
REGUNAYAN, MARCO PAUL C.

CBET – 01 – 502E PROF. MACRINA VIOLETA MUTUC

CHAPTER 5: Control Frameworks

1. What are the five components of the COSO IC-IF Model?

The five components of the COSO IC-IF Model are:

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities

(Murdock, 2016, page 102)

2. Describe each of the components of the COSO IC-IF Model.

The control environment is the foundation on which an effective system of internal control is built and operated in an organization that strives to achieve its strategic objectives, provide reliable financial reporting to internal and external stakeholders, operate its business efficiently and effectively, comply with applicable laws and regulations, and safeguard its assets. It comprises the standards, processes, and structures set by the board and senior management, including integrity and ethical values, oversight, and accountability.

Risk assessment involves identifying and analyzing the risks to achieving objectives and forms the basis for determining how those risks will be managed. It requires management to consider the impact of possible changes in the internal and external environment and to take action to manage that impact.

Control activities are actions, generally described in policies, procedures, and standards, which help management mitigate risks in order to ensure the achievement of objectives. Control activities may be preventive or detective in nature, manual or automated, and may be performed at all levels of the organization.

Information is obtained or generated by management from both internal and external sources to support the other components of internal control. Communication disseminates that information throughout the organization and to external parties, as needed to respond to and meet requirements and expectations.

Monitoring activities are ongoing or separate (periodic) evaluations that verify whether each of the five components of internal control, including the controls that effect the principles within each component, is present and functioning. Deficiencies found are evaluated and communicated to those responsible for corrective action.

(Murdock, 2016, pages 103-132)

3. Explain the benefits of the COBIT Model in the IT and the general business context.

COBIT (Control Objectives for Information and Related Technologies) is an IT governance and management framework developed by ISACA to help organizations develop, organize, and implement strategies around information management and governance.

In the IT context, COBIT gives an organization a structured set of processes and control objectives for evaluating IT governance and enhancing the protection of its information. Because auditors assess compliance against such frameworks, an entity that already operates under COBIT has its policies and procedures in place, so the last-minute set-up of documentation for a scheduled or unannounced audit is minimized.

In the general business context, COBIT implementation helps the business adhere to industry and regulatory requirements, which in turn benefits both internal and external stakeholders. Internally, employees work with defined business metrics to perform and measure their work; externally, customers and suppliers benefit from the data protection and data quality policies that COBIT-aligned IT processes enforce.

(Murdock, 2016, pages 133-134)

4. Describe the implications of Principle 11 of the COSO 2013 IC-IF Framework.

Principle 11 of the COSO 2013 IC-IF Framework falls under the Control Activities component: the organization selects and develops general control activities over technology (IT General Computer Controls, or IT GCCs) to support the achievement of objectives.

The implication is that IT is recognized as central to the achievement of objectives and to long-term success, so management must deliberately design and implement controls over the technology infrastructure, over security management (such as logical access), and over technology acquisition, development, and maintenance. The principle also recognizes that IT GCCs, business processes, and automated control activities are interdependent: automated application controls cannot be relied upon unless the general controls over the systems that run them are effective.

(Murdock, 2016, page 133)

5. Explain the relevance of IT GCCs for business auditors.

IT General Computer Controls (IT GCCs) are becoming more and more important to companies and organizations. Increasing IT regulation and the need for effective and efficient IT governance require that an organization understand and control the maturity of the controls implemented across the whole organization. Well-established IT GCCs give an organization a foundation for addressing many complex topics, such as information and IT security, internal and external audit, IT compliance, risk management, and IT governance.

For business auditors, IT GCCs matter because business processes and the financial data they produce depend on the systems that run them. Auditors seek reasonable assurance that the information technology within an organization operates as intended, that data is reliable, and that the organization complies with applicable laws and regulations. If the GCCs (for example, over logical access, change management, and computer operations) are weak, the auditor cannot rely on automated controls or system-generated reports and must extend substantive testing.

(Murdock, 2016, page 133)

6. List five ISO standards and explain their relevance to internal auditors.

ISO 19011, Guidelines for Auditing Management Systems, sets forth guidelines for auditing management systems. It contains guidance on managing an audit program, the principles of auditing, conducting audits, and evaluating the competence of the individuals involved in the audit process, including those who manage the audit program. An audit program consists of the arrangements made to complete all of the individual audits needed to achieve a specific purpose. For internal auditors it provides a recognized method for planning, performing, and reporting audits.

ISO 37001, Anti-Bribery Management Systems, specifies requirements and provides guidance for establishing, implementing, maintaining, and improving an anti-bribery management system, covering the anti-bribery policy, leadership commitment, bribery risk assessment, due diligence, financial and commercial controls, and reporting and investigation procedures. Internal auditors can use it as a benchmark when assessing the design and operation of the organization's anti-bribery controls.

