
Thank you for sharing your document(s) with AuditNet.

You will receive the agreed upon compensation for each working paper that we accept subject to answering the
due diligence questions and certification required by our attorney.

The audit working papers (programs or documents) you send must be original and current. You must have
either created the documents or have permission from whoever prepared them or from your organization to
share. They must be in Word or Excel  format (Excel preferred). 

Based on advice from legal counsel, before we accept the material and process your payment we need to perform
due diligence on what you are sharing. You must answer these questions and your email response will be
considered an electronic signature for purposes of this statement.

Name:
Organization:
Title of the Audit Working Paper(s) 

a)     Are you the author of the Materials (are the Materials original works that you created)?

b)    Please provide a brief explanation of the purpose of the working paper:

c)     Please provide the audit objectives for the working paper:

d)    By submitting the Materials or other communication or content after receipt of this notice, you grant
AuditNet permission to, on an irrevocable, perpetual, worldwide and royalty-free basis, reproduce, distribute,
display, perform, read, enhance, adapt, modify, create derivative works or use the Submitted Materials and any
other such communication or content on this site, on any other site and anywhere throughout the world in all
media?

e)     Please provide the industry sector for your contribution. (i.e. life insurance, banking, energy etc.)

f)     Please provide the functional area for your audit program.
g)    Please provide several keywords to help categorize programs and facilitate searches.

h)     Please ensure that you have removed (scrubbed) all confidential or proprietary information such as company
name, employee name, email addresses, social security numbers, etc.

Your name and email address will not be added to the Materials.
Certification

I hereby certify that I am the author of the materials shared or have written permission from the author
and/or the organization that I work for in the form of a transfer of all rights or a license from the author to
grant use of the Materials to AuditNet.  By submitting the Materials or other communication or content after
receipt of this notice, I hereby grant AuditNet permission to, on an irrevocable, perpetual, worldwide and
royalty-free basis, reproduce, distribute, display, perform, read, enhance, adapt, modify, create derivative
works or use the Submitted Materials and any other such communication or content on this site, on any other
site and anywhere throughout the world in all media.

Signed:
Inserting your name here electronically will serve as a valid representation of your signature and will be considered binding.
Date:

Price:
PayPal:
Payment Details if PayPal not an option:
COBIT ASSESSMENT

Yes

The Guide contains CobiT-related matrices used to assist field staff in planning their audit engagements.

This Guide provides tabs for evaluation of the Entity (Short and Long Form),
Contract Services, Responsible Party reporting and Risk Assessment.

All

IT & Non-IT - Resources


COBIT, Matrix, Audit, Guide

Yes

Name removed
be considered binding
1/5/2014
This is the AuditNet Standard Risk Control Audit Matrix which incorporates formats
used by many audit organizations in their documentation working papers. There are
format templates for risk control, audit procedures, questionnaires and checklists.
There is a blank workpaper and a report summary that can be used by audit
organizations. AuditNet has prepared a monograph for guidance on preparing and
developing audit work programs, checklists, questionnaires and matrices. The
monograph is available to AuditNet subscribers. For more information go to
www.auditnet.org
Audit Program Licensing Terms 1. You accept that this product is intended for your
use, and you will not duplicate in any form or manner, electronic or otherwise, copies
of this product nor distribute this product to anyone else. 2. You recognize that the
product and its content are the sole property of AuditNet® (the Publisher), and that
we have copyrighted the product. 3. You agree that the Publisher is not responsible
for any interruption of service or malfunction that is a consequence of the Internet, a
service provider, personal computer, browser or other software or hardware
components. You accept that there is no guarantee that this product is totally error
free. You further understand and accept that the Publisher intends to provide reliable
information but does not guarantee the accuracy or completeness of any information,
and is not responsible for any results obtained from the use of such information. 4.
This license is effective until terminated, when the license or subscription period ends
without renewal, or when you destroy this product and any related documentation.
The Publisher may terminate your license without notice if you fail to comply with the
conditions set forth in this agreement, and may pursue any other legal recourse.
This template was purchased by AuditNet from a third party under a work for hire
agreement. However, while we have attempted to provide accurate information no
representation is made or warranty given as to the completeness or accuracy of the
template. In particular, you should be aware that the template may be incomplete,
may contain errors, or may have become out of date. While every reasonable
precaution has been taken in the preparation of this template, neither the author nor
AuditNet assumes responsibility for errors or omissions, or for damages resulting
from the use of the information contained herein. The information contained in this
document is believed to be accurate. However, no guarantee is provided. Use this
information at your own risk.
Information Technology Assessment
Table of Contents

The following are CobiT-related matrices used to assist field staff in planning their audit engagements.

