Monitor and Evaluate
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
• Is IT’s performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are adequate confidentiality, integrity and availability controls in place for information security?
Monitor and Evaluate IT Performance
Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, systematic and timely reporting of performance, and prompt acting upon deviations. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies.
Monitoring Approach
Establish a general monitoring framework and approach to define the scope, methodology and process to be followed for measuring IT’s solution and service delivery, and monitor IT’s contribution to the business. Integrate the framework with the corporate performance management system.
Definition and Collection of Monitoring Data
Work with the business to define a balanced set of performance targets and have them approved by the business and other relevant stakeholders. Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets. Establish processes to collect timely and accurate data to report on progress against targets.
Monitoring Method
Deploy a performance monitoring method (e.g., balanced scorecard) that records targets; captures measurements; provides a succinct, all-around view of IT performance; and fits within the enterprise monitoring system.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Performance Assessment
Periodically review performance against targets, analyze the cause of any deviations, and initiate remedial action to address the underlying causes. At appropriate times, perform root cause analysis across deviations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Board and Executive Reporting
Develop senior management reports on IT’s contribution to the business, specifically in terms of the performance of the enterprise’s portfolio, IT-enabled investment programs, and the solution and service deliverable performance of individual programs. Include in status reports the extent to which planned objectives have been achieved, budgeted resources used, set performance targets met and identified risks mitigated. Anticipate senior management’s review by suggesting remedial actions for major deviations. Provide the report to senior management, and solicit feedback from management’s review.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Remedial Actions
Identify and initiate remedial actions based on performance monitoring, assessment and reporting. This includes follow-up of all monitoring, reporting and assessments through:
• Review, negotiation and establishment of management responses
• Assignment of responsibility for remediation
• Tracking of the results of actions committed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Monitor and Evaluate Internal Control
Establishing an effective internal control program for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.
Monitoring of Internal Control Framework
Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational objectives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Supervisory Review
Monitor and evaluate the efficiency and effectiveness of internal IT managerial review controls.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Control Exceptions
Identify control exceptions, and analyze and identify their underlying root causes. Escalate control exceptions and report to stakeholders appropriately. Institute necessary corrective action.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Control Self-assessment
Evaluate the completeness and effectiveness of management’s control over IT processes, policies and contracts through a continuing program of self-assessment.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Assurance of Internal Control
Obtain, as needed, further assurance of the completeness and effectiveness of internal controls through third-party reviews.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Internal Control at Third Parties
Assess the status of external service providers’ internal controls. Confirm that external service providers comply with legal and regulatory requirements and contractual obligations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Remedial Actions
Identify, initiate, track and implement remedial actions arising from control assessments and reporting.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Ensure Compliance with External Requirements
Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimizing and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT’s compliance reporting with the rest of the business.
Identification of External Legal, Regulatory and Contractual Compliance Requirements
Identify, on a continuous basis, local and international laws, regulations, and other external requirements that must be complied with for incorporation into the organization’s IT policies, standards, procedures and methodologies.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Optimization of Response to External Requirements
Review and adjust IT policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Evaluation of Compliance with External Requirements
Confirm compliance of IT policies, standards, procedures and methodologies with legal and regulatory requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Positive Assurance of Compliance
Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Integrated Reporting
Integrate IT reporting on legal, regulatory and contractual requirements with similar output from other business functions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Provide IT Governance
Establishing an effective governance framework includes defining organizational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.
Establishment of an IT Governance Framework
Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confirm that the IT governance framework ensures compliance with laws and regulations and is aligned with, and confirms delivery of, the enterprise’s strategies and objectives. Report IT governance status and issues.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Strategic Alignment
Enable board and executive understanding of strategic IT issues, such as the role of IT, technology insights and capabilities. Ensure that there is a shared understanding between the business and IT regarding the potential contribution of IT to the business strategy. Work with the board and the established governance bodies, such as an IT strategy committee, to provide strategic direction to management relative to IT, ensuring that the strategy and objectives are cascaded into business units and IT functions, and that confidence and trust are developed between the business and IT. Enable the alignment of IT to the business in strategy and operations, encouraging co-responsibility between the business and IT for making strategic decisions and obtaining benefits from IT-enabled investments.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Value Delivery
Manage IT-enabled investment programs and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise’s strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achieve those outcomes are understood; that comprehensive and consistent business cases are created and approved by stakeholders; that assets and investments are managed throughout their economic life cycle; and that there is active management of the realization of benefits, such as contribution to new services, efficiency gains and improved responsiveness to customer demands. Enforce a disciplined approach to portfolio, program and project management, insisting that the business takes ownership of all IT-enabled investments and IT ensures optimization of the costs of delivering IT capabilities and services.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Resource Management
Oversee the investment, use and allocation of IT resources through regular assessments of IT initiatives and operations to ensure appropriate resourcing and alignment with current and future strategic objectives and business imperatives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Risk Management
Work with the board to define the enterprise’s appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. Embed risk management responsibilities into the organization, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise’s IT risk position is transparent to all stakeholders.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Performance Measurement
Confirm that agreed-upon IT objectives have been met or exceeded, or that progress toward IT goals meets expectations. Where agreed-upon objectives have been missed or progress is not as expected, review management’s remedial action. Report to the board relevant portfolios, program and IT performance, supported by reports to enable senior management to review the enterprise’s progress toward identified goals.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Independent Assurance
Obtain independent assurance (internal or external) about the conformance of IT with relevant laws and regulations; the organization’s policies, standards and procedures; generally accepted practices; and the effective and efficient performance of IT.