
CHAPTER 5

1. What are the five components of the COSO IC-IF Model?

COSO (which stands for Committee of Sponsoring Organizations of the Treadway Commission) IC-IF Model is designed to evaluate the internal controls of an organization. This model is usually represented in the form of a cube showing the five components of internal control, which are (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Its goal was to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control (Murdock, 2016, p. 102).

2. Describe each of the components of the COSO IC-IF Model.

The control environment component of the COSO IC-IF Model provides discipline and order. It drives ethical actions within the company and helps to prevent unethical practices. Murdock (2016) stated that ethics and quality of care can never be separated (p. 103). If managers treat their employees ethically, honestly, and fairly, it will boost the employees' morale. Employee morale is strengthened by a healthy and ethical community, which helps increase the productivity and performance of the employees. In terms of customer and employee satisfaction, companies that set goals and encourage doing the right thing appear to outperform other companies. As a result, the organization can produce satisfied employees and offer customer experiences of high quality, which can contribute to the success of the company (Murdock, 2016, p. 103).

Risk assessment refers to how an organization assesses risks to identify the events or circumstances that may threaten the achievement of its objectives. It involves the process of identifying, assessing, and measuring the risks of the organization, its programs, and its processes. Management should identify risk areas and implement controls to prevent or detect errors and activities that may go wrong and affect the achievement of the organization's objectives. There are many risks that an organization should consider including in its risk assessment, such as business and process risks, technological and information technology risks, personnel risks, financial risks, environmental risks, political risks, social risks, and many more (Murdock, 2016, pp. 111-112).

Control activities are the policies and procedures that help ensure that management's directives are properly executed. Controls may be manual or automated, and some controls are a mixture of manual and automated controls. Individuals who perform these control activities should understand what they are doing, because a lack of understanding may result in many errors in executing these activities, and irregularities can be an indication of illegal activities. Therefore, proper procedures should be followed by an individual while conducting control activities. Controls should be designed effectively, because if they are not adequately built, it is highly doubtful that they will function effectively (Murdock, 2016, p. 24).

The information and communication component of the COSO IC-IF Model measures the quality of information circulating in an organization and the effectiveness of communication inside the organization. Information should flow continuously in an organization, and for its usefulness to be maximized, it must be shared. Communication is important in an organization because it is the foundation of the relationship between people and gives employees information about each other, their jobs, the work environment, and the business itself. This helps personnel to boost morale, build trust, and develop a common identity and corporate culture. Information and communication are the lifeblood of every organization because they help stakeholders understand what has happened, what is going on, and what is being planned (Murdock, 2016, pp. 127-128).

The monitoring component involves understanding how an organization monitors its controls. Even the strongest internal controls are useless if they are not monitored and if the organization cannot make adjustments when these controls are not effective. Monitoring activities are usually carried out to determine whether the components of internal control are present and functioning efficiently. Ongoing reviews are integrated into operational processes at various levels of the company to provide timely input about how well or poorly these operations are doing. Monitoring also serves as a very effective tool to help the organization understand how all internal control elements are being implemented and, when they are implemented as intended, how they can increase organizational effectiveness. Monitoring tasks can be carried out as ongoing evaluations or as separate assessments. Put simply, monitoring activities involve monitoring the performance of the organization, conducting evaluations or assessments, and reporting deficiencies (Murdock, 2016, pp. 132-133).

3. Explain the benefits of the COBIT Model in the IT and the general business context.

The COBIT model is designed for IT governance and management. It can be applied to bridge the gap between technological challenges, business risk, and control requirements. Information technology plays a crucial role in organizational performance. Thus, failure to leverage information technology capabilities will leave a company stagnant in an ever-changing and competitive environment, rendering it extremely vulnerable to competitors. Effective information and technology governance helps in the innovation and transformation of an organization. The COBIT Model helps achieve operational excellence by implementing technology effectively and efficiently, and it optimizes IT facilities, technology costs, and IT services and technology. It also helps in IT-related risk control and maintenance activities and ensures the efficient and creative use of IT in line with strategic business objectives (Kidd, 2019).

4. Describe the implications of Principle 11 of the COSO 2013 IC-IF Framework.

According to Murdock (2016), Principle 11 states that an organization selects and establishes general control activities over technology to facilitate the achievement of its goals and objectives (p. 133). Principle 11 of the COSO 2013 IC-IF Framework offers recommendations for measuring the efficacy of information technology controls. As part of an organization's overall evaluation of internal control, this principle can assist an organization in navigating the constantly evolving technologies that it uses. This principle determines the dependence of business processes on the use of technology and of general controls on technology. It establishes related infrastructure management activities for technology and related process control activities for security management. It also establishes related process management activities for the acquisition, development, and maintenance of technology (White, 2014).

5. Explain the relevance of IT GCCs for business auditors.

Information Technology General Computer Controls (IT GCCs) are described as controls, other than application controls, which relate to the environment in which computer-based application systems are created, maintained, and controlled, and which therefore apply to all applications. These controls include the policies, processes, and practices that management sets up to ensure that goals and objectives are accomplished (Barouqa, n.d.). Because of GCCs, a business auditor can obtain an adequate understanding of the IT control environment before any testing, reviews, or walkthroughs. GCCs support the auditor's judgment on the quality of the information that the computer systems process. When GCCs are implemented, business auditors can perform their work more easily and ensure that sufficient and reliable internal controls are in place and operating effectively and efficiently.

