Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
Ensure that the enterprise is compliant with all applicable external requirements.
Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
Number of non-compliance issues relating to contractual agreements with IT service providers
Coverage of compliance assessments
Percent of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
Number of significant IT-related incidents that were not identified in risk assessment
Percent of enterprise risk assessments including IT-related risk
Frequency of update of risk profile
Average time lag between identification of external compliance issues and resolution
Frequency of compliance reviews
Number of critical non-compliance issues identified per year
Percent of process owners signing off, confirming compliance
On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.
Assign responsibility for identifying and monitoring any changes of legal, regulatory and other external contractual requirements relevant to the use of IT resources and the processing of information within the business and IT operations of the enterprise.
Identify and assess all potential compliance requirements and the impact on IT activities in areas such as data flow, privacy, internal controls, financial reporting, industry-specific regulations, intellectual property, health and safety.
Assess the impact of IT-related legal and regulatory requirements on third-party contracts related to IT operations, service providers and business trading partners.
Obtain independent counsel, where appropriate, on changes to applicable laws, regulations and standards.
Maintain an up-to-date log of all relevant legal, regulatory and contractual requirements, their impact and required actions.
Maintain a harmonized and integrated overall register of external compliance requirements for the enterprise.
Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and good practice guidance for adoption and adaptation.
Regularly review and adjust policies, principles, standards, procedures and methodologies for their effectiveness in ensuring necessary compliance and addressing enterprise risk using internal and external experts, as required.
Communicate new and changed requirements to all relevant personnel.
Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
Regularly evaluate organizational policies, standards, procedures and methodologies in all functions of the enterprise to ensure compliance with relevant legal and regulatory requirements in relation to the processing of information.
Address compliance gaps in policies, standards and procedures on a timely basis.
Periodically evaluate business and IT processes and activities to ensure adherence to applicable legal, regulatory and contractual requirements.
Regularly review for recurring patterns of compliance failures. Where necessary, improve policies, standards, procedures, methodologies, and associated processes and activities.
Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.
Obtain regular confirmation of compliance with internal policies from business and IT process owners and unit heads.
Perform regular (and, where appropriate, independent) internal and external reviews to assess levels of compliance.
If required, obtain assertions from third-party IT service providers on levels of their compliance with applicable laws and regulations.
If required, obtain assertions from business partners on levels of their compliance with applicable laws and regulations as they relate to intercompany electronic transactions.
Monitor and report on non-compliance issues and, where necessary, investigate the root cause.
Integrate reporting on legal, regulatory and contractual requirements at an enterprise-wide level, involving all business units.
References:
ISACA. (2012). COBIT 5 Enabling Processes. USA: ISACA.