ISO 9000, Quality Management, and related standards address various aspects of quality management and provide guidance and tools for organizations that want to ensure that their products and services consistently meet customers' requirements and that quality is improved continuously. Internal auditors use them as criteria when evaluating whether business processes are defined, followed, and corrected when nonconformities arise.

Risks affect organizations in many ways and can cause damage in terms of business performance, reputation, environmental impact, and stakeholder safety, among others, so it is imperative to identify, assess, and manage them effectively. ISO 31000, Risk Management, provides principles, a framework, and a process for doing so, which internal auditors can use as a benchmark when evaluating the organization's risk management practices.

ISO 27001, Information Security Management, specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Together with its supporting guidance in ISO 27002, it describes commonly accepted information security control objectives, such as security policy, asset management, human resources security, physical and environmental security, communications and operations management, information systems acquisition, development, and maintenance, incident management, business continuity, and compliance. Internal auditors use these control objectives as criteria when auditing the organization's information security controls.

(Murdock, 2016, pages 134-135)

7. Explain how ISO 9000—Quality Management and related standards can help
internal auditors improve business practices and strengthen the Three Lines of
Defense framework.

ISO 9000, Quality Management, and related standards can help internal auditors improve business practices and strengthen the Three Lines of Defense framework through clearly assigned management responsibility, continual training and professional qualification, and internal audits aimed at identifying and correcting nonconformities, all with a view to detecting risks and reducing them through continually improved corrective and preventive actions. The quality requirements reinforce each line: operational management (the first line) owns and documents its processes, the quality and risk functions (the second line) monitor conformance, and internal audit (the third line) independently verifies that the quality system is effective. Quality management therefore improves practices and strengthens the Three Lines of Defense by making the lines act together rather than separately.

(Murdock, 2016, page 135)

8. Explain how ISO 31000—Risk Management and related standards can help internal
auditors improve business practices and better identify and assess organizational
risks.

ISO 31000, Risk Management, provides principles, a framework, and a process for managing risk. It can be used by any organization regardless of its size, activity, or sector. It can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. It is not intended for certification purposes, but it does provide guidance for internal or external audit programmes. Organizations using it can compare their risk management practices with an internationally recognized benchmark, and internal auditors can use the same benchmark to evaluate whether risks have been identified, analyzed, and treated consistently, providing sound principles for effective management and corporate governance.
(Murdock, 2016, page 135)

9. What is ITIL and how can it help improve the practice of integrated auditing?
ITIL (the Information Technology Infrastructure Library) defines the organizational structure and skill requirements of an IT organization and a common set of management processes and standards for running IT operations. It is a systematic set of best practices for IT service management that encourages a quality approach to achieving business effectiveness and efficiency through the use of information systems. It helps the organization create the framework on which it can plan, execute, and assess its operations in order to achieve consistent standards of service. For integrated auditing, ITIL gives the auditor a recognized reference model of defined IT service processes (such as incident, problem, change, and configuration management) against which IT operations can be assessed together with the business processes they support; it is used to demonstrate conformity and to assess change.

(Murdock, 2016, pages 135-136)

10. What are the five maturity levels in the CMMI Model?
The five maturity levels in the CMMI Model, as named in Murdock (2016), are listed below (the level 2 and level 4 names follow the original CMM; CMMI itself calls them Managed and Quantitatively Managed):
Level 1—Initial: Unpredictable, undocumented, and poorly controlled, typically ad hoc,
in a state of constant change with the reactive handling of activities and events.
Level 2—Repeatable: The process is understood sufficiently so that repeating the same
steps may be attempted by workers. Activities are consistent and there may be consistent results.
Level 3—Defined: Process is sufficiently defined and confirmed through documentation
so that it is the standard business process.
Level 4—Managed: Processes are measured and controlled quantitatively based on
agreed upon metrics. Management is typically able to control the process by adjusting and
adapting the process based on the established metrics.
Level 5—Optimized: The focus is on process improvement and the pursuit of best
practices. The process is in a state of continuous performance improvement involving
incremental and innovative process and technological changes.

(Murdock, 2016, pages 137-138)


REFERENCES:

Gerbino, F. (n.d.). The Value of IT General Controls within an Organization. SCIP. Retrieved
October 1, 2020, from https://www.scip.ch/en/?labs.20140619

ISO 19011: Guidelines for Auditing Management Systems | ASQ. (n.d.). American Society for
Quality. Retrieved October 1, 2020, from https://asq.org/quality-resources/iso-19011

K. (2016, November 14). How Does COBIT Benefit Organisation? Knowledge Hut.
https://www.knowledgehut.com/blog/security/how-does-cobit-benefit-organisation

Murdock, H. (2016). Operational Auditing: Principles and Techniques for a Changing World
(Internal Audit and IT Audit) (1st ed.). Auerbach Publications.
