COBIT Control Assessment Questionnaire

The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 318 specific, detailed control objectives throughout the 34 IT processes.
- IT Governance Institute

Audit Information:

Audit / Project Name
Auditable Unit #
Engagement #
Start Date
End Date
Audit Team Lead
Audit Team Members

MM / DD / YYYY
MM / DD / YYYY

Description of Project

Client Information:

Information For Client(s) Participating In The Joint Assessment
Responsible Officers
Name
Title
Phone
Location
Name
Title

Other Information

Overall Rating Assigned For This Assessment*:

Overall Maturity Rating:

* In the event that an assessment falls between two maturity ratings, the lower rating is assigned.

Legend For Generic COBIT Management Guidelines Maturity Ratings**:
Rating
Description
0 - Non-Existent
Management processes are not in place (Complete lack of any recognizable processes. The organization has not recognized that there is an issue to be addressed).

1 - Initial
Processes are ad hoc and disorganized (There is evidence that the organization has recognized that the issues exist and need to be addressed. However, there are no standardized processes; there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized).
2 - Repeatable
Processes follow a regular pattern (Processes have developed to a stage where different people undertaking the same task follow similar procedures. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and errors are likely as a result).
3 - Defined
Processes are documented and communicated (Procedures have been standardized and documented and communicated through formal training. However, compliance with the procedures is left to each individual and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated, but are the formalization of existing practices).
4 - Managed
Processes are monitored and measured (It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way).
5 - Optimized
Best practices are followed and automated (Processes have been refined to a level of best practice, based on the results of continuous improvement and benchmarking with other organizations and industry best practices. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt).
**Note: Generic Ratings are applied to assessments where the overall review does not correspond specifically to a single one of COBIT’s 34 High Level Control Objectives. Where an overall review corresponds to a specific IT process, the specific maturity rating definition as defined in COBIT’s Management Guidelines is used.

Client’s Targeted Maturity Rating***:

*** Client’s Targeted Maturity Rating indicates the level of maturity that the assessment owner believes is an appropriate maturity level for the assessment scope. Risks vary across IT processes; it is not desirable for every process to aspire to achieve the highest maturity rating.
Overall Rating Assigned For This Assessment*:

Overall Maturity Rating:

* In the event that an assessment falls between two maturity ratings, the lower rating is