MediTrust Health — a digital health platform (300 employees, HIPAA-covered). Full audit working paper pack covering four ITGC domains tested against COBIT 2019. End-to-end audit engagement from planning through corrective action planning. Published professional working papers, risk-rated findings register, and management remediation plan.
Each phase produces professionally formatted working papers and audit artifacts aligned to COBIT 2019.
Engagement memo defining scope, objectives, and timeline. Entity-level risk assessment identifying key systems and in-scope processes. COBIT 2019 control objective mapping across all four ITGC domains. Audit program development with 16 detailed test procedures.
16 test procedures executed across 4 ITGC domains (UAM, CM, B&R, SOD). Each test includes control objective, risk rating, test steps, evidence documentation, and results. Walkthroughs conducted with process owners to validate control design. All evidence indexed and cross-referenced.
14 findings risk-rated using COBIT 2019 impact criteria (2 Critical, 5 High, 5 Medium, 2 Low). Root cause analysis performed for each finding with control deficiency classification. Business impact assessment tied to MediTrust's digital health operations and HIPAA compliance obligations.
Management corrective action plan addressing all 14 findings with P1-P3 priority rankings. 3-6 month remediation horizon with assigned owners and target dates. Tracking metrics for closure verification and residual risk acceptance. Executive summary report with board-ready presentation.
Breakdown of 14 findings by severity and ITGC domain, providing clear visibility into control gaps.
2 Critical, 5 High, 5 Medium, 2 Low — 7 findings require immediate remediation
UAM=4, CM=4, B&R=3, SOD=3 — evenly distributed across all four ITGC domains
Engagement scope, risk assessment, COBIT 2019 control mapping, and 16-procedure audit program
Detailed test procedures with control objectives, walkthrough notes, evidence references, and test results across all domains
14 findings with COBIT 2019 impact ratings, root cause analysis, and business impact assessments
P1-P3 prioritized remediation plan with owners, target dates, tracking metrics, and residual risk acceptance
Board-ready audit report with findings summary, risk heat map, and management response overview
ITGC control baseline established for SOC 2 Type II audit readiness with complete working paper package
5 Critical/High findings addressed through structured CAP with clear ownership and 3-6 month remediation timeline
All controls mapped to COBIT 2019 with traceability to business processes and HIPAA compliance requirements
All working papers, findings register, and corrective action plan are available in the project repository.
View on GitHub Back to GRC Projects