6. List five ISO standards and explain their relevance to internal auditors.

The International Organization for Standardization (ISO) is a non-governmental and autonomous body that brings experts together to share expertise and create voluntary standards that foster innovation and provide solutions to global and business challenges. Some of the ISO standards are (1) ISO 9000 Quality management; (2) ISO 22000 Food safety management; (3) ISO 45001 Occupational health and safety; (4) ISO 37001 Anti-bribery management systems; and (5) ISO 31000 Risk management (Murdock, 2016, pp. 134-135).

As internal auditors guide the organization's decisions, policies, and organizational procedures, they should become acquainted with ISO standards. To help create better regulation and sound decisions, internal auditors should use ISO standards as a solid base or guide in performing audits, since regulators and policymakers also rely on these standards. Relying on these standards allows internal auditors to assess whether the policies, procedures, and practices of an organization conform to ISO standards or not. Aligning the organization's practices with these standards results in organized, reliable, and secure procedures.

7. Explain how ISO 9000—Quality Management and related standards can help internal auditors
improve business practices and strengthen the Three Lines of Defense framework.

ISO 9001 (Quality Management) is an international standard that defines the specification for a quality management system. The standard is used by an organization to show its ability to reliably deliver goods and services that satisfy consumer and regulatory requirements. This standard provides comprehensive business processes and enables the organization to identify its quality control obligations (Brand, n.d.).

Internal auditors must align the policies, procedures, and practices of an organization with the ISO 9001 standard. By doing so, they can assess whether or not the business can consistently deliver goods and services that meet customers' expectations, and make improvements. Using this standard helps ensure that consumers get goods and services that are reliable and of high quality, which in turn brings several business advantages.

The three lines of defense model is an accepted control structure that is intended to promote an efficient method of risk management. This model is widely used because it offers a systematic and thorough framework for risk management that clarifies responsibilities, lowers costs, and reduces effort. If an organization relies on the ISO 9001 (Quality Management) standard, it can strengthen the three lines of defense, since this standard reduces waste and increases efficiency, productivity, and profit. Therefore, because of the benefits that this standard provides, the occurrence of risk can be minimized and even prevented.

8. Explain how ISO 31000—Risk Management and related standards can help internal auditors
improve business practices and better identify and assess organizational risks.

ISO 31000 seeks to simplify risk management into a collection of easily understandable and actionable guidelines that, regardless of the scale, nature, or location of a company, should be easy to apply (Peterson, 2019). If internal auditors use the ISO risk management standards as their solid base, it will help them increase the probability of achieving the organization's objectives and enhance the identification of opportunities and risks. This standard offers guidance for internal and external programs. Thus, organizations relying on this standard can compare their risk management practices against it and analyze whether they conform. Through this comparison, it becomes easier for internal auditors to identify errors and improvements to be made, and to make sound decisions about the organization's effectiveness and efficiency in achieving its objectives.

9. What is ITIL and how can it help improve the practice of integrated auditing?

The Information Technology Infrastructure Library (ITIL) focuses on aligning business needs with IT services. It guides an organization to use IT as an instrument that promotes the growth and transformation of the business. ITIL defines processes, activities, procedures, and checklists that are not specific to any one organization but can be adopted by an organization, integrated with its strategy, and used to provide value (Murdock, 2016, pp. 135-136).

In creating an effective and productive internal control environment, an integrated audit considers the relationship between information technology, financial, and operational controls with regard to the achievement of control objectives. ITIL promotes a quality approach to achieving operational productivity and efficacy in the use of information systems. Since ITIL optimizes IT processes, improves the usability and reliability of IT services, integrates core procedures, and addresses other IT-related issues, it also strengthens the practice of integrated auditing.

10. What are the five maturity levels in the CMMI Model?

The maturity levels in the CMMI Model are: (1) initial; (2) repeatable; (3) defined; (4) managed; and (5) optimized. In level 1, the process is undocumented and loosely controlled, usually ad hoc, with reactive handling of activities and events in a state of constant change. In level 2, the process is adequately understood so that employees can try to repeat the same steps; activities are consistent, as are the results. In level 3, the process is properly specified and verified by documentation, so that it is the usual business procedure. In level 4, processes are quantitatively measured and regulated based on agreed-upon metrics; by modifying and changing the process based on the developed metrics, management is able to monitor the process. Level 5 emphasizes developing processes and following best practices: the process is in a state of continuous performance improvement involving incremental and innovative process and technical changes (Murdock, 2016, pp. 137-138).

REFERENCES:

Kidd, Chrissy. (2019, June 21). What is COBIT? COBIT Explained. BMC. Retrieved from
https://www.bmc.com/blogs/cobit/

White, John. (2014, May 1). How to use COSO to assess IT controls. Retrieved from
https://www.journalofaccountancy.com/issues/2014/may/coso-it-controls-20138951.html

Barouqa, Mais. (n.d.). Information Technology General Controls: The Basics. Retrieved from
http://www.internalauditor.me/article/information-technology-general-controls-the-basics/

Brand, Steven. (n.d.). 5 Benefits of Being ISO 9001 Certified. CMTC. Retrieved from
https://www.cmtc.com/blog/5-benefits-of-being-iso-9001-certified

The three lines of defense model explained. (2020, February 26). Retrieved from
https://managingrisktogether.orx.org/free-resources/three-lines-defence-model-explained

Peterson, Oliver. (2019, July 24). What Is ISO 31000? Getting Started with Risk Management. Retrieved
from https://www.process.st/iso-31000/
