GRC Case Study — 2026

IT General Controls
Audit Simulation

MediTrust Health — a digital health platform (300 employees, HIPAA-covered). Full audit working paper pack covering four ITGC domains tested against COBIT 2019. End-to-end audit engagement from planning through corrective action planning. Published professional working papers, risk-rated findings register, and management remediation plan.

Engagement at a Glance

0 ITGC Domains
0 Test Procedures
0 Findings Identified
0 CAP Coverage

Four-Phase Audit Engagement

Each phase produces professionally formatted working papers and audit artifacts aligned to COBIT 2019.

Phase 1
Week 1
Phase 2
Weeks 2-3
Phase 3
Week 3
Phase 4
Week 4
Phase 1 — Week 1 3 documents

Planning & Risk Assessment

Engagement memo defining scope, objectives, and timeline. Entity-level risk assessment identifying key systems and in-scope processes. COBIT 2019 control objective mapping across all four ITGC domains. Audit program development with 16 detailed test procedures.

Phase 2 — Weeks 2-3 16 test scripts

Test Execution — Working Papers

16 test procedures executed across 4 ITGC domains (UAM, CM, B&R, SOD). Each test includes control objective, risk rating, test steps, evidence documentation, and results. Walkthroughs conducted with process owners to validate control design. All evidence indexed and cross-referenced.

Phase 3 — Week 3 1 document

Findings Analysis & Risk Rating

14 findings risk-rated using COBIT 2019 impact criteria (2 Critical, 5 High, 5 Medium, 2 Low). Root cause analysis performed for each finding with control deficiency classification. Business impact assessment tied to MediTrust's digital health operations and HIPAA compliance obligations.

Phase 4 — Week 4 2 documents

Corrective Action Plan & Report

Management corrective action plan addressing all 14 findings with P1-P3 priority rankings. 3-6 month remediation horizon with assigned owners and target dates. Tracking metrics for closure verification and residual risk acceptance. Executive summary report with board-ready presentation.

Audit Findings Analysis

Breakdown of 14 findings by severity and ITGC domain, providing clear visibility into control gaps.

Findings by Severity

2 Critical, 5 High, 5 Medium, 2 Low — 7 findings require immediate remediation

Findings by Domain

UAM=4, CM=4, B&R=3, SOD=3 — evenly distributed across all four ITGC domains

Key Audit Deliverables

Audit Program & Planning Memo

Engagement scope, risk assessment, COBIT 2019 control mapping, and 16-procedure audit program

Working Papers (16 Test Scripts)

Detailed test procedures with control objectives, walkthrough notes, evidence references, and test results across all domains

Risk-Rated Findings Register

14 findings with COBIT 2019 impact ratings, root cause analysis, and business impact assessments

Corrective Action Plan

P1-P3 prioritized remediation plan with owners, target dates, tracking metrics, and residual risk acceptance

Executive Summary

Board-ready audit report with findings summary, risk heat map, and management response overview

Business Impact

SOC 2 Readiness

ITGC control baseline established for SOC 2 Type II audit readiness with complete working paper package

Risk Reduction

5 Critical/High findings addressed through structured CAP with clear ownership and 3-6 month remediation timeline

Framework Alignment

All controls mapped to COBIT 2019 with traceability to business processes and HIPAA compliance requirements

Full Audit Repository

All working papers, findings register, and corrective action plan are available in the project repository.

View on GitHub Back to GRC Projects