Calculating assurance for compliance
Assurance is a calculation that represents your organization's confidence in requirements being met. Assurance is a valuable calculation in a compliance map because it shows how much work needs to be done to comply with a specific standard or regulation.
How it works
After you map controls to requirements and specify a control weight for each control, assurance scores automatically display on the compliance map.
How are assurance scores displayed?
The compliance map displays assurance scores at both the requirement level and the standard/regulation level. Each assurance score is displayed as a percentage between 0 and 100.
Example assurance scores
A single, averaged assurance score displays beside the standard (COBIT 5 Framework).
Aggregated assurance scores display beside calculated requirements (APO and APO01).
Individual assurance scores display beside working requirements (APO01.01 - APO01.08).
Requirement APO01.04 has an assurance score of 100%, meaning that your organization is confident that Requirement APO01.04 is being effectively met by the controls currently in place.
COBIT 5 Framework has an assurance score of 81.25%, meaning that your organization is progressing well in terms of fully complying with the standard.
How are assurance scores calculated?
Assurance scores are calculated based on the following:
- Working and calculated requirements
- Expected assurance
- Control score and actual assurance
Note
Expected assurance, control score, and actual assurance are not displayed in the compliance map.
Calculation | Formula |
---|---|
Assurance for working requirements | Actual Assurance / Expected Assurance |
Assurance for calculated requirements and assurance at the standard or regulation level | SUM (Actual Assurance of descendant working requirements) / SUM (Expected Assurance of descendant working requirements) |
Working requirements vs. calculated requirements
Your compliance map is composed of working requirements and calculated requirements. Working requirements are marked in the compliance map with an icon.
- Working requirements: requirements that you have directly mapped to controls
- Calculated requirements: ancestors or descendants of working requirements
Example
Scenario
You create the following mappings:
- Requirement 1.1.1 to Control A
- Requirement 1.1.2 to Control B
Result
Requirement | Requirement type | Mapped control(s) |
---|---|---|
Requirement 1 | Calculated | Related controls (A, B) |
Requirement 1.1 | Calculated | Related controls (A, B) |
Requirement 1.1.1 | Working | A |
Requirement 1.1.2 | Working | B |
Expected assurance
Expected assurance is a calculation that derives from your organization's expectation that requirements are being met.
Requirement type | Expected assurance calculation |
---|---|
Working | Expected assurance = 1. Note: this is a baseline score that represents assurance before controls are tested. |
Calculated | SUM (Expected assurance of descendant working requirements) |
Example
Requirements 1.1.1 and 1.1.2 are working requirements, and each has an expected assurance of 1.
Requirements 1 and 1.1 are calculated requirements. Expected assurance is aggregated up the requirement tree.
- Expected assurance of Requirement 1.1 = 2 (1 + 1)
- Expected assurance of Requirement 1 is the same as Requirement 1.1 (2)
Requirement | Requirement type | Expected Assurance |
---|---|---|
Requirement 1 | Calculated | 2 |
Requirement 1.1 | Calculated | 2 |
Requirement 1.1.1 | Working | 1 |
Requirement 1.1.2 | Working | 1 |
Control score and actual assurance
Control score
Control score is a calculation that derives from whether control tests have passed, failed, or have not been tested.
The control score for each mapping between a control and requirement is calculated as follows:
- If all control tests pass OR if at least one of the applicable control tests passes while the others have not been tested, control score = 1
- If any control test fails, control score = 0
Actual assurance
Actual assurance is a calculation that derives from whether control tests have passed or failed and the percentage of the requirement that the control covers.
- The actual assurance for each mapping between a control and requirement is calculated using the following formula:
Control Weight x Control Score
- The actual assurance of a requirement is calculated using the following formula:
SUM (Actual Assurance of all control-requirement mappings)
Example
Scenario
You map Requirement 1.1.1 to Control A, and Requirement 1.1.2 to Control B.
You specify the Control Weight of Control A and Control B as 50%. All tests pass for Control A, but one test did not pass for Control B.
Result
Requirement | Requirement type | Mapped Controls | Expected Assurance | Control Weight | All Tests Passed? | Control Score | Actual Assurance |
---|---|---|---|---|---|---|---|
Requirement 1 | Calculated | Related controls (A, B) | 2 | -- | -- | -- | 0.5 |
Requirement 1.1 | Calculated | Related controls (A, B) | 2 | -- | -- | -- | 0.5 |
Requirement 1.1.1 | Working | A | 1 | 50% | Y | 1 | 0.5 |
Requirement 1.1.2 | Working | B | 1 | 50% | N | 0 | 0 |
Assurance in action
Your organization needs to comply with COBIT 5 Framework. You begin a compliance program to:
- showcase your organization's commitment in addressing legal obligations and considerations facing the business
- demonstrate due diligence
- clarify the boundaries of permissible conduct for organizational staff
- provide a possibility for mitigating the cost of non-compliance
Example
Step 1: Map controls to requirements
To comply with COBIT 5 Framework, you identify the requirements that are applicable, and map controls to the requirements:
Requirement | Mapped control(s) |
---|---|
Requirement 1 | Related controls (A, B) |
Requirement 1.1 | A |
Requirement 1.2 | B |
Requirement 2 | Related controls (C, D) |
Requirement 2.1 | C |
Requirement 2.2 | D |
Result
Requirements 1.1, 1.2, 2.1, and 2.2 are all working requirements, and each has an expected assurance score of 1. Requirement 1 and Requirement 2 each have an expected assurance score of 2, based on the aggregation up the requirement tree (1 + 1 = 2).
Step 2: Specify control weight and test controls
After mapping controls, you specify the percentage of each control that covers each requirement, and test controls to see if they pass or fail.
Requirement | Mapped control(s) | Control Weight | Test Passed |
---|---|---|---|
Requirement 1 | Related controls (A, B) | -- | -- |
Requirement 1.1 | A | 50% | Yes |
Requirement 1.2 | B | 25% | Yes |
Requirement 2 | Related controls (C, D) | -- | -- |
Requirement 2.1 | C | 25% | No |
Requirement 2.2 | D | 25% | Yes |
Result
The tests for controls A, B, and D passed, and each receives a control score of 1. The test for control C did not pass, so it receives a control score of 0.
Step 3: View assurance scores
After specifying control weight and testing controls, you view the assurance scores for each requirement and the total assurance score for COBIT 5 Framework.
Actual assurance for each mapping between a control and a requirement is calculated as follows:
Control Weight x Control Score
Assurance for working requirements is calculated as follows:
Actual Assurance / Expected Assurance
Assurance for calculated requirements and assurance at the standard or regulation level is calculated as follows:
SUM (Actual Assurance of descendant working requirements) / SUM (Expected Assurance of descendant working requirements)
Requirement | Expected Assurance | Actual Assurance | Assurance |
---|---|---|---|
Requirement 1 | 2 | 0.75 | 38% |
Requirement 1.1 | 1 | 0.5 | 50% |
Requirement 1.2 | 1 | 0.25 | 25% |
Requirement 2 | 2 | 0.25 | 13% |
Requirement 2.1 | 1 | 0 | 0% |
Requirement 2.2 | 1 | 0.25 | 25% |
Aggregated results
- Expected Assurance = 4
(Expected assurance of requirements 1 and 2 = 2 + 2)
- Actual Assurance = 1
(Actual assurance of requirements 1 and 2 = 0.75 + 0.25)
- Assurance = 25%
(Actual assurance divided by expected assurance = 1 / 4)
You demonstrate your organization's commitment to conducting business in conformity with the COBIT 5 Framework. However, there is still a significant amount of work that your organization needs to do in order to fully comply with the COBIT 5 Framework.
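The following is an added example, not code from the compliance map product itself: it implements the control score rule, the expected and actual assurance formulas, and the aggregation up the requirement tree exactly as described on this page, and reproduces the numbers from the COBIT 5 Framework walkthrough above (the class and function names are my own). The page does not say what the control score is when every test is untested; the code treats that as 0 and labels it an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Mapping:
    """One control-to-requirement mapping."""
    control: str
    weight: float                 # control weight as a fraction (50% -> 0.5)
    tests: list[Optional[bool]]   # True = pass, False = fail, None = not tested

    def control_score(self) -> int:
        # Any failed test -> 0. Otherwise 1 if all tests pass, or at least one
        # passes while the rest are untested. All-untested -> 0 (assumption:
        # the page gives no score for that case).
        if any(t is False for t in self.tests):
            return 0
        return 1 if any(t is True for t in self.tests) else 0

    def actual_assurance(self) -> float:
        return self.weight * self.control_score()   # Control Weight x Control Score


@dataclass
class Requirement:
    """Working if it has mappings; otherwise calculated from its children."""
    name: str
    mappings: list[Mapping] = field(default_factory=list)
    children: list["Requirement"] = field(default_factory=list)

    def expected(self) -> float:
        if self.mappings:                 # working: baseline of 1
            return 1.0
        return sum(c.expected() for c in self.children)

    def actual(self) -> float:
        if self.mappings:                 # working: sum over its mappings
            return sum(m.actual_assurance() for m in self.mappings)
        return sum(c.actual() for c in self.children)

    def assurance(self) -> float:
        exp = self.expected()
        return self.actual() / exp if exp else 0.0


def cobit_example() -> Requirement:
    # The standard is modelled as the root; its score sums descendant working requirements.
    return Requirement("COBIT 5 Framework", children=[
        Requirement("Requirement 1", children=[
            Requirement("Requirement 1.1", [Mapping("A", 0.50, [True, True])]),
            Requirement("Requirement 1.2", [Mapping("B", 0.25, [True])])]),
        Requirement("Requirement 2", children=[
            Requirement("Requirement 2.1", [Mapping("C", 0.25, [False, True])]),
            Requirement("Requirement 2.2", [Mapping("D", 0.25, [True, None])])])])
```

Calling `cobit_example().assurance()` yields 0.25, the 25% shown in the aggregated results, and `Requirement 1` yields 0.375, which the compliance map rounds to 38%.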
What changes impact the way assurance works?
There are a variety of changes that impact the way assurance works.
Change | Impact |
---|---|
You specify that a requirement is not applicable. | All framework controls mapped to the requirement and any descendant requirements in its group are automatically unmapped, and are not calculated as part of the assurance score. |
You change the scope of a standard or regulation. | All framework controls mapped to out-of-scope requirements are automatically unmapped, and are not calculated as part of the assurance score. |
You unmap a framework control from a requirement. | Any testing results and issues from projects associated with the framework will not be aggregated to the compliance map, and the assurance score is updated. |
You define a control weight of a framework control within the compliance map. | The actual assurance score (not shown in compliance maps) is recalculated, and the assurance score is updated. |
You import objectives or controls from a framework to a project, or sync changes from the framework to the project. | If a framework control is mapped to a requirement, any testing results and issues in the project will be aggregated to the compliance map, and the assurance score is updated. |
You archive a project or rollforward an archived project that was previously synced with framework controls used in compliance maps. | Only testing results and issues from active projects are aggregated to the compliance map. The assurance score updates and excludes the testing results and issues from the archived or rollforward project. |
You unarchive a project that is synced with framework controls used in compliance maps. | The assurance score updates and testing results and issues from the unarchived project are aggregated to the compliance map. |