Cobit Audit Questionnaire: PO1 Define a Strategic IT Plan: Confidential When Filled In


Confidential When Filled In

Cobit Audit Questionnaire: PO1 Define a Strategic IT Plan


INSTRUCTIONS:
Please respond to each question by placing an "X" in the "Yes", "No" or "N/A" column and by providing the information requested. Use the Tab key to move between items. Use the Supporting information field for explanatory comments regarding how a particular objective is met. This information, together with your attached documentation, will provide the evidence required to establish compliance with each given objective. Please note that there is also room provided for further comment at the end of the questionnaire. Any comments entered in this section should reference the item being explained (e.g. RE: Item 1.1.1).

Copies of all related documentation are required. Please record the filename and specific section/paragraph reference for each document in the appropriate space for each question.

Questionnaire completed by:

Contact number for follow-up questions:

Date Completed:

PO1.1 IT Value Management


Number    Question    Yes    No    N/A

PO1.1.1   Is there a process in place to determine which IT services and projects are commissioned based upon a solid business case analysis?
          If you answered No to this question, skip to PO1.2, Business-IT Alignment
          Supporting information:
          Supporting documentation:

PO1.1.2   Does the process distinguish between mandatory, sustaining and discretionary investments in IT?
          Supporting information:
          Supporting documentation:

PO1.1.3   Are the costs, timeliness and functionality of all IT services monitored in such a way as to provide early warning for any deviations from plan?
          Supporting information:
          Supporting documentation:

2009 Cobit Questionnaire P01 v1.1a



PO1.1.4   Are there equitable and enforceable Service Level Agreements (SLA) in place?
          Supporting information:
          Sample SLAs:

PO1.1.5   Is the responsibility and accountability for achieving the benefits and controlling costs clearly assigned?
          Supporting information:
          Supporting documentation:

PO1.1.6   Is the business case review and evaluation process fair, transparent, repeatable and comparable, using a standardized practice that includes financial worth, the risk of not delivering a capability and the risk of not realizing the expected benefits?
          Supporting information:
          Supporting documentation:

PO1.2 Business-IT Alignment


Number    Question    Yes    No    N/A

PO1.2.1   Is there a strategic planning process in place that is designed to ensure that IT services are aligned and integrated with organizational goals and objectives?
          If you answered No to this question, skip to PO1.3, Assessment of Current Capability and Performance
          Supporting information:

PO1.2.2   Is the process bi-directional, including input from both major stakeholder and IT perspectives?
          Supporting information:

PO1.2.3   Does this process occur at the executive cabinet level?
          Supporting information:

PO1.2.4   Does the process allow for sufficient mediation between organization and IT imperatives and produce mutually agreed priorities?
          Supporting information:



PO1.3 Assessment of Current Capability and Performance

Number    Question    Yes    No    N/A

PO1.3.1   Are there processes in place to assess the capability and performance of IT services and solutions?
          If you answered No to this question, skip to PO1.4, IT Strategic Plan
          Supporting information:

PO1.3.2   Is the assessment process used to establish baseline data against which future requirements can be compared?
          Supporting information:

PO1.3.3   Is performance defined in such a way as to determine IT contribution to organizational objectives, functionality, stability, complexity, costs, strengths and weaknesses?
          Supporting information:

PO1.4 IT Strategic Plan


Number    Question    Yes    No    N/A

PO1.4.1   Is there a process in place to develop an IT strategic plan that defines how IT goals will contribute to the enterprise's strategic objectives and related costs and risks?
          If you answered No to this question, skip to PO1.5, IT Tactical Plans
          If you answered Yes to this question, please include a copy of the IT strategic plan.
          Supporting information:

PO1.4.2   Does the plan define how IT will support IT-enabled programs, IT services and IT assets?
          Supporting information:

PO1.4.3   Does the plan define:
              How IT will meet the objectives?
              The measurements to be used?
              The procedures for formal sign-off from stakeholders?
          Supporting information:

PO1.4.4   Does the plan cover budget, funding sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements?
          Supporting information:

PO1.4.5   At what level in the organization are changes to the IT strategic plan authorized?

PO1.4.6   What period of time is covered by the IT strategic plan?

PO1.4.7   Please describe the process and interval for updating the IT strategic plan:



PO1.4.8   Is the plan sufficiently detailed to allow for the definition of tactical IT plans?
          Supporting information:

PO1.5 IT Tactical Plans


Number    Question    Yes    No    N/A

PO1.5.1   Is there a process in place to develop a portfolio of tactical IT plans that are derived from the IT strategic plan?
          If you answered No to this question, skip to PO1.6, Portfolio Management
          If you answered Yes to this question, please include sample copies of your IT tactical plans.
          Supporting information:

PO1.5.2   Do the plans address all IT-enabled programs, IT services and IT assets?
          Supporting information:

PO1.5.3   Do the plans describe the required IT initiatives and resource requirements?
          Supporting information:

PO1.5.4   Do the plans describe how the use of resources and achievement of benefits will be monitored and managed?
          Supporting information:

PO1.5.5   What period of time do the IT tactical plans cover?

PO1.5.6   Are the plans sufficiently detailed to allow for the creation of IT project plans?
          Supporting information:

PO1.5.7   Are the plans actively managed through analysis of project and service portfolios?
          Supporting information:

PO1.6 IT Portfolio Management


Number    Question    Yes    No    N/A

PO1.6.1   Is there a process in place by which the portfolio of IT-enabled programs and services is managed?
          If you answered No to this question, you have completed Cobit Process PO1, Define a Strategic Plan
          If you answered Yes to this question, please include a sample of your IT service portfolio.
          Supporting information:

PO1.6.2   Who participates in the process?



PO1.6.3   Does the process identify, define, evaluate, prioritize and manage IT programs based upon the requirements to achieve specific organizational goals and objectives?
          Supporting information:

PO1.6.4   Does the process clarify desired organizational outcomes and ensure that program objectives support those outcomes?
          Supporting information:

PO1.6.5   Does the process:
              Assign clear accountability?
              Define projects associated with appropriate programs?
              Allocate resources and funding?
              Delegate authority?
              Commission required projects?
          Supporting information:

PO1.6.6   Does the process address organization processes and workflow and attempt to use value-added capabilities by leveraging the use of applications and technologies through business process reengineering?

PO1.6.7   Does the process serve to determine both the internal and external resource requirements?

Additional Information for the Audit Team: General Information
