D3.

Example Report Template

The following is an example of the process assessment report for an example
company, performed using the COBIT assessment programme methodology.

COBIT Process Capability Assessment Report

Company/Scope/COBIT Process

Date
This is an assessment report based on the COBIT 4.1 process assessment
model and not an attestation or assurance report on the effectiveness of
the process or its related internal controls. It is intended as an internal
report to provide information for managements use only, and should not
be relied upon by others. Its purpose is to provide information about the
capability of an organisations processes and to give management some
indication of what processes need improving.
REVISION HISTORY
Version
Modification

Date

Table of Contents
1
2

3
4
5

Executive Summary
Introduction
2.1 Purpose of the Assessment
2.2 Assessment Scope
2.2.1 Organisational Unit
2.2.2 Processes and Capability Levels
2.2.3 Processes Reviewed and Basis for Selection
2.2.4 Class of Assessment
2.3 Assessment Constraints
2.4 Summary of the Approach
2.5 Assessment Team Members
2.6 Critical Dates
2.7 Assessment Schedule
2.8 Confidentiality Agreements
Summary of Results
3.1 Process Assessment Profile and Process Capability Reached
Detailed Findings
Recommendations

Author

1 Executive Summary
Describe the overall context and objectives as they relate to this assignment.
Include anticipated benefits, scope summary and rationale, assessment
approach and summary of findings (executive level).
2 Introduction
2.1 Purpose of the Assessment
The purpose of this assessment is to determine the capability level of
(organisation/business or functional unit assessed) IT-related processes, and
to identify good practices that might be implemented to result in overall
improvement of the organisations processes (if part of the assessment
objective).
2.2 Assessment Scope
Describe the overall scope chosenbusiness reasons, COBIT processes used.
2.2.1 Organisational Unit
Describe the organisational unit(s) chosen, their size, and placement in
the overall organisation (inclusion of an organisational chart, if
appropriate).
2.2.2 Processes and Capability Levels
The process assessment model (PAM) used for this assessment is the
COBIT PAM. Document the specific target capability levels t for the
processes selected.
2.2.3 Processes Reviewed and Basis for Selection
Describe the COBIT processes reviewed in the assessment and the basis
for choosing them. For example, note that an assessment relied on the IT
Control Objectives for Cloud Computing. The description should consist of
a general description of which of the 34 COBIT processes were used.
2.2.4 Class of Assessment
The class of assessment will determine the necessary rigour under which
the assessment is to be performed. This was a class (#) assessment,
which means that the assessment has a suitability as shown in the
following table.
Class
Suitability
One
Comparison with other organisations
Two
Reliable internal assessment for internal reporting
Three
Monitoring the ongoing progress of an improvement
programme
2.3 Assessment Constraints
A description of the key constraints during the assessment:
Resource availability
Business activity (key busy time frames such as end of quarter, year end)
Processes or business unit excluded
Evidence gathering (e.g., interviews only vs. document gathering)
Ownership of deliverables (e.g., The assessment sponsor owns and
communicates all deliverables)
2.4 Summary of the Approach
Provide high-level background on the assessment process used. Describe the
process used and the roles involved.

2.5 Assessment Team Members

Describe the various roles involved in an assessment (descriptive and/or
table driven). The following table presents the roles and responsibilities for
this assessment.
Role

Name

Organisation

Position in the
organisation

Sponsor
Coordinator
Lead
assessor
Assessor (s)
Etc.
2.6 Critical Dates
Document the primary critical dates during the assessment:
Assessment start date
Kick-off meeting
Interview dates
Scheduled end date (if different from actual end date)
Actual end date (include indication of reasons for any delay)
2.7 Assessment Schedule
Input the actual interview schedule, including people, dates, duration and
processes reviewed. Chart form is likely best, but results can be listed if it is
preferred.
Time/Day Interviewee
Duration
Processes Discussed
name/Function