Sheet
1 Table of Contents
2 Entity Short Form
3 Entity Long Form
4 Contract Service
5 Responsible Party
6 Prior Audit Work
7 Risk Assessment

Information Technology Assessment
Entity Short Form

Entity:________________________
Audit Number: _________________

Importance: Very Important, Somewhat Important, Not Important, Not sure
Performance: Excellent, Very good, Satisfactory, Poor, Not Sure

IT Process
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organization and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality

AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain technology architecture
AI4 Develop & maintain procedures
AI5 Install & accredit system
AI6 Manage changes

DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Assist & advise customers
DS9 Manage the configuration
DS10 Manage problems & incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

M1 Monitor the process
M2 Assessing internal control adequacy
M3 Obtain independent assurance
M4 Providing for independent audit

Completed by ____________________

Date ______________
Information Technology Assessment
Entity Long Form

Entity:________________________
Audit Number: _________________

Importance: Very Important, Somewhat Important, Not Important, Not sure
Performance: Excellent, Very good, Satisfactory, Poor, Not Sure
Internal Controls: Documented, Not Documented, Not Sure
WP Ref.

IT Process
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organization and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality

AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain technology architecture
AI4 Develop & maintain procedures
AI5 Install & accredit system
AI6 Manage changes

DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Assist & advise customers
DS9 Manage the configuration
DS10 Manage problems & incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

M1 Monitor the process
M2 Assessing internal control adequacy
M3 Obtain independent assurance
M4 Providing for independent audit

Completed by __________

Date __________
Information Technology Assessment
Contract Service

Entity:________________________
Audit Number: _________________

Columns: Performed by; Internal Controls; Formal Contract in place?; WP Ref.
Response options: IT Department, Within Organization, Outsourced, Documented, Not Documented, Yes, No, Not Applicable, Not Sure

IT Process
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organization and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality

AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain technology architecture
AI4 Develop & maintain procedures
AI5 Install & accredit system
AI6 Manage changes

DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Assist & advise customers
DS9 Manage the configuration
DS10 Manage problems & incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

M1 Monitor the process
M2 Assessing internal control adequacy
M3 Obtain independent assurance
M4 Providing for independent audit

Completed by:
Name:
Title:
Information Technology Assessment
Responsible Party

Entity:________________________ Audit Number: _________________


Columns: Performed by (1); IT Process; Primary Responsible Party

IT Process
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organization and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality

AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain technology architecture
AI4 Develop & maintain procedures
AI5 Install & accredit system
AI6 Manage changes

DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Assist & advise customers
DS9 Manage the configuration
DS10 Manage problems & incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

M1 Monitor the process
M2 Assessing internal control adequacy
M3 Obtain independent assurance
M4 Providing for independent audit

(1) Identify organizational units which perform activities incorporated within the IT process
Audit Planning Sheet
Prior Audit Work

Columns: In Prior Audit Scope; Audit Opinion; Findings; Prior Audit Number of findings
Response options: Yes, No, N/A, Unqualified, Qualified, Adverse, Disclaimer, Not Determined, Resolved, Unresolved

IT Process
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organization and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality

AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain technology architecture
AI4 Develop & maintain procedures
AI5 Install & accredit system
AI6 Manage changes

DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Assist & advise customers
DS9 Manage the configuration
DS10 Manage problems & incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

M1 Monitor the process
M2 Assessing internal control adequacy
M3 Obtain independent assurance
M4 Providing for independent audit

Insert the number of findings if there is more than one per process category and then reflect the appropriate number under each column.

Completed by __________

Date __________
Audit Planning Sheet
Risk Assessment

Entity:________________________
Audit Number: _________________

Importance: Very Important, Somewhat Important, Not Important, Not sure
Risk: High, Medium, Low, Immaterial, Not Sure
Internal Controls: Documented, Not Documented, Not Sure
WP Ref.

IT Process
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organization and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality

AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain technology architecture
AI4 Develop & maintain procedures
AI5 Install & accredit system
AI6 Manage changes

DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure system security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Assist & advise customers
DS9 Manage the configuration
DS10 Manage problems & incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

M1 Monitor the process
M2 Assessing internal control adequacy
M3 Obtain independent assurance
M4 Providing for independent audit
