Cobit Audit Report Template
XYZ Company
PRODUCTION CONTROL
Report to Management
XYZ Company
Internal Audit Department
123 Audit Lance
Anywhere, ZZ 99999
Confidential
Page 0
Executive Summary

At-A-Glance

Maturity Rating
  Overall:          <Actual Here>
  Client's Target:  <Target Here>

Audit Issues
  Priority A:  <# Here>
  Priority B:  <# Here>
  Priority C:  <# Here>

Detailed Observations
  Optimized:   <# Here>
  Managed:     <# Here>
  Defined:     <# Here>
  Repeatable:  <# Here>
  Initial:     <# Here>

Prior Audit Report
  Audit:       <Audit Name Here>
  Issue Date:  <Date Here>

Audit Issue Detail (one entry per issue; tick the priority that applies)

Priority: [ ] A  [ ] B  [ ] C
Title of Issue
<Description of issue here including impact statement and recommendation>.
Relevant COBIT Detailed Objective: <e.g., DS5.4 User Account Management (EXAMPLE)>
Corrective Action (sign-off per issue priority A, B or C): <Corrective action here>
Due Date: <Date Here>

Priority: [ ] A  [ ] B  [ ] C
Title of Issue
<Description of issue here including impact statement and recommendation>.
Relevant COBIT Detailed Objective: <Objective reference here>
Corrective Action (sign-off per issue priority A, B or C): <Corrective action here>
Due Date: <Date Here>
COBIT Maturity Rating by Objective

Columns: Objectives | COBIT Maturity Rating | Rating Justification | Indicators/Metrics | Overall conclusion

Objectives: <High-level Objective Name Here>
  Detailed Objectives: <All detailed level objectives included in the scope of the audit should be listed here.>
COBIT Maturity Rating (tick one): 5: Optimized / 4: Managed / 3: Defined / 2: Repeatable / 1: Initial / 0: Non-Existent
Rating Justification: <Justification here>
Indicators/Metrics: <Indicators here>
Overall conclusion: <Overall conclusion here>

Objectives: <High-level Objective Name Here>
  Detailed Objectives: <All detailed level objectives included in the scope of the audit should be listed here.>
COBIT Maturity Rating (tick one): 5: Optimized / 4: Managed / 3: Defined / 2: Repeatable / 1: Initial / 0: Non-Existent
Rating Justification: <Justification here>
Indicators/Metrics: <Indicators here>
Overall conclusion: <Overall conclusion here>

Objectives (EXAMPLE): M1 Monitor the Processes
  Detailed Objectives:
    M1.1 Collecting Monitoring Data
    M1.2 Assessing Performance
    M1.4 Management Reporting
COBIT Maturity Rating (tick one): 5: Optimized / 4: Managed / 3: Defined / 2: Repeatable / 1: Initial / 0: Non-Existent
Rating Justification: <Justification here>
Indicators/Metrics: <Indicators here>
Overall conclusion: <Overall conclusion here>
COBIT Rating by Control

Columns: Controls | COBIT Rating | Rating Justification | Indicators/Metrics

Control: Standard Images
  COBIT: DS9.2 Configuration Baseline
COBIT Rating (tick one): 5: Optimized / 4: Managed / 3: Defined / 2: Repeatable / 1: Initial / 0: Non-Existent
Rating Justification: <Justification here>
Indicators/Metrics: <Indicators here>

Control: Sustaining Secure Configurations
  COBIT: DS9.4 Configuration Control
COBIT Rating (tick one): 5: Optimized / 4: Managed / 3: Defined / 2: Repeatable / 1: Initial / 0: Non-Existent
Rating Justification: <Justification here>
Indicators/Metrics: <Indicators here>

Control: Monitoring Device Security
  COBIT: DS5.10 Violation & Security Activity Reports
COBIT Rating (tick one): 5: Optimized / 4: Managed / 3: Defined / 2: Repeatable / 1: Initial / 0: Non-Existent
Rating Justification: <Justification here>
Indicators/Metrics: <Indicators here>

Control: Vulnerability Assessment
  COBIT: DS5.7 Security Surveillance
COBIT Rating (tick one): 5: Optimized / 4: Managed / 3: Defined / 2: Repeatable / 1: Initial / 0: Non-Existent
Rating Justification: <Justification here>
Indicators/Metrics: <Indicators here>
Workflow Diagram
(Overview of Key Tasks & Control Points)

[Diagram: E-Mail Infrastructure Overview. Node labels recovered from the figure; the connections between nodes did not survive extraction.]

  Internet
  Firewall PHX
  SMTP E-Mail Relay (PHX) (Trend Micro InterScan)
  Firewall SFO
  SMTP E-Mail Relay (SFO) (Trend Micro InterScan)
  TCVS
  Mail Service Gateway (In) (McAfee WebShield)
  Mail Service Gateway (Out) (McAfee WebShield)
  Exchange Servers (Trend Micro ScanMail)
  Exchange Public Folders (McAfee GroupShield)
  Desktop Population (McAfee VirusScan)
  Windows File Servers (McAfee NetShield)
Process Steps and Control Points

Columns: Process Steps | Control Point Reference | Control Type (manual or system) | Performance Indicator

1. Provides Internet gateway protection. TVC server polled on an hourly basis for vendor software updates.
   Control Point Reference: <ref>   Control Type: <manual/system>   Performance Indicator: <indicator>

2. Second line of defense used to scan inbound and outbound Exchange e-mail messages. Software updated weekly or as necessary.
   Control Point Reference: <ref>   Control Type: <manual/system>   Performance Indicator: <indicator>

3. All inbound and outbound Exchange e-mail messages are scanned. TVC server polled on an hourly basis for vendor software updates.
   Control Point Reference: <ref>   Control Type: <manual/system>   Performance Indicator: <indicator>

4. Home and Public network drives: on-access/active scanning. All files scanned weekly on all local drives. Software updated bi-weekly or as necessary with Castanet.
   Control Point Reference: <ref>   Control Type: <manual/system>   Performance Indicator: <indicator>

5. Download and on-access scanning. All files scanned weekly on all local drives. Software updated bi-weekly with Castanet.
   Control Point Reference: <ref>   Control Type: <manual/system>   Performance Indicator: <indicator>

6. Active scan of all attachments in mail queues and weekly scan of all attachments in mail stores. Software updated bi-weekly with Castanet.
   Control Point Reference: <ref>   Control Type: <manual/system>   Performance Indicator: <indicator>

LEGEND:
  Manual control.
  Programmed control.
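The process steps above state an update cadence for each control point (hourly TVC server polling at the relays and Exchange servers, weekly gateway updates, bi-weekly Castanet pushes to file servers, desktops and public-folder servers). Testing those controls means checking evidence of the last successful signature update against the stated cadence and reporting the result as the Performance Indicator. The script below is an added example for that test; it is not part of the original template or of any XYZ Company tooling. The inventory format, the host names and timestamps are constructed sample data, the control-point names are labels chosen here, and the tolerance added to each cadence (2 hours for "hourly", 8 days for "weekly", 15 days for "bi-weekly") is an assumption an auditor would agree with the client beforehand.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum accepted age of the last successful signature update per control point.
# ASSUMPTION: tolerances added to the cadences stated in the process steps
# ("hourly" -> 2 h, "weekly" -> 8 d, "bi-weekly" -> 15 d).
MAX_AGE = {
    "smtp_relay":      timedelta(hours=2),   # Trend Micro InterScan, polls TVC server hourly
    "mail_gateway":    timedelta(days=8),    # McAfee WebShield, updated weekly
    "exchange_server": timedelta(hours=2),   # Trend Micro ScanMail, polls TVC server hourly
    "file_server":     timedelta(days=15),   # McAfee NetShield, Castanet bi-weekly
    "desktop":         timedelta(days=15),   # McAfee VirusScan, Castanet bi-weekly
    "public_folder":   timedelta(days=15),   # McAfee GroupShield, Castanet bi-weekly
}


@dataclass(frozen=True)
class HostRecord:
    host: str
    control_point: str
    last_update: datetime  # time of the last successful signature update (UTC)


def parse_inventory(lines):
    """Parse constructed 'host,control_point,ISO-8601 timestamp' lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, cp, ts = (field.strip() for field in line.split(","))
        if cp not in MAX_AGE:
            raise ValueError(f"{host}: unknown control point {cp!r}")
        records.append(HostRecord(host, cp, datetime.fromisoformat(ts)))
    return records


def find_stale(records, now):
    """Return {host: age} for each host whose last update exceeds its cadence."""
    stale = {}
    for rec in records:
        age = now - rec.last_update
        if age > MAX_AGE[rec.control_point]:
            stale[rec.host] = age
    return stale


def performance_indicator(records, now):
    """Per control point: (hosts in scope, hosts within cadence, percent compliant)."""
    stale = find_stale(records, now)
    counts = {}
    for rec in records:
        total, ok = counts.get(rec.control_point, (0, 0))
        counts[rec.control_point] = (total + 1, ok + (0 if rec.host in stale else 1))
    return {cp: (t, ok, round(100.0 * ok / t, 1)) for cp, (t, ok) in counts.items()}


# Constructed sample inventory; hosts and timestamps are invented for the example.
SAMPLE_INVENTORY = """\
# host,control_point,last_signature_update
relay-phx,smtp_relay,2003-03-10T11:15:00+00:00
relay-sfo,smtp_relay,2003-03-10T06:40:00+00:00
gw-in,mail_gateway,2003-03-04T02:00:00+00:00
gw-out,mail_gateway,2003-02-20T02:00:00+00:00
exch01,exchange_server,2003-03-10T11:50:00+00:00
fs01,file_server,2003-03-01T03:00:00+00:00
pc-1042,desktop,2003-02-10T09:30:00+00:00
pf01,public_folder,2003-03-08T03:00:00+00:00
""".splitlines()

# Point in time at which the evidence was collected (constructed).
AS_OF = datetime(2003, 3, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    recs = parse_inventory(SAMPLE_INVENTORY)
    for host, age in sorted(find_stale(recs, AS_OF).items()):
        print(f"STALE {host}: last update {age} ago")
    for cp, (total, ok, pct) in sorted(performance_indicator(recs, AS_OF).items()):
        print(f"{cp}: {ok}/{total} within cadence ({pct}%)")
```

On the sample data the relay at SFO, the outbound gateway and one desktop fall outside their cadence; the per-control-point percentages are what would be entered in the Performance Indicator column, and the stale host list is the evidence for the Rating Justification.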
Definitions

COBIT Maturity Model (generic)

0 Non-Existent: Management processes are not in place (complete lack of any recognizable processes. The organization has not recognized that there is an issue to be addressed).

1 Initial: Processes are ad hoc and disorganized (there is evidence that the organization has recognized that the issues exist and need to be addressed. However, there are no standardized processes; there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized).

2 Repeatable: Processes follow a regular pattern (processes have developed to a stage where different people undertaking the same task follow similar procedures. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals, and errors are likely as a result).

3 Defined: Processes are documented and communicated (procedures have been standardized and documented and communicated through formal training. However, compliance with the procedures is left to each individual, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices).

4 Managed: Processes are monitored and measured (it is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way).

5 Optimized: Best practices are followed and automated (processes have been refined to a level of best practice, based on the results of continuous improvement and benchmarking with other organizations and industry best practices. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt).

Issue Priorities

A (Sign-off Authority: EVP): These represent the highest level of significance and generally pose material risk to the company if not resolved in a timely manner.

B (Sign-off Authority: SVP): Pose less risk but will have an adverse impact on the company if the underlying issues are not properly addressed.

C (Sign-off Authority: VP): Opportunities to enhance the existing control environment to ensure continued compliance with company and regulatory guidelines.

Distribution
<Insert client names here in alphabetical order>
Maturity Model: Problem and Incident Management

0 Non-Existent: There is no awareness of the need for managing problems and incidents. The problem-solving process is informal, and users and IT staff deal individually with problems on a case-by-case basis.

1 Initial: The organization has recognized that there is a need to solve problems and evaluate incidents. Key knowledgeable individuals provide some assistance with problems relating to their area of expertise and responsibility. The information is not shared with others, and solutions vary from one support person to another, resulting in additional problem creation and loss of productive time while searching for answers. Management frequently changes the focus and direction of the operations and technical support staff.

2 Repeatable: There is a wide awareness of the need to manage IT-related problems and incidents within both the business units and the information services function. The resolution process has evolved to a point where a few key individuals are responsible for managing the problems and incidents occurring. Information is shared among staff; however, the process remains unstructured, informal and mostly reactive. The service level to the user community varies and is hampered by insufficient structured knowledge available to the problem solvers. Management reporting of incidents and analysis of problem creation is limited and informal.

3 Defined: The need for an effective problem management system is accepted and evidenced by budgets for the staffing, training and support of response teams. Problem solving, escalation and resolution processes have been standardized but are not sophisticated. Nonetheless, users have received clear communications on where and how to report problems and incidents. The recording and tracking of problems and their resolutions is fragmented within the response team, using the available tools without centralization or analysis. Deviations from established norms or standards are likely to go undetected.

4 Managed: The problem management process is understood at all levels within the organization. Responsibilities and ownership are clear and established. Methods and procedures are documented, communicated and measured for effectiveness. The majority of problems and incidents are identified, recorded, reported and analyzed for continuous improvement and are reported to stakeholders. Knowledge and expertise are cultivated, maintained and developed to higher levels as the function is viewed as an asset and major contributor to the achievement of IT objectives. The incident response capability is tested periodically. Problem and incident management is well integrated with interrelated processes, such as change, availability and configuration management, and assists customers in managing data, facilities and operations.

5 Optimized: The problem management process has evolved into a forward-looking and proactive one, contributing to the IT objectives. Problems are anticipated and may even be prevented. Knowledge is maintained, through regular contacts with vendors and experts, regarding patterns of past and future problems and incidents. The recording, reporting and analysis of problems and resolutions is automated and fully integrated with configuration data management. Most systems have been equipped with automatic detection and warning mechanisms, which are continuously tracked and evaluated.