data privacy.
5.1.1.2 Determine that the PII/data privacy committee has representatives from senior management, legal, HR, PR and lines of
business.
5.1.1.3 Determine from minutes and documentation that the PII/data privacy committee meets regularly (at least quarterly).
5.1.1.4 Determine from documentation that the PII/data privacy committee reports to the highest level of the organization.
5.1.1.5 Determine that the PII/data privacy committee performs at least the following:
· Defines policy and procedures relating to PII
· Ensures that PII policy and procedures are in line with changes in the environment, e.g., changes to legislation or industry
mandates
· Is directly involved in all incidents relating to loss or compromise of PII, including reporting to the board and to relevant
authorities, public relations, financial budgets for resolving issues, etc.
5.1.2 Policy Approval
Control: PII and data privacy policy has been approved by executive management.
5.1.2.1 Determine the reporting structure of the PII approval process and evaluate whether the approval process included
affected business units that collect, handle, process, store or dispose of PII.
5.1.2.2 Obtain the minutes of the meeting and other documentation used to evaluate the approval process.
5.1.3 Monitoring PII Execution
Control: Executive management receives regularly scheduled status reports on PII issues, adherence to policy and exceptions.
5.1.3.1 Verify that formal measures are in place to monitor the use and processing of PII.
5.1.3.2 Obtain executive management status reports for PII.
5.1.3.3 Determine the frequency with which management receives status reports.
5.1.3.4 Determine the contents of the status report, including:
· PII-related incidents with relevant ongoing status
· Follow-up and disposition
6. TRAINING
6.1 User Awareness and Training
Audit/Assurance Objective: Users with access to PII attend initial orientation awareness training with periodic training on a
regular schedule (at least annually or when significant policy or procedure changes are implemented).
6.1.1 Initial Training
Control: PII users are required to attend initial training on PII and data privacy policy, acceptable use and support procedures.
6.1.1.1 Obtain the training resources used in initial training.
6.1.1.2 Evaluate the completeness of the training program. Ensure it addresses all policy issues identified in the policy section
of this audit program.
6.1.1.3 Determine that users with access to, or responsible for, PII have attended the session(s).
6.1.1.4 Select a sample of PII users at all organizational levels and business units. Inspect attendance logs and other
documentation to determine whether the selected users have completed required training.
6.1.2 Security and Awareness Training
Control: Security awareness and periodic training are required and conducted at least annually.
6.1.2.1 Obtain the PII and data privacy awareness program. Perform the following steps.
6.1.2.2 Determine that the program continues to address adequately the handling of PII and defines appropriate security
policies.
6.1.2.3 Determine the requirement for attendance at training programs.
6.1.2.4 Select a sample of PII users; determine the frequency of attendance.
6.1.2.5 Determine the percentage of PII users who have attended the subsequent training program.
6.1.2.6 Evaluate the effectiveness of the training program, based on historical metrics, e.g., numbers of PII handling incidents
or procedure failures per period.
7. PII-RELATED INFORMATION SECURITY
7.1 PII-related Information Security Controls
Audit/Assurance Objective: Information security policy and procedures specifically address the technical aspects of data
privacy and protection of PII.
7.1.1 Information Security Policy Addresses PII
Control: The organization’s Information Security policy addresses the special needs of data privacy and PII.
7.1.1.1 Obtain a copy of the organization’s current Information Security policy and determine that it addresses the technical IT
aspects related to processing, storing, disposing of and managing PII.
7.1.1.2 Determine that the Network Security Policy requires the highest levels of technical security when processing or storing
PII, including encryption of PII both at rest and in transit across networks, strong authentication (preferably two-factor) to
access databases and files containing PII, appropriate data classification, formal key management for handling
encryption/decryption keys, etc.
7.1.1.3 If the organization develops its own application software (on any platform), obtain a copy of the organization’s current
system development life cycle (SDLC) standards document and policy and determine that it addresses the security
requirements for software that will process PII.
7.1.1.4 Determine that the organization’s SDLC standards require all applications that process PII to pass formal vulnerability
testing before deployment into production.
7.1.1.5 Determine that assessments are performed to identify and remediate vulnerabilities in new and existing code, relevant
to protection of PII.
7.1.1.6 Select a sample of new applications and maintenance on preexisting applications.
7.1.1.7 Obtain copies of the relevant vulnerability assessments.
7.1.1.8 Determine that the assessments were completed and all material vulnerabilities were remediated before the
corresponding code was deployed into production.
7.1.2 Network Security Addresses the Needs of PII
Control: Networks that process PII meet the organization’s highest levels of technical security.
7.1.2.1 Select a sample of networks (or all networks, if possible) and obtain the corresponding network architecture diagrams.
7.1.2.1.1 Determine that each network in the sample has been secured to the organization’s highest security level, including
the following:
· Encryption of all in-flight PII, using transport layer security (TLS) or virtual private networks (VPNs); the legacy Secure
Sockets Layer (SSL) protocol versions are deprecated and should be disabled
· Encryption of all at-rest databases which store PII, using AES (3DES is deprecated and should be phased out)
· Strong authentication (preferably two-factor) procedures before any user is permitted to access PII
· All networks containing PII are isolated from non-PII networks, using firewalls, VLANs, or dedicated networks
· All networks containing PII are in scope of operational intrusion detection systems (IDSs)/intrusion prevention systems (IPSs)
· Formal authorization on a strictly need-to-know basis
· Regular security reviews and penetration studies of networks containing PII, by external and internal groups
7.1.2.2 Obtain copies of the reports from recent security reviews, audit reports, and penetration studies of a sample of
networks containing PII and determine, by review of documentation, that the following occurred in a timely manner:
· Identified vulnerabilities were remediated
· Vulnerabilities were reported to both the Data Privacy/Protection committee and to senior business management
· Any recommendations were addressed
· Reasons were provided for all exceptions, i.e., where recommendations were not addressed
· Measures are in place to mitigate the risk identified
7.1.3 IT Identifies all Systems That Process PII and the Locations Thereof
Control: IT has a set of operational procedures to identify the location of PII in all systems.
7.1.3.1 Obtain a copy of IT’s relevant procedures for locating PII in existing and new systems.
7.1.3.2 Determine that IT has an effective ongoing process to identify the presence of PII in databases and flat files.
7.1.3.3 Determine whether IT possesses software tools to scan databases and flat files (including emails, text documents,
spreadsheets, etc.) for the presence, or likelihood, of PII. Such tools often report the statistical likelihood that columns in
databases or text contain PII such as social security numbers or debit/credit card numbers.
7.1.3.4 Obtain copies of reports from the above scanning tools and determine that the presence of unexpected PII was
suitably remediated (i.e., either by removing the PII or by ensuring appropriate protection in accordance with the
organization’s data privacy/protection standards).
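Step 7.1.3.3 describes tools that estimate how likely a column is to hold PII. The following added example, which is not part of this publication, shows the core of such a scanner in Python: per-value pattern checks for US social security numbers and payment card numbers (the card check applies the Luhn checksum so that arbitrary digit strings are not flagged), aggregated into a per-column likelihood. Given the Indian context of this guidance it also checks for the Permanent Account Number (PAN) format, which goes beyond the identifiers the step names. The column names, the 0.5 reporting threshold and all sample rows are constructed assumptions.

```python
"""Estimate which columns of a tabular extract hold PII.

Added example for step 7.1.3.3; not part of the ISACA text. Patterns cover US
social security numbers, Indian Permanent Account Numbers (PAN) and payment card
numbers. Column names, threshold and sample rows are constructed assumptions.
"""
import csv
import io
import re
from collections import defaultdict

# US SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA assignment rules).
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
# Indian income-tax PAN: five letters, four digits, one letter.
PAN_RE = re.compile(r"^[A-Z]{5}\d{4}[A-Z]$")
# Payment card account number after separators are removed: 13 to 19 digits.
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits):
    """Luhn check: every second digit from the right is doubled (minus 9 if the result exceeds 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value):
    """Return 'ssn', 'pan' or 'card' for a value that looks like that kind of PII, else None."""
    v = value.strip()
    if not v:
        return None
    if SSN_RE.match(v):
        return "ssn"
    if PAN_RE.match(v.upper()):
        return "pan"
    digits = re.sub(r"[ -]", "", v)
    if CARD_RE.match(digits) and luhn_ok(digits):
        return "card"
    return None


def score_columns(csv_text):
    """Map each column with at least one non-empty value to (most frequent PII type, share of
    non-empty values matching it); columns with no matches get (None, 0.0)."""
    hits = defaultdict(lambda: defaultdict(int))
    nonempty = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, val in row.items():
            if val is None or not val.strip():
                continue
            nonempty[col] += 1
            kind = classify(val)
            if kind:
                hits[col][kind] += 1
    scores = {}
    for col, n in nonempty.items():
        if hits[col]:
            kind, count = max(hits[col].items(), key=lambda kv: kv[1])
            scores[col] = (kind, round(count / n, 2))
        else:
            scores[col] = (None, 0.0)
    return scores


def suspect_columns(csv_text, threshold=0.5):
    """Columns whose likelihood meets the reporting threshold; these go on the remediation list (7.1.3.4)."""
    return {c: s for c, s in score_columns(csv_text).items() if s[1] >= threshold}


# Constructed sample extract. card_ref mixes valid test card numbers with one that fails
# Luhn; tax_ref has one malformed PAN; gov_id has one SSN and two values in never-issued ranges.
SAMPLE_CSV = """cust_id,name,card_ref,invoice,tax_ref,gov_id
1001,Asha Rao,4111 1111 1111 1111,INV-2024-0001,ABCDE1234F,
1002,Vikram Shah,5500 0000 0000 0004,INV-2024-0002,FGHIJ5678K,123-45-6789
1003,Meera Iyer,4111 1111 1111 1112,INV-2024-0003,lmnop9012q,987-65-4320
1004,Rahul Desai,3782 822463 10005,INV-2024-0004,QRSTU34567,000-12-3456
"""

if __name__ == "__main__":
    for col, (kind, likelihood) in score_columns(SAMPLE_CSV).items():
        print(f"{col:10s} {kind or '-':5s} {likelihood:.2f}")
```

On the constructed extract, card_ref and tax_ref score 0.75 and are reported, while gov_id scores 0.33 because two of its three values fall in ranges the SSA never issues, and the invoice column scores 0.0 even though it is numeric-looking. A likelihood rather than a binary flag is what lets the auditor in 7.1.3.4 distinguish a column that genuinely holds card numbers from a reference-number column that happens to pass a checksum once.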
7.2 PII-related Compliance Requirements
Audit/Assurance Objective: Compliance with statutes and industry requirements, especially international ones, covers PII-related
issues.
7.2.1 IT Is Aware of PII Compliance Requirements
Control: Individuals in IT, in cooperation with privacy and legal professionals, are responsible for ensuring that IT systems
comply with all relevant PII-related statutes (e.g., jurisdictional data privacy laws) and industry requirements (e.g., those
required for credit card or health care processing).
7.2.1.1 By discussion and review of relevant documentation, identify individuals in IT with responsibility for PII compliance of
IT systems.
7.2.1.2 Determine that these individuals have appropriate levels of experience and training in PII compliance issues.
7.2.1.3 Where relevant, obtain copies of recent reports after external compliance reviews.
7.2.1.4 Determine that the IT specialists were involved with the reviews and that they followed relevant findings through to
full remediation (i.e., “clean” reports).
7.3 Incident Response and Reporting
Audit/Assurance Objective: The organization’s incident response and reporting process meets the requirements for PII-related
incidents, e.g., after loss or compromise of PII.
7.3.1 PII-related Incident Management
Control: The organization’s standard, documented incident response and reporting process specifically includes PII-related
incidents and any special procedures for PII, such as reporting the loss of PII to the individuals concerned or to designated law
enforcement authorities as required by local legislation.
7.3.1.1 Obtain a copy of the organization’s incident response and reporting procedure document and determine that it
addresses any special needs related to compliance with PII-related laws or industry requirements. This may require
consultation with appropriate legal counsel to identify all relevant in-scope legislation or industry requirements.
7.3.1.2 Obtain a copy of a recent incident response report, or if no such incident has occurred recently, a copy of a recent
incident response test, and determine that all relevant PII-related procedures were properly carried out.

More Related Content

PDF
Control and audit of information System (hendri eka saputra)
PPT
Technology Auditing, Assurance, Internal Control
PPTX
Internal Financial Controls
PDF
Chapter 7
PDF
Chapter 7
PPT
A Paradigm Shift in Audit Process
PDF
Internal controls in an IT environment
PPTX
Fundamentals of Information Security Audit.pptx
 
Control and audit of information System (hendri eka saputra)
Technology Auditing, Assurance, Internal Control
Internal Financial Controls
Chapter 7
Chapter 7
A Paradigm Shift in Audit Process
Internal controls in an IT environment
Fundamentals of Information Security Audit.pptx
 

Similar to Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance (20)

PPT
Internal control 1_ricc_revised
PPTX
ICAB - ITK Chapter 5 Set 1 - Internal Control in IT Systems
DOCX
Mf0013 & internal audit & control
PPTX
01.1. Internal Control System_Oct'21.pptx
DOCX
Mf0013 & internal audit & control
DOCX
Mf0013 & internal audit & control
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
PPT
Finance Internal_Controls presentation ppt
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
PPT
FIN-Internal_Controls_Primer_Presentation.ppt
PPTX
Internal Control for Co-ops
PPTX
21st Annual Legal & Accounting Institute: Putting Internal Controls in Place
 
DOCX
Mf0013 & internal audit & control
DOCX
Mf0013 & internal audit & control
PPTX
Continuous Controls Monitoring: Putting Controls in Place is Not Enough
PDF
Internal control
PPTX
Lecture 17 sas framework internal control - james a. hall book chapter 3
PDF
Internal Financial Controls
DOCX
Mf0013 & internal audit & control
Internal control 1_ricc_revised
ICAB - ITK Chapter 5 Set 1 - Internal Control in IT Systems
Mf0013 & internal audit & control
01.1. Internal Control System_Oct'21.pptx
Mf0013 & internal audit & control
Mf0013 & internal audit & control
FIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.ppt
Finance Internal_Controls presentation ppt
FIN-Internal_Controls_Primer_Presentation.ppt
FIN-Internal_Controls_Primer_Presentation.ppt
Internal Control for Co-ops
21st Annual Legal & Accounting Institute: Putting Internal Controls in Place
 
Mf0013 & internal audit & control
Mf0013 & internal audit & control
Continuous Controls Monitoring: Putting Controls in Place is Not Enough
Internal control
Lecture 17 sas framework internal control - james a. hall book chapter 3
Internal Financial Controls
Mf0013 & internal audit & control
Ad

More from Bharath Rao (20)

PPTX
AI Unpacked: Unlocking AI's True Potential
PPTX
Let the games begin - Insights into the Gaming Industry
PPTX
Going global while being local
PDF
The Next Gen Auditor - Auditing through technological disruptions
PPTX
Big data, Machine learning and the Auditor
PPTX
Base Erosion and Profit Shifting
PPTX
Chartered Accountant going Global
PPTX
Forex markets
PPTX
Internal Controls over Financial Reporting in the Indian Context
PPTX
Big Data Analytics and a Chartered Accountant
DOCX
IS Audits and Internal Controls
DOCX
Cloud Computing - Emerging Opportunities in the CA Profession
DOCX
Internal Controls over Indian Financial Reporting
DOCX
Big data - The next best thing
PPTX
Physical and logical access controls - A pre-requsite for Internal Controls
PPTX
Standards of Auditing - Introduction and Application in the Indian Context
PPTX
Life of the software - SDLC
DOCX
The CIA Triad - Assurance on Information Security
PPTX
IS Audit and Internal Controls
PPTX
Business Continuity Planning
AI Unpacked: Unlocking AI's True Potential
Let the games begin - Insights into the Gaming Industry
Going global while being local
The Next Gen Auditor - Auditing through technological disruptions
Big data, Machine learning and the Auditor
Base Erosion and Profit Shifting
Chartered Accountant going Global
Forex markets
Internal Controls over Financial Reporting in the Indian Context
Big Data Analytics and a Chartered Accountant
IS Audits and Internal Controls
Cloud Computing - Emerging Opportunities in the CA Profession
Internal Controls over Indian Financial Reporting
Big data - The next best thing
Physical and logical access controls - A pre-requsite for Internal Controls
Standards of Auditing - Introduction and Application in the Indian Context
Life of the software - SDLC
The CIA Triad - Assurance on Information Security
IS Audit and Internal Controls
Business Continuity Planning
Ad

Recently uploaded (20)

PDF
How to Get Funding for Your Trucking Business
PDF
Unit 1 Cost Accounting - Cost sheet
PPTX
HR Introduction Slide (1).pptx on hr intro
PDF
MSPs in 10 Words - Created by US MSP Network
PDF
IFRS Notes in your pocket for study all the time
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
PDF
Reconciliation AND MEMORANDUM RECONCILATION
PPTX
ICG2025_ICG 6th steering committee 30-8-24.pptx
PPT
Chapter four Project-Preparation material
PDF
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
PPTX
Probability Distribution, binomial distribution, poisson distribution
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
PPT
340036916-American-Literature-Literary-Period-Overview.ppt
PDF
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
PDF
How to Get Business Funding for Small Business Fast
PDF
A Brief Introduction About Julia Allison
DOCX
Euro SEO Services 1st 3 General Updates.docx
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
PDF
WRN_Investor_Presentation_August 2025.pdf
How to Get Funding for Your Trucking Business
Unit 1 Cost Accounting - Cost sheet
HR Introduction Slide (1).pptx on hr intro
MSPs in 10 Words - Created by US MSP Network
IFRS Notes in your pocket for study all the time
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Reconciliation AND MEMORANDUM RECONCILATION
ICG2025_ICG 6th steering committee 30-8-24.pptx
Chapter four Project-Preparation material
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
Probability Distribution, binomial distribution, poisson distribution
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
340036916-American-Literature-Literary-Period-Overview.ppt
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
How to Get Business Funding for Small Business Fast
A Brief Introduction About Julia Allison
Euro SEO Services 1st 3 General Updates.docx
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
WRN_Investor_Presentation_August 2025.pdf

Internal Controls for Indian Financial Reporting using COBIT 5 based Guidance

  • 1. Guidance to Validate Internal Control Assertions in Indian Financial Reporting
  • 2. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 1 TABLE OF CONTENTS Acknowledgements ....................................................................................................................................................................... 3 Section 1 – Executive Summary.......................................................................................................................................................... 4 Need for This publication ............................................................................................................................................................... 4 Objective Statement....................................................................................................................................................................... 5 Identified Stakeholders .................................................................................................................................................................. 5 An Introduction to This document ................................................................................................................................................. 5 Benefits Derived From This Document........................................................................................................................................... 7 Approach to This publication.......................................................................................................................................................... 8 An Example of How to Read the Document................................................................................................................................. 10 References for the Publication ..................................................................................................................................................... 
17 Section 2 – Detailed Publication ....................................................................................................................................................... 18 Definitions .................................................................................................................................................................................... 18 Chapter 1 - Governance and Risk Management in India – Regulatory Requirements to Comply With Indian Regulations ........ 22 Governance.............................................................................................................................................................................. 22 Risk Management..................................................................................................................................................................... 24 Assurance................................................................................................................................................................................. 25 Information Technology Act, 2000 (as Amended by Information Technology Amendment Act, 2008).................................. 27 Summary .................................................................................................................................................................................. 28 Chapter 2: Introduction to COBIT 5.............................................................................................................................................. 29 Chapter 3 – How COBIT 5 Can Be Used to Comply With Governance.......................................................................................... 32 Stakeholder 1 – Board of Directors.......................................................................................................................................... 
38 Stakeholder 2 - Management................................................................................................................................................... 46 Stakeholder 3 – Auditor ........................................................................................................................................................... 77 Summary .................................................................................................................................................................................. 92 Section 3 Checklists........................................................................................................................................................................... 92 Checklist 1 – General Checklist for Governance........................................................................................................................... 93 Checklist 2 – General Checklist for Risk Management ................................................................................................................. 94 Checklist 3 – General Checklist Audit and Assurance................................................................................................................... 94 Checklist 4 – Compliance With the Data Protection Areas of IT Act ............................................................................................ 95 Checklist 5 – Sample Checklist for the Auditor to Gain Assurance on the Controls That Are in Place to Protect Personally Identifiable Information ............................................................................................................................................................... 98
ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer
This book is not intended to, and does not, provide legal, technical or other advice on compliance or related matters. Every entity or individual using this book should seek expert technical, legal or other advice as appropriate to its respective needs and circumstances. ISACA, its office bearers, its advisors/consultants, the authors, the reviewers and other persons associated with the writing, reviewing, printing or publication of this book do not guarantee or warrant the accuracy, adequacy, completeness or suitability of the content of this publication and they hereby disclaim any and all responsibility or liability for damages incurred as a result of the content contained herein. They also hereby disclaim any responsibility or liability whatsoever for the consequences of the use of this book by any person or entity. Courts in Cook County, state of Illinois, USA, alone shall have jurisdiction relating to any lawsuits pertaining to this book.

The opinions and views expressed in Guidance to Validate Internal Control Assertions in Indian Financial Reporting are solely those of the authors of this publication, as a practical application and implementation of COBIT 5 principles and good practices. The opinions and views of the authors do not necessarily reflect those of ISACA.

Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are solely permitted for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work. This text uses relevant ISACA publications with permission.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

ISACA® and COBIT® are registered trademarks of ISACA.

Participate in the ISACA Knowledge Center: www.isaca.org/topic-India
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ACKNOWLEDGMENTS

ISACA Wishes to Recognize:

The ISACA India Task Force
Chairman, Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK, COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force
Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA, Freelance consultant and trainer, Pune, India
Mr. Anil Bhandari, CISA, CIA, DISA, AICWA, FCA, ANB Consulting Co., Mumbai, India
Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India
Mr. Sandeep Godbole, CISA, CISM, CGEIT, Syntel, Pune, India
Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., Hyderabad, India
Mr. Vaibhav Patkar, CISA, CISM, CRISC, CGEIT, Sutherland, Mumbai, India
Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India
Mr. Raghavendra Rao Hulgeri, CISA, Oracle Financial Services Software Ltd., Bangalore, India

Project Coordinator and Advisor
Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India

Content Development Team
Mr. Anand Prakash Jangid, CISA, CISM, CFE, ACA, Quadrisk Advisors, Bangalore, India
Mr. Rajiv Gupta, CISA, CFE, ACA, Coca-Cola India
Ms. Vishakha Chhawchharia, CISA, ACA, Quadrisk Advisors, Bangalore, India
Mr. Amarnath Daga, CISA, ACA, Quadrisk Advisors, Bangalore, India
Mr. Bharath Rao B, CeHv8, Quadrisk Advisors, Bangalore, India
Mr. Anish Jain, ACA, Quadrisk Advisors, Bangalore, India
Ms. Shefalika Sahu, ACA, Quadrisk Advisors, Bangalore, India
Mr. Firoz Attarwala, ACA, Quadrisk Advisors, Bangalore, India

Expert Reviewers
Mr. Abdul Rafeq, CISA, CGEIT, CIA, FCA, A. Rafeq and Associates, India
Mr. S.V. Sunder Krishnan, CISA, Reliance Life Insurance Company Ltd., Mumbai, India
Mr. Avinash W. Kadam, CISA, CISM, CGEIT, CRISC, CISSP, CSSLP, GSEC, GCIH, CBCP, MBCI, PMP, CCSK, COBIT 5 Approved Trainer—Foundation, Advisor, ISACA’s India Task Force
Mr. Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CISSP, PMP, CeHv6, ISO 27001:2005 LA, ISO 14001 LA, Freelance consultant and trainer, Pune, India
Mr. Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd, New Delhi, India
Mr. Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., Hyderabad, India
Mr. Vittal Raj, CISA, CISM, CGEIT, Kumar and Raj, Chennai, India
Mr. Shrikant Patil
Mr. Shashikant Shirahatti
SECTION 1 – EXECUTIVE SUMMARY

NEED FOR THIS PUBLICATION
As a part of "Management's Responsibility for Financial Statements", executive management of Indian companies asserts to its stakeholders the relevance of "the design, implementation and maintenance of internal controls" for the preparation and presentation of financial statements, which need to give a true and fair view of the financial position on a particular date and of performance for the relevant period. Financial statements need to be devoid of any material misstatements, whether due to fraud or error. This responsibility is an onerous one. Under Section 211(7) of the Indian Companies Act, 1956, in the event that a company fails to take all reasonable steps to secure compliance, willful negligence may be punishable with imprisonment for a term which may extend to six months, or a fine which may extend to ten thousand rupees, or both imprisonment and a fine. The new Companies Act, 2013 has not only emphasized the above requirements but has also upped the ante by increasing the number of corporate governance and risk management requirements.

This publication is aimed at solving the problems of C-level executives of various Indian enterprises who sign financial statements and commit to assertions on internal controls. It guides the board, management and auditors in complying with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013, using ISACA’s COBIT 5 framework.

With the changing times, there is also a need for greater accountability of companies to their shareholders and customers. The need for governance arises from the separation of management from ownership. For a firm’s success, companies need to concentrate on both economic and social aspects. Companies need to be fair with producers, shareholders, customers, etc., and have various responsibilities toward employees and communities. Companies need to serve their responsibilities in all these aspects.

There are several important issues in governance, and they play a great role. All the issues are inter-related and interdependent, and each of them has a different priority in each corporate body. The issues are:
1. Value-based corporate culture
2. Holistic view
3. Compliance with laws
4. Disclosure, transparency and accountability
5. Governance and human resource management
6. Innovation

Corporate scandals, internally or at other companies, have shed light on the need to manage strategically in an effort to avoid such catastrophes, which often leave executives unemployed. Many executives believe that risks are higher than ever before. However, they are unsure about how to manage them; therefore, many executives are welcoming risk management plans and infrastructures. Finally, companies have learned that managing risk correctly can lead to increased shareholder value. Companies are hoping to shift from a simple control process to a value creation process using an enterprisewide approach. The concept of governance hinges on total transparency, integrity and accountability of management and the board of directors. The importance of governance, along with efficient risk management, lies in its contribution both to business prosperity and to accountability.
OBJECTIVE STATEMENT
This publication is aimed at solving the problems of C-level executives of various Indian enterprises who sign financial statements and commit to assertions on internal controls. It guides the board, management and auditors in complying with the corporate governance and internal control requirements arising out of Clause 49 of the Listing Agreement of the Securities and Exchange Board of India (SEBI) and the new Companies Act, 2013, using ISACA’s COBIT 5 framework.

IDENTIFIED STAKEHOLDERS
This publication is targeted at the following audience, as they play the most crucial role in developing, maintaining and evaluating governance. COBIT® 5 is a business framework for the governance and management of enterprise IT, and hence their roles here are restricted to the areas in which IT information is present.
• Board of directors
• Management
  o Chief executive officer (CEO)
  o Chief financial officer (CFO)
  o Chief information officer (CIO)
  o Chief risk officer (CRO)
  o Chief information security officer (CISO)
• Auditors (external and internal)

AN INTRODUCTION TO THIS DOCUMENT
Today, there is a growing dialogue among stakeholders about governance and how it should evolve to cope with the increasingly dynamic and global nature of capital markets. This dialogue is taking place against a background of legislative and regulatory change. There has been a significant increase in the scope of audit and other internal control and risk management, along with increased public scrutiny. It is only with dialogue and active participation of all stakeholders that the appropriate balance can be reached between:
• Strengthened central controls and fast local responsiveness
• Effective risk management and the enduring need for innovation
• The costs of compliance with the new governance regulation and the value it brings

The following factors can disrupt the normal operations of the company.

Internal Factors

The Board of Directors/Management
The board advises the company’s CEO, who runs the daily operations, and reviews the quality of recommendations the CEO receives from others in corporate management. Some board members may be employees or family members (most often from the extended family of the company’s founder). Other board members may be affiliated with the company through a banking relationship, a law firm retained by the company, or as a representative of a customer or supplier. Such members may be subject to potential conflicts of interest that cause them to act in ways not necessarily in the shareholders’ best interests. This has led some observers to argue that boards should be composed primarily of independent directors and that different individuals should hold the CEO and board chairperson positions.
Internal Controls
Well-designed systems generate information that poses a reduced threat of material misstatements. However, simply having systems in place—even if they are properly engineered and constructed—is not sufficient to guarantee both the effectiveness of the required actions and the reliability of the collected data. Thus, extra procedures are built into every system by management to help ensure that every operation is performed as intended and the resulting financial data are reliable. Internal control over financial reporting is a formal system of checks and balances, monitored by management and the board of directors and reviewed by the outside auditor. To be efficient and effective, these systems must be carefully designed and maintained. They need to keep company assets secure at a minimum cost. In addition, appropriate record keeping is a required aspect of virtually every system.

Anti-takeover Defenses
A company’s management and board may employ defenses to gain leverage in negotiating with a potential suitor or to solidify current management’s position within the company.

Corporate Culture and Values
While internal systems and controls are important, good governance also results when the employee culture is instilled with appropriate core values and behaviors. Setting the right tone and direction comes from the board of directors and senior management and their willingness to behave in a manner consistent with what they demand from other employees.

Impact Due to Internal Factors
One can conclude that if the company’s internal controls are not aligned for achieving governance, the company can face serious repercussions regarding its integrity and professionalism, which in turn affect the goodwill of the company. Internal controls help the company to achieve long-term stability. If there is chaos in the company, loss of shareholder faith and loss of money would be inevitable.

External Factors
Federal and state legislation, the court system, regulators, institutional activists and the corporate takeover market all play an important role in maintaining good governance practices.

Institutional Activists
Pension funds, hedge funds, private equity investors and mutual funds have become increasingly influential institutions that can affect the policies of companies in which they invest. There is growing evidence that institutional activism, in combination with merger and acquisition activity, has become an important factor in disciplining underperforming managers.

Amalgamations and Acquisitions
Changes in corporate control can occur because of a hostile (i.e., bids contested by the target’s board and management) or friendly takeover of a target company, or because of a proxy contest initiated by dissident shareholders. When a company’s internal mechanisms that govern management control are relatively weak, the corporate takeover market seems to act as a “court of last resort” to discipline inappropriate management behavior. Strong internal governance mechanisms, by contrast, lessen the role of the takeover threat as a disciplinary factor. Moreover, the disciplining effect of a takeover threat on a company’s management can be reinforced when it is paired with a large shareholding by an institutional investor.

Impact Due to External Factors
After establishing an ideal internal control environment for achieving governance, it is crucial that the company maintains it. External factors also affect the company’s governance. Thus, events like accounting frauds, cyberattacks, social engineering attacks and market instability would be unavoidable if governance is not implemented correctly. Any changes in the legal, compliance, statutory, etc., areas have to be fulfilled by the company to sustain itself in the market and grow accordingly.
This publication is aimed at giving guidance in developing, maintaining and evaluating the governance that arises out of the governance, risk management and information security regulatory requirements from the Companies Act, 2013, Clause 49 and the Information Technology Act, 2008 (as amended).

BENEFITS DERIVED FROM THIS DOCUMENT
Using this guidance note makes governance and enterprise risk management (ERM) solutions easier for the enterprise and yields a number of enterprise benefits, such as:
• Reduced complexity and increased cost-effectiveness due to improved and easier integration of governance and risk management compliances, best practices, etc.
• Increased user satisfaction with governance arrangements and outcomes
• Improved integration of governance and ERM in the enterprise
• Informed risk decisions and risk awareness
• Reduced (impact of) costs of noncompliance with governance and ERM requirements
• Improved management of costs related to governance and ERM
• Better understanding of governance, ERM and internal controls
• Enhanced support for innovation and competitiveness
APPROACH TO THIS PUBLICATION
This publication was prepared in keeping with the following:

Regulations of Companies Act, 2013 and Clause 49
• Regulations related to governance and risk management and data privacy were identified.
• Stakeholders were identified.

Stakeholder Needs Identification
• Questions are given from COBIT.
• Questions are selected based on the regulation that is applicable to the stakeholder.

Enterprise Goals Identification
• Respective enterprise goals are selected for stakeholder needs.

IT Goals Identification
• Enterprise goals are converted to relevant IT goals according to the mapping that is given in the annexure of the COBIT 5 framework.

Process Enablers & Management Practices
• Process enablers and practices from COBIT are selected and applied in the relevant section.

The COBIT enablers are tailored for compliance with governance requirements, enterprise risk management (ERM) and data security requirements based on the preceding chart. Section two of this publication is divided into three chapters. The first chapter gives a broad view of the following:
• Regulation requirements are captured in detail with respect to each identified stakeholder of the Companies Act, 2013, Clause 49 and Information Technology Act, 2008, covering areas of governance, risk management, assurance and data security.
• Relevant practices are suggested by COBIT 5 that can be implemented to comply with these areas.

Chapter 2 gives an idea of the COBIT 5 framework and the COBIT 5 methodology through its principles and enablers. Chapter 3 gives the relevant guidance for compliance with the listed regulations, keeping the stakeholders in mind, by using COBIT 5. This chapter segregates the requirements applicable to each stakeholder, and explains the use of the respective COBIT enablers to meet those requirements. Therefore, it is crucial that the preceding chart be kept in mind while going through the document. Stakeholders are expected to follow these steps in order to bring value to their company:

Chapter 1
• Regulatory requirements from the Companies Act, 2013, Clause 49 and Information Technology Act, 2008
• Governance, risk management, assurance and security

Chapter 2
• Introduction to COBIT 5
• Principles and enablers

Chapter 3
• Stakeholder segregation
• RACI charts for the role of the stakeholder in an activity
• COBIT 5 recommended practices for each stakeholder
AN EXAMPLE OF HOW TO READ THE DOCUMENT
Scenario: Risk management compliance is to be performed by the company.

Step 1 – Identify the regulation with which the user needs to comply (from chapter 1).

Section Reference: Companies Act, 2013, Section 134, Clause 3(n)
Regulatory Requirement: There shall be attached to statements laid before a company in general meeting, a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant management practices as identified for the various stakeholders in chapter 3.

Step 2 – Determine the stakeholders that are affected. Classify them as primary and secondary.
Primary stakeholder identified—Board of Directors
Secondary stakeholder identified—Management

Step 3 – Identify the required processes of COBIT that need to be incorporated in order to comply with the selected regulation, from the “How this document will be useful” row.
Identified processes – EDM03, APO12
Step 4 – Locate the processes under the respective stakeholder (in chapter 3) and identify the role of the stakeholder in the RACI (Responsible, Accountable, Consulted, Informed) chart that has been provided.

RACI Chart – Board of Directors
Governance Practice | Board
EDM03.01 Evaluate risk management. | A
EDM03.02 Direct risk management. | A
EDM03.03 Monitor risk management. | A

RACI Chart – Management
Roles (columns): Chief Executive Officer, Chief Financial Officer, Chief Information Security Officer, Chief Risk Officer, Chief Information Officer
Management Practice | RACI entries as given in the chart (each row carries four entries; the fifth role is left blank)
APO12.01 Collect data. | I, R, R, A
APO12.02 Analyze risk. | I, C, R, A
APO12.03 Maintain a risk profile. | I, C, A, R
APO12.04 Articulate risk. | I, C, R, A
APO12.05 Define a risk management action portfolio. | I, C, A, R
APO12.06 Respond to risk. | I, R, R, A

Step 5 – Incorporate the activities that are described in detail under the respective stakeholder in the RACI chart (in chapter 3).

Board of Directors –

1. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.
ACTIVITY – DETAILED ACTIVITIES
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its risk objectives.
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise’s acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to the enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise’s capacity for IT-related loss and leadership’s tolerance of it.

The board needs to actively take part in the risk evaluation process of the enterprise, which also includes the IT-related risks, and, in assessing the risk, define a risk tolerance threshold for acceptable risk and opportunity levels. The board needs to evaluate the risk factors before taking decisions on strategies, to ensure that the impact of risk has been factored in. The board should evaluate the risk management activities and regularly define the enterprise’s capacity for loss and the tolerance limits.

2. EDM03.02 Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.

ACTIVITY – DETAILED ACTIVITIES
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

The board needs to actively take part in promoting a culture where opportunities, risks and their impacts are proactively identified. The board should ensure that the risk strategies for IT and for the enterprise are integrated and that there are no conflicts between them. The board should direct the development of risk communication plans and action plans for all levels of the enterprise, which shall ensure timely responses to a changing risk environment. The board should encourage reporting of incidents by any level of management in a timely manner and direct handling of incidents according to the defined policies and procedures.
3. EDM03.03 Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

ACTIVITY – DETAILED ACTIVITIES
1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders’ review of the enterprise’s progress towards identified goals.

The board needs to monitor the extent to which the risk profile is managed and whether the profile is within the thresholds of risk appetite. The board should ensure that deviations of the processes against the defined targets are analyzed and that the corrective action needed is taken.

Management –

1. APO12.01 Collect data.
Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.

ACTIVITIES – DETAILED ACTIVITIES
1. Establish and maintain a method for the collection, classification and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk and multiple risk factors.
2. Record relevant data on the enterprise’s internal and external operating environment that could play a significant role in the management of IT risk.
3. Survey and analyze the historical IT risk data and loss experience from externally available data and trends, industry peers through industry-based event logs, databases, and industry agreements for common event disclosure.
4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT program and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations.
5. For similar classes of events, organize the collected data and highlight contributing factors. Determine common contributing factors across multiple events.
6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude.
7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external risk factors.

Management needs to establish and maintain a method for collection, classification and analysis of risk-related data, which accommodates multiple events, categories of risk and risk factors. Management can record relevant data on the enterprise’s internal and external operating environment that would play a significant role in the management of risk. There can be a survey and analysis of historical risk data and loss experience from externally available trends, and from industry peers through event logs, databases and agreements for common event disclosure. The risk events that have caused, or could potentially cause, impact to IT value benefits, programs and project delivery should be captured. In addition, data from incidents, problems and investigations can be recorded. Management needs to determine the specific conditions that existed or were absent when risk events occurred and the way they affect event frequency and loss magnitude. Management should perform periodic event and risk factor analysis to identify new/emerging risk issues and gain an understanding of the associated risk factors.
2. APO12.02 Analyze risk.
Develop useful information to support risk decisions that take into account the business relevance of risk factors.

ACTIVITIES – DETAILED ACTIVITIES
1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis.
2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures.
3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls and estimate residual risk levels.
4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response.
5. Analyze the cost-benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Propose the optimal risk response.
6. Specify high-level requirements for projects or programs that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses.
7. Validate the risk analysis results before using them in decision making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinized for bias.

Management needs to define the appropriate breadth and depth of risk analysis, considering the criticality of assets, and set the risk analysis scope after performing a cost-benefit analysis. Management needs to build and regularly update the risk scenarios, including compound scenarios of cascading/coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures. Management needs to estimate the frequency and magnitude of loss or gain associated with risk scenarios. The applicable risk factors need to be taken into account, and management needs to evaluate operational controls and estimate residual risk levels. Residual risk needs to be compared with the acceptable risk tolerance, and the risk exposures that will require responses need to be identified. Management needs to conduct a cost-benefit analysis of potential risk response options such as avoid, reduce, transfer and accept. Management should specify high-level requirements for programs that will implement the risk responses and should identify requirements for key controls. Management needs to validate the risk analysis results before using them for decision making, confirm whether the analysis aligns with enterprise requirements and verify that estimations were calibrated.

3. APO12.03 Maintain a risk profile.
Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.

ACTIVITIES – MANAGEMENT’S ROLE
1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources.

Management can take an inventory of business processes, applications, infrastructure, facilities, critical manual records, vendors, etc., and document the dependency on IT service management processes and IT infrastructure resources.
  • 16. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 15 2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and identify weak links. 3. Aggregate current risk scenarios by category, business line and functional area. 4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile. 5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends. 6. Capture information on IT risk events that have materialized, for inclusion in the IT risk profile of the enterprise. Further, management should determine and agree on which IT services and infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and weak links. Management needs to aggregate current risk scenarios by categories, business lines and functional areas. On a regular basis, management should capture risk profile information and consolidate it into aggregated risk profiles. Based on the profiles, management needs to define a set of risk indicators that allow quick identification and monitoring of current risk trends. Capture the information on risk events that have materialized for inclusion in profiles of the enterprise. 4. APO12.04 Articulate risk. Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response. ACTIVITIES DETAILED ACTIVITIES 1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return. 2. 
Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations. 3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile. 4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis. Management needs to report the results of risk analysis to all affected stakeholders in terms of formats supporting decision making. Wherever possible, include probabilities and range of loss or gain with confidence levels to balance risk and return. Management can provide to the decision makers an understanding of worst case and most probable scenarios, due diligence exposures and reputation, legal or regulatory consideration. The report on current risk profile includes effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, etc., and their impact on risk profile to the stakeholders. Management should review the results of third-party assessments, internal audits and quality assurance (QA) reviews, and map them to the risk profiles.
5. APO12.05 Define a risk management action portfolio. Manage opportunities to reduce risk to an acceptable level as a portfolio.

ACTIVITIES
1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. Classify control activities and map them to specific IT risk statements and aggregations of IT risk.
2. Determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels.
3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost and benefits, effect on the current risk profile and regulations.

DETAILED ACTIVITIES
Management needs to make an inventory of the control activities that are in place to manage risk and that enable risk to be taken in line with appetite and tolerance. The control activities should be classified and mapped to specific risk statements and aggregations of risk. Management needs to determine that risk is monitored and that accountability for operating within individual and portfolio tolerance levels is accepted. Management defines a balanced set of project proposals designed to reduce risk and/or projects that enable strategic opportunities, considering the cost-benefit analysis.

6. APO12.06 Respond to risk. Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

ACTIVITIES
1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.
2. Categorize incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of reporting, and update the risk profile.
3. Apply the appropriate response plan to minimize the impact when risk incidents occur.
4. Examine past adverse events/losses and missed opportunities, and determine root causes. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers and ensure that the cause, response requirements and process improvement are included in risk governance processes.

DETAILED ACTIVITIES
Management needs to prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious impact on the business. Further, management should ensure that plans include escalations across the enterprise. Incidents need to be categorized, actual exposures compared against risk thresholds, and the business impacts communicated to decision makers as part of reporting and updating the risk profile. Management should apply the plans to minimize the impact when risk incidents occur, examine past adverse events and missed opportunities, and determine root causes. The root causes, risk response requirements and process improvements should be communicated to decision makers.
REFERENCES FOR THE PUBLICATION
• Companies Act, 2013
• Clause 49 of the Listing Agreement of SEBI
• Information Technology Act, 2000 (as amended by IT Amendment Act, 2008)
• COBIT 5 framework
• COBIT® 5: Enabling Processes
• COBIT® 5 Implementation
• COBIT® 5 for Risk
• COBIT® 5 for Assurance
• Securing Sensitive Personal Data or Information Under India's IT Act Using COBIT® 5
• COBIT® 5: Enabling Information
• COBIT® 5 for Information Security
• Board Briefing on IT Governance (an ISACA publication)
SECTION 2 – DETAILED PUBLICATION

Section 2 is the core section of this publication. It consists of the guidance note for compliance of governance and risk management in India using COBIT 5, and it is divided into three chapters. Chapter 1 describes all the regulations that must be complied with in order to have the minimum required governance and ERM. Chapter 2 gives a brief introduction to the COBIT 5 framework, its five principles and its seven enablers. Chapter 3 gives a detailed explanation of how COBIT 5 can be used to comply with the regulations identified in chapter 1, for each stakeholder identified in the scope of this publication.

DEFINITIONS

The following terms are defined according to their respective acts. The same meaning should be used while interpreting this document.

Sr. No. / Term / Definition

1. Board of Directors: In relation to a company, the collective body of the directors of the company.

2. Independent Director: An independent director referred to in sub-section (6) of section 149, i.e., a director other than a managing director, a whole-time director or a nominee director, who is:
(a) in the opinion of the Board, a person of integrity who possesses relevant expertise and experience;
(b) (i) a person who is or was not a promoter of the company or its holding, subsidiary or associate company; (ii) a person who is not related to promoters or directors in the company, its holding, subsidiary or associate company;
(c) a person who has or had no pecuniary relationship with the company, its holding, subsidiary or associate company, or their promoters or directors, during the two immediately preceding financial years or during the current financial year;
(d) a person, none of whose relatives has or had a pecuniary relationship or transaction with the company, its holding, subsidiary or associate company, or their promoters or directors, amounting to two percent or more of its gross turnover or total income or fifty lakh rupees or such higher amount as may be prescribed, whichever is lower, during the two immediately preceding financial years or during the current financial year;
(e) a person who, neither himself nor any of his relatives:
(i) holds or has held the position of key managerial personnel or is or has been an employee of the company or its holding, subsidiary or associate company in any of the three financial years immediately preceding the financial year in which he is proposed to be appointed;
(ii) is or has been an employee or proprietor or a partner, in any of the three financial years immediately preceding the financial year in which he is proposed to be appointed, of: (A) a firm of auditors or company secretaries in practice or cost auditors of the company or its holding, subsidiary or associate company; or (B) any legal or consulting firm that has or had any transaction with the company, its holding, subsidiary or associate company amounting to ten percent or more of the gross turnover of such firm;
(iii) holds together with his relatives two percent or more of the total voting power of the company; or
(iv) is a chief executive or director, by whatever name called, of any nonprofit organization that receives twenty-five percent or more of its receipts from the company, any of its promoters, directors or its holding, subsidiary or associate company, or that holds two percent or more of the total voting power of the company; or
(f) who possesses such other qualifications as may be prescribed.

3. Key Managerial Personnel: In relation to a company: (i) the CEO or the managing director or the manager; (ii) the company secretary; (iii) the whole-time director; (iv) the chief financial officer; and (v) such other officer as may be prescribed.

4. Sensitive Personal Data: Personal information that relates to passwords; financial information such as bank account or credit card or debit card or other payment instrument details; physical, psychological and mental health condition; sexual orientation; medical records and history; biometric information.

5. Body Corporate: Any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The term is not restricted to a body corporate established in India. It refers to an organization that collects, stores or processes sensitive data on behalf of a body corporate (data processor).

8. Identity Theft: A form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity, usually as a method to gain access to resources. This process is also called personation.

9. Cyberterrorism: Threats to the unity, integrity, security or sovereignty of India, or striking terror in the people or any section of the people, by: (i) denying or causing the denial of access to any person authorized to access a computer resource; or (ii) attempting to penetrate or access a computer resource without authorization or exceeding authorized access; or (iii) introducing or causing to introduce any computer contaminant; and by means of such conduct causing, or being likely to cause, death or injuries to persons or damage to or destruction of property, or causing disruption, or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community, or adversely affecting the critical information infrastructure specified under section 70.

10. Intermediary: Any person who on behalf of another person stores or transmits a message or provides any service with respect to that message.

11. Computer Resources: Computer, communication device, computer system, computer network, data, computer database or software.

1. Internal Control: Processes/methods designed by management or other personnel to ensure the integrity of financial and accounting information, to meet operational and profitability targets, and to transmit management policies throughout the organization. Basic policies related to internal controls were created to ensure suitable business practices.

2. Audit Committee: An operating committee of a company's board of directors that is in charge of overseeing financial reporting and disclosure. It is also responsible for overseeing all internal and external audit functions of the company.

3. Whistleblower: Anyone who has and reports insider knowledge of illegal activities occurring in an organization. Whistleblowers can be employees, suppliers, contractors, clients or any individual who somehow becomes aware of illegal activities taking place in a business, either through witnessing the behavior or being told about it. In other words, a person who informs on a person or organization regarded as engaging in an unlawful or immoral activity.
CHAPTER 1 - GOVERNANCE AND RISK MANAGEMENT IN INDIA – REGULATORY REQUIREMENTS TO COMPLY WITH THE INDIAN REGULATIONS

This chapter presents information on the enactments and provides the scope and objectives of this guidance note using COBIT 5. The COBIT 5 guidance is explained in detail in chapter 3 with respect to each stakeholder. The Companies Act, 2013 and Clause 49 receive the greatest attention. Because this is also the digital era, importance is also given to the Information Technology Act, 2000 (as amended by IT Amendment Act, 2008) with respect to the data privacy and penalty laws in India. All of the respective regulations have been identified and explained for every stakeholder in the scope of this publication with reference to the governance, risk management, assurance and privacy regulations.

GOVERNANCE

Governance regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and are explained in the following table.

Section Reference: Companies Act, 2013, Section 149, Schedule IV
Regulatory Requirement: The company and independent directors shall abide by the provisions specified in Schedule IV, which include the roles and functions of independent directors, i.e.:
• To help in bringing an independent judgment to bear on the board's deliberations on risk management issues
• To satisfy themselves on the integrity of financial information, and that financial controls and the systems of risk management are robust and defensible
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO12, and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 177, Clause 4(vii)
Regulatory Requirement: Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall inter alia include evaluation of internal financial controls and risk management systems.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, BAI01, BAI02, DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section IV, Clause (c)
Regulatory Requirement: The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined risk management framework.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, APO01, APO02, APO12, BAI01, BAI02, DSS06, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section IV, Clause (f)
Regulatory Requirement: As part of the directors' report or as an addition thereto, a Management Discussion and Analysis report should form part of the Annual Report to the shareholders. This Management Discussion and Analysis report should include discussion on risks and concerns within the limits set by the company's competitive position.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO01, APO12, BAI01, BAI02, BAI06, BAI07, DSS01, DSS06 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 138 (1)
Regulatory Requirement: Such class or classes of companies as may be prescribed shall be required to appoint an internal auditor, who shall be either a chartered accountant or a cost accountant, or such other professional as may be decided by the board, to conduct internal audit of the functions and activities of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 143, Clause 3(e)
Regulatory Requirement: The auditor's report shall also state whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 177 (4)
Regulatory Requirement: Every audit committee shall act in accordance with the terms of reference specified in writing by the board which shall, inter alia, include:
• Review and monitoring of the auditor's independence and performance, and the effectiveness of the audit process
• Evaluation of internal financial controls and risk management systems
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clauses (d), (e)
Regulatory Requirement: The role of the audit committee shall include the following:
a) Reviewing, with management, the performance of statutory and internal auditors, and the adequacy of the internal control systems
b) Reviewing the adequacy of the internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure, coverage and frequency of internal audit
c) Discussion with internal auditors of any significant findings and follow-up thereon
d) Reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature, and reporting the matter to the board
e) Management discussion and analysis of financial condition and results of operations
f) Management letters/letters of internal control weaknesses issued by the statutory auditors
g) Internal audit reports relating to internal control weaknesses
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03, MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3
RISK MANAGEMENT

Risk management regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and are explained in the following table.

Section Reference: Companies Act, 2013, Section 134, Clause 3(n)
Regulatory Requirement: There shall be attached to statements laid before a company in general meeting a report by its board of directors, which shall include a statement indicating development and implementation of a risk management policy for the company, including identification of elements of risk, if any, which in the opinion of the board may threaten the existence of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM03, APO12 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 149 (8), Schedule IV
Regulatory Requirement: The independent director shall help in bringing an independent judgment to bear on the board's deliberations on risk management resources and satisfy themselves that financial controls and the systems of risk management are robust and defensible.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM04, EDM03, APO12, DSS06 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section IV, Clause (c)
Regulatory Requirement: The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM05, APO12, DSS06, MEA01, MEA02, MEA03, DSS01 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section IV, Clause (f)
Regulatory Requirement: The Management Discussion and Analysis report should include discussion on risks and concerns as well as internal control systems and their adequacy within the limits set by the company's competitive position.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes APO12, MEA02 and their relevant management practices as identified for the various stakeholders in chapter 3
ASSURANCE

Assurance regulatory requirements for the auditor stakeholder have been identified from the Companies Act, 2013 and Clause 49 and are explained in the following table.

Section Reference: Companies Act, 2013, Section 134, Clause 3(n)
Regulatory Requirement: Every audit committee shall act in accordance with the terms of reference specified in writing by the board, which shall include evaluation of internal financial controls and risk management systems.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 138 (1)
Regulatory Requirement: Prescribed classes of companies shall be required to appoint an internal auditor, who is an assurance professional (auditor) decided by the board, to conduct internal audit of the functions and activities of the company.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Companies Act, 2013, Section 143 (3), Clause (i)
Regulatory Requirement: The auditor's report shall state whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause d (6)
Regulatory Requirement: The role of the audit committee shall include reviewing, with management, the performance of statutory and internal auditors, and the adequacy of the internal control systems.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause d (7)
Regulatory Requirement: The role of the audit committee shall include reviewing the adequacy of the internal audit function, if any, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure, coverage and frequency of internal audit.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause d (9)
Regulatory Requirement: The role of the audit committee shall include reviewing the findings of any internal investigations by the internal auditors into matters where there is suspected fraud or irregularity or a failure of internal control systems of a material nature, and reporting the matter to the board.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause d (12)
Regulatory Requirement: The role of the audit committee shall include reviewing the functioning of the whistle-blower mechanism, in case the same is prevailing.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause e (1)
Regulatory Requirement: The audit committee shall mandatorily review the management discussion and analysis of financial condition and results of operations.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause e (3)
Regulatory Requirement: The audit committee shall mandatorily review the management letters/letters of internal control weaknesses issued by the statutory auditors.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section II, Clause e (4)
Regulatory Requirement: The audit committee shall mandatorily review the internal audit reports relating to internal control weaknesses.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes MEA01, MEA02, MEA03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Clause 49, Section VII, Clause 1
Regulatory Requirement: The company shall obtain a certificate from either the auditors or practicing company secretaries regarding compliance of conditions of governance as stipulated in this clause, and annex the certificate with the directors' report, which is sent annually to all the shareholders of the company.
How this document will be useful: N/A
INFORMATION TECHNOLOGY ACT, 2000 (AS AMENDED BY INFORMATION TECHNOLOGY AMENDMENT ACT, 2008)

Data privacy and penalty regulatory requirements for every stakeholder have been identified from the Companies Act, 2013 and Clause 49 and are explained in the following table.

Section Reference: Section 43A
Regulatory Requirement: The obligation to protect sensitive personal data applies to every entity (body corporate) that:
• Possesses, deals with or handles any sensitive personal data or information (SPDI)
• In a computer resource that it owns, controls or operates
How this document will be useful: Provides guidance by mapping to COBIT 5 processes APO13, MEA02, MEA03, DSS02, DSS05 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Section 43A
Regulatory Requirement: Where an entity that is obliged to maintain security of sensitive personal data is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such entity would be liable to pay damages by way of compensation to the person so affected.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes APO13, MEA02, MEA03, DSS02, DSS05 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Section 43A
Regulatory Requirement: Body corporate to provide a policy for privacy and disclosure of information. The body corporate, or any person who on behalf of the body corporate collects, receives, possesses, stores, deals with or handles information of a provider of information, shall provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information, and ensure that the policy is available for view by such providers of information who have provided such information under lawful contract.
How this document will be useful: Provides guidance by mapping to COBIT 5 processes EDM01, EDM03 and their relevant management practices as identified for the various stakeholders in chapter 3

Section Reference: Section 66E
Regulatory Requirement: Punishment for violation of privacy: Whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years, or with a fine not exceeding two lakh rupees, or with both imprisonment and a fine.
How this document will be useful: N/A

Section Reference: Section 66A
Regulatory Requirement: Any person who sends, by means of a computer resource or a communication device:
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently makes use of such computer resource or a communication device; or
c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience, or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008)
How this document will be useful: N/A
Section Reference: Section 66B
Regulatory Requirement: Whoever dishonestly receives or retains any stolen computer resource or communication device, knowing or having reason to believe the resource or device to be stolen, shall be punished with imprisonment of either description for a term which may extend to three years, or with a fine which may extend to rupees one lakh, or with both imprisonment and a fine.
How this document will be useful: N/A

Section Reference: Section 66C
Regulatory Requirement: Whoever fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to three years, and shall also be liable to a fine which may extend to rupees one lakh.
How this document will be useful: N/A

Section Reference: Section 66D
Regulatory Requirement: Whoever, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years, and shall also be liable to a fine which may extend to one lakh rupees.
How this document will be useful: N/A

Section Reference: Section 67C
Regulatory Requirement: (1) Intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the central government may prescribe. (2) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to three years and shall also be liable to a fine.
How this document will be useful: N/A

SUMMARY

Great effort is being made in India to achieve efficient governance and risk management. Governance and risk management are regulated by the Companies Act, 2013 and Clause 49. Data that are generated have to be preserved, keeping in mind confidentiality and privacy perspectives. Privacy of the data is regulated by the Information Technology Act, 2000 (as amended in 2008).
CHAPTER 2: INTRODUCTION TO COBIT 5

Executive Summary
According to COBIT 5, information is the currency of the 21st century enterprise. Information, and the technology that supports it, can drive success, but it also raises challenging governance and management issues. This section explains the need for using the approach and latest thinking provided by the globally recognized COBIT 5 framework as a benchmark for reviewing and implementing governance and management of enterprise IT. It explains the principles and enablers of COBIT 5 and how it can be an effective tool to help enterprises simplify complex issues, deliver trust and value, manage risk, reduce potential public embarrassment, protect intellectual property and maximize opportunities.

COBIT 5 helps enterprises manage IT-related risk and supports compliance, continuity, security and privacy. It enables clear policy development and good practice for IT management, including increased business user satisfaction. The key advantage of using a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

Five Principles of COBIT 5
Source: COBIT 5, ISACA, USA, 2012, figure 2

COBIT 5 simplifies governance challenges with just five principles. Taken together, the five key principles for governance and management of enterprise IT in COBIT 5 enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of stakeholders.

Principle 1: Meeting Stakeholder Needs. Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation using IT. Because every enterprise has different objectives, an enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific IT-related goals and mapping these to specific processes and practices. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals.
Principle 2: Covering the Enterprise End-to-end. COBIT 5 integrates governance of enterprise IT into enterprise governance. It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise. It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that is relevant to governance and management of enterprise information and related IT.

Principle 3: Applying a Single Integrated Framework. There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 is a single, integrated framework because it aligns with the latest relevant standards and frameworks; this allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. It is complete in enterprise coverage, providing a basis to integrate effectively the other frameworks, standards and practices in use.

Principle 4: Enabling a Holistic Approach. Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise.

Principle 5: Separating Governance From Management. The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes.
• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision making; and monitors performance and compliance against agreed-on direction and objectives. In most organizations, governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, especially in larger, complex organizations.
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governing body to achieve the objectives. In most enterprises, management is the responsibility of executive management under the leadership of the chief executive officer (CEO).
From the definitions of governance and management it is clear that they comprise different types of activities, with different responsibilities; however, given the role of governance to evaluate, direct and monitor, a set of interactions is required between governance and management to result in an efficient and effective governance system.

Seven Enablers of COBIT 5
Enablers are factors that, individually and collectively, influence whether something will work, in this case governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve. The seven categories of enablers are:
• Principles, Policies and Frameworks are the vehicles to translate the desired behavior into practical guidance for day-to-day management.
• Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
• Organizational Structures are the key decision-making entities in an enterprise.
• Culture, Ethics and Behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
• Information is pervasive throughout any organization and includes all information produced and used by the enterprise. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
• Services, Infrastructure and Applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
• People, Skills and Competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.
Source: COBIT 5, ISACA, USA, 2012, figure 2
CHAPTER 3 – HOW COBIT 5 CAN BE USED TO COMPLY WITH GOVERNANCE

Chapter 3 has been developed so that the COBIT 5 practices required for each stakeholder individually are provided. COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

The solution has been formulated by following these steps:
Step 1 – Identification of stakeholder needs that are required by the regulations and mapping with the relevant enterprise goals
Step 2 – Mapping of enterprise goals with the relevant IT goals
Step 3 – Mapping of IT goals with relevant IT processes
Step 4 – Segregation of IT processes that would be applicable to the following stakeholders:
  Stakeholder 1 – Board of directors
  Stakeholder 2 – Management (CEO, CFO, CISO, CIO and other members of the C-level)
  Stakeholder 3 – Auditors

This chapter consists of tables with two columns, ACTIVITIES and DETAILED ACTIVITIES. The text in the ACTIVITIES column consists of the set of suggestions and guidance prescribed by the COBIT 5 product family publications. The text in the DETAILED ACTIVITIES column consists of the interpretation of those activities from the perspective of the stakeholder, the area under discussion and the regulatory requirements.
Step 1 – Identification of Stakeholder Needs That Are Required by the Regulations and Mapping With the Relevant Enterprise Goals

All relevant stakeholder needs have been highlighted (in blue in the original matrix) and the corresponding enterprise goals have been derived. The columns of the matrix are the 17 COBIT 5 enterprise goals:
1. Stakeholder value of business investments
2. Portfolio of competitive products and services
3. Managed business risks (safeguarding of assets)
4. Compliance with external laws and regulations
5. Financial transparency
6. Customer-oriented service culture
7. Business service continuity and availability
8. Agile responses to a changing business environment
9. Information-based strategic decision making
10. Optimisation of service delivery costs
11. Optimisation of business process functionality
12. Optimisation of business process costs
13. Managed business change programmes
14. Operational and staff productivity
15. Compliance with internal policies
16. Skilled and motivated people
17. Product and business innovation culture

The rows of the matrix are the stakeholder needs; each is marked Y against the enterprise goals it maps to, and the number of goals each need maps to is given in brackets:
• How do I get value from the use of IT? Are end users satisfied with the quality of the IT service? (7)
• How do I manage performance of IT? (7)
• How can I best exploit new technology for new strategic opportunities? (6)
• How do I best build and structure my IT department? (7)
• How dependent am I on external providers? How well are IT outsourcing agreements being managed? How do I obtain assurance over external providers? (3)
• What are the (control) requirements for information? (3)
• Did I address all IT-related risks? (4)
• Am I running an efficient and resilient IT operation? (2)
• How do I control the cost of IT? How do I use IT resources in the most effective and efficient manner? What are the most effective and efficient sourcing options? (3)
• Do I have enough people for IT? How do I develop and maintain their skills, and how do I manage their performance? (3)
• How do I get assurance over IT? (2)
• Is the information I am processing well secured? (3)
• How do I improve business agility through a more flexible IT environment? (4)
• Do IT projects fail to deliver what they promised, and if so, why? Is IT standing in the way of executing the business strategy? (7)
• How critical is IT to sustaining the enterprise? What do I do if IT is not available? (3)
• What concrete, vital primary business processes are dependent on IT, and what are the requirements of those business processes? (4)
• What has been the average overrun of IT operational budgets? How often and how much do IT projects go over budget? (4)
• How much of the IT effort goes to fire fighting rather than enabling business improvements? (3)
• Are sufficient IT resources and infrastructure available to meet required enterprise strategic objectives? (4)
• How long does it take to make major IT decisions? (4)
• Are the total IT effort and investments transparent? (4)
• Does IT support the enterprise in complying with regulations and service levels? How do I know whether I am compliant with all applicable regulations? (2)
Step 2 – Mapping of Enterprise Goals With the Relevant IT Goals
The enterprise goals derived from step 1 have been mapped to their corresponding IT-related goals. This mapping is based on the matrix presented in the COBIT 5 framework.

Step 3 – Mapping of IT Goals With Relevant IT Processes
The IT-related goals derived from step 2 have been mapped to the relevant COBIT 5 processes. This mapping is based on the matrix presented in the COBIT 5 framework.

Summary of Selected IT-related Goals
The following IT-related goals, derived in step 2 and carried into step 3, would be made applicable after following the goals cascade approach and keeping in mind the scope of the document. Each goal is listed with its priority (P = Primary) and whether it is considered relevant to this document.
1. Alignment of IT and business strategy (P): Irrelevant
2. IT compliance and support for business compliance with external laws and regulations (P): Relevant
3. Commitment of executive management for making IT-related decisions (P): Irrelevant
4. Managed IT-related business risks (P): Relevant
5. Realized benefits from IT-enabled investments and services portfolio (P): Irrelevant
6. Transparency of IT costs, benefits and risk (P): Relevant
7. Delivery of IT services in line with business requirements (P): Relevant
8. Adequate use of applications, information and technology solutions (P): Relevant
9. IT agility (P): Irrelevant
10. Security of information and processing infrastructure and applications (P): Irrelevant
11. Optimization of IT assets, resources and capabilities (P): Relevant
12. Enablement and support of business processes by integrating applications and technology into business processes (P): Irrelevant
13. Delivery of programs on time, on budget, and meeting requirements and quality standards (P): Irrelevant
14. Availability of reliable and useful information for decision making (P): Irrelevant
15. IT compliance with internal policies (P): Relevant
16. Competent and motivated business and IT personnel (P): Irrelevant
17. Knowledge, expertise and initiatives for business innovation (P): Irrelevant
Step 4 – Segregation of IT Processes That Would Be Applicable to Stakeholders Collectively
The following figure gives an idea of the relationship between the board of directors, management and auditors in complying with the regulatory requirements imposed by the regulators of the enterprise. The board of directors needs to ensure compliance with regulations, which shall be verified by the auditors, who shall in the end report the same to the regulators. Management will have to implement the directions imposed by the board of directors and account for the same to the board.

STAKEHOLDER 1 – BOARD OF DIRECTORS
The board of directors is the highest governing authority within the management structure at any publicly traded company. Its members are the policy managers of a corporation or organization, elected by the shareholders or members. The board in turn chooses the officers of the corporation, sets basic policy and is responsible to the shareholders. In small corporations, there are usually only three directors. The board is directly accountable to the shareholders, and each year the company will hold an annual general meeting (AGM) at which the directors must provide a report to shareholders on the performance of the company and its plans and strategies, and submit themselves for re-election to the board.

Roles of the board of directors include:
• Determine the company's vision and mission to guide and set the pace for its current operations and future development.
• Determine the values to be promoted throughout the company.
• Determine and review company goals.
• Determine company policies.
• Review and evaluate present and future opportunities, threats and risks in the external environment, and current and future strengths, weaknesses and risks relating to the company.
• Determine strategic options, select those to be pursued, and decide the means to implement and support them.
• Determine the business strategies and plans that underpin the corporate strategy.
• Ensure that the company's organizational structure and capability are appropriate for implementing the chosen strategies.
Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use the enablers and management practices to satisfy their needs and goals. It can be tailored and used, at the discretion of management, toward achieving their goals and objectives. The process reference model figure identifies, out of the 37 COBIT 5 processes, those (borders shaded in black in the figure) that the stakeholder (the board) can adopt, together with their underlying management practices, to assist in achieving the goals of the enterprise.

RACI CHART
A responsibility assignment matrix, also known as a RACI chart (Responsible, Accountable, Consulted, Informed), ARCI matrix or linear responsibility chart, describes the participation of various roles in completing tasks or deliverables for a project or business process. The following RACI chart explains the role of the board of directors in contributing to effective corporate IT governance. The processes explained in this chapter would have to be executed keeping in mind the board's role as given in this chart.

Governance/Management Practice                              Board
EDM01.01 Evaluate the governance system.                    A
EDM01.02 Direct the governance system.                      A
EDM01.03 Monitor the governance system.                     A
EDM03.01 Evaluate risk management.                          A
EDM03.02 Direct risk management.                            A
EDM03.03 Monitor risk management.                           A
EDM05.01 Evaluate stakeholder-reporting requirements.       A
EDM05.02 Direct stakeholder communication and reporting.    A
EDM05.03 Monitor stakeholder communication.                 A
MEA01.05 Ensure the implementation of corrective actions.   I
MEA02.02 Review business process controls effectiveness.    I
MEA02.08 Execute assurance initiatives.                     I
MEA03.03 Confirm external compliance.                       I
MEA03.04 Obtain assurance of external compliance.           I

1. EDM01.01 Evaluate the governance system.
Continually identify and engage with the enterprise's stakeholders, document an understanding of the requirements, and make a judgment on the current and future design of governance of enterprise IT.

ACTIVITIES
1. Analyze and identify the internal and external environmental factors (legal, regulatory and contractual obligations) and trends in the business environment that may influence governance decisions.
2. Determine the significance of IT and its role with respect to the business.
3. Consider external regulations, laws and contractual obligations and determine how they should be applied within the governance of enterprise IT.
4. Align the ethical use and processing of information and its impact on society, the natural environment, and internal and external stakeholder interests with the enterprise's direction, goals and objectives.
5. Determine the implications of the overall enterprise control environment with regard to IT.
6. Articulate principles that will guide the design of governance and decision making for IT.
7. Understand the enterprise's decision-making culture and determine the optimal decision-making model for IT.
8. Determine the appropriate levels of authority delegation, including threshold rules, for IT decisions.

DETAILED ACTIVITIES
The board needs to identify the internal and external factors and trends in the business environment that influence governance decisions. The board should envision the significance of IT and the role it shall play toward achieving business objectives and benefits realization. The board needs to consider the impact of laws and regulations and determine how they apply to the governance of enterprise IT. The board needs to frame ethical standards and consider the impact of business decisions on society, the environment and the interests of stakeholders in relation to business objectives. The board can develop guidelines and principles for governance of IT, and can devise appropriate levels of delegated authority and rules for IT-related decisions.

2. EDM01.02 Direct the governance system.
Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision making.

ACTIVITIES
1. Communicate governance of IT principles and agree with executive management on the way to establish informed and committed leadership.
2. Establish or delegate the establishment of governance structures, processes and practices in line with agreed-on design principles.
3. Allocate responsibility, authority and accountability in line with agreed-on governance design principles, decision-making models and delegation.
4. Ensure that communication and reporting mechanisms provide those responsible for oversight and decision making with appropriate information.
5. Direct that staff follow relevant guidelines for ethical and professional behavior and ensure that consequences of non-compliance are known and enforced.
6. Direct the establishment of a reward system to promote desirable cultural change.

DETAILED ACTIVITIES
The board needs to communicate the governance principles and establish systems that lead to committed leadership. The board needs to ensure that a system is established with governance structures, practices and processes that are in line with an agreed-on governance methodology. The board should allocate responsibility and accountability to management on the basis of agreed-on governance principles. The board needs to direct staff to follow guidelines on ethical and professional behavior and ensure that staff are aware of the consequences of non-compliance. The board can also implement a reward-based system to promote cultural change within the organization.

3. EDM01.03 Monitor the governance system.
Monitor the effectiveness and performance of the enterprise's governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.

ACTIVITIES
1. Assess the effectiveness and performance of those stakeholders given delegated responsibility and authority for governance of enterprise IT.
2. Periodically assess whether agreed-on governance of IT mechanisms (structures, principles, processes, etc.) are established and operating effectively.
3. Assess the effectiveness of the governance design and identify actions to rectify any deviations found.
4. Maintain oversight of the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines.
5. Provide oversight of the effectiveness of, and compliance with, the enterprise's system of control.
6. Monitor regular and routine mechanisms for ensuring that the use of IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines.

DETAILED ACTIVITIES
The board needs to assess the effectiveness and performance of management personnel who have been assigned the task of governance of the enterprise. The board should periodically assess the governance systems, policies and procedures for efficient operation and rectify any deviations found in the governance system. The board should maintain oversight of the extent to which IT is able to satisfy obligations, standards and professional guidelines.

4. EDM03.01 Evaluate risk management.
Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise's risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

ACTIVITIES
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its objectives.
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to the enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise's capacity for IT-related loss and leadership's tolerance of it.

DETAILED ACTIVITIES
The board needs to take an active part in the risk evaluation process of the enterprise, which also includes IT-related risks, and, on assessing those risks, define a risk tolerance threshold for acceptable risk and opportunity levels. The board needs to evaluate the risk factors before making decisions on strategies, to ensure that the impact of risk has been factored in. The board should evaluate risk management activities and regularly define the enterprise's capacity for loss and its tolerance limits.

5. EDM03.02 Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.

ACTIVITIES
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise's strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

DETAILED ACTIVITIES
The board needs to take an active part in promoting a culture where opportunities, risks and their impacts are proactively identified. The board should ensure that the risk strategies for IT and for the enterprise are integrated and do not conflict. The board should direct the development of risk communication plans and action plans for all levels of the enterprise, which shall ensure timely responses to changing risk environments. The board should encourage reporting of incidents by any level of management in a timely manner and direct that incidents be handled according to defined policies and procedures.

6. EDM03.03 Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

ACTIVITIES
1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyze the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders' review of the enterprise's progress toward identified goals.

DETAILED ACTIVITIES
The board needs to monitor the extent to which the risk profile is managed and whether it lies within the thresholds of the risk appetite. The board should ensure that deviations of the processes from the defined targets are analyzed and corrective action is taken.

7. EDM05.01 Evaluate stakeholder reporting requirements.
Continually examine and make judgment on the current and future requirements for stakeholder communication and reporting, including both mandatory reporting requirements (e.g., regulatory) and communication to other stakeholders. Establish the principles for communication.

ACTIVITIES
1. Examine and make a judgment on the current and future mandatory reporting requirements relating to the use of IT within the enterprise (regulation, legislation, common law, contractual), including extent and frequency.
2. Examine and make a judgment on the current and future reporting requirements for other stakeholders relating to the use of IT within the enterprise, including extent and conditions.
3. Maintain principles for communication with external and internal stakeholders, including communication formats and communication channels, and for stakeholder acceptance and sign-off of reporting.

DETAILED ACTIVITIES
The board needs to make a judgment on current and future mandatory reporting requirements relating to the use of IT within the enterprise and maintain principles for communication with stakeholders, including communication formats and channels.

8. EDM05.02 Direct stakeholder communication and reporting.
Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.

ACTIVITIES
1. Direct the establishment of the communication strategy for external and internal stakeholders.
2. Direct the implementation of mechanisms to ensure that information meets all criteria for mandatory IT reporting requirements for the enterprise.
3. Establish mechanisms for validation and approval of mandatory reporting.
4. Establish reporting escalation mechanisms.

DETAILED ACTIVITIES
The board needs to establish a communication strategy for internal and external stakeholders and direct the implementation of mechanisms to ensure that the information meets all criteria for the reporting requirements of the enterprise. The board needs to establish mechanisms for validation and approval of reporting, and escalation mechanisms.

9. EDM05.03 Monitor stakeholder communication.
Monitor the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met.

ACTIVITIES
1. Periodically assess the effectiveness of the mechanisms for ensuring the accuracy and reliability of mandatory reporting.
2. Periodically assess the effectiveness of the mechanisms for, and outcomes from, communication with external and internal stakeholders.
3. Determine whether the requirements of different stakeholders are met.

DETAILED ACTIVITIES
The board needs to assess the effectiveness of the mandatory reporting mechanisms, determine whether there are deviations from the predefined requirements of the stakeholders, and take corrective action to remediate any deviations.

MEA01.05, MEA02.03, MEA02.08, MEA03.03 and MEA03.04 are the other management practices that have been identified for the board as well as for auditors. They are explained in the stakeholder 3 section that follows.
STAKEHOLDER 2 - MANAGEMENT

Chief Executive Officer (CEO)
The CEO is the top executive responsible for a firm's overall operations and performance. He or she is the leader of the firm, serves as the main link between the board of directors and the firm's various parts or levels, and is held solely responsible for the firm's success or failure. One of the major duties of a CEO is to maintain and implement corporate policy, as established by the board. Also called president or managing director (MD), he or she may also be the chairperson of the board.

Responsibilities of the CEO
The responsibilities of an organization's CEO or MD are set by the organization's board of directors or other authority, depending on the organization's legal structure. The responsibilities can be far-reaching or quite limited and are typically enshrined in a formal delegation of authority. Typically, the CEO/MD has responsibilities as a director, decision maker, leader, manager and executor. The communicator role can involve the press and the rest of the outside world, as well as the organization's management and employees; the decision-making role involves high-level decisions about policy and strategy. As a leader of the company, the CEO/MD advises the board of directors, motivates employees and drives change within the organization. As a manager, the CEO/MD presides over the organization's day-to-day operations.

Chief Financial Officer (CFO)
The CFO is the senior manager responsible for overseeing the financial activities of an entire company. The CFO's duties include financial planning and monitoring cash flow. He or she analyzes the company's financial strengths and weaknesses and suggests plans for improvement. The CFO is similar to a treasurer or controller in that he or she is responsible for overseeing the accounting and finance departments and for ensuring that the company's financial reports are accurate and completed on time.

The role of the CFO includes:
• Credit control
• Preparing budgets and financial statements
• Coordinating financing and fundraising
• Monitoring expenditure and liquidity
• Managing investment and taxation issues
• Reporting financial performance to the board
• Providing timely financial data to the CEO, etc.

Chief Information Officer (CIO)
The CIO is a company executive who is responsible for the management, implementation and usability of information and computer technologies. The CIO will analyze how these technologies can benefit the company or improve an existing business process and will then integrate a system to realize that benefit or improvement. In other words, the CIO is responsible for the development, implementation and operation of a firm's information technology policy. He or she oversees all information systems infrastructure within the organization and is responsible for establishing information-related standards to facilitate management control over all corporate resources.

Roles of the CIO include:
• Develop and maintain an appropriate IT organizational structure that supports the needs of the business.
• Establish IT departmental goals, objectives and operating procedures.
• Identify opportunities for the appropriate and cost-effective investment of financial resources in IT systems and resources, including staffing, sourcing, purchasing and in-house development.
• Assess and communicate risks associated with IT investments.
• Develop, track and control the information technology annual operating and capital budgets.
• Develop business case justifications and cost-benefit analyses for IT spending and initiatives.
• Direct development and execution of an enterprisewide disaster recovery and business continuity plan.
• Assess and make recommendations on the improvement or re-engineering of the IT organization.

Chief Risk Officer (CRO)
The chief risk officer (CRO), or chief risk management officer (CRMO), of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. He or she is responsible for identifying, analyzing and mitigating internal and external events that could threaten a company. The CRO works to ensure that the company is compliant with government regulations and reviews factors that could negatively affect investments or a company's business units. The position of CRO is constantly evolving. As new technologies are adopted by a company, the CRO must govern information security, protect against fraud and guard intellectual property. By developing internal controls and overseeing internal audits, threats from within a company can be identified before they result in regulatory issues.

Chief Information Security Officer (CISO)
The CISO is a senior-level executive responsible for aligning security initiatives with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected. The CISO's responsibilities have shifted over the years from general security to identifying, developing, implementing and maintaining security-related processes that reduce the organization's operational risks.

Duties and responsibilities may include:
• Establish and implement security-related policies.
• Oversee regulatory compliance.
• Ensure data privacy.
• Manage the company's Computer Security Incident Response Team.
• Supervise identity and access management.
• Establish and oversee the organization's security architecture.
• Conduct electronic discovery and digital forensic investigations.
• Work with other high-level executives to establish disaster recovery and business continuity plans.

Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use the enablers and management practices to satisfy their needs and goals. It can be tailored and used, at the discretion of management, toward achieving their goals and objectives. The image below depicts that, out of the 37 processes, the stakeholder (the management) can adapt relevant processes (border shaded in black) and their underlying management practices, which assist in achieving the goals of the enterprise.

RACI CHART
A responsibility assignment matrix, also known as a RACI chart, ARCI matrix or linear responsibility chart, describes the participation by various roles in completing tasks or deliverables for a project or business process. The following RACI chart explains the different roles of the members of management in contributing to effective corporate IT governance. The processes explained in this chapter would have to be executed keeping in mind the perspective of the roles in the following RACI chart.
Management Practice | Chief Executive Officer | Chief Financial Officer | Chief Information Security Officer | Chief Risk Officer | Chief Information Officer
(R/A/C/I entries are listed in that column order as given; for rows with fewer than five entries, the positions of the blank cells are not shown.)

EDM04.01 Evaluate resource management: R C C C R
EDM04.02 Direct resource management: R C I I R
EDM04.03 Monitor resource management: R C C C R
APO01.01 Define the organizational structure: C C A
APO01.02 Establish roles and responsibilities: A
APO01.03 Maintain the enablers of the management system: A C C C R
APO01.04 Communicate management objectives and direction: A R R R R
APO01.05 Optimize the placement of the IT function: C C R
APO01.06 Define information (data) and system ownership: I I C
APO01.07 Manage continual improvement of processes: R
APO01.08 Maintain compliance with policies and procedures: A R
APO02.01 Understand enterprise direction: C C C C R
APO02.02 Assess the current environment, capabilities and performance: C C C A
APO02.03 Define the target IT capabilities: A C C R
APO02.04 Conduct a gap analysis: C A
APO02.05 Define the strategic plan and road map: C I C C A
APO02.06 Communicate the IT strategy and direction: R I I I R
APO03.01 Develop the enterprise architecture vision: A C C R
APO03.02 Define reference architecture: C C C R
APO03.03 Select opportunities and solutions: A C C R
APO03.04 Define architecture implementation: A C C R
APO03.05 Provide enterprise architecture services: A C C R
APO12.01 Collect data: I R R A
APO12.02 Analyze risk: I C R A
APO12.03 Maintain a risk profile: I C A R
APO12.04 Articulate risk: I C R A
APO12.05 Define a risk management action portfolio: I C A R
APO12.06 Respond to risk: I R R A
APO13.01 Establish and maintain an ISMS: C A C R
APO13.02 Define and manage an information security risk treatment plan: C A C R
APO13.03 Monitor and review the ISMS: A R
DSS01.02 Manage outsourced IT services: I A
DSS01.03 Monitor IT infrastructure: I I
DSS01.04 Manage the environment: A C C
DSS01.05 Manage facilities: A C C
DSS06.01 Align control activities embedded in business processes with enterprise objectives: C C I I C
DSS06.02 Control the processing of information: R R I I C
DSS06.03 Manage roles, responsibilities, access privileges and levels of authority: R I C
DSS06.04 Manage errors and exceptions: I
DSS06.05 Ensure traceability of information events and accountabilities: I C
DSS06.06 Secure information assets: C I I C
MEA01.01 Establish a monitoring approach: A R R
MEA01.02 Set performance and conformance targets: I I C
MEA01.03 Collect and process performance and conformance data: A
MEA01.04 Analyze and report performance: C
MEA01.05 Ensure the implementation of corrective actions: I I A
Management Practice | Chief Executive Officer | Chief Financial Officer | Chief Information Security Officer | Chief Risk Officer | Chief Information Officer

MEA02.01 Monitor internal controls: I C R A
MEA02.02 Review business process controls effectiveness: I R I I C
MEA02.03 Perform control self-assessments: I C R A
MEA02.04 Identify and report control deficiencies: I C I I A
MEA02.05 Ensure that assurance providers are independent and qualified: R
MEA02.06 Plan assurance initiatives: A R
MEA02.07 Scope assurance initiatives: R
MEA02.08 Execute assurance initiatives: I I I R
MEA03.01 Identify external compliance requirements: R
MEA03.02 Optimize response to external requirements: R R R
MEA03.03 Confirm external compliance: R R R
MEA03.04 Obtain assurance of external compliance: I I R

1. EDM04.01 Evaluate resource management.
Continually examine and make judgment on the current and future need for IT-related resources, options for resourcing (including sourcing strategies), and allocation and management principles to meet the needs of the enterprise in the optimal manner.

ACTIVITIES
1. Examine and make judgment on the current and future strategy, options for providing IT resources, and developing capabilities to meet current needs and future needs (including sourcing options).
2. Define the principles for guiding the allocation and management of resources and capabilities so that IT can meet the needs of the enterprise, with the required capability and capacity according to the agreed-on priorities and budgetary constraints.
3. Review and approve the resource plan and enterprise architecture strategies for delivering value and mitigating risk with the allocated resources.
4. Understand requirements for aligning resource management with enterprise financial and human resources (HR) planning.
5. Define principles for the management and control of the enterprise architecture.

DETAILED ACTIVITIES
Management is the link toward accomplishment of stakeholder expectations and their fulfillment. Management should examine and make a judgment on the current and future strategies for providing resources and developing capabilities to meet the present and future needs of the organization. Management should define the principles for guidance, allocation and management of resources according to agreed-on priorities, keeping in mind the budgetary constraints so that a balance is maintained between the constraints and the budgets. Management should align resource management with the finance and human resources (HR) departments. Management should set the principles for managing and controlling the enterprise.

2. EDM04.02 Direct resource management.
Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.

ACTIVITIES
1. Communicate and drive the adoption of the resource management strategies, principles, and agreed-on resource plan and enterprise architecture strategies.
2. Assign responsibilities for executing resource management.
3. Define key goals, measures and metrics for resource management.
4. Establish principles related to safeguarding resources.
5. Align resource management with enterprise financial and HR planning.

DETAILED ACTIVITIES
Management needs to ensure optimization of the resources and adherence to the agreed-on principles, plans and strategies. Responsibilities need to be assigned for the execution of resource management and its alignment with the HR and finance departments.

3. EDM04.03 Monitor resource management.
Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

ACTIVITIES
1. Monitor the allocation and optimization of resources in accordance with enterprise objectives and priorities using agreed-on goals and metrics.
2. Monitor IT sourcing strategies, enterprise architecture strategies, IT resources and capabilities to ensure that current and future needs of the enterprise can be met.
3. Monitor resource performance against targets, analyze the cause of deviations, and initiate remedial action to address the underlying causes.

DETAILED ACTIVITIES
Management, after defining and directing the resources, needs to ensure that resources are monitored in accordance with the priorities and goals of the enterprise. This also includes monitoring the sourcing strategies and architecture strategies for the present and future needs of the enterprise.
4. APO01.01 Define the organizational structure.
Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.

ACTIVITIES
1. Define the scope, internal and external functions, internal and external roles, and capabilities and decision rights required, including those IT activities performed by third parties.
2. Identify decisions required for the achievement of enterprise outcomes and the IT strategy, and for the management and execution of IT services.
3. Establish the involvement of stakeholders who are critical to decision making (accountable, responsible, consulted or informed).
4. Align the IT-related organization with enterprise architecture organizational models.
5. Define the focus, roles and responsibilities of each function within the IT-related organizational structure.
6. Define the management structures and relationships to support the functions and roles of management and execution, in alignment with the governance direction set.
7. Establish an IT strategy committee (or equivalent) at the board level. This committee should ensure that governance of IT, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.
8. Establish an IT steering committee (or equivalent) composed of executive, business and IT management to determine prioritization of IT-enabled investment programs in line with the enterprise's business strategy and priorities; track status of projects and resolve resource conflicts; and monitor service levels and service improvements.
9. Provide guidelines for each management structure (including mandate, objectives, meeting attendees, timing, tracking, supervision and oversight) as well as required inputs for and expected outcomes of meetings.
10. Define ground rules for communication by identifying communication needs, and implementing plans based on those needs, considering top-down, bottom-up and horizontal communication.
11. Regularly verify the adequacy and effectiveness of the organizational structure.

DETAILED ACTIVITIES
Management needs to play a pivotal role in defining the scope, functions, roles and capabilities of the organization and in identifying the decisions required for achievement of the expected outcomes. Management needs to ensure that stakeholders are engaged in critical decision making regarding the enterprise. Management needs to ensure the alignment of the IT framework with the architecture of the organization and accordingly define the roles and responsibilities of each function within the organization. Management can create an IT strategy committee at the board level; the committee should ensure that governance of IT is addressed, advise on strategic decisions and review major investments on behalf of the board. Management should also establish an IT steering committee, composed of executives from business and IT management, to determine the priority of IT investment programs in line with the enterprise business strategies, track the status of projects and resolve conflicts. Management needs to provide guidelines for each level of management, and the expected outcomes need to be communicated and kept up to date.

5. APO01.02 Establish roles and responsibilities.
Establish, agree on and communicate roles and responsibilities of IT personnel, as well as other stakeholders with responsibilities for enterprise IT, that clearly reflect overall business needs and IT objectives and relevant personnel's authority, responsibilities and accountability.

ACTIVITIES
1. Establish, agree on and communicate IT-related roles and responsibilities for all personnel in the enterprise, in alignment with business needs and objectives. Clearly delineate responsibilities and accountabilities, especially for decision-making and approvals.
2. Consider requirements from enterprise and IT service continuity when defining roles, including staff back-up and cross-training requirements.
3. Provide input to the IT service continuity process by maintaining up-to-date contact information and role descriptions in the enterprise.
4. Include in role and responsibility descriptions adherence to management policies and procedures, the code of ethics, and professional practices.
5. Implement adequate supervisory practices to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review performance. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.
6. Ensure that accountability is defined through roles and responsibilities.
7. Structure roles and responsibilities to reduce the possibility for a single role to compromise a critical process.
DETAILED ACTIVITIES
Management needs to establish, agree on and communicate the roles and responsibilities for all personnel in the enterprise and also consider the requirements of the enterprise while defining roles, including backup plans for staff and cross-training. Management needs to provide input to the IT service continuity process by maintaining up-to-date contact information for all roles within the enterprise. The code of ethics and professional practices should form part of the responsibilities of organizational personnel. Management needs to ensure that supervisory practices guarantee the proper exercise of roles and that the concerned authority has sufficient authority to execute its responsibilities. The level of supervision should be aligned with the sensitivity of the position. There needs to be accountability for all the roles and responsibilities defined for the organization. Roles should be structured so that there is no conflict between roles and no single role can compromise a critical process.

6. APO01.03 Maintain the enablers of the management system.
Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are integrated and aligned with the enterprise's governance and management philosophy and operating style. These enablers include the clear communication of expectations/requirements. The management system should encourage cross-divisional co-operation and teamwork, promote compliance and continuous improvement, and handle process deviations (including failure).

ACTIVITIES
1. Obtain an understanding of the enterprise vision, direction and strategy.
2. Consider the enterprise's internal environment, including management culture and philosophy, risk tolerance, security, ethical values, code of conduct, accountability, and requirements for management integrity.
3. Derive and integrate IT principles with business principles.
4. Align the IT control environment with the overall IT policy environment, IT governance and IT process frameworks, and existing enterprise-level risk and control frameworks. Assess industry-specific good practices or requirements (e.g., industry-specific regulations) and integrate them where appropriate.
5. Align with any applicable national and international governance and management standards and codes of practice, and evaluate available good practices such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework and the COSO Enterprise Risk Management—Integrated Framework.
6. Create a set of policies to drive the IT control expectations on relevant key topics such as quality, security, confidentiality, internal controls, usage of IT assets, ethics and intellectual property rights.
7. Evaluate and update the policies at least yearly to accommodate changing operating or business environments.
8. Roll out and enforce IT policies to all relevant staff, so they are built into, and are an integral part of, enterprise operations.
9. Ensure that procedures are in place to track compliance with policies and define the consequences of non-compliance.

DETAILED ACTIVITIES
Management needs to gain an understanding of the stakeholders' vision for the direction, strategies and operations of the enterprise. Management needs to consider internal factors like culture and philosophy, risk tolerance, ethical values, and codes of conduct to develop enablers of the system. Management needs to ensure alignment of principles, governance, processes and frameworks between IT and the enterprise as a whole. Industry-specific goals and practices should be incorporated into the system. Management can align with the principles and practices set by international governance and management standards and the codes of practice from the COSO model and any other framework. Management needs to create a set of policies that drive IT control and expectations on quality, security, confidentiality, internal controls, usage of IT assets and intellectual property rights. Management should evaluate and update policies on a yearly basis to accommodate changing business environments. On developing policies and frameworks, management needs to ensure that they are adhered to and that there is a tracking mechanism to check for non-compliance with policies.

7. APO01.04 Communicate management objectives and direction.
Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise.

ACTIVITIES
1. Continuously communicate IT objectives and direction. Ensure that executive management in action and words, using all available channels, supports communications.
2. Ensure that the information communicated encompasses a clearly articulated mission, service objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, roles and responsibilities, etc. Communicate the information at the appropriate level of detail for the respective audiences within the enterprise.
3. Provide sufficient and skilled resources to support the communication process.

DETAILED ACTIVITIES
Management ensures that it communicates the objectives and direction, supported by executive management, with a clearly defined mission, objectives, security, internal controls, quality, code of ethics/conduct, roles and responsibilities, etc., and provides resources to support the communication process.

8. APO01.05 Optimize the placement of the IT function.
Position the IT capability in the overall organizational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.

ACTIVITIES
1. Understand the context for the placement of the IT function, including an assessment of the enterprise strategy and operating model (centralized, federated, decentralized, hybrid), importance of IT, and sourcing situation and options.
2. Identify, evaluate and prioritize options for organizational placement, sourcing and operating models.
3. Define placement of the IT function and obtain agreement.

DETAILED ACTIVITIES
Management should assess the enterprise strategy and operating model to ensure that the functions are optimized.

9. APO01.06 Define information (data) and system ownership.
Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification.

ACTIVITIES
1. Provide policies and guidelines to ensure appropriate and consistent enterprise-wide classification of information (data).
2. Define, maintain and provide appropriate tools, techniques and guidelines to provide effective security and controls over information and information systems in collaboration with the owner.
3. Create and maintain an inventory of information (systems and data) that includes a listing of owners, custodians and classifications. Include systems that are outsourced and those for which ownership should stay within the enterprise.
4. Define and implement procedures to ensure the integrity and consistency of all information stored in electronic form such as databases, data warehouses and data archives.

DETAILED ACTIVITIES
Management should provide policies and guidelines for appropriate classification of data throughout the enterprise by defining and maintaining appropriate tools, techniques and guidelines that ensure effective security and controls over information and information systems. Management should create an inventory of information that includes lists of owners, custodians and classifications. Further, there should be integrity and consistency for all information stored in data warehouses and data archives.

10. APO01.07 Manage continual improvement of processes.
Assess, plan and execute the continual improvement of processes and their maturity to ensure that they are capable of delivering against enterprise, governance, management and control objectives. Consider COBIT process implementation guidance, emerging standards, compliance requirements, automation opportunities, and the feedback of process users, the process team and other stakeholders. Update the process and consider impacts on process enablers.

ACTIVITIES
1. Identify business-critical processes based on performance and conformance drivers and related risk. Assess process capability and identify improvement targets. Analyze gaps in process capability and control. Identify options for improvement and redesign of the process. Prioritize initiatives for process improvement based on potential benefits and costs.
2. Implement agreed-on improvements; operate as normal business practice, and set performance goals and metrics to enable monitoring of process improvements.
3. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardization and automation of the process).
4. Retire outdated processes, process components or enablers.

DETAILED ACTIVITIES
Management should identify business-critical processes based on performance drivers and related risks. There should be an assessment of process capability and control, and options identified for improvement and redesign of processes when needed. The improvements should be implemented, and performance goals and metrics should be defined to monitor the processes.
Management should take action to retire outdated processes, components and enablers.

11. APO01.08 Maintain compliance with policies and procedures.
Put in place procedures to maintain compliance with and performance measurement of policies and other enablers of the control framework, and enforce the consequences of non-compliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework.

ACTIVITIES
1. Track compliance with policies and procedures.
2. Analyze non-compliance and take appropriate action (this could include changing requirements).
3. Integrate performance and compliance into individual staff members' performance objectives.
4. Regularly assess the performance of the framework's enablers and take appropriate action.

DETAILED ACTIVITIES
Management must ensure compliance with policies and procedures within the organization and take appropriate action when required.

12. APO02.01 Understand enterprise direction.
Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).

ACTIVITIES
1. Develop and maintain an understanding of enterprise strategy and objectives, as well as the current enterprise operational environment and challenges.
2. Develop and maintain an understanding of the external environment of the enterprise.
3. Identify key stakeholders and obtain insight on their requirements.
4. Identify and analyze sources of change in the enterprise and external environments.
5. Ascertain priorities for strategic change.
6. Understand the current enterprise architecture and work with the enterprise architecture process to determine any potential architectural gaps.

DETAILED ACTIVITIES
Management needs to develop and maintain the strategies and objectives of the enterprise, covering not only the current but also the future objectives. Management also needs to obtain insight into the requirements of the stakeholders. Management needs to analyze sources of change in the enterprise and external environment. Management should review the current enterprise architecture and identify gaps within the present structure.

13. APO02.02 Assess the current environment, capabilities and performance.
Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services.

ACTIVITIES
1. Develop a baseline of the current business and IT environment, capabilities and services against which future requirements can be compared. Include the relevant high-level detail of the current enterprise architecture (business, information, data, applications and technology domains), business processes, IT processes and procedures, the IT organization structure, external service provision, governance of IT, and enterprise-wide IT-related skills and competencies.
2. Identify risk from current, potential and declining technologies.
3. Identify gaps between current business and IT capabilities and services and reference standards and good practices, competitor business and IT capabilities, and comparative benchmarks of good practice and emerging IT service provision.
4. Identify issues, strengths, opportunities and threats in the current environment, capabilities and services to understand current performance. Identify areas for improvement in terms of IT's contribution to enterprise objectives.

DETAILED ACTIVITIES
Management should develop a baseline of the current business and IT environment against which future requirements can be compared. It should contain high-level details of the present business processes, IT processes and procedures. Risk from current technologies should be identified, and gaps between current business and IT capabilities and services and reference standards and good practices should be identified. Management should identify the strengths, opportunities and threats in the current environment, capabilities and services to understand current performance and identify areas for improvement.

14. APO02.03 Define the target IT capabilities.
Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, good practices and validated emerging technologies or innovation proposals.

ACTIVITIES
1. Consider validated emerging technology or innovation ideas.
2. Identify threats from declining, current and newly acquired technologies.
3. Define high-level IT objectives/goals and how they will contribute to the enterprise's business objectives.
4. Define required and desired business process and IT capabilities and IT services and describe the high-level changes in the enterprise architecture (business, information, data, applications and technology domains), business and IT processes and procedures, the IT organization structure, IT service providers, governance of IT, and IT skills and competencies.
5. Align and agree with the enterprise architect on proposed enterprise architecture changes.
6. Demonstrate traceability to the enterprise strategy and requirements.

DETAILED ACTIVITIES
Management needs to consider emerging technologies and innovative ideas. Further, management should ascertain the present threats from declining, current and newly acquired technologies.
Management needs to define the desired business process and IT capabilities and services in the current enterprise architecture and align them with the proposed architecture. 15. APO02.04 Conduct a gap analysis. Identify the gaps between the current and target environments and consider the alignment of assets (the capabilities that support services) with business outcomes to optimize investment in and utilization of the internal and external asset base. Consider the critical success factors to support strategy execution. ACTIVITIES DETAILED ACTIVITIES 1. Identify all gaps and changes required to realize the target environment. 2. Consider the high-level implications of all gaps. Management needs to identify the gaps and changes required to reach the target environment. To achieve the target environment, the high-level implication
  • 61. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 60 Consider the value of potential changes to business and IT capabilities, IT services and enterprise architecture, and the implications if no changes are realized. 3. Assess the impact of potential changes on the business and IT operating models, IT research and development capabilities, and IT investment programs. 4. Refine the target environment definition and prepare a value statement with the benefits of the target environment. of gaps needs to be considered as well as their potential changes to business and architecture. Management needs to assess the impact of potential changes on business, IT operational models, IT research and development capabilities and the IT investment program. 16. APO02.05 Define the strategic plan and road map Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise’s strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map. ACTIVITIES DETAILED ACTIVITIES 1. Define the initiatives required to close gaps and migrate from the current to the target environment, including investment/operational budget, funding sources, sourcing strategy and acquisition strategy. 2. Identify and adequately address risk, costs and implications of organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, insourcing and outsourcing opportunities, etc., in the planning process. 3. Determine dependencies, overlaps, synergies and impacts amongst initiatives, and prioritize the initiatives. 4. 
Identify resource requirements, schedule and investment/operational budgets for each of the initiatives. 5. Create a road map indicating the relative scheduling and interdependencies of the initiatives. 6. Translate the objectives into outcome measures represented by metrics (what) and targets (how much) that can be related to enterprise benefits. Management needs to define the initiatives required to close the gaps and migrate to the target environment, which includes the investment budgets, sourcing strategy and acquisition strategy. Management needs to identify and address risks, costs and implication of organizational changes, technology evolution, business process re-engineering, staffing, etc. during the planning process. Management needs to determine the dependencies, overlaps, synergies and impact among initiatives and prioritize them. Further, management should identify the resource requirements, schedule and investment budgets for each initiative. Management should create a road map, which indicates the scheduling and interdependencies of the initiatives and then translate the objectives into outcome measures that can be related to enterprise benefits.
  • 62. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 61 17. APO02.06 Communicate the IT strategy and direction. Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise. ACTIVITIES DETAILED ACTIVITIES 1. Develop and maintain a network for endorsing, supporting and driving the IT strategy. 2. Develop a communication plan covering the required messages, target audiences, communication mechanisms/channels and schedules. 3. Obtain feedback and update the communication plan and delivery as required. Management needs to develop and maintain a network for endorsing and supporting IT strategy. Management needs to develop a communication plan covering the required messages, target audiences and channels. 18. APO03.01 Develop the enterprise architecture vision. The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. ACTIVITIES DETAILED ACTIVITIES 1. Identify the key stakeholders and their concerns/objectives, and define the key enterprise requirements to be addressed as well as the architecture views to be developed to satisfy the various stakeholder requirements. 2. Identify the enterprise goals and strategic drivers of the enterprise and define the constraints that must be dealt with, including enterprise wide constraints and project-specific constraints (time, schedule, resources, etc.). 3. Align architecture objectives with strategic program priorities. 4. 
Understand the capabilities and desires of the business, then identify options to realize those capabilities. 5. Assess the enterprise’s readiness for change. 6. Define what is inside and what is outside the scope of the baseline architecture and target architecture efforts, understanding that the baseline and target need not be described at the same level of detail. 7. Confirm and elaborate architecture principles, including enterprise principles. Ensure that any Management needs to identify stakeholder objectives and define the key enterprise requirements, along with architecture views, which need to be addressed and developed to satisfy stakeholder requirements. Management shall identify the goals and strategic drivers of the enterprise and define the constraints that must be dealt with, which includes project-specific constraints. Management needs to understand the capabilities and desires of the business and then identify the options to realize them. Management needs to factor in the enterprises’ readiness to change. Management needs to define what is within and outside of the scope of baseline architecture and target architecture efforts. Management should elaborate on the existing definitions and
  • 63. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 62 existing definitions are current and clarify any areas of ambiguity. 8. Understand the current enterprise strategic goals and objectives and work with the strategic planning process to ensure that IT-related enterprise architecture opportunities are leveraged in the development of the strategic plan. 9. Based on stakeholder concerns, business capability requirements, scope, constraints and principles, create the architecture vision a high-level view of the baseline and target architectures. 10. Define the target architecture value propositions, goals and metrics. 11. Identify the enterprise change risk associated with the architecture vision, assess the initial level of risk (e.g., critical, marginal or negligible) and develop a mitigation strategy for each significant risk. 12. Develop an enterprise architecture concept business case, outline plans and statement of architecture work, and secure approval to initiate a project aligned and integrated with the enterprise strategy. clarify the areas of ambiguity. Based on the enterprise goals, Management needs to work on strategic planning processes to ensure that the IT-related architecture opportunities are leveraged in the development of the plans. Based on the concerns, the business capability requirements, scope, constraints and principles, management can create a high-level vision of the baseline and target architectures. Management should develop a business case, outline plans and statement of architecture work and secure approval to initiate a project aligned and integrated with the enterprise strategy. 19. APO03.02 Define reference architecture. The reference architecture describes the current and target architectures for the business, information, data, application and technology domains. ACTIVITIES DETAILED ACTIVITIES 1. 
Maintain an architecture repository containing standards, reusable components, Modelling artifacts, relationships, dependencies and views to enable uniformity of architectural organization and maintenance. 2. Select reference viewpoints from the architecture repository that will enable the architect to demonstrate how stakeholder concerns are being addressed in the architecture. 3. For each viewpoint, select the models needed to support the specific view required, using selected tools or methods and the appropriate level of decomposition. 4. Develop baseline architectural domain descriptions, using the scope and level of detail necessary to support the target architecture and, to the extent possible, identifying relevant architecture building blocks from the architecture repository. 5. Maintain a process architecture model as part of the baseline and target domain descriptions. Standardize the descriptions and documentation of processes. Define the roles and responsibilities of Management needs to maintain a repository containing the standards, reusable components, modeling artifacts and relationships, dependencies, and views to enable uniformity within the architectural organization. There should be a selection of reference viewpoints from the repository that will enable demonstration of how stakeholder concerns are being addressed within the architecture. For each viewpoint, management should select the model needed to support the specific view that is required using selected tools or methods and an appropriate level of decomposition. Management should develop baseline architecture domain descriptions using scope and level of details necessary to support target architecture and identify relevant architecture building blocks from the repository. A process architecture model should be maintained as a part of baseline and target domain descriptions. Standardize the descriptions and document processes. 
The roles and responsibilities of the process decision makers, process
  • 64. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 63 the process decision makers, process owner, process users, process team and any other process stakeholders who should be involved. 6. Maintain an information architecture model as part of the baseline and target domain descriptions, consistent with the enterprise’s strategy to enable optimal use of information for decision-making. Maintain an enterprise data dictionary that promotes a common understanding and a classification scheme that includes details about data ownership, definition of appropriate security levels, and data retention and destruction requirements. 7. Verify the architecture models for internal consistency and accuracy and perform a gap analysis between the baseline and target. Prioritize gaps and define new or modified components that must be developed for the target architecture. Resolve potential impacts such as incompatibilities, inconsistencies or conflicts within the envisioned architecture. 8. Conduct a formal stakeholder review by checking the proposed architecture against the original motivation for the architecture project and the statement of architecture work. 9. Finalize business, information, data, applications and technology domain architectures, and create an architecture definition document. owners and team and other process should be defined. An information architecture model should be maintained as a part of baseline and target domain descriptions, consistent with enterprise strategy to enable optimal use of information for decision making. A data dictionary should be maintained that promotes a common understanding and classification scheme that includes details about data ownership and definition of appropriate security levels. 20. APO03.03 Select opportunities and solutions. Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. 
Integrate the project with any related IT-enabled investment program to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints. ACTIVITIES DETAILED ACTIVITIES 1. Determine and confirm key enterprise change attributes, including the enterprise’s culture and how this will impact enterprise architecture implementation, as well as the enterprise’s transition capabilities. 2. Identify any enterprise drivers that would constrain the sequence of implementation, including a review of the enterprise and line of business strategic and business plans, and consideration of the current enterprise architecture maturity. 3. Review and consolidate the gap analysis results between the baseline and target architectures and Management needs to determine and confirm key enterprise change attributes, including the enterprise’s culture and how it will influence architecture implementation, as well as transition capabilities. Management needs to identify drivers that constrain the sequence of implementation, which includes a review of the enterprise and line of business strategic and plans, and architecture maturity should be considered. Management needs to review and consolidate the gaps identified between the baseline and target architectures and assess the implication for potential solutions and alignment
  • 65. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 64 assess their implications with respect to potential solutions/opportunities, interdependencies and alignment with current IT-enabled programs. 4. Assess the requirements, gaps, solutions and factors to identify a minimal set of functional requirements whose integration into work packages would lead to a more efficient and effective implementation of the target architecture. 5. Reconcile the consolidated requirements with potential solutions. 6. Refine the initial dependencies, ensuring that any constraints on the implementation and migration plans are identified, and consolidate them into a dependency analysis report. 7. Confirm the enterprise’s readiness for, and the risk associated with, enterprise transformation. 8. Formulate a high-level implementation and migration strategy that will guide the target architecture implementation and structure the transition architectures in alignment with enterprise strategic objectives and time scales. 9. Identify and group major work packages into a coherent set of programs and projects, respecting the enterprise strategic implementation direction and approach. 10. Develop a series of transition architectures as necessary where the scope of change required to realize the target architecture requires an incremental approach. with IT-enabled programs. There needs to be an assessment of the requirements, gaps, solutions and factors to identify a minimal set of functional requirements whose integration would lead to efficient and effective implementation of target architecture. Management should refine the dependencies ensuring that the constraints on implementation and migration plans are identified and consolidated into a dependency report. Management needs to confirm the readiness and risk association with enterprise transformation. 
Management needs to formulate a high-level implementation and migration strategy that will guide the target architecture implementation and structure transitions in alignment with objectives and time scales. Major work packages should be identified and grouped into a set of programs and projects. Management should develop a series of transition architecture, as necessary and where the change is required, to realize the target architecture. 21. APO03.04 Define architecture implementation. Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. ACTIVITIES DETAILED ACTIVITIES 1. Establish what the implementation and migration plan should include as part of program and project planning and ensure that it is aligned with the requirements of applicable decision makers. 2. Confirm transition architecture increments and phases and update the architecture definition document. 3. Define architecture implementation governance requirements. Management needs to establish what implementation and migration plan shall be included as a part of the program and ensure its alignment with requirements of the stakeholders. Management needs to confirm transition architecture increments and phases, update the definition document, and define architecture governance requirements. 22. APO03.05 Provide enterprise architecture services. The provision of enterprise architecture services within the enterprise includes guidance to and monitoring of
  • 66. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 65 implementation projects, formalizing ways of working through architecture contracts, and measuring and communicating architecture’s value-add and compliance monitoring. ACTIVITIES DETAILED ACTIVITIES 1. Confirm scope and priorities and provide guidance for solution development and deployment. 2. Manage the portfolio of enterprise architecture services to ensure alignment with strategic objectives and solution development. 3. Manage enterprise architecture requirements and support with architectural principles, models and building blocks. 4. Identify and align enterprise architecture priorities to value drivers. Define and collect value metrics and measure and communicate enterprise architecture value. 5. Establish a technology forum to provide architectural guidelines, advice on projects and guidance on the selection of technology. Measure compliance with these standards and guidelines, including compliance with external requirements and their business relevance. Management needs to confirm scope, priority and guidance for solution development and deployment. A portfolio of enterprise architecture services needs to be managed to ensure alignment with strategic objectives and solution development. The architecture requirements need to be managed to support principles, models and building blocks. Management needs to identify and align enterprise priorities to value drivers. Management needs to establish a technology form to provide architectural guidelines and advice on projects and guidance on the selection of technology. 23. APO12.01 Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting. ACTIVITIES DETAILED ACTIVITIES 1. 
Establish and maintain a method for the collection, classification and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk and multiple risk factors. 2. Record relevant data on the enterprise’s internal and external operating environment that could play a significant role in the management of IT risk. 3. Survey and analyze the historical IT risk data and loss experience from externally available data and trends, industry peers through industry-based event logs, databases, and industry agreements for common event disclosure. 4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT program and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations. 5. For similar classes of events, organize the collected Management needs to establish and maintain a method for collection, classification and analysis of risk-related data, which accommodates multiple events, categories of risk and risk factors. Management can record relevant data on an enterprise’s internal and external operating environment that would play a significant role in the management of risk. There can be a survey and analysis of historical risk data and loss experience from externally available trends, industry peers through event logs, databases and agreements for common event disclosures. The risk events that have caused or potentially cause impact to IT value benefits, programs and project delivery should be captured. In addition, data from incidents, problems and investigation can be recorded. Management needs to determine the specific conditions that
  • 67. Guidance to Validate Internal Control Assertions in Indian Financial Reporting 66 data and highlight contributing factors. Determine common contributing factors across multiple events. 6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude. 7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external risk factors. existed or were absent when risk events occurred and the way they affect event frequency and loss magnitude. Management should perform periodic event and risk factor analysis to identify new/emerging risk issues and gain an understanding of associated risk factors. 24. APO12.02 Analyze risk. Develop useful information to support risk decisions that take into account the business relevance of risk factors. ACTIVITIES DETAILED ACTIVITIES 1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis. 2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures. 3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls and estimate residual risk levels. 4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response. 5. Analyze cost-benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Propose the optimal risk response. 6. 
Specify high-level requirements for projects or programs that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses. 7. Validate the risk analysis results before using them in decision-making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinized for bias. Management needs to define the appropriate breadth and depth of risk and criticality of assets. Set the risk scope after performing a cost-benefit analysis. Management needs to build and regularly update the risk scenarios, including compound scenarios of cascading/coincidental threat types and development expectations for specific control activities, capabilities to detect and other response measures. Management needs to estimate the frequency and magnitude of loss or gain associated with risk scenarios. Applicable risk factors need to be taken into account, and evaluate operational controls and estimate residual risk levels. There needs to be a comparison of residual risk to acceptable risk tolerance and risk exposures should be identified, which will require responses. Management needs to conduct a cost-benefit analysis of potential risk response options such as avoid, reduce, transfer and accept. Management should specify high-level requirements for programs that will implement the risk responses. Identify requirements for key controls. Management needs to validate the risk analysis results before using them for decision making, and confirm whether the results align with enterprise requirements, and verify that estimations were calibrated.
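The APO12.02 steps (estimate frequency and magnitude, apply the known controls to obtain residual risk, compare residual risk with tolerance, rank the response options by cost-benefit, and validate the estimates before use) can be made concrete with a small calculation. The Python script below is an added example written for this page; it is not part of the guidance and not a COBIT artifact. Every scenario name, frequency, loss figure, control-effectiveness share, tolerance figure and response option in it is constructed, and the annualized loss expectancy model (frequency multiplied by loss per event) is one simple quantification approach that the practice itself does not prescribe.

```python
"""Added example (not from the guidance): a minimal quantitative risk
analysis following the APO12.02 steps.  Every figure below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float              # expected events per year (estimate)
    magnitude: float              # expected loss per event, currency units (estimate)
    control_effectiveness: float  # share of the loss that current controls prevent, 0..1

    def inherent_ale(self):
        """Annualized loss expectancy before controls: frequency x magnitude."""
        return self.frequency * self.magnitude

    def residual_ale(self):
        """Loss expectancy remaining after the known operational controls."""
        return self.inherent_ale() * (1.0 - self.control_effectiveness)


@dataclass(frozen=True)
class Response:
    option: str                # avoid, reduce, transfer or accept
    annual_cost: float         # yearly cost of the option
    residual_reduction: float  # share of the residual loss the option removes, 0..1


def validate_scenario(s):
    """Step 7: check that estimates are within their valid ranges before use.
    Returns a list of problems; an empty list means the scenario is usable."""
    problems = []
    if s.frequency < 0 or s.magnitude < 0:
        problems.append("frequency and magnitude must be non-negative")
    if not 0.0 <= s.control_effectiveness <= 1.0:
        problems.append("control effectiveness must be within [0, 1]")
    return problems


def rank_responses(s, options):
    """Step 5: net annual benefit of each option (residual loss removed minus
    option cost), best first.  'accept' is modelled as zero cost, zero reduction."""
    ranked = [(r.option, round(s.residual_ale() * r.residual_reduction - r.annual_cost, 2))
              for r in options]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def analyze(scenarios, tolerance, options_by_scenario):
    """Steps 3 to 5: residual risk per scenario, comparison with tolerance, and
    the recommended response for every exposure above tolerance."""
    report = {}
    for s in scenarios:
        problems = validate_scenario(s)
        if problems:
            raise ValueError(f"{s.name}: " + "; ".join(problems))
        residual = round(s.residual_ale(), 2)
        exposure = residual > tolerance
        if exposure:
            ranked = rank_responses(s, options_by_scenario.get(s.name, []))
            recommended = ranked[0][0] if ranked else "no option proposed"
        else:
            recommended = "accept"  # within tolerance: no response required
        report[s.name] = {
            "inherent_ale": round(s.inherent_ale(), 2),
            "residual_ale": residual,
            "exposure": exposure,
            "recommended": recommended,
        }
    return report


# Constructed sample input; the names and numbers are illustrative only.
SCENARIOS = [
    Scenario("Phishing leads to credential theft", 4.0, 50_000.0, 0.6),
    Scenario("Ransomware on file server", 0.2, 1_500_000.0, 0.5),
    Scenario("Lost or stolen laptop", 2.0, 5_000.0, 0.9),
]
TOLERANCE = 50_000.0  # constructed: accepted residual loss per scenario per year
OPTIONS = {
    "Phishing leads to credential theft": [
        Response("reduce", 20_000.0, 0.75),    # e.g. phishing-resistant MFA
        Response("transfer", 15_000.0, 0.5),   # e.g. cyber insurance
        Response("accept", 0.0, 0.0),
    ],
    "Ransomware on file server": [
        Response("reduce", 40_000.0, 0.8),     # e.g. immutable, tested backups
        Response("transfer", 30_000.0, 0.6),
        Response("accept", 0.0, 0.0),
    ],
}

if __name__ == "__main__":
    for name, row in analyze(SCENARIOS, TOLERANCE, OPTIONS).items():
        flag = "ABOVE tolerance" if row["exposure"] else "within tolerance"
        print(f"{name}: residual ALE {row['residual_ale']:,.0f} ({flag}) -> {row['recommended']}")
```

Running the script ranks only the scenarios whose residual loss expectancy exceeds the tolerance; the laptop scenario stays within tolerance and is simply accepted, while the two exposures above it get the option with the highest net benefit. The validation step rejects an out-of-range estimate before it can reach a decision, which is the calibration check the seventh activity asks for, reduced to its simplest form.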
25. APO12.03 Maintain a risk profile.

Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.

Detailed activities:
1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources.
2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyze dependencies and identify weak links.
3. Aggregate current risk scenarios by category, business line and functional area.
4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile.
5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends.
6. Capture information on IT risk events that have materialized, for inclusion in the IT risk profile of the enterprise.

Management can take an inventory of business processes, applications, infrastructure, facilities, critical manual records, vendors, etc., and document the dependency on IT service management processes and IT infrastructure resources. Further, management should determine and agree on which IT services and infrastructure resources are essential to sustain the operation of business processes, and analyze dependencies and weak links. Management needs to aggregate current risk scenarios by category, business line and functional area. On a regular basis, management should capture risk profile information and consolidate it into an aggregated risk profile. Based on the profile, management needs to define a set of risk indicators that allow quick identification and monitoring of current risk and risk trends. Information on risk events that have materialized should be captured for inclusion in the risk profile of the enterprise.

26. APO12.04 Articulate risk.

Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.

Detailed activities:
1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return.
2. Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.
3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile.
4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis.

Management needs to report the results of risk analysis to all affected stakeholders in terms and formats that support decision making. Wherever possible, probabilities and ranges of loss or gain should be included, with confidence levels, to balance risk and return. Management can provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and reputation, legal or regulatory considerations. The report to stakeholders on the current risk profile should include the effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, etc., and their impact on the risk profile. Management should review the results of third-party assessments, internal audits and quality assurance (QA) reviews, and map them to the risk profile.

27. APO12.05 Define a risk management action portfolio.

Manage opportunities to reduce risk to an acceptable level as a portfolio.

Detailed activities:
1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. Classify control activities and map them to specific IT risk statements and aggregations of IT risk.
2. Determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels.
3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost/benefits, effect on current risk profile and regulations.

Management needs to maintain an inventory of the control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. The control activities should be classified and mapped to specific risk statements and aggregations of risk. Management needs to determine whether each organizational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels. Management defines a balanced set of project proposals that are designed to reduce risk and/or projects that enable strategic opportunities, considering the cost-benefit analysis.

28. APO12.06 Respond to risk.

Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

Detailed activities:
1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.
2. Categorize incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of reporting, and update the risk profile.
3. Apply the appropriate response plan to minimize the impact when risk incidents occur.
4. Examine past adverse events/losses, missed opportunities, and determine root causes. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers and ensure that the cause, response requirements and process improvement are included in risk governance processes.

Management needs to prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious impact on the business. Further, management should ensure that the plans include escalation pathways across the enterprise. Incidents need to be categorized, actual exposures compared against risk tolerance thresholds, the business impacts communicated to decision makers as part of reporting, and the risk profile updated. Management should apply the appropriate response plan to minimize the impact when risk incidents occur, examine past adverse events and missed opportunities, and determine root causes. The root causes, additional risk response requirements and process improvements should be communicated to decision makers.

29. APO13.01 Establish and maintain an information security management system (ISMS).

Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.

Detailed activities:
1. Define the scope and boundaries of the ISMS in terms of the characteristics of the enterprise, the organization, its location, assets and technology.
2. Include details of, and justification for, any exclusion from the scope.
3. Define ISMS in accordance with enterprise policy and aligned with the enterprise, the organization, its location, assets and technology.
4.
Align the ISMS with the overall enterprise approach to the management of security. 5. Obtain management authorization to implement and operate or change the ISMS. 6. Prepare and maintain a statement of applicability that describes the scope of the ISMS. 7. Define and communicate Information security management roles and responsibilities. 8. Communicate the ISMS approach. Management needs to define the scope and boundaries of the ISMS in terms of characteristics such as location, assets and technology of the enterprise. Include the justification for any exclusion from the scope. Management needs to define the ISMS in accordance with the policy and align with the enterprise approach toward management of security. Management needs to obtain the authorization to implement and operate changes to the ISMS. Management should prepare and maintain a statement of applicability that describes scope of the ISMS, and should communicate roles and responsibilities. 30. APO13.02 Define and manage an information security risk treatment plan. Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.
ACTIVITIES
1. Formulate and maintain an information security risk treatment plan aligned with strategic objectives and the enterprise architecture. Ensure that the plan identifies the appropriate and optimal management practices and security solutions, with associated resources, responsibilities and priorities for managing identified information security risk.
2. Develop proposals to implement the information security risk treatment plan, supported by suitable business cases, which include consideration of funding and allocation of roles and responsibilities.
3. Provide input to the design and development of management practices and solutions selected from the information security risk treatment plan.
4. Define how to measure the effectiveness of the selected management practices and specify how these measurements are to be used to assess effectiveness to produce comparable and reproducible results.
5. Recommend information security training and awareness programs.
6. Integrate the planning, design, implementation and monitoring of information security procedures and other controls capable of enabling prompt prevention, detection of security events and response to security incidents.

DETAILED ACTIVITIES
Management needs to formulate and maintain an information security risk treatment plan, which should be aligned with strategic objectives and the enterprise architecture. Also, ensure that the plan identifies appropriate and optimal management practices and security solutions, with associated resources and responsibilities for managing identified information security risk. Develop proposals to implement the information security risk treatment plan, supported by suitable business cases, considering funding and the allocation of roles and responsibilities. Management needs to provide input to the design and development of practices and solutions selected from the risk treatment plan. Management should define how to measure the effectiveness of selected management practices and specify how these measures are used to assess effectiveness and produce comparable results. Further, recommend information security training and awareness programs. Management should integrate the planning, design, implementation and monitoring of information security procedures and other controls capable of enabling prompt prevention, detection of security events and response to security incidents.

31. APO13.03 Monitor and review the ISMS. Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyze data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.

ACTIVITIES
1. Undertake regular reviews of the effectiveness of the ISMS, including meeting ISMS policy and objectives, and review of security practices. Take into account results of security audits, incidents, and results from effectiveness measurements, suggestions and feedback from all interested parties.
2. Conduct internal ISMS audits at planned intervals.
3. Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified.
4. Provide input to the maintenance of the security plans to take into account the findings of monitoring and reviewing activities.
5. Record actions and events that could have an impact on the effectiveness or performance of the ISMS.

DETAILED ACTIVITIES
Management should undertake regular reviews of the effectiveness of the ISMS, including meeting policies and objectives, and review of practices. Also, take into account results of security audits, results from effectiveness measurements, suggestions and feedback from all interested parties. Management should conduct ISMS audits at planned intervals and undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements to processes are identified. Actions and events that may impact the effectiveness or performance of the ISMS should be recorded.

32. DSS01.02 Manage outsourced IT services. Manage the operation of outsourced IT services to maintain the protection of enterprise information and reliability of service delivery.

ACTIVITIES
1. Ensure that the enterprise’s requirements for security of information processes are adhered to in accordance with contracts and SLAs with third parties hosting or providing services.
2. Ensure that the enterprise’s operational business and IT processing requirements and priorities for service delivery are adhered to in accordance with contracts and SLAs with third parties hosting or providing services.
3. Integrate critical internal IT management processes with those of outsourced service providers, covering, e.g., performance and capacity planning, change management, configuration management, service request and incident management, problem management, security management, business continuity, and the monitoring of process performance and reporting.
4. Plan for independent audit and assurance of the operational environments of outsourced providers to confirm that agreed-on requirements are being adequately addressed.

DETAILED ACTIVITIES
Management needs to ensure that requirements for the security of information processes are adhered to in accordance with contracts and SLAs with third parties that provide services. Also, ensure that the operational business and IT processing requirements and priorities for service delivery are adhered to in accordance with contracts.
Management should integrate critical internal IT management processes with those of outsourced service providers, covering change management, configuration management, service request and incident management, problem management, security management and business continuity. Plan for independent audit and assurance of the operational environment of outsourced providers to confirm that agreed-on requirements are being addressed.

33. DSS01.03 Monitor IT infrastructure. Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.

ACTIVITIES
1. Log events, identifying the level of information to be recorded based on a consideration of risk and performance.
2. Identify and maintain a list of infrastructure assets that need to be monitored based on service criticality and the relationship between configuration items and services that depend on them.
3. Define and implement rules that identify and record threshold breaches and event conditions. Find a balance between generating spurious minor events and significant events so event logs are not overloaded with unnecessary information.
4. Produce event logs and retain them for an appropriate period to assist in future investigations.
5. Establish procedures for monitoring event logs and conduct regular reviews.
6. Ensure that incident tickets are created in a timely manner when monitoring identifies deviations from defined thresholds.

DETAILED ACTIVITIES
Management needs to ensure that events are logged and that the identified levels of information are recorded based on a consideration of risk and performance. Identify and maintain a list of infrastructure assets that need to be monitored based on service criticality and the relationship between configuration items and the services that depend on them. Management should define and implement rules that identify and record threshold breaches and event conditions. Find a balance between generating spurious events and significant events so event logs are not overloaded with unnecessary information. The event logs need to be produced and retained for appropriate periods to assist future investigations. Management needs to ensure that incident tickets are created when monitoring identifies deviations from defined thresholds.

34. DSS01.04 Manage the environment. Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.

ACTIVITIES
1. Identify natural and man-made disasters that might occur in the area within which the IT facilities are located. Assess the potential effect on the IT facilities.
2. Identify how IT equipment, including mobile and off-site equipment, is protected against environmental threats. Ensure that the policy limits or excludes eating, drinking and smoking in sensitive areas, and prohibits storage of stationery and other supplies posing a fire hazard within computer rooms.
3. Situate and construct IT facilities to minimize and mitigate susceptibility to environmental threats.
4. Regularly monitor and maintain devices that proactively detect environmental threats (e.g., fire, water, smoke, humidity).
5. Respond to environmental alarms and other notifications. Document and test procedures, which should include prioritization of alarms and contact with local emergency response authorities, and train personnel in these procedures.
6. Compare measures and contingency plans against insurance policy requirements and report results. Address points of non-compliance in a timely manner.

DETAILED ACTIVITIES
Management needs to identify natural and man-made disasters that might occur in the area within which the IT facilities are located and assess the potential effect on the IT facilities. Management should identify how IT equipment, including mobile and off-site equipment, is protected against environmental threats. Ensure that policies include prohibitions on eating, drinking and smoking in sensitive areas and on the storage of stationery that might pose a fire hazard within computer rooms. Management should ensure that the siting and construction of IT facilities minimize and mitigate environmental threats. Further, regularly monitor and maintain devices that proactively detect threats, and monitor that responses to alarms and other notifications are made. Document and test procedures, which should include prioritization of alarms and contact with local emergency authorities. Management should compare measures and contingency plans with insurance policy requirements and report the results. Address points of non-compliance in a timely manner.
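The event-monitoring practice described under DSS01.03 above (log events, keep an inventory of monitored assets, define threshold rules that do not flood the log with spurious minor events, retain the chronological record, and raise incident tickets on deviations) can be shown in working code. The following is an added example written for this page; it is not code from the guidance document or from COBIT. The host names, metrics, thresholds, the key=value log format and the `persist` rule (a breach must be seen in consecutive samples before a ticket is raised) are assumptions made for the illustration.

```python
"""Threshold monitoring with incident-ticket creation, illustrating DSS01.03.

Constructed example: the asset inventory, rules and log lines below are invented
for this demonstration and are not taken from the guidance document.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    """A threshold rule (activity 3). 'persist' is the number of consecutive
    breaching samples required before an incident is raised; it suppresses
    one-off spikes so the event log is not flooded with spurious minor events."""
    metric: str
    op: str            # "gt": breach when value > threshold; "lt": breach when value < threshold
    threshold: float
    persist: int

    def breached(self, value: float) -> bool:
        return value > self.threshold if self.op == "gt" else value < self.threshold


@dataclass
class Ticket:
    """Incident ticket created when a breach persists (activity 6)."""
    asset: str
    metric: str
    value: float
    timestamp: str
    criticality: str


# Activity 2: inventory of monitored assets with their service criticality (constructed).
ASSETS: Dict[str, str] = {"db01": "high", "web01": "medium", "dev03": "low"}

# Activity 3: threshold rules (constructed values).
RULES: Dict[str, Rule] = {
    "cpu_pct": Rule("cpu_pct", "gt", 90.0, persist=3),
    "disk_free_pct": Rule("disk_free_pct", "lt", 10.0, persist=1),
}

# Activity 1: chronological operations log in a simple key=value format (constructed).
SAMPLE_LOG = """\
2024-03-01T09:00:00Z host=db01 metric=cpu_pct value=92
2024-03-01T09:01:00Z host=db01 metric=cpu_pct value=95
2024-03-01T09:02:00Z host=db01 metric=cpu_pct value=97
2024-03-01T09:03:00Z host=db01 metric=cpu_pct value=55
2024-03-01T09:00:00Z host=web01 metric=cpu_pct value=93
2024-03-01T09:01:00Z host=web01 metric=cpu_pct value=40
2024-03-01T09:02:00Z host=web01 metric=disk_free_pct value=8
2024-03-01T09:02:00Z host=unknown9 metric=cpu_pct value=99
"""


def parse_line(line: str) -> dict:
    """Parse '<timestamp> key=value ...' into a dict. The timestamp is kept so the
    time sequence of events can be reconstructed later (the logging aim of DSS01.03)."""
    timestamp, *pairs = line.split()
    record = {"timestamp": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    record["value"] = float(record["value"])
    return record


def evaluate_log(log_text: str, rules: Dict[str, Rule], assets: Dict[str, str]) -> dict:
    """Apply the rules to every record; return the recorded breaches, the incident
    tickets raised, and how many records came from hosts outside the inventory."""
    streak: Dict[tuple, int] = defaultdict(int)   # consecutive breaches per (host, metric)
    open_tickets = set()                           # one ticket per (host, metric) until the breach clears
    breaches: List[dict] = []
    tickets: List[Ticket] = []
    unmonitored = 0

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host, metric = rec["host"], rec["metric"]
        if host not in assets:
            unmonitored += 1      # not in the asset list (activity 2): count it, do not alert
            continue
        rule = rules.get(metric)
        if rule is None:
            continue
        key = (host, metric)
        if rule.breached(rec["value"]):
            streak[key] += 1
            breaches.append(rec)  # every breach is recorded (activity 3) even when no ticket is raised
            if streak[key] >= rule.persist and key not in open_tickets:
                tickets.append(Ticket(host, metric, rec["value"], rec["timestamp"], assets[host]))
                open_tickets.add(key)
        else:
            streak[key] = 0
            open_tickets.discard(key)  # breach cleared; a new persistent breach may raise a new ticket
    return {"breaches": breaches, "tickets": tickets, "unmonitored": unmonitored}


if __name__ == "__main__":
    result = evaluate_log(SAMPLE_LOG, RULES, ASSETS)
    for t in result["tickets"]:
        print(f"ticket: {t.asset} {t.metric}={t.value} at {t.timestamp} (criticality {t.criticality})")
    print(f"{len(result['breaches'])} breaches recorded, {result['unmonitored']} records from unmonitored hosts")
```

On the constructed log, db01 breaches the CPU rule three times in a row and gets one ticket, web01 breaches it once and gets none (the spike is recorded but filtered by `persist`), and web01's single low-disk sample is ticketed immediately because the rule treats it as significant. The record from a host outside the inventory is counted rather than alerted on, which is the kind of exception a reviewer of the asset list (activity 2) would want surfaced.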
7. Ensure that IT sites are built and designed to minimize the impact of environmental risk (e.g., theft, air, fire, smoke, water, vibration, terror, vandalism, chemicals, and explosives). Consider specific security zones and/or fireproof cells (e.g., locating production and development environments/servers away from each other).

Further, ensure that the sites are built and designed to minimize the impact of environmental threats, and consider specific security zones and fireproof cells.

35. DSS01.05 Manage facilities. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.

ACTIVITIES
1. Examine the IT facilities’ requirement for protection against power fluctuations and outages, in conjunction with other business continuity planning requirements. Procure suitable uninterruptible supply equipment (e.g., batteries, generators) to support business continuity planning.
2. Regularly test the uninterruptible power supply’s mechanisms, and ensure that power can be switched to the supply without any significant effect on business operations.
3. Ensure that the facilities housing the IT systems have more than one source for dependent utilities (e.g., power, telecommunications, water, gas). Separate the physical entrance of each utility.
4. Confirm that cabling external to the IT site is located underground or has suitable alternative protection. Determine that cabling within the IT site is contained within secured conduits, and wiring cabinets have access restricted to authorized personnel. Properly protect cabling against damage caused by fire, smoke, water, interception and interference.
5. Ensure that cabling and physical patching (data and phone) are structured and organized. Cabling and conduit structures should be documented (e.g., blueprint building plan and wiring diagrams).
6. Analyze the facilities housing’s high-availability systems for redundancy and fail-over cabling requirements (external and internal).
7. Ensure that IT sites and facilities are in ongoing compliance with relevant health and safety laws, regulations, guidelines, and vendor specifications.
8. Educate personnel on a regular basis on health and safety laws, regulations, and relevant guidelines. Educate personnel on fire and rescue drills to ensure knowledge and actions taken in case of fire or similar incidents.
9. Record, monitor, manage and resolve facilities incidents in line with the IT incident management process. Make available reports on facilities incidents where disclosure is required in terms of laws and regulations.

DETAILED ACTIVITIES
Management needs to examine the IT facilities for protection against power fluctuations and outages, in conjunction with business continuity planning requirements, by procuring suitable uninterruptible supply equipment. Regularly test the power supply mechanisms and ensure that power can be switched to the supply without any significant effect on business operations. The facilities housing IT systems need to have more than one source for dependent utilities and separate physical entrances for each utility. Management needs to confirm that the external cabling to the site is located underground or has suitable alternative protection, and determine whether the cabling within the IT site is contained within secured conduits. Also, ensure that physical patching is structured and organized, and that the conduit structures are documented. Management needs to analyze the facilities housing’s high-availability systems for redundancy and fail-over cabling requirements. Ensure that IT sites and facilities are in ongoing compliance with relevant health and safety laws, regulations, guidelines and vendor specifications. Also, educate personnel on fire and rescue drills to ensure knowledge and corrective action in case of any future incidents. Management should record, monitor, manage and resolve facilities incidents in line with the incident management process, and ensure that incidents are disclosed in terms of laws and regulations.

36. DSS06.01 Align control activities embedded in business processes with enterprise objectives. Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs.

ACTIVITIES
1. Identify and document control activities of key business processes to satisfy control requirements for strategic, operational, reporting and compliance objectives.
2. Prioritize control activities based on the inherent risk to the business and identify key controls.
3. Ensure ownership of key control activities.
4. Continually monitor control activities on an end-to-end basis to identify opportunities for improvement.
5. Continually improve the design and operation of business process controls.

DETAILED ACTIVITIES
Management needs to identify and document control activities of key business processes to satisfy control requirements. Management needs to prioritize the control activities based on the inherent risk to the business and identify key controls. Management needs to ensure ownership of key control activities. Management needs to continuously monitor the activities on an end-to-end basis to identify opportunities for improvement.

37. DSS06.02 Control the processing of information. Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use).

ACTIVITIES
1. Create transactions by authorized individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of these transactions.
2. Authenticate the originator of transactions and verify that he/she has the authority to originate the transaction.
3. Input transactions in a timely manner. Verify that transactions are accurate, complete and valid. Validate input data and edit or, where applicable, send back for correction as close to the point of origination as possible.
4. Correct and resubmit data that were erroneously input without compromising original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
5. Maintain the integrity and validity of data throughout the processing cycle. Ensure that detection of erroneous transactions does not disrupt processing of valid transactions.
6. Maintain the integrity of data during unexpected interruptions in business processing and confirm data integrity after processing failures.
7. Handle output in an authorized manner, deliver to the appropriate recipient and protect the information during transmission. Verify the accuracy and completeness of the output.
8. Before passing transaction data between internal applications and business/operational functions (inside or outside the enterprise), check for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.

DETAILED ACTIVITIES
Management needs to ensure that transactions are created by authorized individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of transactions.

38. DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf.

ACTIVITIES
1. Allocate roles and responsibilities based on approved job descriptions and allocated business process activities.
2. Allocate levels of authority for approval of transactions, limits and any other decisions relating to the business process, based on approved job roles.
3. Allocate access rights and privileges based on only what is required to perform job activities, based on pre-defined job roles. Remove or revise access rights immediately if the job role changes or a staff member leaves the business process area. Periodically review to ensure that the access is appropriate for the current threats, risk, technology and business need.
4. Allocate roles for sensitive activities so that there is a clear segregation of duties.

DETAILED ACTIVITIES
Management should allocate roles and responsibilities based on approved job descriptions and allocated business process activities. Management should allocate levels of authority for approval of transactions, limits and any other decisions relating to the business process, based on the approved roles. Management should also allocate access rights and privileges based on predefined roles. Also, remove or revise access rights if the role changes or a staff member leaves the process area. Management should allocate roles for sensitive activities so that there is a clear segregation of duties. Awareness and training regarding roles and responsibilities should be provided on a regular basis to everyone.
5. Provide awareness and training regarding roles and responsibilities on a regular basis so that everyone understands their responsibilities; the importance of controls; and the integrity, confidentiality and privacy of company information in all its forms.
6. Periodically review access control definitions, logs and exception reports to ensure that all access privileges are valid and aligned with current staff members and their allocated roles.

Management should periodically review access control definitions, logs and exception reports to ensure that all access privileges are valid and aligned with the allocated roles.

39. DSS06.04 Manage errors and exceptions. Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process.

ACTIVITIES
1. Define and maintain procedures to assign ownership, correct errors, override errors and handle out-of-balance conditions.
2. Review errors, exceptions and deviations.
3. Follow up, correct, approve and resubmit source documents and transactions.
4. Maintain evidence of remedial actions.
5. Report relevant business information process errors in a timely manner to perform root cause and trending analysis.

DETAILED ACTIVITIES
Management should define and maintain procedures to assign ownership, correct and override errors, and handle out-of-balance conditions. Management needs to review errors, exceptions and deviations. Management should report relevant business information process errors in a timely manner to perform root cause analysis.

40. DSS06.05 Ensure traceability of information events and accountabilities. Ensure that business information can be traced to the originating business event and accountable parties. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives.

ACTIVITIES
1. Define retention requirements, based on business requirements, to meet operational, financial reporting and compliance needs.
2. Capture source information, supporting evidence and the record of transactions.
3. Dispose of source information, supporting evidence and the record of transactions in accordance with the retention policy.

DETAILED ACTIVITIES
Management needs to define retention requirements, based on business requirements, to meet operational, financial reporting and compliance needs. Management can capture source information, supporting evidence and the record of transactions. Management should dispose of source information, supporting evidence and the record of transactions in accordance with the retention policy.

41. DSS06.06 Secure information assets. Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.

MEA01, MEA02 and MEA03 are explained in the Stakeholder 3 section that follows.

STAKEHOLDER 3 – AUDITOR

Assurance means that, pursuant to an accountability relationship between two or more parties, an IT audit and assurance professional may be engaged to issue a written communication expressing a conclusion about the subject matters to the accountable party. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter. For example, assurance engagements could include support for audited financial statements; assessment of value provided by IT to the enterprise; reviews of controls; compliance with required standards and practices; and compliance with agreements, licenses, legislation and regulations.

An auditor can be either an independent auditor unaffiliated with the company being audited or a captive auditor, and some are elected public officials. Auditors are used to ensure that organizations are maintaining accurate and honest financial records and statements. Auditors can work for many different entities. Auditors are also found in the private sector at accounting firms. There are both internal and external auditors; internal auditors are usually employees or contractors of the company they are auditing, while external auditors generally work either directly for or in conjunction with governmental agencies.

Various roles of the auditor include:
• Inquiring of management and others to gain an understanding of the organization itself, its operations, financial reporting, and known fraud or error
• Evaluating and understanding the internal control system
• Performing analytical procedures on expected or unexpected variances in account balances or classes of transactions
• Testing documentation supporting account balances or classes of transactions
• Observing the physical inventory count
• Confirming accounts receivable and other accounts with a third party
• At the completion of the audit, the auditor may also offer objective advice for improving financial reporting and internal controls to maximize a company’s performance and efficiency.

The need of this stakeholder can be assessed by virtue of the following questions, which the auditor should develop prior to an audit engagement:
• How dependent am I on external providers?
• What are the (control) requirements for information?
• Did I address all IT-related risk?
• Am I running an efficient and resilient IT operation?
• How do I get assurance over IT?
• Is the information I am processing well secured?
• How do I know my business partner’s operations are secure and reliable?
• How do I know the enterprise is compliant with applicable rules and regulations?
• How do I know the enterprise is maintaining an effective system of internal control?
• Do business partners have the information chain between them under control?
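The business-process controls set out in DSS06.02 (transactions created by authorized individuals, segregation of duties between origination and approval, input validated at the point of origination and sent back for correction), DSS06.03 (access rights and approval limits derived from pre-defined job roles, and a periodic review of granted access against current staff and their roles) and DSS06.05 (a transaction record that traces back to its originator, source document and approver) fit together in one small model. The following is an added example written for this page, not code from the guidance document or from COBIT. The roles, staff, privilege grants, approval limits and transactions are constructed for the illustration, and `ControlError`, `originate`, `approve` and `review_access` are names chosen here.

```python
"""Transaction origination, approval and access review, illustrating DSS06.02,
DSS06.03 and DSS06.05.

Constructed example: roles, staff, granted privileges and transactions are
invented for this demonstration and are not taken from the guidance document.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


class ControlError(Exception):
    """Raised when a transaction fails a control check."""


# DSS06.03 activities 1-3: pre-defined job roles carrying only the privileges the
# role needs, plus an approval limit expressing the level of authority.
ROLES: Dict[str, dict] = {
    "clerk":      {"privileges": {"originate"}, "approval_limit": 0.0},
    "supervisor": {"privileges": {"originate", "approve"}, "approval_limit": 10_000.0},
    "controller": {"privileges": {"approve", "review"}, "approval_limit": 100_000.0},
}

# Current staff and their allocated roles (constructed).
STAFF: Dict[str, str] = {"alice": "clerk", "bob": "supervisor", "carol": "controller"}

# Privileges actually granted in the application (constructed, with deliberate drift:
# alice holds a privilege outside her role and dave has left but still has access).
GRANTED: Dict[str, Set[str]] = {
    "alice": {"originate", "approve"},
    "bob": {"originate", "approve"},
    "carol": {"approve", "review"},
    "dave": {"originate"},
}


@dataclass
class Transaction:
    """Record kept for traceability (DSS06.05): who originated the transaction,
    from which source document, and who approved it and when."""
    txn_id: str
    originator: str
    amount: float
    source_document: str
    created_at: str
    approver: Optional[str] = None
    approved_at: Optional[str] = None
    status: str = "pending"


def has_privilege(user: str, privilege: str) -> bool:
    """Authority is derived from the user's approved role, never from ad hoc grants."""
    role = STAFF.get(user)
    return role is not None and privilege in ROLES[role]["privileges"]


def originate(txn_id: str, user: str, amount: float, source_document: str, created_at: str) -> Transaction:
    """DSS06.02 activities 1-3: check the originator's authority and validate the
    input at the point of origination, rejecting bad data for correction."""
    if not has_privilege(user, "originate"):
        raise ControlError(f"{user} is not authorized to originate transactions")
    if not isinstance(amount, (int, float)) or amount <= 0:
        raise ControlError("amount must be a positive number; return to originator for correction")
    if not source_document:
        raise ControlError("a source document reference is required for traceability")
    return Transaction(txn_id, user, float(amount), source_document, created_at)


def approve(txn: Transaction, approver: str, approved_at: str) -> Transaction:
    """Segregation of duties and level of authority: the approver must hold the
    privilege, must not be the originator, and must be within their approval limit."""
    if txn.status != "pending":
        raise ControlError(f"transaction {txn.txn_id} is not pending")
    if not has_privilege(approver, "approve"):
        raise ControlError(f"{approver} is not authorized to approve transactions")
    if approver == txn.originator:
        raise ControlError("segregation of duties: originator cannot approve own transaction")
    limit = ROLES[STAFF[approver]]["approval_limit"]
    if txn.amount > limit:
        raise ControlError(f"amount {txn.amount} exceeds {approver}'s approval limit {limit}")
    txn.approver, txn.approved_at, txn.status = approver, approved_at, "approved"
    return txn


def review_access(staff: Dict[str, str], granted: Dict[str, Set[str]], roles: Dict[str, dict]) -> List[Tuple[str, str]]:
    """DSS06.03 activity 6: compare granted privileges with current staff and their
    roles, producing an exception report of leavers and privileges beyond the role."""
    exceptions: List[Tuple[str, str]] = []
    for user in sorted(granted):
        role = staff.get(user)
        if role is None:
            exceptions.append((user, "no current role; revoke access"))
            continue
        for privilege in sorted(granted[user] - roles[role]["privileges"]):
            exceptions.append((user, f"privilege not in role: {privilege}"))
    return exceptions


def rejected(action: Callable[[], object]) -> bool:
    """True if the action is blocked by a control check (used to demonstrate rejections)."""
    try:
        action()
        return False
    except ControlError:
        return True


if __name__ == "__main__":
    txn = originate("T1", "alice", 2500.0, "INV-0042", "2024-03-01T09:00:00Z")
    print("self-approval rejected:", rejected(lambda: approve(txn, "alice", "2024-03-01T09:05:00Z")))
    print(approve(txn, "bob", "2024-03-01T09:05:00Z"))
    print(review_access(STAFF, GRANTED, ROLES))
```

Two design points carry the weight here. Control checks consult the approved role (STAFF and ROLES), not the privileges the application happens to have granted, so a drifted grant cannot widen anyone's authority; and the review function works from the opposite direction, comparing what is granted against what the role permits, which is exactly the reconciliation activity 6 of DSS06.03 asks for and which surfaces both the leaver and the excess privilege in the constructed data.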
The auditor will be able to perform the following: • Better understanding of their responsibilities and roles with regard to assurance provisioning with reference to the governance and internal controls and risk management • Having a well-illustrated, structured and comprehensive approach for providing assurance over IT with reference to the governance and internal controls and risk management • Having a structured framework that provides a common language among all stakeholders to provide assurance over specific IT areas As drafted in COBIT 5 for Assurance, an assurance initiative consists of five components, as illustrated in the following figure. Each of those components is described in further detail in the following subsections.
Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 4

Three-party Relationship

An accountable party is the individual, group or entity (auditee), usually involving management, that is ultimately responsible for the subject matter, process or scope. An assurance engagement involves two other parties:
• Depending on the circumstances, the user could include a variety of stakeholders, such as shareholders, creditors, customers, the board of directors, the audit committee, legislators or regulators. For some types of assurance activities, the auditee and the user can be identical, e.g., IT management.
• The assurance professional (auditor) is the person who has overall responsibility for the performance of the assurance engagement and for the issuance of the report on the subject matter.

In conducting an assurance assignment, an accountability relationship exists among the three parties. The accountability relationship is a prerequisite for an assurance engagement, and it exists when one party (the auditee) is responsible to another party (the user) for a subject matter, or voluntarily chooses to report to another party on a subject matter. The accountability relationship may arise as a result of a (contractual) agreement or legislation, or because a user can be expected to have an interest in how the accountable party has discharged its responsibility for a subject matter.

Subject Matter

Subject matter is the specific information, practices or controls, such as any of the seven COBIT 5 enablers, that are the subject of an audit and assurance professional’s review, examination and report. This subject matter can include the design or operation of internal controls and management practices over any aspect of the enterprise, or compliance with privacy practices or standards or specified laws and regulations.
Suitable Criteria

Criteria are the standards and benchmarks, such as COBIT 5, used to measure and present the subject matter and against which the practitioner evaluates the subject matter. Criteria can be formal or less formal. There can be different criteria for the same subject matter. Suitable criteria are required for reasonably consistent evaluation or measurement of a subject matter within the context of professional judgment. Suitable criteria must have the necessary information quality goal attributes as defined in the COBIT 5 Information model, in particular:
• Objectivity—Criteria should be free from bias.
• Measurability—Criteria should permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
• Understandability—Criteria should be communicated clearly and not be subject to significantly different interpretations by intended users.
• Completeness—Criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about the subject matter are not omitted.
• Relevance—Criteria should be relevant to the subject matter.

Where criteria are established by management, assurance professionals must ensure that the scope covers what would normally be considered appropriate based on generally accepted definitions of the scope of the subject matter, or identify any scope limitations in their reports.

Execution

When undertaking an assurance activity, the audit and assurance professional eventually executes the assignment by following a structured approach, dependent on other enablers, to reach a conclusion on the evaluation of the subject matter.

Conclusion

The process of evaluating the results of audit or assurance testing, after confirmation, to arrive at conclusions and recommendations can be complex. What appears to be a problem may, in fact, be the effect of a problem, not the cause. Therefore, it is important for the audit and assurance professional to follow the conclusion process, from confirming facts with key individuals in the areas being audited to determining root causes.
The individual findings can then be used to provide examples that support higher-level analysis:
• Developing various scenarios leading to potential recommendations
• Selecting an appropriate recommendation that is practical and achievable
• Identifying steps necessary to ensure buy-in of key stakeholders

Indeed, audit and assurance professionals should obtain an adequate understanding of the subject matter and its business environment. They should see the bigger picture, link the impact of the issues/findings to the overall organizational strategic goals and objectives to tell “the story behind the story,” and communicate value insights. Executives are not very interested in knowing the observations; they need to understand the insights behind the findings.

Recommendations resulting from the conduct of audit and assurance engagements may be reported in a separate report, not as part of the audit or assurance report. The recommendations—which, as part of the reporting process, require review and agreement by management and the auditee or other stakeholders—should be presented in a clear, concise and actionable manner. Reports to senior management and executives should address issues and concepts, with detailed audit findings used as illustrations of the issue, problem or result. Reports to middle and line management should contain the same information, but with a different level of detail, to allow them to fully understand the issue and handle the problem. Where appropriate, recommendations should include provision for timely monitoring and follow-up.

The Assurance Function

The assurance function perspective has been adopted from COBIT 5 for Assurance. The assurance function perspective describes what is needed in an enterprise to build and provide assurance functions. COBIT 5 is an end-to-end business framework, meaning that it considers the provisioning and use of assurance as part of the overall governance and management of enterprise IT.
Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 5

The assurance function perspective describes how each enabler contributes to the overall provisioning of assurance, for example:
• Which organizational structures are required to provide assurance (board/audit committee, audit function, etc.)
• Which information items are required to provide assurance (audit universe, audit plan, audit reports, etc.)

Core Assurance Processes

Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use the enablers and management practices to satisfy needs and goals. It can be tailored and used, at the discretion of management, toward achieving their goals and objectives. The figure that follows depicts that, out of the 37 processes, the stakeholder (the auditor) can adapt the relevant processes (borders shaded in black) and their underlying management practices, which shall assist in achieving the goals of the enterprise.
The processes comprised in the Monitor, Evaluate and Assess (MEA) domain of COBIT 5 can be regarded as the core assurance processes required within every enterprise.

Process identification and reasoning:

MEA01 Monitor, evaluate and assess performance and conformance.
This process covers the provisioning of transparency regarding performance and conformance, and drives achievement of goals by:
• Collecting, validating and evaluating business, IT and process goals and metrics
• Monitoring that processes are performing against agreed-on performance and conformance goals and metrics
• Providing reporting that is systematic and timely

MEA02 Monitor, evaluate and assess the system of internal control.
This process covers obtaining transparency for key stakeholders on the adequacy of the system of internal controls and thus providing trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk by:
• Continuously monitoring and evaluating the control environment, including self-assessments and independent assurance reviews
• Enabling management to identify control deficiencies and inefficiencies and initiate improvement actions
• Planning, organizing and maintaining standards for internal control assessment and assurance activities

MEA03 Monitor, evaluate and assess compliance with external requirements.
This process ensures that the enterprise is compliant with all applicable external requirements by:
• Evaluating that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements
• Obtaining assurance that the requirements have been identified and the enterprise has complied with these requirements
• Integrating IT compliance with overall enterprise compliance

Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 32

As shown in the previous figure, the proposed assurance engagement approach refers explicitly to all COBIT 5 enabler categories. The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use organizational structures as well as information items (inputs and outputs). When developing the audit/assurance program, it will become clear that, when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential for a lot of duplication. Avoiding duplication is up to the assurance professional.

Generic Assurance Program
The assurance approach depicted in the previous figure is described in more detail and developed into a generic audit/assurance program—including guidance on how to proceed during each step—in the remainder of this section. This generic audit/assurance program is:
• Aligned with generally accepted auditing standards and practices, distinguishing among:
  – Phase A—Planning and scoping the assurance engagement
  – Phase B—Understanding the subject matter, setting suitable assessment criteria and performing the actual assessment
  – Phase C—Communicating the results of the assessment
• Fully aligned with COBIT 5:
  – It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.
  – It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.
• Comprehensive yet flexible:
  – The generic program is comprehensive because it contains assurance steps covering all enablers in quite some detail, yet it is also flexible because this detailed structure enables clear and well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set of enablers or some enabler instances and, while the decision will reduce the scope and related assurance engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement user.
• Easy to understand, follow and apply because of its clear structure

RACI CHART

A responsibility assignment matrix, also known as a RACI matrix, ARCI matrix or linear responsibility chart, describes the participation of various roles in completing tasks or deliverables for a project or business process. The following RACI chart explains the roles of the auditor in evaluating effective corporate IT governance. The processes explained in this chapter would have to be executed keeping in mind the perspective of the roles in the following RACI chart.

Management Practice                                           Auditor
MEA01.01 Establish a monitoring approach.                     C
MEA01.04 Analyze and report performance.                      C
MEA01.05 Ensure the implementation of corrective actions.     C
MEA02.01 Monitor internal controls.                           R
MEA02.02 Review business process controls effectiveness.      R
MEA02.03 Perform control self-assessments.                    R
MEA02.04 Identify and report control deficiencies.            R
MEA02.06 Plan assurance initiatives.                          C
MEA02.07 Scope assurance initiatives.                         A
MEA02.08 Execute assurance initiatives.                       A
MEA03.01 Identify external compliance requirements.           R
MEA03.02 Optimize response to external requirements.          R
MEA03.04 Obtain assurance of external compliance.             A

1. MEA01.01 Establish a monitoring approach.
Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.

Activities:
1. Engage with the stakeholders and communicate the enterprise requirements and objectives for monitoring, aggregating and reporting, using common definitions (e.g., enterprise glossary, metadata and taxonomy), baselining and benchmarking.
2. Align and continually maintain the monitoring and evaluation approach with the enterprise approach and the tools to be used for data gathering and enterprise reporting (e.g., business intelligence applications).
3. Agree on the goals and metrics (e.g., conformance, performance, value and risk), taxonomy (classification and relationships between goals and metrics) and data (evidence) retention.
4. Agree on a life cycle management and change control process for monitoring and reporting. Include improvement opportunities for reporting, metrics, approach, baselining and benchmarking.
5. Request, prioritize and allocate resources for monitoring (consider appropriateness, efficiency, effectiveness and confidentiality).
6. Periodically validate the approach used and identify new or changed stakeholders, requirements and resources.

Detailed activities:
The auditor needs to engage with the stakeholders toward developing the objectives of monitoring, using common definitions, baselining and benchmarking. Further, on setting the previous objectives, the auditor needs to ensure that monitoring and evaluation are done on a continuous basis. The auditor needs to ensure that the goals, metrics, taxonomies and retention policies are agreed on, which shall result in administrative efficiencies. The auditor can review the policies on life cycle management and change control, which may include improvement opportunities for performance baselining and benchmarking. The auditor should validate the approach periodically for changes within the environment, which could be changes of stakeholders, requirements and resources.

2. MEA01.04 Analyze and report performance.
Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.

Activities:
1. Design process performance reports that are easy to understand and tailored to management needs. Facilitate effective, timely decision-making (e.g., scorecards, traffic light reports) and ensure that the cause and effect between goals and metrics are communicated in an understandable manner.
2. Compare the performance values to targets and benchmarks.
3. Recommend changes to the goals and metrics, where appropriate.
4. Distribute reports to the stakeholders.
5. Analyze the cause of deviations against targets, initiate remedial actions, assign responsibilities for remediation, and follow up and search for root causes, where necessary. Document the results of the events.
6. Where feasible, link achievement of performance targets to the organizational reward compensation system.

Detailed activities:
The auditor can assist in designing performance reports that are easy to understand and tailored to the needs of management in facilitating timely decision-making. The reports should highlight the performance of the results against the targets set. Whenever a deviation from the desired results arises, a root cause analysis should identify the real cause, and appropriate action should be taken based on the findings. The findings and corrective action should be well documented. The auditor should ensure that the reports are made available to the stakeholders in a timely manner.

3. MEA01.05 Ensure the implementation of corrective action.
Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

Activities:
1. Review management responses and recommendations to address issues and major deviations.
2. Ensure that the assignment of responsibility for corrective action is maintained.
3. Track the results of actions committed.
4. Report the results to the stakeholders.

Detailed activities:
The auditor should ensure that the recommendations have been accepted and management responses have been obtained. The auditor should also ensure that the responsibility to take corrective action is assigned to the correct process owners. In case there is any difference of opinion, the auditor should report it to the stakeholders, i.e., the board of directors.
4. MEA02.01 Monitor internal controls.
Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational objectives.

Activities:
1. Perform internal control monitoring and evaluation of the activities based on organizational governance standards and industry-accepted frameworks and practices.
2. Consider independent evaluations of the internal control system (e.g., by internal audit or peers).
3. Identify the boundaries of the IT internal control system (e.g., consider how organizational IT internal controls take into account outsourced and/or offshore development or production activities).
4. Ensure that control activities are in place and exceptions are promptly reported, followed up and analyzed, and appropriate corrective actions are prioritized and implemented according to the risk management profile (e.g., classify certain exceptions as a key risk and others as a non-key risk).
5. Maintain the IT internal control system, considering ongoing changes in business and IT risk, the organizational control environment, relevant business and IT processes, and IT risk. If gaps exist, evaluate and recommend changes.
6. Regularly evaluate the performance of the IT control framework. Consider formal adoption of a continuous improvement approach to internal control monitoring.
7. Assess the status of external service providers’ internal controls and confirm that service providers comply with legal and regulatory requirements and contractual obligations.

Detailed activities:
The auditor should ensure that the internal controls are monitored, for which compliance testing can be performed. Exceptions, if any, should be identified and reported together with their root causes.
The auditor needs to define his/her boundaries for internal control systems for outsourced/offshore work during the engagement process to ensure that the objectives of the review are predefined and set. The auditor should ensure that the control activities are in place and that exceptions, if any, are analyzed and corrective action is taken in a timely manner. The auditor can assist management toward benchmarking performance against accepted best practices. The auditor faces the challenge of maintaining the prerequisite controls in a changing environment, which can be prone to new risks. Gap analysis can be performed and recommendations made for incorporating changes.

5. MEA02.02 Review business process controls effectiveness.
Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.
Activities:
1. Understand and prioritize risk to organizational objectives.
2. Identify key controls and develop a strategy suitable for validating controls.
3. Identify information that will persuasively indicate whether the internal control environment is operating effectively.
4. Develop and implement cost-effective procedures to determine that persuasive information is based on the information criteria.
5. Maintain evidence of control effectiveness.

Detailed activities:
The auditor should prioritize the risks that may impact the objectives of the organization. The auditor should identify the key controls and develop strategies to reduce the impact of risks. The review should be well defined and cost-effective for the organization, and all findings should be documented with relevant evidence.

6. MEA02.03 Perform control self-assessments.
Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management’s control over processes, policies and contracts.

Activities:
1. Maintain plans and scope and identify evaluation criteria for conducting self-assessments. Plan the communication of results of the self-assessment process to business, IT, general management and the board. Consider internal audit standards in the design of self-assessments.
2. Determine the frequency of periodic self-assessments, considering the overall effectiveness and efficiency of ongoing monitoring.
3. Assign responsibility for self-assessment to appropriate individuals to ensure objectivity and competence.
4. Provide for independent reviews to ensure objectivity of the self-assessment and enable the sharing of internal control good practices from other enterprises.
5. Compare the results of the self-assessments against industry standards and good practices.
6. Summarize and report outcomes of self-assessments and benchmarking for remedial actions.

Detailed activities:
The auditor should ensure that management has developed plans and procedures for conducting self-assessments and communicates the results to management. The auditor can assist in determining the frequency of periodic self-assessments, considering the overall effectiveness and efficiency of the monitoring process. The auditor can assist in assigning responsibilities to competent individuals to ensure that objectivity is met for the defined procedures. The auditor can also provide independent reviews toward setting good practices from the industry. The results of the self-assessments can be pegged against industry standards, and benchmarking standards can be set for comparison. The auditor can ensure that the approach is consistent in terms of measurability of performance.

7. MEA02.04 Identify and report control deficiencies.
Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.

Activities:
1. Identify, report and log control exceptions, and assign responsibility for resolving them and reporting on the status.
2. Consider related enterprise risk to establish thresholds for escalation of control exceptions and breakdowns.
3. Communicate procedures for escalation of control exceptions, root cause analysis, and reporting to process owners and IT stakeholders.
4. Decide which control exceptions should be communicated to the individual responsible for the function and which exceptions should be escalated. Inform affected process owners and stakeholders.
5. Follow up on all exceptions to ensure that agreed-on actions have been addressed.
6. Identify, initiate, track and implement remedial actions arising from control assessments and reporting.

Detailed activities:
The auditor should identify and log exceptions and ensure that process owners resolve them. The auditor should define the thresholds for escalation of identified exceptions and breakdowns of controls. The auditor needs to ensure that he/she follows up on the exceptions that have been reported and that they are addressed in a timely manner.

8. MEA02.06 Plan assurance initiatives.
Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.

Activities:
1. Determine the intended users of the assurance initiative output and the object of the review.
2. Perform a high-level risk assessment and/or assessment of process capability to diagnose risk and identify critical IT processes.
3. Select, customize and reach agreement on the control objectives for critical processes that will be the basis for the control assessment.
Detailed activities:
The auditor should first set the objective of the assurance review and determine the intended users. The auditor should then perform the risk assessment and identify critical IT processes. After the assessment is done, the auditor can define the control objectives for the critical processes identified, in consultation with management.

9. MEA02.07 Scope assurance initiatives.
Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.
Activities:
1. Define the actual scope by identifying the enterprise and IT goals for the environment under review, the set of IT processes and resources, and all the relevant auditable entities within the enterprise and external to the enterprise (e.g., service providers), if applicable.
2. Define the engagement plan and resource requirements.
3. Define practices for gathering and evaluating information from the process(es) under review to identify controls to be validated, and current findings (both positive assurance and any deficiencies) for risk evaluation.
4. Define practices to validate control design and outcomes and determine whether the level of effectiveness supports acceptable risk (required by organizational or process risk assessment).
5. Where control effectiveness is not acceptable, define practices to identify residual risk (in preparation for reporting).

Detailed activities:
The auditor, in agreement with management, should decide on the scope of the assurance function and accordingly plan the audit to cover entities (including external service providers, if agreed on) and IT processes. The engagement plan can also define the resources for the activity. The audit plan should include the practices defined for gathering and evaluating information, validating controls and determining the levels of risk and whether the risks are acceptable or not. The auditor needs to identify residual risks where the control effectiveness is not acceptable and report them to management.

10. MEA02.08 Execute assurance initiatives.
Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.

Activities:
1. Refine the understanding of the IT assurance subject.
2. Refine the scope of key control objectives for the IT assurance subject.
3. Test the effectiveness of the control design of the key control objectives.
4. Alternatively/additionally, test the outcome of the key control objectives.
5. Document the impact of control weaknesses.
6. Communicate with management during execution of the initiative so that there is a clear understanding of the work performed and agreement on and acceptance of the preliminary findings and recommendations.
7. Supervise the assurance activities and make sure the work done is complete, meets objectives and is of an acceptable quality.
8. Provide management with a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.

Detailed activities:
The auditor should execute the audit plan based on the parameters set during the planning stage and test the effectiveness of controls. The auditor can refine the scope of key control objectives by conducting alternative/additional tests. The auditor should document the impact of control weaknesses and communicate the findings and recommendations to management. The auditor should furnish a report to management on the findings of the audit.

11. MEA03.01 Identify external compliance requirements.
On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.

Activities:
1. Assign responsibility for identifying and monitoring any changes of legal, regulatory and other external contractual requirements relevant to the use of IT resources and the processing of information within the business and IT operations of the enterprise.
2. Identify and assess all potential compliance requirements and the impact on IT activities in areas such as data flow, privacy, internal controls, financial reporting, industry-specific regulations, intellectual property, health and safety. Include the impact of IT-related legal and regulatory requirements on third-party contracts related to IT operations, service providers and business trading partners.
3. Obtain independent counsel, where appropriate, on changes to applicable laws, regulations and standards.
4. Maintain an up-to-date log of all relevant legal, regulatory and contractual requirements, their impact and required actions.
5. Maintain a harmonized and integrated overall register of external compliance requirements for the enterprise.

Detailed activities:
The auditor can direct management to assign responsibility to individuals to identify and monitor changes to legal, regulatory and other contractual requirements relevant to IT. The auditor should ensure that the potential compliance requirements and their impact on IT activities such as data flow, privacy, internal controls, and health and safety are identified.
The auditor can, if the need arises, ask management to obtain a legal opinion on changes to applicable laws, regulations and standards. The auditor should ensure that management maintains a regular log of all relevant legal requirements, their impact and desired actions.

12. MEA03.02 Optimize response to external requirements.
Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and good practice guidance for adoption and adaptation.

Activities:
1. Regularly review and adjust policies, principles, standards, procedures and methodologies for their effectiveness in ensuring necessary compliance and addressing enterprise risk, using internal and external experts, as required.
2. Communicate new and changed requirements to all relevant personnel.

Detailed activities:
The auditor should review and adjust the policies, standards and principles to ensure that they are effective in ensuring compliance and addressing risk. The auditor should ensure that changes made to the requirements are communicated to the process owners in a timely manner.

13. MEA03.04 Obtain assurance of external compliance.
Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.

Activities:
1. Obtain regular confirmation of compliance with internal policies from business and IT process owners and unit heads.
2. Perform regular (and, where appropriate, independent) internal and external reviews to assess levels of compliance.
3. If required, obtain assertions from third-party IT service providers on the levels of their compliance with applicable laws and regulations.
4. If required, obtain assertions from business partners on the levels of their compliance with applicable laws and regulations as they relate to intercompany electronic transactions.
5. Monitor and report on non-compliance issues and, where necessary, investigate the root cause.
6. Integrate reporting on legal, regulatory and contractual requirements at an enterprise-wide level, involving all business units.

Detailed activities:
The auditor should, while discharging the assurance function, obtain assertions/confirmation of compliance from management for adherence to laws and regulations. Assertions can also be obtained from third-party service providers. The auditor can then monitor and report on the non-compliance of individual parties and initiate corrective action. The auditor can develop an integrated report involving all the business units and submit the report to management.
SUMMARY The concept of governance hinges on total transparency, integrity and accountability of the management and the board of directors. The importance of governance lies in its contribution both to business prosperity and to accountability. Because COBIT 5 is a business framework for the governance and management of enterprise IT and a flexible framework, it can be used to achieve governance, risk management and assurance requirements from the Indian context. The activities and implications mentioned previously can be followed by the stakeholder according to his/her needs and situation. Governance is a means, not an end; corporate excellence should be the end. SECTION 3 – CHECKLISTS
This section consists of all of the checklists that have been drafted, keeping in mind all of the stakeholders targeted in this publication. These checklists can be used by a stakeholder as an evaluation to check that the COBIT 5 processes implemented in the enterprise are compliant with the regulations with which the enterprise is bound to comply. The checklists included in this publication are illustrative and are not exhaustive.

CHECKLIST 1 – GENERAL CHECKLIST FOR GOVERNANCE

1. Internal Control—CARO
Internal control relating to purchase of inventory and fixed assets:
· Is there a "continuing failure" in correcting any major weakness in the internal controls relating to purchases?
· Were these weaknesses communicated to management in earlier year(s)?
· Are there previous years' working papers in which the weakness was communicated to management?
Internal control relating to sale of goods and services:
· Is there a record of the system relating to sale of goods and services in our files?
· Have we tested the system?
· Is there a "continuing failure" in correcting any major weakness in the internal controls relating to sale of goods and services?
· Were these weaknesses communicated to management in earlier year(s)?

2. Whistle-blower Policy
· Does the audit committee consider whether management's arrangements for whistle-blowing are satisfactory?
· Shall the company affirm that it has not denied access to the audit committee of the company (in respect of matters involving alleged misconduct) and that it has provided protection to "whistle-blowers" from unfair termination and other unfair or prejudicial employment practices?

3. CEO/CFO Certification
· Have the CEO/CFO reviewed the balance sheet and profit and loss account and all their schedules and notes on accounts, as well as the cash flow statements and the directors' report?
· Have they established and maintained the internal control of the company?

4. Directors' Responsibilities
Is the company in compliance with governance requirements under applicable law, and has adequate internal control been established in response, such that:
· reporting functions are adequate?
· the company has in place insider trading restrictions?
· each of the directors and the company's shareholders are sufficiently informed about the company's operations and financial status, and concerns are dealt with in a timely and effective manner?
· the company has obtained a certificate from either the auditors or practicing company secretaries regarding compliance with the conditions of governance as stipulated in this clause, and annexed the certificate to the directors' report, which is sent annually to all shareholders of the company? The same certificate shall also be sent to the stock exchanges along with the annual returns filed by the company.

CHECKLIST 2 – GENERAL CHECKLIST FOR RISK MANAGEMENT

Area: Risk Management
1. Have the elements of risk been identified?
2. Has a risk management policy been developed?
3. Has the risk management policy been implemented?
4. Have risk management resources been identified?
5. Have the resources to manage risk been allocated efficiently and effectively?
6. Has the functioning of the risk management system been tested?
7. Has the frequency of review of the system been decided?
8. Have procedures to review the system been laid down?

CHECKLIST 3 – GENERAL CHECKLIST FOR AUDIT AND ASSURANCE

Area: Audit and Assurance
1. Has an internal auditor been appointed?
2. Has an audit committee been formed?
3. Has a statutory auditor been appointed?
4. How often does management review and act on the work and observations of the internal auditor?
5. How often does management review and act on the work and observations of the audit committee?
6. How often does management review and act on the work and observations of the statutory auditor?
7. Did they obtain a certificate from the auditors for compliance with the conditions of governance according to Clause 49?
8. Did they review the risk management policy and procedures?
9. Did they review the internal control policy and procedures?
10. Did they evaluate the adequacy of the risk management system?
11. How often do they evaluate the adequacy of the risk management system?
12. Did they evaluate the adequacy of the internal control system?
13. How often do they evaluate the adequacy of the internal control system?
14. Did they discuss with management their work and observations after reviewing and evaluating the risk management system?
15. Did they discuss with management their work and observations after reviewing and evaluating the internal control system?
16. Does the auditor include the status of the adequacy of the internal control system and risk management system in his or her audit report?
17. Does the auditor include the status of the operating effectiveness of such controls in his or her audit report?
18. Did they review the structure of the internal audit department, its staffing and the seniority of the official heading the department?
19. Did they review the reporting structure and coverage of the internal audit?
20. Does the auditor certify the company for compliance with the conditions of governance as stipulated in Clause 49?

CHECKLIST 4 – COMPLIANCE WITH THE DATA PROTECTION AREAS OF THE INFORMATION TECHNOLOGY ACT
1. Section 43A – Applicability of the Act to body corporate
   1. Is the entity concerned a firm (sole proprietorship or partnership), a private limited or public limited company, or any other association of individuals (such as one registered as a society or public trust or other organization)?
   2. Does it possess, deal with or handle sensitive personal data?
   3. Are such data held in a computer resource?
   4. Does the entity own, control or operate such a computer resource?
   5. Is such firm, sole proprietorship or other association of individuals engaged in commercial or professional activities?

2. Section 43A – Reasonable security practices to be included
   1. Is it sensitive personal information?
   2. Does any agreement specify protection from unauthorized access, etc.?
   3. Does any sector-specific law specify such protection?
   4. Is protection specified under the Central Government notified Rules issued on 11 April 2011 and titled "Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011"?

3. Section 43A – Body corporate's obligations as to privacy policy
   1. Does the entity collect, receive, possess, store, deal with or handle personal information (including sensitive personal data)?
   2. Is the personal information made available under a lawful contract?
   3. Do we have a privacy policy?
   4. Is the personal information available for viewing by the people who provide their personal information?

4. Section 43A – Compensation for failure to protect data
   1. Was the entity negligent in implementing and maintaining reasonable security practices and procedures?
   2. Was wrongful loss or wrongful gain caused to any person by such negligence?

5. Section 66 – Computer-related offences
   1. Is there a mechanism in place to detect computer-related offences?

6. Section 66A – Punishment for sending offensive messages through communication service, etc.
   1. What are the different communication modes by which offensive messages could be sent?
   2. Is there any mechanism to detect the sending of offensive messages through such communication services?

7. Section 66B – Punishment for dishonestly receiving stolen computer resource or communication device
   1. Is there a mechanism in place to ensure that stolen computer resources are returned or intimated?

8. Section 66C – Punishment for identity theft
   1. Is there any mechanism to track fraudulent or dishonest use of the electronic signature, password or any other unique identification feature of any other person?

9. Section 66D – Punishment for cheating by personation by using computer resource
   1. Are the means (communication devices or resources) available within the entity to cheat by personation?
   2. How are such fraudulent actions traced and tackled?
   3. Is there any disciplinary committee to take action on such instances?

10. Section 66E – Punishment for violation of privacy
   1. Is there any policy mandating procedures to deal with violation of privacy?
   2. What penal actions are taken for such privacy breaches?

11. Section 66F – Punishment for cyber terrorism
   1. Is there any intent of threat to the unity, integrity, security and sovereignty of India?
   2. Is there any attempt to penetrate/access the computer resources?
   3. Is there an attempt at unauthorized access?

12. Section 67C – Preservation and retention of information by intermediaries
   1. Does the entity have in place appropriate information security policies?
   2. Do such policies contain managerial, technical, operational and physical security control measures?
   3. Are such measures commensurate with the information assets being protected and the nature of our business?
   4. Is there in place a comprehensive information security program?
   5. Is the information security program well documented?
   6. Do we consistently implement such security practices and standards?
   7. Can it be demonstrated, whenever called upon to do so by an agency mandated under the law, that we have implemented security control measures as per our documented information security program and policies?

13. Section 72A – Punishment for disclosure of information in breach of lawful contract
   1. Does the entity have mechanisms in place to:
      · review all materials published by us?
      · check whether any sensitive personal data are part of such materials?
      · mask or redact such sensitive personal data?
   2. Does the entity obtain agreement from third parties with whom we share sensitive personal data to forbid them from further disclosing such data?
   3. Is there a mechanism in place to ensure the above?
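One way to mechanise the review step in item 13 above (review material before publication, check whether sensitive personal data are part of it, and mask or redact them) is a small scanner run over the outgoing text. The Python below is an added example written for this page; it is not code from the publication or from any regulator. The identifier formats it looks for (e-mail addresses, the PAN layout of five letters, four digits and one letter, 12-digit numbers in the Aadhaar layout, and 10-digit mobile numbers beginning 6 to 9) and the draft notice it scans are assumptions constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the publication): a draft customer notice that
# has slipped sensitive personal data into material meant for publication.
SAMPLE_TEXT = (
    "Dear customer, your KYC is pending. Contact ravi.kumar@example.com or call "
    "9876543210. We hold PAN ABCDE1234F and Aadhaar 2345 6789 0123 on file. "
    "Reference ticket 20240117."
)

# Detection patterns. The identifier layouts (PAN: 5 letters, 4 digits, 1 letter;
# Aadhaar: 12 digits in groups of 4; Indian mobile: 10 digits starting 6-9) are
# assumptions made for this example; the checklist itself names no formats.
# Dictionary order is the order of application, so the 12-digit pattern runs
# before the 10-digit one and a masked Aadhaar can never be re-matched as a mobile.
PATTERNS: Dict[str, re.Pattern] = {
    "email":   re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "pan":     re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    "aadhaar": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "mobile":  re.compile(r"(?<!\d)[6-9]\d{9}(?!\d)"),
}


def mask_value(kind: str, value: str) -> str:
    """Mask a detected value, keeping just enough to reconcile it with the source record."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "*" * (len(local) - 1) + "@" + domain
    # Identifiers: keep only the last four alphanumerics and preserve separators.
    keep = 4
    remaining = sum(ch.isalnum() for ch in value)
    out = []
    for ch in value:
        if ch.isalnum():
            out.append(ch if remaining <= keep else "X")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every sensitive item found in the text."""
    return [(kind, m.group(0))
            for kind, pattern in PATTERNS.items()
            for m in pattern.finditer(text)]


def redact(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Mask every detected item and return the cleaned text plus what was masked."""
    findings: List[Tuple[str, str]] = []
    for kind, pattern in PATTERNS.items():
        def _mask(m: re.Match, kind: str = kind) -> str:
            findings.append((kind, m.group(0)))
            return mask_value(kind, m.group(0))
        text = pattern.sub(_mask, text)
    return text, findings


def release_decision(text: str) -> Dict[str, object]:
    """Review gate: report whether the draft was clean and hand back the masked copy."""
    cleaned, findings = redact(text)
    return {
        "clean_as_drafted": not findings,
        "masked_items": len(findings),
        "by_kind": {k: sum(1 for kind, _ in findings if kind == k) for k in PATTERNS},
        "cleaned": cleaned,
    }


if __name__ == "__main__":
    report = release_decision(SAMPLE_TEXT)
    print("clean as drafted:", report["clean_as_drafted"])
    print("masked by kind:", report["by_kind"])
    print(report["cleaned"])
```

Keeping the last four characters lets the reviewer reconcile a masked value against the source record without exposing it, and the findings list is the evidence that the check ran. Pattern matching of this kind is a detective control that supports, but does not replace, the data classification and handling procedures covered in Checklist 5.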
CHECKLIST 5 – SAMPLE CHECKLIST FOR THE AUDITOR TO GAIN ASSURANCE ON THE CONTROLS THAT ARE IN PLACE TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION (PII)

1. PLANNING AND SCOPING THE AUDIT

1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Perform a high-level walk-through of the organization's data privacy and PII-specific policies, including the organization's schema for data classification.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.2.1 Identify limitations and/or constraints affecting the audit.

1.3 Define assurance.
The review requires two sources of standards. The enterprise standards defined in the policy and procedure documentation establish the enterprise's expectations; at minimum, the enterprise standards should be implemented. The second source, a good practice reference, establishes industry standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Determine whether COBIT 5 and the appropriate data privacy framework will be used as a good practice reference.

1.4 Identify and document risk.
The risk assessment is necessary to evaluate where audit resources should be focused. The risk-based approach ensures that audit resources are used in the most effective manner.
1.4.1 Identify the data flow of PII and evaluate the effectiveness of the controls in place.
1.4.2 Identify the business risk associated with the failure to implement appropriate organization-wide data classification and PII protection policies and procedures. Proper protection procedures include segregation of files containing PII on separate servers or virtual local area networks (VLANs); restriction of access to such files and information to authorized personnel only; and logging, review and monitoring of all access.
1.4.3 Identify the technology risk associated with the failure to implement appropriate electronic data protection, such as encryption, data masking, tokenization, application logical security and general IT controls (antivirus, firewall, etc.), in an appropriately secure fashion.
1.4.4 Determine whether a network security assessment and vulnerability modelling have been conducted recently and specifically include the network components where PII is received, processed and/or stored.
1.4.5 Determine whether all issues identified in the network security assessment and vulnerability modelling have been addressed and appropriately remediated.
1.4.6 Based on the risk assessment, identify changes to the scope.
1.4.7 Discuss the risk with business, IT and operational audit management, and adjust the risk assessment as appropriate.

1.5 Define the change process.
The initial audit approach is based on the reviewer's understanding of the operating environment and associated risk, the information life cycle of PII and other possible assessment activities. As further research and analysis are performed, changes to the scope and approach may result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations required.

1.6 Define assignment success.
Define the audit/review success factors and ensure appropriate and regular communication among the IT audit/assurance team, other assurance teams and the organization.
1.6.1 Identify the drivers for a successful review (these should exist in the audit/assurance function's standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

1.7 Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine the audit/assurance skills necessary for the review.
1.7.2 Determine the estimated total resources (hours) and time frame (start and end dates) required for the review.

1.8 Define deliverables.
Deliverables include control evaluations, assessments, questionnaires, analysis of technical documentation supporting the interim report (as applicable) and the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses and the final report.

1.9 Communicate.
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the executive(s) responsible for data privacy and protection.

2. RISK MANAGEMENT

2.1 Risk Assessment
Audit/Assurance Objective: The protection of PII is subject to routine risk assessment processes.

2.1.1 PII Initial Risk Assessment
Control: Management has evaluated the risk associated with maintenance of PII.
2.1.1.1 Verify that there is an inventory of PII held, with justification, retention period, classification and security requirements.
2.1.1.2 Determine whether a recent risk assessment relating to PII has been performed that includes the organization's PII data classification and inventory.
2.1.1.3 If so, determine whether the risk assessment scope was adequate to support the organization's PII inventory and associated inherent risk.
2.1.1.4 Determine whether the compliance requirements relating to PII have been determined and documented for every relevant legal jurisdiction and industry standard.
2.1.1.5 Obtain and review the risk assessment documentation and determine that PII and data privacy policies and procedures are adequate to support the PII protection program and appropriately protect the organization as required.
2.1.1.6 Obtain and review board minutes or other documentation to support the approval of the risk assessment.

2.1.2 PII Continuing Risk Assessment
Control: A risk assessment is performed and approved by management where significant changes are initiated in the PII or data privacy programs, or to reaffirm the previous risk assessment.
2.1.2.1 Determine whether subsequent risk assessments have been performed after the initial risk assessment.
2.1.2.2 Obtain and review the risk assessment documentation, if available, to determine whether the risk assessment scope is adequate to support the changes in the PII or data privacy programs and continues to protect the organization as appropriate.

3. POLICIES

3.1 Policies
Audit/Assurance Objective: Policies supporting PII protection initiatives have been defined, documented, implemented and maintained.

3.1.1 Third Parties
Control: Agreements with third parties relating to PII are properly enforced.
3.1.1.1 Check whether there are any agreements with external customers or clients regarding retention, classification and security of PII.
3.1.1.2 If so, verify that the corresponding third-party PII is subject to the same restrictions and protections (see below) as the organization's own PII.
3.1.2 Employee PII Agreement
Control: The employee agreement clearly defines the responsibilities of the company and the employee when handling or processing PII.
3.1.2.1 Verify that employees must sign the PII agreement before being granted access to PII.
3.1.2.2 Verify that, as an awareness technique, employees must review and sign the PII agreement annually.
3.1.2.3 Review the employee PII agreement for the following:
· Employee is aware of the sensitivity of PII
· Employee is aware of the organization's policies and procedures for classifying and handling PII
· Employee is required to undergo training, at or near orientation/onboarding, in the handling, storage and processing of PII
· Employee must immediately report any incident of lost, stolen or compromised PII that comes to their attention
· Employee is aware of the appropriate channels for reporting PII-related incidents
· Employee is aware of the procedures required for a PII-related incident
· Employee will exercise reasonable care when handling PII
· Employee will subscribe to organizational use policies related to PII
· Employee will subscribe to organizational data security policies
· Employee will abide by the updated PII agreement when it is revised and distributed
· The organization may impose disciplinary action (up to and including termination) for infringement of policies relating to PII
3.1.2.4 Determine that all employees have signed their acceptance of the employee agreement.
3.1.2.5 Determine the date of the last revision of the PII employee agreement.
3.1.2.6 Select a sample of employees with access to PII stored in both electronic and hard-copy forms. Include employees of varying job functions and titles in the sample. Obtain their PII employee agreements and determine that each agreement is:
· The most current employee agreement
· Signed and dated
· Amended if revisions have been instituted since the previous signed document

3.1.3 PII Acceptable Use and Handling Policy
Control: Employees must adhere to the organization's PII Acceptable Use and Handling Policy.
3.1.3.1 Obtain and verify the PII Acceptable Use and Handling Policy.
3.1.3.2 Determine that all employees and relevant third parties (e.g., consultants) have been made aware of the policy, e.g., through formal training at orientation with regular refreshers.
3.1.3.3 Determine the date of the last revision to the policy.
3.1.3.4 Select a sample of employees with access to PII. Include employees of varying job functions and titles in the sample.
3.1.3.5 Obtain their individual employee agreements and determine that each one is:
· The most current policy
· Signed and dated
· Suitably amended if revisions have been instituted since the previous signed document

3.1.4 Human Resources (HR) Support for PII
Control: PII handling, processing and storage processes are integrated into HR services, policies and compliance.
3.1.4.1 Determine whether the HR function is responsible for the initial and annual signing of the Employee PII and PII Acceptable Use and Handling Policy documents.
3.1.4.2 Determine whether HR onboarding procedures include signing of the Employee PII and Acceptable Use and Handling Policy statements.
3.1.4.3 Determine whether background checks are carried out and references taken for all employees with access to PII.
3.1.4.3.1 Select a sample of new employees with access to PII. Determine whether the employees signed the appropriate documents.
3.1.4.4 Determine whether HR has a current list of employees with access to PII, to ensure that termination procedures include PII exit procedures.
3.1.4.5 Obtain the PII participant list. Select a sample and determine whether the names on the list are current employees.
3.1.4.6 Obtain the list of recently terminated employees. Verify that terminated employees are not on the PII participant list.
3.1.4.7 Determine how HR manages the transfer of PII participants to other divisions or locations. Prepare appropriate audit test procedures to satisfy the audit objective.
3.1.4.8 Determine whether disciplinary policies and supporting processes are in effect for violations of the PII and Acceptable Use and Handling policy, including:
· Established and publicized disciplinary action for infringements
· Uniform application of the disciplinary action policy
3.1.4.9 Evaluate the effectiveness of disciplinary policies.
3.1.4.10 Determine whether disciplinary policies are applied uniformly, considering staff, middle management and senior management in your evaluation.
3.1.4.11 Determine whether violations are recorded in a disciplinary system.
3.1.4.12 If a disciplinary system exists, select a sample of incidents, determine the disciplinary action taken and evaluate whether policy was followed.
3.1.4.13 If no disciplinary system exists, determine how disciplinary actions are managed.
3.1.4.14 Determine how policies and their execution are aligned with governmental and other regulatory rules, to avoid fines, legal action or other penalties for noncompliance.
3.1.4.15 Evaluate PII employee policies and determine whether additional controls, policies or procedures are required to protect organizational assets, including monitoring and logging of access and restriction of data download capability.

3.1.5 Contractors
Control: Contractors and other third parties have only restricted access to PII when connecting to the organization's network.
3.1.5.1 Determine the policies in effect that permit third parties, e.g., contractors and customers, to utilize organizational IT resources while protecting organizational assets and intellectual property from unauthorized access.
3.1.5.2 Determine that a clear definition exists of the types of information not to be made accessible to third parties, such as contractors.
3.1.5.3 Evaluate the effectiveness of PII and data privacy controls over third-party access. Such access should be closely monitored and logged, and restriction of data download should be considered.
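Steps 3.1.4.5 and 3.1.4.6 (reconcile the PII participant list against current and terminated employees) and the requirement in 1.4.2 that access to PII files be restricted to authorized personnel and be logged, reviewed and monitored can be tested with a short reconciliation script rather than by eye. The Python below is an added example for this page, not code from the publication. The employee lists, the termination dates, the access-log line format ("timestamp user=... action=... object=... result=...") and the log entries themselves are all constructed for the illustration; a real engagement would read HR extracts and the file server's own log format.

```python
import re
from datetime import date, datetime
from typing import Dict, List, Set, Tuple

# Constructed sample data for the example; none of it comes from the publication.
CURRENT_EMPLOYEES: Dict[str, str] = {
    "E001": "Asha Rao", "E002": "Bikram Sen", "E004": "Divya Nair", "E007": "Gopal Iyer",
}
# Employee id -> last working day, taken from HR's terminations list (constructed).
TERMINATED: Dict[str, date] = {"E003": date(2024, 2, 15)}
# The PII participant list that HR is expected to keep (step 3.1.4.4), constructed.
PII_PARTICIPANTS: Set[str] = {"E001", "E002", "E003", "E009"}

# Constructed access-log excerpt from the file server holding PII; the key=value
# layout is an assumption for this example.
ACCESS_LOG = """\
2024-03-04T10:15:22Z user=E001 action=READ object=/pii/customers.csv result=SUCCESS
2024-03-04T10:17:05Z user=E007 action=READ object=/pii/customers.csv result=SUCCESS
2024-03-05T08:02:41Z user=E003 action=EXPORT object=/pii/customers.csv result=SUCCESS
2024-03-05T09:30:00Z user=E002 action=READ object=/pii/payroll.xlsx result=DENIED
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the assumed key=value log format into dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["raw"] = raw
        events.append(ev)
    return events


def reconcile_participants(participants: Set[str], current: Dict[str, str],
                           terminated: Dict[str, date]) -> Dict[str, Set[str]]:
    """Steps 3.1.4.5 and 3.1.4.6: who is on the participant list but should not be?"""
    return {
        # Listed but not a current employee: stale entry, contractor or unknown id.
        "not_current": {p for p in participants if p not in current},
        # Listed although HR has already processed the termination.
        "terminated_still_listed": {p for p in participants if p in terminated},
    }


def review_access(events: List[dict], participants: Set[str],
                  terminated: Dict[str, date]) -> List[Tuple[str, str, str]]:
    """Step 1.4.2: review logged access against the authorized list.
    Returns (rule, user, raw_line) tuples for the reviewer to follow up."""
    findings = []
    for ev in events:
        user, success = ev["user"], ev["result"] == "SUCCESS"
        if success and user not in participants:
            findings.append(("unauthorized_access", user, ev["raw"]))
        if user in terminated and ev["ts"].date() > terminated[user]:
            findings.append(("post_termination_access", user, ev["raw"]))
        if success and ev["action"] == "EXPORT":
            # A bulk download of PII is worth a look even from an authorized user (3.1.4.15).
            findings.append(("export_of_pii", user, ev["raw"]))
    return findings


if __name__ == "__main__":
    for key, ids in reconcile_participants(PII_PARTICIPANTS, CURRENT_EMPLOYEES, TERMINATED).items():
        print(f"{key}: {sorted(ids)}")
    for rule, user, line in review_access(parse_log(ACCESS_LOG), PII_PARTICIPANTS, TERMINATED):
        print(f"{rule:24} {user}  {line}")
```

Each finding carries the raw log line so the working paper can cite the evidence directly. Denied attempts are deliberately not flagged here; they show the control working, though a pattern of them would still be worth a note in the report.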
4. LEGAL

4.1 Legal Issues
Audit/Assurance Objective: PII policies and procedures comply with legal requirements and minimize the organization's exposure to legal actions.

4.1.1 Legal Involvement in PII Policies and Procedures
Control: Legal counsel with appropriate knowledge and experience has reviewed and approved the organization's PII policies and procedures.
4.1.1.1 Determine whether legal counsel has reviewed and approved legal issues relating to PII policies and procedures. Consider:
· The various geographic and national jurisdictions, as well as industry mandates, with a bearing on the organization's controls and security over PII
· Legal discovery on employee-owned mobile devices, e.g., smartphones and tablet computers
4.1.1.2 Obtain evidence of legal counsel's review and approval.
4.1.1.3 Determine that the most recent legal review covers all recent changes in PII legislation, industry mandates and organizational policies/procedures.

5. GOVERNANCE

5.1 Governance
Audit/Assurance Objective: Handling of PII is subject to oversight and monitoring by management.

5.1.1 PII Oversight
Control: A formal PII/privacy oversight committee is in place with responsibility for all aspects of PII handling, storage, processing and protection.
5.1.1.1 Determine that a senior management-level committee exists to oversee PII and data privacy.
5.1.1.2 Determine that the PII/data privacy committee has representatives from senior management, legal, HR, PR and the lines of business.
5.1.1.3 Determine from minutes and documentation that the PII/data privacy committee meets regularly (at least quarterly).
5.1.1.4 Determine from documentation that the PII/data privacy committee reports to the highest level of the organization.
5.1.1.5 Determine that the PII/data privacy committee performs at least the following:
· Defines policy and procedures relating to PII
· Ensures that PII policy and procedures are in line with changes in the environment, e.g., changes to legislation or industry mandates
· Is directly involved in all incidents relating to loss or compromise of PII, including reporting to the board and to relevant authorities, public relations, financial budgets for resolving issues, etc.

5.1.2 Policy Approval
Control: PII and data privacy policy has been approved by executive management.
5.1.2.1 Determine the reporting structure of the PII approval process and evaluate whether the approval process included the affected business units that collect, handle, process, store or dispose of PII.
5.1.2.2 Obtain the minutes of the meeting and other documentation used to evaluate the approval process.

5.1.3 Monitoring PII Execution
Control: Executive management receives regularly scheduled status reports on PII issues, adherence to policy and exceptions.
5.1.3.1 Verify that formal measures are in place to monitor the use and processing of PII.
5.1.3.2 Obtain executive management status reports for PII.
5.1.3.3 Determine the frequency with which management receives status reports.
5.1.3.4 Determine the contents of the status report, including:
· PII-related incidents with relevant ongoing status
· Follow-up and disposition

6. TRAINING

6.1 User Awareness and Training
Audit/Assurance Objective: Users with access to PII attend initial orientation awareness training, with periodic training on a regular schedule (at least annually, or when significant policy or procedure changes are implemented).

6.1.1 Initial Training
Control: PII users are required to attend initial training on PII and data privacy policy, acceptable use and support procedures.
6.1.1.1 Obtain the training resources used in initial training.
6.1.1.2 Evaluate the completeness of the training program. Ensure that it addresses all policy issues identified in the policy section of this audit program.
6.1.1.3 Determine that users with access to, or responsible for, PII have attended the session(s).
6.1.1.4 Select a sample of PII users at all organizational levels and business units. Inspect attendance logs and other documentation to determine whether the selected users have completed the required training.

6.1.2 Security and Awareness Training
Control: Security awareness and periodic training are required and conducted at least annually.
6.1.2.1 Obtain the PII and data privacy awareness program and perform the following steps.
6.1.2.2 Determine that the program continues to adequately address the handling of PII and defines appropriate security policies.
6.1.2.3 Determine the requirement for attendance at training programs.
6.1.2.4 Select a sample of PII users and determine the frequency of their attendance.
6.1.2.5 Determine the percentage of PII users who have attended the subsequent training program.
6.1.2.6 Evaluate the effectiveness of the training program, based on historical metrics, e.g., the number of PII handling incidents or procedure failures per period.
7. PII-RELATED INFORMATION SECURITY
7.1 PII-related Information Security Controls
Audit/Assurance Objective: Information security policy and procedures specifically address the technical aspects of data privacy and protection of PII.
7.1.1 Information Security Policy Addresses PII
Control: The organization's Information Security policy addresses the special needs of data privacy and PII.
7.1.1.1 Obtain a copy of the organization's current Information Security policy and determine that it addresses the technical IT aspects related to processing, storing, disposing of and managing PII.
7.1.1.2 Determine that the Network Security Policy requires the highest levels of technical security when processing or storing PII, including encryption of PII both at rest and in transit across networks, strong authentication (preferably two-factor) to access databases and files containing PII, appropriate data classification, formal key management for handling encryption/decryption keys, etc.
7.1.1.3 If the organization develops its own application software (on any platform), obtain a copy of the organization's current system development life cycle (SDLC) standards document and policy and determine that it addresses the security requirements for software that will process PII.
7.1.1.4 Determine that the organization's SDLC standards require all applications that process PII to pass formal vulnerability testing before deployment into production.
7.1.1.5 Determine that assessments are performed to identify and remediate vulnerabilities in new and existing code, relevant to protection of PII.
7.1.1.6 Select a sample of new applications and maintenance on preexisting applications.
7.1.1.7 Obtain copies of the relevant vulnerability assessments.
7.1.1.8 Determine that the assessments were completed and all material vulnerabilities were remediated before the corresponding code was deployed into production.
7.1.2 Network Security Addresses the Needs of PII
Control: Networks that process PII meet the organization's highest levels of technical security.
7.1.2.1 Select a sample of networks (or all networks, if possible) and obtain the corresponding network architecture diagrams.
7.1.2.1.1 Determine that each network in the sample has been secured to the organization's highest security level, including the following:
· Encryption of all in-flight PII, using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) or virtual private networks (VPNs)
· Encryption of all at-rest databases which store PII, using AES or 3DES
· Strong authentication (preferably two-factor) procedures before any user is permitted to access PII
· All networks containing PII are isolated from non-PII networks, using firewalls, VLANs or dedicated networks
· All networks containing PII are in scope of operational intrusion detection systems (IDSs)/intrusion prevention systems (IPSs)
· Formal authorization on a strictly need-to-know basis
· Regular security reviews and penetration studies of networks containing PII, by external and internal groups
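Steps 7.1.1.4 to 7.1.1.8 above amount to a reconciliation: for each sampled release of a PII-processing application, the auditor needs evidence that a vulnerability assessment was completed, and that every material finding was remediated, before the production deployment date. The following Python is an added illustration of that evidence test; it is not part of this guidance or of any audit program the guidance draws on. The record layouts, application names, dates and the definition of "material" as critical or high severity are all constructed assumptions.

```python
"""Evidence test for audit steps 7.1.1.4 to 7.1.1.8 (added example).

For every production deployment of a PII-processing application, check that a
vulnerability assessment for that exact release was completed before the
deployment date and that all material findings were remediated before it.
All records below are constructed sample evidence, not real data.
"""
from datetime import date
from typing import Dict, List, Tuple

# Assumed definition of a "material" finding; an organization's own standard
# governs this in practice.
MATERIAL_SEVERITIES = {"critical", "high"}

# Constructed sample: extract from the change-management deployment log.
DEPLOYMENTS = [
    {"app": "claims-portal", "version": "3.2", "deployed": date(2024, 3, 4)},
    {"app": "claims-portal", "version": "3.3", "deployed": date(2024, 5, 20)},
    {"app": "payroll-batch", "version": "1.9", "deployed": date(2024, 4, 1)},
    {"app": "hr-selfservice", "version": "2.0", "deployed": date(2024, 6, 11)},
]

# Constructed sample: vulnerability assessment reports obtained under 7.1.1.7.
ASSESSMENTS = [
    {"app": "claims-portal", "version": "3.2", "completed": date(2024, 2, 26),
     "findings": [
         {"id": "F-1", "severity": "high", "remediated": date(2024, 3, 1)},
         {"id": "F-2", "severity": "low", "remediated": None},  # not material
     ]},
    {"app": "claims-portal", "version": "3.3", "completed": date(2024, 5, 15),
     "findings": [
         # Critical finding fixed only after the release went live.
         {"id": "F-3", "severity": "critical", "remediated": date(2024, 5, 28)},
     ]},
    {"app": "payroll-batch", "version": "1.9", "completed": date(2024, 4, 3),
     "findings": []},  # assessment finished two days after deployment
    # hr-selfservice 2.0 deliberately has no assessment on file.
]


def evaluate(deployments: List[dict], assessments: List[dict]) -> Dict[Tuple[str, str], List[str]]:
    """Return, per (app, version), the list of exceptions found (empty = compliant)."""
    by_release = {(a["app"], a["version"]): a for a in assessments}
    exceptions: Dict[Tuple[str, str], List[str]] = {}
    for dep in deployments:
        key = (dep["app"], dep["version"])
        problems: List[str] = []
        assessment = by_release.get(key)
        if assessment is None:
            problems.append("no vulnerability assessment on file")
        else:
            if assessment["completed"] > dep["deployed"]:
                problems.append(
                    f"assessment completed {assessment['completed']} "
                    f"after deployment on {dep['deployed']}"
                )
            for finding in assessment["findings"]:
                if finding["severity"] not in MATERIAL_SEVERITIES:
                    continue  # only material findings block deployment
                fixed = finding["remediated"]
                if fixed is None or fixed > dep["deployed"]:
                    problems.append(
                        f"material finding {finding['id']} not remediated before deployment"
                    )
        exceptions[key] = problems
    return exceptions


def exception_rate(exceptions: Dict[Tuple[str, str], List[str]]) -> float:
    """Share of sampled releases with at least one exception, for the workpaper summary."""
    if not exceptions:
        return 0.0
    return sum(1 for p in exceptions.values() if p) / len(exceptions)


if __name__ == "__main__":
    results = evaluate(DEPLOYMENTS, ASSESSMENTS)
    for (app, version), problems in results.items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{app} {version}: {status}")
    print(f"exception rate: {exception_rate(results):.0%}")
```

Only releases with an empty exception list satisfy step 7.1.1.8; each non-empty list is a candidate finding for the auditor to confirm against the underlying documents, since the script tests dates and severities, not the quality of the assessment itself.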
7.1.2.2 Obtain copies of the reports from recent security reviews, audit reports and penetration studies of a sample of networks containing PII and determine, by review of documentation, that the following occurred in a timely manner:
· Identified vulnerabilities were remediated
· Vulnerabilities were reported to both the Data Privacy/Protection committee and to senior business management
· Any recommendations were addressed
· Reasons were provided for all exceptions, i.e., where recommendations were not addressed
· Measures are in place to mitigate the risk identified
7.1.3 IT Identifies All Systems That Process PII and the Locations Thereof
Control: IT has a set of operational procedures to identify the location of PII in all systems.
7.1.3.1 Obtain a copy of IT's relevant procedures for locating PII in existing and new systems.
7.1.3.2 Determine that IT has an effective ongoing process to identify the presence of PII in databases and flat files.
7.1.3.3 Determine whether IT possesses software tools to scan databases and flat files (including emails, text documents, spreadsheets, etc.) for the presence, or likelihood, of PII. Such tools often report the statistical likelihood that columns in databases or text may comprise PII such as social security numbers or debit/credit card numbers.
7.1.3.4 Obtain copies of reports from the above scanning tools and determine that the presence of unexpected PII was suitably remediated (i.e., either by removing the PII or by ensuring appropriate protection in accordance with the organization's data privacy/protection standards).
7.2 PII-related Information Security Controls
Audit/Assurance Objective: PII-related issues are included in the compliance with statutes and industry requirements, especially if international.
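Step 7.1.3.3 describes scanning tools that report the likelihood that a database column or a piece of free text contains PII such as social security numbers or payment card numbers. The Python below is an added example of how such a tool arrives at a per-column likelihood; it is not part of this guidance and is not any vendor's product. It scores each column by the share of values that match a social security number layout or pass the Luhn check used by card numbers, and it scans free text (an exported email, say) reporting only masked hits. The column names, the sample rows and the 50% flagging threshold are constructed assumptions; the card numbers used are publicly known test values, not real accounts.

```python
"""Column-level PII likelihood scan in the spirit of audit step 7.1.3.3 (added example).

Scores each column of a tabular export, and each digit run in free text, for
resemblance to a U.S. social security number (SSN) or a Luhn-valid payment
card number. Sample data below is constructed; card numbers are standard
public test numbers.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
# 13 to 19 digits with optional single spaces or hyphens between them.
CARD_RE = re.compile(r"^(?:\d[ -]?){12,18}\d$")
# A run of digits, possibly containing spaces/hyphens, inside free text.
TOKEN_RE = re.compile(r"\d(?:[\d -]*\d)?")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check; true for the check digit scheme used by card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str) -> Optional[str]:
    """Return 'ssn', 'card' or None for one value."""
    v = value.strip()
    if SSN_RE.match(v):
        return "ssn"
    if CARD_RE.match(v) and luhn_valid(v):
        return "card"
    return None


def score_columns(rows: List[Dict[str, str]], threshold: float = 0.5) -> Dict[str, dict]:
    """Per column: fraction of SSN-like and card-like values, and the flagged kind if any."""
    counts = defaultdict(lambda: {"ssn": 0, "card": 0, "n": 0})
    for row in rows:
        for col, value in row.items():
            c = counts[col]
            c["n"] += 1
            kind = classify(str(value))
            if kind:
                c[kind] += 1
    report = {}
    for col, c in counts.items():
        ssn = c["ssn"] / c["n"] if c["n"] else 0.0
        card = c["card"] / c["n"] if c["n"] else 0.0
        kind, share = max(("ssn", ssn), ("card", card), key=lambda kv: kv[1])
        report[col] = {"ssn": ssn, "card": card, "flag": kind if share >= threshold else None}
    return report


def find_in_text(text: str) -> List[Tuple[str, str]]:
    """Scan free text; return (kind, masked value) so the report itself holds no PII."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        kind = classify(m.group())
        if kind:
            digits = re.sub(r"\D", "", m.group())
            hits.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


# Constructed sample export: one column holds SSN-like values, one holds card numbers.
SAMPLE_ROWS = [
    {"customer": "A. Sharma", "tax_id": "123-45-6789", "account_ref": "4111 1111 1111 1111", "amount": "1200.50"},
    {"customer": "B. Rao",    "tax_id": "987-65-4321", "account_ref": "5500000000000004",    "amount": "99.00"},
    {"customer": "C. Iyer",   "tax_id": "n/a",         "account_ref": "378282246310005",     "amount": "4500.00"},
    {"customer": "D. Khan",   "tax_id": "555-12-3456", "account_ref": "INV-2024-0099",       "amount": "10.00"},
]

if __name__ == "__main__":
    for col, r in score_columns(SAMPLE_ROWS).items():
        print(f"{col:12s} ssn={r['ssn']:.2f} card={r['card']:.2f} flag={r['flag']}")
    print(find_in_text("Please charge card 4111 1111 1111 1111 for order 42, SSN 123-45-6789 on file"))
```

A flagged column is a lead for step 7.1.3.4, not a conclusion: the Luhn check rejects most random digit strings but accepts any well-formed test number, so the auditor still confirms with the data owner whether the column genuinely holds PII before judging how it was remediated.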
7.2.1 IT Is Aware of PII Compliance Requirements
Control: Individuals in IT, in cooperation with privacy and legal professionals, are responsible for ensuring that IT systems comply with all relevant PII-related statutes (e.g., jurisdictional data privacy laws) and industry requirements (e.g., those required for credit card or health care processing).
7.2.1.1 By discussion and review of relevant documentation, identify individuals in IT with responsibility for PII compliance of IT systems.
7.2.1.2 Determine that these individuals have appropriate levels of experience and training in PII compliance issues.
7.2.1.3 Where relevant, obtain copies of recent reports after external compliance reviews.
7.2.1.4 Determine that the IT specialists were involved with the reviews and that they followed relevant findings through to full remediation (i.e., "clean" reports).
7.3 Incident Response and Reporting
Audit/Assurance Objective: The organization's incident response and reporting process meets the requirements for PII-related incidents, e.g., after loss or compromise of PII.
7.3.1 PII-related Incident Management
Control: The organization's standard, documented incident response and reporting process specifically includes PII-related incidents and any special procedures for PII, such as reporting the loss of PII to the individuals concerned or to designated law enforcement authorities as required by local legislation.
7.3.1.1 Obtain a copy of the organization's incident response and reporting procedure document and determine that it addresses any special needs related to compliance with PII-related laws or industry requirements. This may require consultation with appropriate legal counsel to identify all relevant in-scope legislation or industry requirements.
7.3.1.2 Obtain a copy of a recent incident response report, or if no such incident has occurred recently, a copy of a recent incident response test, and determine that all relevant PII-related procedures were properly carried out.