
Auditing Assignment

The audit charter establishes the purpose, authority, and responsibilities of the internal audit function. It defines the internal audit's governance structure through its reporting lines. The charter also states that internal audit activities will adhere to the International Professional Practices Framework of the Institute of Internal Auditors, including standards, principles, definitions, and a code of ethics. Key components addressed in the charter include the chief audit executive's role and independence, authorization of the internal audit plan and budget, and requirements to report on audit effectiveness and adherence to standards.

Uploaded by

sean

Question 1

Providing a sound and comprehensive reference of good practices is one of the ways in which
COBIT framework delivers to its stakeholders the most complete and up-to-date guidance on
governance and management of enterprise IT. Describe five principles of COBIT in brief. [10]

COBIT has 5 main principles which are Enterprise-wide Coverage, Creating an Integrated Framework,
Meeting the Needs of Stakeholders, Separating Governance from Management and Including it in IT
and Creating a Holistic Approach to Operational Efficiency.

The first principle is Enterprise-wide Coverage. When COBIT is implemented, it affects more than just
the IT department of an organization. COBIT is a framework that can be applied to the entire
enterprise, as it should be, to maximize its value to companies. The framework addresses governance
and risk management for the entire company as a whole instead of focusing on IT alone.

Creating an Integrated Framework is another principle of COBIT. COBIT is an integrated framework
that includes all the company’s teams, employees, and departments. It combines the organization’s
needs and processes with the IT management and governance of the company. This integrated
framework helps identify any potential threats to the organization and upgrades processes to
operate more efficiently.

Another principle of COBIT is Meeting the Needs of Stakeholders. Stakeholder needs are always a
priority for organizations because they can only succeed when all stakeholder needs are met. All
operations and processes should be directed towards achieving business objectives, and the most
crucial objective of them all should be meeting stakeholder needs. Stakeholders have certain
requirements that the COBIT framework addresses by managing all IT operations across the
organization successfully. This helps in creating value with the deliveries, which is crucial to
maintaining customer satisfaction.

Other principles of COBIT include Separating Governance from Management and Including it in IT.
The responsibility of governance of all applications and systems should shift from the management
teams to IT operations. This is because they are the ones best equipped to manage governance. If
IT governance and enterprise governance are combined with the help of COBIT, the entire
process becomes a lot more straightforward and simplified.

Lastly, Creating a Holistic Approach to Operational Efficiency is a COBIT principle. COBIT is for more
than just the IT department in a company. It can be used to increase the overall efficiency of an
organization. The framework provides an integrated and holistic approach to improving operational
processes to maximize efficiency. Team members can focus on being more productive and generate
more valuable output for the customers when they employ the COBIT framework in their enterprise.

An IS audit involves several steps and stakeholder engagements; using an organisation of your
choice explore how you would conduct an IS audit. [10]

Eclipse Business Studio has been scaling lately and more of the processes were geared towards
timely execution than actually recording them. As a result, a lot of shoddy work has been done and is
catching up with the organization. The audit process requires the IS auditor to gather evidence,
evaluate the strengths and weaknesses of internal controls based on the evidence gathered through
audit tests, and prepare an audit report that presents weaknesses and recommendations for
remediation in an objective manner to stakeholders. In general terms, the typical audit process
consists of three major phases: planning, fieldwork and reporting.

