Executing your audit

Audit workpapers are the main documentary evidence of audit testing, discussions, and observations. Workpaper management should be centralized, automated, and real-time so that ongoing audit oversight and transparency is instantly available. In this article, we discuss how to execute an audit using the Projects app.

This article illustrates how to execute an audit using a workplan workflow, which is useful for small- to mid-sized audit functions and teams. The workflow outlined in this article is appropriate for straightforward audits, which consist of a set of steps or procedures that the audit team will execute, and the documentation of the outcome of each step. This is one approach, but you can achieve the same or similar objectives using other project types.

What does it mean to execute an audit?

Executing an audit involves a variety activities including:

  • performing risk assessments
  • executing procedures
  • reviewing and analyzing evidence
  • documenting observations and issues
  • drafting interim conclusions and recommendations
  • consulting with clients and other team members

The result of executing an audit is issue identification and remediation.

Where do I execute an audit?

You can execute an audit using the Projects app.

The big picture

  • Project templates are used as a starting point for building out one or more audits, and can be modified as needed.
  • Projects are used to document objectives, risks, and procedures, document fieldwork, and to capture issues.
  • Frameworks are used to structure and manage the same information between multiple projects. You can use one framework to sync the same objectives, narratives, risks, controls, and test plans between multiple projects.

    When you make changes to the above elements in a project, you can sync those changes back to the framework the project is associated with, so you can apply those changes to all other projects associated with that framework. This is particularly helpful for audits that happen regularly. For more information, see Syncing projects with frameworks.

Within a project, the scope of audit work is guided through various stages and displayed in a series of sequential tabs.

These include:

  • project planning activities
  • documenting fieldwork
  • carrying out quality assurance reviews of work performed
  • reporting on audit results and providing recommendations to management
  • capturing and remediating issues

Steps

Ready for a tour?

Let's take a closer look at these features in context.

1. Set up your project

The first step is understanding the best method to set up data in the system so that you can report out appropriately. You can create projects to define objectives, risks, and procedures, execute procedures, and compile information for reporting purposes. You can also set up tagging structures to map objectives, risks, and procedures to relevant contextual data points (assets, owners, entities, etc.) and enable reporting on those dimensions.

Tip

The Projects app offers several risk and control libraries (project templates) that contain pre-populated content for specific workflows. A variety of project templates are typically used to jumpstart audits and create re-usable templates. These include:

  • Internal Audit (Operational) Templates
  • SOC/SSAE 16/ISAE 3402 Audit Templates
  • Internal Audit (Financial & Internal Control) Templates
  • the Sarbanes-Oxley (SOX) Audit Template (COSO 2013 Framework)

Set up a project

You can choose between two different types of project workflows, depending on whether their audits are operational or more comprehensive (such as SOX or ICFR reviews). After you set up a project, Projects enforces a simple workflow in the audit. This helps you identify relevant audit procedures and manage issues.

Modeling your organizational entity structure

Organizations are comprised of different business units, departments, locations, regions, and legal entities. You can model your business and legal entity structure in your audit management process. This allows you to report on testing results and issues to management and the audit committee.

Perform an audit risk assessment

Organizations typically engage in a systematic identification and assessment of risks. Audit risk assessments provide the means of assessing operational risks that impact the business, and prioritizing the risks that should be mitigated first. You can develop a common set of assessment criteria that can be used across operating segments, entities, or business units, and score operational risks based on the defined scoring framework.

Tip

To avoid manually scoring operational risks, you can use Assessment Drivers to automate different risk assessments. You can link a metric created in the Results app to a risk assessment in Projects in order to inform the assessment, and auto-populate inherent risk scores based on pre-defined metric ranges.

2. Gather, evaluate, and document evidence

Gathering, evaluating, and documenting evidence involves a variety of activities. Quality assurance reviews can be conducted as project work is completed. Senior auditors can easily add coaching notes and review comments, and assign additional tasks to junior team members. Projects automatically emails and notifies team members of tasks to complete, and engages them in the review process.

Tip

Using Diligent HighBond for iOS or Android, Audit teams can experience uninterrupted and real-time access to workpapers, regardless of the physical location of various team members.

Execute procedures

Auditors can record the outcome of procedures they have executed. As procedures are executed, Projects automatically aggregates testing results and issues, and calculates assurance in real-time.

Tip

Using the Projects and Results apps, you can directly link workpaper evidence to automated analytics for efficient and full-population testing. With truly analytics-driven risk assessments based on your organization’s actual data, management can know the exact state of your organization’s risks at any time, without needing to compile various reports and updates. Risk assessments automatically take into account inherent risks and mitigation efforts, providing a quantified estimate of residual risk.

Identify issues

Auditors can capture and assign flagged issues for remediation throughout the audit process. They can delegate issues to owners to update the status and related action plans. They can also assign actions to any stakeholder for easy tracking, evidence capture, and resolution.

Record time

Managers can use the Timesheets app to measure performance of individual resources by utilization. They can gain insight into scheduled resources allocated for a particular project including the number of hours worked. They can also measure the overall profitability and return on investment (ROI) of a particular project, and generate reports.

Manage requests

At any point during the project cycle, auditors can submit and track all client requests directly within Projects to keep all communication threads and requested items organized. You can also configure Projects to periodically send automatic prompts to remind project participants of outstanding requests.

3. Manage issue remediation

Issues management, follow-up, and remediation are the primary results of audits. The remediation phase involves managing the issues lifecycle and obtaining management responses to these issues. You can identify, catalog, evaluate, and break down issues into remedial actions. You can also summarize issues into larger themes for reporting purposes.

Define remediation plans

Auditors often work with management to ensure that responses to issues are appropriately stated and address root causes. By assigning issues to the appropriate owner, issue owners can enter their own management responses or action plans, state who is responsible, what they will do, and the time frame for completion.

Retest and close issues

Auditors can follow-up with management, retest issues, and record any subsequent findings. They can specify whether or not the issue has truly been remediated, and report back to the audit committee on the status of remediation activities.

What's next? 

Learn how to monitor and communicate results

The Results app can be used to identify and manage exceptions, gather information from respondents to contextualize data, and visualize data to highlight trends, patterns, or outliers. You can then present display multiple visualizations and rich text content in a single presentation using the Storyboards app.

To find out more, see Monitoring and communicating results.

Enroll in an Academy course

Continue to build your knowledge on the concepts introduced in this article by taking the PROJ 100 learning path.

Academy is Diligent's online training resource center. Academy courses are included at no extra cost for any user with a Diligent One subscription. For more information, see Academy.