Archer Audit Management Solution

Archer Audit Management gives internal audit teams a modernized, risk-based framework for planning and executing audits.

This solution is part of Archer Core Solutions.

For information on the latest changes to the solution, see the Release Notes.

On this page

Key Components

Solution Architecture

The following diagram shows the relationships between the applications in the solution.

Archecture diagram of the audit solution structure.

Core Applications

The following table lists the core applications in the solution.

Applications

Description

Audit Entity

Audit entities are used to define what is subject to audit. Audit entities can be risk assessed to help with prioritization.

Audit Templates

Defines reusable audit templates including risks, controls, and testing procedures. Each new engagement requires a template, which can apply to any entity.

Audit Risks

Contains standardized audit risks that are reusable across entities. Audit Risks must be tied to a template, but can be used across multiple templates. This is an audit list that is not dependent on enterprise risk management risks.

Audit Controls

Contains standardized audit control procedures. It includes general control details, including a description of acceptable evidence and testing procedures. It can be linked to audit risks on an audit template.

Audit Plan

A time-focused, structured plan that outlines strategy, scoping, and timing for performing a set of audit engagements. Plans are used to group related audits, define a time frame, and align audits with organizational risk priorities or compliance obligations. Plans can be as broad as 202X Audits or as narrow as IT Audits - Sprint 15.

Audit Engagement

An individual execution of a specific audit. It’s a detailed project that follows the full audit lifecycle from initial proposal through reporting and issues management. Audit engagements start with the selection of an entity to assess and a template to use. Once prioritized, they allow users to plan the audit, scope in and out risks and controls from the template, test audit procedures and conduct fieldwork, and document observations and findings.

Entity Scoping Unit

A snapshot of the entity being assessed. This is created by the system and helps build out the entity-risk-control matrix on a specific engagement.

Risk Scoping Unit

A snapshot of the risks from the used audit template. This is created by the system and helps build out the entity-risk-control matrix on a specific engagement. It ties directly to the entity scoping unit.

Control Scoping Unit

A snapshot of the controls from the used audit template. This is created by the system and helps build out the entity-risk-control matrix on a specific engagement. This ties directly to the risk scoping unit.

Audit Workpapers

A record created by the system to capture testing activities, evidence, and commentary. One workpaper is created for each risk scoping unit that is marked In Scope on the engagement. It's a way to bundle similar audit procedures.

Audit Procedures

A record created by the system to document a specific test or activity that an auditor performs to evaluate whether a risk is effectively controlled or a process is functioning as intended. Auditors determine for each procedure if the control is operating and designed effectively.

Observations

Preliminary notes or review comments made by the auditor during fieldwork. Observations are made when something appears unusual, non-compliant, or needs clarification, but hasn’t yet been confirmed as a formal issue or finding.

Findings

A formal audit result that identifies a problem, deficiency, or gap in controls, processes, or compliance based on evidence gathered in the audit engagement. Synonymous with issues. Final approval is conducted by audit once the issue is remediated.

Access Groups

The following table describes each of the access groups for the solution.

Group Name

Description

Audit Management

Full admin access to all Audit applications.

Audit User

Limited access to all Compliance applications. Users in this group can own engagements, evidence, and workpapers.

Data Feeds (Automations)

The following table describes the data feeds for the solution.

Data Feed

Description

DF.AU.AWF.01.01 Create Engagement Scope from Template

Runs when the engagement moves into the planning phase through the advanced workflow. The feed creates the entity-risk-control matrix based on the entity and template selected.

DF.AU.AWF.01.03 Create Workpapers from Engagement (AWF)

Runs when the engagement moves to the fieldwork phase through the advanced workflow. The feed creates a workpaper record for each risk scoping unit and an audit procedure for each control scoping unit.

DF.AU.AWF.01.02 Create Evidence from Control Scoping Units (AWF)

Runs when the engagement moves to the fieldwork phase through the advanced workflow. The feed creates one evidence record per control scoping unit that is in scope, and assigns it to the business contact.

Dashboards

The following table contains the dashboards for this solution.
Dashboard Description

Compliance Overview

This dashboard is for compliance managers to see an overview of control activities, control mapping, and quick links to start testing.

Regulatory Change Management

This dashboard is for regulatory compliance and legal teams to see regulatory intelligence that is coming in and to see the status of regulatory reviews.

Workflow Overview

This section provides step-by-step guidance for key audit workflows in Archer.

Creating the Audit Universe

To define the auditable units in your organization, use the Audit Entity application.

  1. Navigate to the Audit Entity application and click Add New.

  2. Enter the entity name and select the entity type.

  3. Add region, owner, and business function attributes.

  4. (Optional) Attach documentation or evidence.

  5. Fill out the risk assessment to determine relative priority and acceptable audit frequency.

  6. Click Save.

Creating an Audit Template

Audit templates are aneffective way to see if an organization is mitigating risks and maintaining compliance. Defining reusable audit engagement templates help scale audit programs. These templates determine the workpapers and procedures on the engagements.

  1. Navigate to the Audit Template application and click Add New.

  2. Provide a name, scope, and overview of the audit template.

  3. Navigate to the Audit Risks section and click Add New.

  4. Enter the risk, impact, and likelihood rating.

  5. To create an audit control for your risk, do the following:

    1. Navigate to Audit Controls and click Add New.

    2. Define the control and acceptable evidence and testing procedures.

    3. Click Save.

  6. Click Save.

Creating and Managing an Audit Plan

Plan audit engagements across timeframes or scopes by creating an audit plan.

  1. Navigate to the Audit Plan application and click Add New.

  2. Enter a plan name and define the time frame

  3. Add details like audit cycle owner and review dates.

  4. In the Engagements sub-form, click Add New Engagement for each proposed audit (see Creating and Managing Audit engagement).

  5. Click Submit.

Creating & managing an audit engagement

The following diagram shows the process of creating and managing an audit engagement.

Frequently asked questions

What data should I have in place before I get started?

The following table contains a list of data types that should be considered when using Audit Management.

Application

Format

Priority

Audit Entities

A list of who and what the audit team will assess. Processes, business units, regions, and systems are all Audit Entities.

Required

Audit Templates (Audit Risks and Controls)

A list of audit risks, a list of audit controls that ties to those risks, and a list of templates those risks should be associated with.

Required

Can I change the questions on the procedures?

Yes. You can make changes to questions to meet your business needs. Changing the values lists of results and adding additional questions can make this application better align with your program.

If we are not ready for control tests, is there a way to still mark the effectiveness of the controls?

Yes. Navigate to the controls application as an admin, then modify Control Effectiveness Rating to be a manually-set field. This allows users to select the control effectiveness right on the control, simplifying the process.

You may also want to remove the full control tests from the layout and related testing fields. Additionally, you can make Control Effectiveness Rating a private field and assign users and groups access to it.