The first step I would take is identifying the area to be audited (e.g., business function, system,
physical location). I will then define the purpose of the audit. For example, an objective might be to
determine whether no steps defined in the Eclipse code of conduct were skipped while doing
business. The next stage is to identify the specific systems, function or unit of the organization to be
included in the review. For example, in the previous example (code of conduct), the scope statement
might limit the review to a single process at a predetermined period of time. This step is very
important because I will need to understand the IT environment and its components to identify the
resources that will be required to conduct a comprehensive evaluation. A clear scope will help me
define a set of testing points that is relevant to the audit and further determine the technical skills
and resources necessary to evaluate different technologies and their components. I will then
proceed with a preaudit plan. A risk assessment, which is critical in setting the final scope of a risk-
based audit, will follow. For other types of audits (e.g., compliance), conducting a risk assessment is a
good practice because the results can help the IS audit team to justify the engagement and further
refine the scope and preplanning focus. The next step is to interview the auditee to inquire about
activities or areas of concern that should be included in the scope of the engagement. Regulatory
compliance requirements have to be identified. Once the subject, objective and scope are defined,
the audit team can identify the resources that will be needed to perform the audit work. Some of
the resources that need to be defined are technical skills and resources needed, budget and effort
needed to complete the engagement, locations or facilities to be audited, roles and responsibilities
among the audit team, time frame for the various stages of the audit, sources of information for test
or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers.
They also include points of contact for administrative and logistics arrangements, a communication
plan that describes to whom to communicate, when, how often and for what purposes. After this
stage I will then determine audit procedures and steps for data gathering. At this stage of the audit
process, the audit team should have enough information to identify and select the audit approach or
strategy and start developing the audit program. Some of the specific activities in this step are
identifying and obtaining departmental policies, standards and guidelines for review. They also
include identifying any regulatory compliance requirements, a list of individuals to interview, and
methods (including tools) to perform the evaluation, developing audit tools and methodology to test
and verify controls, developing test scripts, identifying criteria for evaluating the test and defining a
methodology to evaluate that the test and its results are accurate (and repeatable if necessary).

Examine the components of an Audit Charter. [10]

The Audit Charter is made up of several different sections, such as the Authority, the Mission and
Purpose, and the International Standards for the Professional Practice of Internal Auditing.
Supporting the internal audit charter are a timely, risk-based, and agile internal audit plan, a budget
and resource plan for the internal audit, timely updates from the CAE on its internal audit plan's
performance, and active participation in discussions about and final approval of decisions on the
appointment and removal of the CAE.

The goal of internal audit is to increase and safeguard the value of the organization by offering risk-
based, unbiased assurance, counsel, and insight. The goal of internal audit is to offer unbiased,
independent assurance and advisory services that add value and enhance the organization's
operations.

The International Professional Practices Framework (IPPF) of the IIA, which includes its Standards,
Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, and
Code of Ethics, will govern the internal audit activities.

The internal audit charter should state the CAE's functional and administrative reporting
relationships within the organization. It should also state that the governing body will establish,
maintain, and ensure that the internal audit activity has the authority necessary to carry out its
responsibilities by approving a timely, risk-based, and agile internal audit plan, approving the
internal audit budget and resource plan, and receiving timely communications from the internal
audit activity.

Stakeholders must provide a distinct and unmistakable message about internal audit's function
inside the company. They should be asking the following five important questions:

1. Has the overseeing body established an internal audit charter that outlines the objective and mission of the activity, as well as its scope, authority, responsibility, and reporting structures?
2. Does the charter address establishing reporting arrangements that allow the CAE to be independent and objective?
3. Does the charter explicitly state that internal audit has the right to full and unrestricted access to all records and individuals as required to carry out its work?
4. Is the role of the CAE specified in the audit charter?
5. Does the audit charter require the activity to report on its effectiveness in addition to requiring internal audit to adhere to IIA global internal audit standards?

The charter ought to indicate that the CAE will take steps to keep the internal audit activity free of
circumstances that could jeopardize its capacity to conduct its operations objectively. If
independence or objectivity is actually impaired or appears to be impaired, the CAE shall inform the
necessary parties and provide details of the impairment. It should also specify that none of the
activities under audit will fall under the direct operational responsibility or authority of the internal
audit activity. It should be stated that precautions will be put in place to prevent impairments to
independence and objectivity if the CAE has or is anticipated to have functions and/or
responsibilities outside of internal auditing. The charter should also include requirements for the
CAE to confirm at least annually the independence of the internal audit activity to the governing
body.

The internal audit activities should be described in the charter as having a scope that includes, but is
not limited to, objective evidence reviews for the goal of offering independent assessments of the
suitability and efficacy of governance, risk management, and control systems. It should also say that
the CAE will routinely update the governing body and senior management on the performance of
the activity and the results of its department.

