Executing your audit
Audit workpapers are the main documentary evidence of audit testing, discussions, and observations. Workpaper management should be centralized, automated, and real-time so that ongoing audit oversight and transparency are instantly available. In this article, we discuss how to execute an audit using the Projects app.
This article illustrates how to execute an audit using a workplan workflow, which is useful for small- to mid-sized audit functions and teams. The workflow outlined in this article is appropriate for straightforward audits, which consist of a set of steps or procedures that the audit team will execute, and the documentation of the outcome of each step. This is one approach, but you can achieve the same or similar objectives using other project types.
What does it mean to execute an audit?
Executing an audit involves a variety of activities, including:
- performing risk assessments
- executing procedures
- reviewing and analyzing evidence
- documenting observations and issues
- drafting interim conclusions and recommendations
- consulting with clients and other team members
The result of executing an audit is issue identification and remediation.
Where do I execute an audit?
You can execute an audit using the Projects app.
The big picture
- Project templates are used as a starting point for building out one or more audits, and can be modified as needed.
- Projects are used to document objectives, risks, and procedures, document fieldwork, and to capture issues.
- Frameworks are used to structure and manage the same information between multiple projects. You can use one framework to sync the same objectives, narratives, risks, controls, and test plans between multiple projects.
When you make changes to the above elements in a project, you can sync those changes back to the framework the project is associated with, so you can apply those changes to all other projects associated with that framework. This is particularly helpful for audits that happen regularly. For more information, see Syncing projects with Frameworks.
Within a project, the scope of audit work is guided through various stages and displayed in a series of sequential tabs.
These include:
- project planning activities
- documenting fieldwork
- carrying out quality assurance reviews of work performed
- reporting on audit results and providing recommendations to management
- capturing and remediating issues
Steps
Ready for a tour?
Let's take a closer look at these features in context.
1. Set up your project
The first step is understanding the best method to set up data in the system so that you can report out appropriately. You can create projects to define objectives, risks, and procedures, execute procedures, and compile information for reporting purposes. You can also set up tagging structures to map objectives, risks, and procedures to relevant contextual data points (assets, owners, entities, etc.) and enable reporting on those dimensions.
Tip
The Projects app offers several risk and control libraries (project templates) that contain pre-populated content for specific workflows. A variety of project templates are typically used to jumpstart audits and create re-usable templates. These include:
- Internal Audit (Operational) Templates
- SOC/SSAE 16/ISAE 3402 Audit Templates
- Internal Audit (Financial & Internal Control) Templates
- the Sarbanes-Oxley (SOX) Audit Template (COSO 2013 Framework)
Set up a project
You can choose between two different types of project workflows, depending on whether your audits are operational or more comprehensive (such as SOX or ICFR reviews). After you set up a project, Projects enforces a simple workflow in the audit. This helps you identify relevant audit procedures and manage issues.
Example
Scenario
You are a staff auditor responsible for a physical security audit, and you want to begin centralizing your audit documentation. The project will focus on the physical security of the rubber inventory that is extremely important to your organization, Vandelay Industries.
Process
Help topic Using project templates
As a starting point for building out your project, you create a project using the Latex Facility Security Review project template.
Result
The project is populated with a list of objectives. Each objective contains a series of risks and procedures.
Modeling your organizational entity structure
Organizations are comprised of different business units, departments, locations, regions, and legal entities. You can model your business and legal entity structure in your audit management process. This allows you to report on testing results and issues to management and the audit committee.
Example
Scenario
Vandelay Industries is comprised of different geographies and locations. You want to be able to create reports from different cross-sections of the business, and allow stakeholders at all levels of the organization to obtain the information they require. The Health and Safety committee has also requested its own reports.
Process
Help topic Setting up entity tagging
Under Manage Entities, you model your business structure based on the geographies and locations that are applicable to the project.
Result
You can now tag projects, objectives, risks, procedures, and issues to the relevant contextual data points and enable reporting on those dimensions.
Perform an audit risk assessment
Organizations typically engage in a systematic identification and assessment of risks. Audit risk assessments provide the means of assessing operational risks that impact the business, and prioritizing the risks that should be mitigated first. You can develop a common set of assessment criteria that can be used across operating segments, entities, or business units, and score operational risks based on the defined scoring framework.
Tip
To avoid manually scoring operational risks, you can use Assessment Drivers to automate different risk assessments. You can link a metric created in the Results app to a risk assessment in Projects in order to inform the assessment, and auto-populate inherent risk scores based on pre-defined metric ranges.
Example
Scenario
Your organization has a mature and refined operational risk assessment process, and evaluates risk across two dimensions (Likelihood and Impact) on a three-point scale:
- 1 - Low
- 2 - Medium
- 3 - High
Now, you need to evaluate the inherent risk score to determine the raw risk the organization faces if no controls or other mitigating factors have been put in place.
Process
Help topics
You capture the following information within the Latex Facility Security Review project:
Risk 4-A: In the event of an emergency, the facility security and activities may be interrupted.
- Impact: 2 - Medium
- Likelihood: 2 - Medium
Risk 4-B: Failure to meet safety requirements during an inspection may result in fines, or other penalties, including closure.
- Impact: 1 - Low
- Likelihood: 3 - High
Result
The inherent risk assessment is completed:
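As an added illustration that is not part of the Diligent documentation, the following Python model captures the three-point assessment from the scenario above for risks 4-A and 4-B, and adds an assumed analogue of an Assessment Driver that auto-populates a likelihood score from a metric value. The scoring rule (Impact × Likelihood for inherent risk, inherent × (1 − control effectiveness) for residual risk) and the metric thresholds are assumptions; the page does not state a formula.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Three-point scale from the scenario: 1 = Low, 2 = Medium, 3 = High.
SCALE = {1: "Low", 2: "Medium", 3: "High"}


@dataclass
class MetricDriver:
    """Hypothetical analogue of an Assessment Driver: maps a metric value
    (for example, a count produced by a Results app analytic) onto the
    three-point scale using pre-defined ranges. Thresholds are constructed."""
    name: str
    thresholds: Tuple[float, float]  # (medium_from, high_from)

    def score(self, value: float) -> int:
        medium_from, high_from = self.thresholds
        if value >= high_from:
            return 3
        if value >= medium_from:
            return 2
        return 1


@dataclass
class Risk:
    ref: str
    description: str
    impact: int
    likelihood: int

    def __post_init__(self):
        # Reject scores outside the scale so a bad import cannot skew ranking.
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if value not in SCALE:
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    def inherent_score(self) -> int:
        # Assumed rule: Impact x Likelihood, giving a range of 1..9.
        return self.impact * self.likelihood

    def residual_score(self, control_effectiveness: float) -> float:
        # Assumed rule: residual = inherent x (1 - effectiveness), effectiveness in [0, 1].
        if not 0.0 <= control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        return round(self.inherent_score() * (1.0 - control_effectiveness), 2)

    def label(self) -> str:
        return (f"Risk {self.ref}: impact {SCALE[self.impact]}, "
                f"likelihood {SCALE[self.likelihood]}, inherent {self.inherent_score()}")


def risk_register() -> List[Risk]:
    """The two risks captured in the Latex Facility Security Review scenario."""
    return [
        Risk("4-A", "In the event of an emergency, the facility security and "
                    "activities may be interrupted.", impact=2, likelihood=2),
        Risk("4-B", "Failure to meet safety requirements during an inspection may "
                    "result in fines, or other penalties, including closure.",
             impact=1, likelihood=3),
    ]


def rank_by_inherent(risks: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties broken by impact, then by reference."""
    return sorted(risks, key=lambda r: (-r.inherent_score(), -r.impact, r.ref))


def drive_likelihood(risk: Risk, driver: MetricDriver, metric_value: float) -> Risk:
    """Return a copy of the risk with its likelihood auto-populated from a metric."""
    return Risk(risk.ref, risk.description, risk.impact, driver.score(metric_value))


if __name__ == "__main__":
    for risk in rank_by_inherent(risk_register()):
        print(risk.label())
```

Ranking the register places 4-A (inherent 4) ahead of 4-B (inherent 3), which is the prioritization the assessment is meant to produce; swapping in a different scoring rule only requires changing `inherent_score`.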
2. Gather, evaluate, and document evidence
Gathering, evaluating, and documenting evidence involves a variety of activities. Quality assurance reviews can be conducted as project work is completed. Senior auditors can easily add coaching notes and review comments, and assign additional tasks to junior team members. Projects automatically emails and notifies team members of tasks to complete, and engages them in the review process.
Tip
Using Diligent HighBond for iOS or Android, audit teams can experience uninterrupted and real-time access to workpapers, regardless of the physical location of various team members.
Execute procedures
Auditors can record the outcome of procedures they have executed. As procedures are executed, Projects automatically aggregates testing results and issues, and calculates assurance in real-time.
Tip
Using the Projects and Results apps, you can directly link workpaper evidence to automated analytics for efficient and full-population testing. With truly analytics-driven risk assessments based on your organization’s actual data, management can know the exact state of your organization’s risks at any time, without needing to compile various reports and updates. Risk assessments automatically take into account inherent risks and mitigation efforts, providing a quantified estimate of residual risk.
Example
Scenario
As a result of the audit risk assessment, your team identifies the need to focus on ensuring that environmental controls are in place. You need to execute the procedure that is associated with Risk 4-A and Risk 4-B:
4-03: Facilities must undergo periodic fire marshal inspections. Deficiencies discovered should be promptly resolved. Handheld fire extinguishers or fixed fire hoses are available.
Process
Help topic Executing procedures and testing controls
In the Procedure Results section, you write your observations and make note of an expired fire extinguisher that you found. You specify Issues Noted next to "Were issues identified when completing this procedure?".
Result
The procedure evaluation is captured:
Identify issues
Auditors can capture and assign flagged issues for remediation throughout the audit process. They can delegate issues to owners to update the status and related action plans. They can also assign actions to any stakeholder for easy tracking, evidence capture, and resolution.
Example
Scenario
Since procedure 4-03 failed, you need to note the exception by logging an issue. You want to add the issue, and the context for why it was captured, in your working papers.
Process
Help topic Recording issues
You document the following issue:
- Title/Headline: Expired fire extinguisher
- Description: An expired fire extinguisher was found next to the West entrance of the facility.
- Owner: Building Manager
- Issue Type: Finding
- Date Identified: the current date
- Severity: Low
- Published: Published
Once you have finished auditing the fire extinguishers, you sign off, and set your manager as the next reviewer to approve your work.
Result
The issue is captured. At a later date, Audit can review the remediation plan, and document retesting results to determine whether or not the deficiency has been truly remediated.
Record time
Managers can use the Timesheets app to measure performance of individual resources by utilization. They can gain insight into scheduled resources allocated for a particular project including the number of hours worked. They can also measure the overall profitability and return on investment (ROI) of a particular project, and generate reports.
Example
Scenario
You need to record the time you spent inspecting the fire extinguishers in the building. You want to add the time entry in your working papers.
Process
Help topic Recording time
You quickly capture the following suggested time entry, which is based on your recent activity:
- Date: 07/11/2018
- Hours: 1
- Description: Fire extinguisher inspection
Result
The time entry is captured:
Manage requests
At any point during the project cycle, auditors can submit and track all client requests directly within Projects to keep all communication threads and requested items organized. You can also configure Projects to periodically send automatic prompts to remind project participants of outstanding requests.
Example
Scenario
You are ready to execute the following procedure:
3-02: On weekends, only the main entrances of facilities (South 1 in Denver (DV1) and South 2 in Los Angeles (LA1)) are to permit key card entry.
Before you can execute this procedure, you need to review the building key card access logs. You want to submit a request for the access logs so that you can proceed with executing the procedure.
Process
Help topic Adding requests
You capture the following request item in the Requests panel:
- Requestor: yourName
- Description: Please send me the access logs so that I may analyze them.
- Owner: Building Manager
- Send now: selected
- Email: email
- Due Date: July 27, 2018
Result
The request item is captured, and a notification is sent to the Building Manager. The Building Manager can then view the request and upload the requested access logs.
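Once the Building Manager uploads the access logs, procedure 3-02 is the kind of test that the earlier tip about full-population testing describes: rather than sampling, every weekend swipe can be checked. The following Python script is an added example, not code from Diligent or from the Projects app. It parses a constructed CSV access log, flags granted weekend entries at any door other than South 1 (DV1) or South 2 (LA1), and derives the procedure result. The log format and column names are assumptions.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List

# Main entrances that may accept key cards on weekends, per procedure 3-02.
WEEKEND_MAIN_ENTRANCES = {"DV1": "South 1", "LA1": "South 2"}

# Constructed sample log (July 14/15 and 21, 2018 are weekend days).
SAMPLE_LOG = """\
timestamp,facility,door,card_id,result
2018-07-14T08:12:00,DV1,South 1,C-1001,granted
2018-07-14T09:40:00,DV1,North 3,C-1002,granted
2018-07-15T14:05:00,LA1,South 2,C-2001,granted
2018-07-15T14:07:00,LA1,East 4,C-2002,denied
2018-07-16T07:55:00,DV1,North 3,C-1003,granted
2018-07-21T11:30:00,LA1,East 4,C-2003,granted
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Read the CSV log into dicts, converting the timestamp column."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def is_weekend(ts: datetime) -> bool:
    return ts.weekday() >= 5  # Monday is 0, so 5 and 6 are Saturday and Sunday


def find_exceptions(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Granted weekend entries at a door other than the facility's main entrance."""
    exceptions = []
    for row in rows:
        if not is_weekend(row["timestamp"]):
            continue
        if row["result"] != "granted":
            continue  # a denied swipe at a side door shows the control working
        main_entrance = WEEKEND_MAIN_ENTRANCES.get(row["facility"])
        if main_entrance is None:
            continue  # facility is outside the scope of procedure 3-02
        if row["door"] != main_entrance:
            exceptions.append(row)
    return exceptions


def summarize_by_facility(exceptions: List[Dict[str, object]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for row in exceptions:
        counts[row["facility"]] = counts.get(row["facility"], 0) + 1
    return counts


def procedure_result(exceptions: List[Dict[str, object]]) -> str:
    """Value to record against 'Were issues identified when completing this procedure?'."""
    return "Issues Noted" if exceptions else "No Issues Noted"


if __name__ == "__main__":
    found = find_exceptions(parse_log(SAMPLE_LOG))
    for row in found:
        print(f"{row['timestamp']} {row['facility']} {row['door']} {row['card_id']}")
    print(procedure_result(found), summarize_by_facility(found))
```

Each flagged row carries the card ID, door and timestamp, which is the detail an issue record and a follow-up request to the Building Manager need; the denied swipe is deliberately excluded so that the control blocking an attempt is not reported as an exception.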
3. Manage issue remediation
Issues management, follow-up, and remediation are the primary results of audits. The remediation phase involves managing the issues lifecycle and obtaining management responses to these issues. You can identify, catalog, evaluate, and break down issues into remedial actions. You can also summarize issues into larger themes for reporting purposes.
Define remediation plans
Auditors often work with management to ensure that responses to issues are appropriately stated and address root causes. By assigning issues to the appropriate owner, issue owners can enter their own management responses or action plans, state who is responsible, what they will do, and the time frame for completion.
Example
Scenario
You need to record a remediation plan to address the fire safety plan concerns, and record an action as a follow-up measure.
Process
Help topics
From the Follow-up & Remediation subtab, you specify the Remediation Status as Awaiting Management Response. As part of the remediation plan, you specify directions for management to review the fire safety plan and ensure that all requirements are met. Finally, you create two actions to address the issue.
Result
The actions are captured:
Retest and close issues
Auditors can follow up with management, retest issues, and record any subsequent findings. They can specify whether or not the issue has truly been remediated, and report back to the audit committee on the status of remediation activities.
Example
Scenario
Both actions have been fulfilled; the fire extinguisher has been replaced and management has reviewed the fire safety plan. You re-inspect the fire extinguishers and find they have been replaced, and you notice that management has reviewed the fire safety plan and ensured compliance.
Process
Help topics
You document the retesting results to verify that the issue has been truly remediated:
Retesting Results Overview
The fire extinguishers have been inspected and replaced and the fire safety plan has been reviewed.
Then, you close the issue and actions:
Result
The retesting results are captured and the items are closed and ready for reporting.
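To make the remediation lifecycle described in this section concrete, here is an added Python model (not Diligent's code) of an issue that moves from Awaiting Management Response through actions and retesting to closure. The only status named on the page is Awaiting Management Response; the other statuses and the rule that an issue cannot be closed until every action is complete and a retest confirms remediation are assumptions chosen to match the workflow above.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class RemediationStatus(Enum):
    AWAITING_MANAGEMENT_RESPONSE = "Awaiting Management Response"  # named on the page
    IN_PROGRESS = "In Progress"            # assumed
    READY_FOR_RETEST = "Ready for Retest"  # assumed
    CLOSED = "Closed"                      # assumed


@dataclass
class Action:
    title: str
    owner: str
    complete: bool = False


@dataclass
class Issue:
    title: str
    owner: str
    severity: str
    status: RemediationStatus = RemediationStatus.AWAITING_MANAGEMENT_RESPONSE
    management_response: Optional[str] = None
    actions: List[Action] = field(default_factory=list)
    retest_overview: Optional[str] = None
    remediated: Optional[bool] = None
    history: List[str] = field(default_factory=list)  # audit trail of transitions

    def _move(self, new_status: RemediationStatus, note: str) -> None:
        self.history.append(f"{self.status.value} -> {new_status.value}: {note}")
        self.status = new_status

    def record_management_response(self, response: str, actions: List[Action]) -> None:
        if self.status is not RemediationStatus.AWAITING_MANAGEMENT_RESPONSE:
            raise ValueError(f"cannot accept a response while {self.status.value}")
        if not actions:
            raise ValueError("a management response needs at least one action")
        self.management_response = response
        self.actions = list(actions)
        self._move(RemediationStatus.IN_PROGRESS, "management response recorded")

    def complete_action(self, title: str) -> None:
        for action in self.actions:
            if action.title == title:
                action.complete = True
                break
        else:
            raise KeyError(title)
        if all(a.complete for a in self.actions):
            self._move(RemediationStatus.READY_FOR_RETEST, "all actions complete")

    def record_retest(self, overview: str, remediated: bool) -> None:
        if self.status is not RemediationStatus.READY_FOR_RETEST:
            raise ValueError("retesting requires all actions to be complete")
        self.retest_overview = overview
        self.remediated = remediated
        if not remediated:
            for action in self.actions:
                action.complete = False  # reopen the actions for management
            self._move(RemediationStatus.IN_PROGRESS, "retest found deficiency not remediated")

    def close(self) -> None:
        if self.status is not RemediationStatus.READY_FOR_RETEST or not self.remediated:
            raise ValueError("an issue closes only after a retest confirms remediation")
        self._move(RemediationStatus.CLOSED, "issue and actions closed")


def fire_extinguisher_issue() -> Issue:
    """Walk the page's fire extinguisher issue through the full lifecycle."""
    issue = Issue("Expired fire extinguisher", "Building Manager", "Low")
    issue.record_management_response(
        "Review the fire safety plan and ensure that all requirements are met.",
        [Action("Replace expired fire extinguisher", "Building Manager"),
         Action("Review fire safety plan", "Building Manager")])
    issue.complete_action("Replace expired fire extinguisher")
    issue.complete_action("Review fire safety plan")
    issue.record_retest("The fire extinguishers have been inspected and replaced "
                        "and the fire safety plan has been reviewed.", remediated=True)
    issue.close()
    return issue


if __name__ == "__main__":
    print("\n".join(fire_extinguisher_issue().history))
```

The guards in `close` and `record_retest` are the point: they stop an issue from being reported as remediated on the strength of a management response alone, and a failed retest sends the actions back to the owner instead of leaving the issue in limbo.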
What's next?
Learn how to monitor and communicate results
The Results app can be used to identify and manage exceptions, gather information from respondents to contextualize data, and visualize data to highlight trends, patterns, or outliers. You can then present multiple visualizations and rich text content in a single presentation using the Storyboards app.
To find out more, see Monitoring and communicating results.
Enroll in an Academy course
Continue to build your knowledge on the concepts introduced in this article by taking the PROJ 100 learning path.
Academy is Diligent's online training resource center. Academy courses are included at no extra cost for any user with a Diligent One subscription. For more information, see Academy.