MO03 Assurance Reviews

MO03: Assurance Reviews

Description

Controls

KGI

KPI

CSF

Maturity Levels

1. Description

Independent assurance reviews carried out at regular intervals.

2. Control Objectives

Independent Security and Internal Control Certification/Accreditation of Information Technology Services - Management should obtain independent certification/accreditation of security and internal controls prior to implementing critical new information technology services and re-certification/re-accreditation of these services on a routine cycle after implementation
Independent Security and Internal Control Certification/Accreditation of Third-Party Service Providers - Management should obtain independent certification/accreditation of security and internal controls prior to using information technology service providers and re-certification/re-accreditation on a routine cycle
Independent Effectiveness Evaluation of Information Technology Services - Management should obtain independent evaluation of the effectiveness of information technology services on a routine cycle
Independent Effectiveness Evaluation of Third-Party Service Providers - Management should obtain independent evaluation of the effectiveness of information technology service providers on a routine cycle
Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments - Management should obtain independent assurance of the information service function’s compliance with legal and regulatory requirements, and contractual commitments on a routine cycle
Independent Assurance of Compliance with Laws and Regulatory Requirements and Contractual Commitments by Third-Party Service Providers - Management should obtain independent assurance of third-party service providers’ compliance with legal and regulatory requirements and contractual commitments on a routine cycle
Competence of the Independent Assurance Function - Management should ensure that the independent assurance entity possesses the technical competence, and skills and knowledge necessary to perform such reviews in an effective, efficient and economical manner
Proactive Audit Involvement - Information technology management should seek audit involvement in a proactive manner before finalising information technology service solutions

3. Key Goal Indicators

Increased number of accepted opinions on the overall system of internal control for all agreed domains
Increased number of quality certifications or accreditations for all agreed domains
Increased number of second opinions reported to the stakeholders for major IT decisions such as going live, contract negotiations, joint ventures and major acquisitions
Percentage of recommendations closed on time relative to independent internal control reviews, quality certifications or accreditations and second opinions
Reduced number of failed or reversed major IT decisions
Index of confidence and trust of stakeholders

4. Key Performance Indicators

Reduced overhead of obtaining assurance and certifications
Timeliness of assurance reporting
Timeliness of assurance activities
Number of assurance processes initiated
Number of iterations before assurance reports are accepted
Number of IT decisions requiring assurance where no assurance was sought
Number of IT decisions not requiring assurance where assurance was sought
Reduced number of failed or reversed major IT decisions after a positive assurance was obtained

5. Critical Success Factors

There is continuous alignment with stakeholder needs
The organisation has defined processes for IT assurance activities, especially overall internal control, certification and major decisions
Benchmarking of external service providers is routinely performed
Major IT decisions have an up-front requirements analysis for a third-party assurance opinion
Prior to obtaining independent assurance, a high-level risk assessment is performed with the key stakeholders
There is a commitment to leverage independent assurance for sustainable improvement
Assurance activities are performed in accordance with generally accepted practices, such as SysTrust
There is a partnership between auditor and auditee, to encourage cooperation

6. Service Maturity Variations

0 Non-existent	The organisation does not have assurance processes in place. Security policies are not implemented. Service level agreements have not been developed and processes are not measured. Management has not instituted any assurance or certification programs.
1 (Initial/Ad Hoc)	The organisation manages IT processes independently. Certification and assurance processes are in place on an exception basis. Certification and assurance are driven by events such as regulatory changes or requirements or customer demand. The assurance process is conducted reactively by task forces or by technical specialists who do not have specific assurance skills.
2 (Repeatable but Intuitive)	Information services function management has implemented processes for managing assurance activities. Assurance requirements are still linked to business needs and requirements and are driven by the information system services function. Risk management, as part of information services function management, drives certification and assurance programs. The information services function performs risk assessments to identify system level risks. Senior management supports and has committed to independent assurance. Methods and techniques are developed for certification and assurance and are being benchmarked to develop best practices. The process for selecting internal or external resources is being formalised.
3 (Defined Process)	The organisation has defined and institutionalised the processes for IT assurance activities and the criteria for using internal and external resources based on the level of expertise, sensitivity and independence required. Assurance processes include legal and regulatory requirements, certification needs, general organisational effectiveness and identification of best practices. Assurance requirements have been developed for IT processes. Management conducts participative reviews of all assurance activities. Management outside of the information services function has proactive involvement in assurance and certification reviews. A knowledge base of certification and assurance best practices has been developed. Key IT processes have been certified.
4 (Managed and Measurable)	Management has implemented assurance processes for ensuring that critical IT processes are identified and have specific assurance plans. IT processes are reviewed in the context of the business process they support. Assurance processes are quantitatively managed and controlled. Management uses what is learned from assurance and certification processes to improve other processes, based on what was learned. The knowledge base is utilised to ensure that best practices are used in new processes and to benchmark other processes. A formal process is in place to ensure the competence of the assurance function by continually evaluating the balance between internallyand externally-available knowledge and skills. Cost/benefit criteria for conducting internal and externalbased assessments are defined.
5 Optimized	Management has implemented measures to ensure that all critical business processes have assurance processes over the IT infrastructures that support them. The organisation has a continuous improvement program for the assurance and certification processes that reflects industry best practices. Management has developed the ability to quickly integrate the results of assurance and certification activities into organisation-wide processes. The effectiveness of third-party service providers and relationships with business partners are routinely evaluated. There is a formally-defined strategy, supported by senior management, for developing compliance with national and international standards and for obtaining certifications that are seen as providing recognition and a competitive advantage.