The charter should specify who is responsible for what, including communicating with senior
management and the governing body about the impact of resource limitations on the plan,
submitting an internal audit plan based on risk at least once a year, making sure the internal audit
activity has access to the right resources in terms of competency and skill, managing the activity
effectively so it can carry out its mandate, ensuring compliance with IIA Standards, and
communicating the results.

The internal audit activity's quality assurance and improvement program, which covers all facets of
the internal audit activity and includes an assessment of adherence to IIA Standards, should be
outlined in the charter. The charter should also include a requirement that the CAE receive an
external assessment of the activity at least once every five years and communicate the outcomes of
its quality assurance and improvement program on a regular basis to senior management and the
governing body.

Explore the steps undertaken by an IS auditor in coming up with an individual audit plan
assignment. [10]

Creating a unique audit strategy and conducting a risk assessment are essential steps in determining
the precise parameters of a risk-based audit. Conducting a risk assessment is a useful practice for
other types of audits (such as compliance) since the findings can assist the IS audit team in defending
the engagement and further defining the scope and preplanning emphasis. To find out about any
activities or causes for concern that ought to be covered by the engagement, we must speak with
the auditee. The prerequisites for complying with regulations must be determined. Once the subject,
goal, and scope have been identified, the audit team can select which resources are needed. Some
of the resources that require definition include the following: Locations or facilities that will be
audited, the roles and responsibilities of the audit team, deadlines for the different stages of the
audit, information sources that will be tested or reviewed, such as functional flowcharts, policies,
standards, and previous audit work papers, points of contact for administrative and logistical
arrangements, and a communication plan that outlines who will be informed at what stage of the
audit.

Question 2

Explain each and every one of the following Audit stages:

Audit Planning, [5]

Audit planning is an essential component of the audit and is typically done at the start of the audit
process to make sure that crucial areas are given the correct attention, potential issues are quickly
detected, work is finished quickly, and work is appropriately coordinated. Creating a broad strategy
and a specific plan for the anticipated nature, time, and scope of the audit is referred to as "audit
planning." The auditor intends to carry out the audit quickly and effectively.

Definition of audit objectives and scope, [5]

At this stage we identify the purpose of the audit. For example, an objective might be to determine
whether program source code changes occur in a well-defined and controlled environment. Identify
the specific systems, function or unit of the organization to be included in the review. For example,
in the previous example (program changes), the scope statement might limit the review to a single
application, system or a limited period of time. This step is very important because the IS auditor will
need to understand the IT environment and its components to identify the resources that will be
required to conduct a comprehensive evaluation. A clear scope will help the IS auditor define a set of
testing points that is relevant to the audit and further determine the technical skills and resources
necessary to evaluate different technologies and their components.

Evidence collection and evaluation, [5]

The audit team should have sufficient information at this point in the process to identify and choose
the audit technique or strategy and begin planning the audit program. Some examples of the precise
actions to be taken include locating, obtaining, and studying departmental rules, standards, and
guidelines. Other examples include listing any legal criteria for compliance, creating a list of people
to be interviewed, deciding on techniques (including tools) for carrying out the evaluation, and creating
auditing techniques and tools to evaluate and confirm controls. There is also the creation of test scripts,
deciding on evaluation standards for the test, and establishing a mechanism to assess that the test and its
outcomes are accurate (and repeatable if necessary).

Documentation and reporting. [5]

Based on the scope of the review, the IS auditor should prepare a list of documents to be used to
complete the planning phase and during fieldwork. Identify and document risk and internal controls.
Risk assessment is necessary to meet audit standards.

Follow up [5]

IT audit follow-up is carried out when a reportable condition arises that poses an audit area risk in
accomplishing a control target. IT audit follow-up activities are process components for audit area
management to assess the sufficiency, effectiveness, and timeliness of deployment actions regarding
reportable engagement conditions. Following the presentation of the corrective action, follow-up
procedures must be carried out. Evaluation of management answers and, if necessary, response
verification are included in the follow-up activities. IT audit follow-up operations can be carried out
with the help of an automated engagement tracking system and results database.