2.8 Confidentiality Agreement

The participants in the assessment have been assured of absolute
confidentiality for the information they have provided. Where applicable a
non-disclosure agreement (NDA) is signed by the assessor and the assessor
tem, if appropriate.
3 Summary of Results
Present consolidated results in chart form using the processes reviewed and
capability levels achieved as input. Add information on whether the results are
based on interview only (less reliable) or on data collection and review (more
reliable). It may be worth adding a small table showing the different levels of
assessable process capability and highlighting those chosen for this assignment.
Consider including:
3.1 Process Assessment Profile and Process Capability Reached
Include a chart showing achieved capability, as shown in figure 1. Optionally,
include a chart showing capability achieved vs. target, as shown in figure 2.

Figure 1Process Capability Level Reached

Summary Results
Achieved Capability Level
PROCE
SS ID

Process
Descriptio
n

AI1

Identify
Automate
d
Solutions

AI2

Acquire
and
Maintain
Applicatio
n
Software

DS2

Manage
Third
Parties

DS5

Manage
Informati
on
Security

DS11

Manage
Data

Process Purpose
Satisfy the business
requirement of
identifying automated
solutions that translate
business functional and
control requirements
into effective and
efficient solutions.
Satisfy the business
requirement of aligning
available applications
with business and
security requirements,
and do so in a timely
manner and at a
reasonable cost.
Satisfy the business
requirement of
providing satisfactory
third-party services
while being transparent
about benefits, costs
and risk.
Satisfy the business
requirement of
maintaining the
confidentiality, integrity
and availability of
information and the
processing
infrastructure aligned
to business needs and
minimizing the impact
of security
vulnerabilities.
Satisfy the business
requirement of
optimizing the use of
information and
ensuring that
information is available
as required.

1
Perform
ed

2
Manage
d

3
Establis
hed

4
Predicta
ble

5
Optimisi
ng

Figure 2Capability Achieved vs. Target

4 Detailed Findings
Describe the processes reviewed in detail including results of interviews or data
collection. Describe any previous capability level assessment results (if
available) and findings relating to improvement of those levels (if any).
Consider a section or paragraph for each process with findings, related data and
suggestions for improvement (if required in the engagement scope). The report
also shows any key issues raised during the assessment, such as observed areas
of strength and weakness, and implications.
This section should contain all the data discovered during the assignment, with
charts, graphs and details included, while also referencing the evidence
gathered.

Chart the ratings for each

Rating
Percentag
e
NNot
0% to 15%
Achieve
d
P
>15% to
Partiall
50%
y
Achieve
d
L
> 50% to
Largely 85%
Achieve
d
FFully > 85% to
Achieve 100%
d

process using the ratings in the following table.

Description
There is little or no evidence of achievement of the
defined attribute in the assessed process.
There is some evidence of an approach to, and some
achievement of, the defined attribute in the assessed
process. Some aspects of achievement of the
attribute may be unpredictable.
There is evidence of a systematic approach to, and
significant achievement of, the defined attribute in
the assessed process. Some weakness related to this
attribute may exist in the assessed process.
There is evidence of a complete and systematic
approach to, and full achievement of, the defined
attribute in the assessed approach. No significant
weaknesses related to this attribute exist in the
assessed process.

The report might contain tables in an appendix for each process.

Evidentiary requirements must be met for the report to provide reliability and
repeatability. The existence in this report of detailed base practices, work
products and work product characteristics provide evidence of the performance
of the processes associated with them. Similarly, the existence of process
capability indicators (an assessment indicator that supports the judgement of
the process capability of a specific process) provide evidence of process
capability.
5 Recommendations
Provide your recommendations resulting from the assessment. Ensure that each
recommendation can be traced to the related process, capability attribute and
process outcome/work product as appropriate. Indicate any recommendations
that apply across multiple processes within the scope of this assessment
program. Consider the target process capability level for the processes within
the scope of this assessment during the development of these recommendations
and indicate the degree of achievement.
Appendices
Assessment Records
(Examples are provided in the tool kit.)