Audit Engagements & Workpapers Use Case Design

Architecture Diagram

The following diagram shows the relationships between the applications in the Audit Engagements & Workpapers use case.

Audit architecture diagram

Applications

The following table describes the use case applications.

Application

Description

Audit Entity

The Audit Entity application provides a single, centralized location to capture details about each area that could be the subject of audit scrutiny, such as business processes, organizational units (such as departments), specific topics (for example, a regulation, such as FFIEC), IT infrastructure and applications, and other individual areas.

Through the Audit Entity application, you can:

  • Define each audit entity and create a "universe" of audit entities.
  • Scope each audit entity for the control-based audit by relating the entity to cross-referenced records in the Business Units, Business Processes, Facilities, Applications, Process Narratives, Compliance Scope, and Controls applications.
  • Assign audit and business ownership to each audit entity.

The Audit Entity application supports additional fields and functionality when the Audit Planning & Quality use case is licensed. If that use case is not licensed, the additional fields are not needed and can be removed.

In this use case, the Audit Entity application does not provide the following assessments, sections, and calculations:

  • Audit Entity Risk Assessment.
  • Historical Audit Engagements and Entity Assessments.
  • An Entity Assessment Summary section.
  • Management Information Risk Summary section and calculations.
  • Calculations in the Audit Entity Prioritization section do not account for the Risk Assessment.

In this use case, the Audit Entity application calculates the Next Audit Date using only a combination of the last qualifying Audit Engagement date, the Frequency, and the Audit Override date, as follows:

  • If Required Frequency and the Audit Override date are both empty, but there is a Last Audit Engagement Date, the system automatically adds 1095 days to that date to determine a Next Audit Date.
  • The Override Audit date always trumps the Frequency, unless the override date is in the past.
  • If both the Frequency and the Last Audit Engagement Date are defined, but there is no Override date, the system adds the number of days in the Frequency value to the Last Audit Engagement Date.
  • If there is no Frequency defined, no Last Audit Engagement Date, and no override value, the Next Audit Date is NoValue.
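
The Next Audit Date rules above, written out as a small Python function with a check for entities that have no upcoming date (an added example, not Archer's own calculation). It assumes Frequency is a number of days, that an override in the past is treated as empty, and that a Frequency with no Last Audit Engagement Date yields NoValue; the function names and sample entities are constructed.

```python
from datetime import date, timedelta
from typing import Optional

DEFAULT_CYCLE_DAYS = 1095  # fallback the page states when no Frequency is set


def next_audit_date(last_engagement: Optional[date],
                    frequency_days: Optional[int],
                    override: Optional[date],
                    today: date) -> Optional[date]:
    """Return the Next Audit Date, or None where the page says NoValue."""
    # An override wins over the Frequency unless it is already in the past.
    if override is not None and override >= today:
        return override
    # Assumption: a past override is treated as if it were empty.
    if last_engagement is None:
        # No date to count from. The page only states NoValue when Frequency
        # is also empty; Frequency without a last date is assumed the same.
        return None
    days = frequency_days if frequency_days is not None else DEFAULT_CYCLE_DAYS
    return last_engagement + timedelta(days=days)


def needs_attention(entities: dict, today: date) -> list:
    """Names of entities whose Next Audit Date is NoValue or already past."""
    flagged = []
    for name, (last, freq, override) in entities.items():
        due = next_audit_date(last, freq, override, today)
        if due is None or due < today:
            flagged.append(name)
    return sorted(flagged)


# Constructed sample universe: (last engagement, frequency in days, override)
TODAY = date(2024, 6, 1)
UNIVERSE = {
    "Payroll": (date(2023, 1, 10), None, None),              # 1095-day default
    "Data Center": (date(2023, 1, 10), 365, None),           # last + Frequency
    "Treasury": (date(2023, 1, 10), 365, date(2025, 3, 1)),  # future override
    "Vendor Mgmt": (date(2020, 1, 1), 365, date(2024, 1, 1)),  # past override
    "New Unit": (None, None, None),                          # NoValue
}

if __name__ == "__main__":
    for name, fields in UNIVERSE.items():
        print(name, next_audit_date(*fields, TODAY))
    print("needs attention:", needs_attention(UNIVERSE, TODAY))
```

Entities that come back as NoValue never enter the schedule on their own, so they are worth reviewing alongside the overdue ones.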

Audit Engagement

The Audit Engagement application serves as an Internal Audit mechanism for creating, managing, tracking, and reporting on individual audit engagements. The application allows users to determine the audit engagement’s scope, create and manage workpapers, perform audit testing, document observations and findings, and draft the audit report. Most of these tasks can be performed in either online or offline mode; however, any appointments created offline cannot be correctly synced.

The Audit Engagement application supports additional fields and functionality when the Audit Planning & Quality use case is licensed. If that use case is not licensed, the additional fields are not needed and can be removed.

In this use case, the Audit Engagement application does not provide the following:

  • Engagement Hours & Expenses section.
  • Variances section.
  • Staffing or Scheduler field.
  • Ability to plan an Audit Engagement and track the performance levels.

Audit Observations

The Audit Observations application is used to document deficiencies or gaps found during audit workpaper control testing and to capture common observations across multiple controls at the engagement level. Through the Audit Observations application, you can:

  • Review Observations that are captured through the results of workpaper control testing.

  • Capture and identify the appropriate personnel and track the tasks associated with the Audit Observations resolution.

Audit Program Library

The Audit Program Library application provides a repository to create and house audit programs and related audit procedures for use on multiple audit engagements. When you select audit programs with corresponding audit procedures, the system makes copies of the audit programs and procedures for audit engagements and creates workpapers for documenting tests and results.

Through the Audit Program Library application, you can:

  • Capture audit program and test objectives, detailed procedures, and estimated time for testing.
  • Relate audit procedures to your organizational risks and control procedures to be tested.
  • Maintain standard and consistent audit programs to be used across all audit engagements.

Audit Workpaper

The Audit Workpaper application provides a method for automatically generating the tests outlined in audit programs and related procedures for a specific audit engagement. The Audit Workpaper application is designed to mirror the Audit Program Library; you can create project-specific versions of standard audit programs and procedures and use them to document your testing. This approach allows audit department management to maintain consistency of audit procedures across engagements by leveraging the Audit Program Library while enabling auditors to customize or add procedures to fit the needs of the engagement on which they are working.

Plan Entity

Once an audit entity is identified as a target for an audit engagement, based on factors such as risk, regulatory scrutiny, or strategic value, the plan entity is required in order to accurately link the audit entity to any audit engagements. Each time you select the same audit entity for an engagement, you are specifying the details of the audit for that audit engagement. For example, in one plan year you may select an audit entity to be included in an audit engagement as just a Department Review, which requires a limited scope. In the next plan year, that same audit entity is included in another audit engagement, but this time as a full-blown External Audit Engagement, which requires more resources and a larger objective scope. The plan entity captures the name of the plan entity, the type of audit engagement, the objective and scope, and the stakeholders.

The Plan Entity application supports additional fields and functionality when the Audit Planning & Quality use case is licensed. If that use case is not licensed, the additional fields are not needed and can be removed.

In this use case, the Plan Entity application does not provide the following:

  • Plan Entity Scope.
  • The Status excludes all deferment of audit engagements.
  • Audit planning capabilities.

Business Processes

The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units. A business process may also be referenced to one or multiple products or services. The application enables you to track the business process's personnel, criticality, recovery time objective (RTO), and ITIL category, and associate it with other aspects of the enterprise infrastructure.

Contacts

The Contacts application allows you to document information about audit staff, such as their skills and roles, as well as information about other internal and external contacts that need to be involved in the audit process.

The Contacts application serves as a central repository for contact information, is utilized across multiple areas of Archer, and contains information that is often leveraged by other use cases. Updates to a profile record within this application automatically propagate in any records with displayed contact information.

Devices

The Devices application serves as a central repository for knowledge, such as criticality, about IT devices and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure.

Facilities

The Facilities application maintains a listing of all organizational facilities such as data centers and branches. This application allows you to document and review all information associated with a specific facility, such as contact personnel, related incidents and technologies associated with the location.

Through the Facilities application, you can:

  • Capture facility information in a central database.

  • Understand the vendors, incidents and technologies that are linked to a facility.

  • Measure and track the risks associated with a facility and take action to minimize the impact of those risks.

Applications

The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure.

Scoping Units

The Scoping Units application works in the background of the Audit Engagement applications. It enables users to determine whether Business Units, Business Process, Applications, Facilities, Process Narratives, Compliance Scope, Risks, and Controls instances are in or out of scope for a specific engagement.

Evidence Repository

The Evidence Repository allows users to manage evidence records after initiating their testing procedures. You can create evidence records automatically or manually.

To automatically create evidence records, you must allow the Automatic Evidence Collection bulk action schedule to run on Master Controls or Control Procedures records. For more information about the Automatic Evidence Collection bulk action schedule, see "Creating Master Controls" in the IT Controls Assurance Use Case Help and "Creating Control Procedures" in the IT Controls Assurance Use Case Help.

You can manually create evidence records and attach related controls through the Evidence Repository application.

PBC Documentation Requests

You can use the PBC Documentation Requests application to manage PBC Request records that are filed for documenting and reviewing Provided By Client (PBC) lists. Auditors frequently request PBC lists during the audit preparation phase. PBC lists are regularly updated during the audit process and include requested supporting documents that auditors need from clients, such as policies, reports, and so on. Auditors also use the PBC lists to begin fieldwork tests and understand the controls and processes within scope. Auditors can add new requests to the PBC list as needed for the audit.

Personas and access roles

The following table describes the general audit industry functions that make up the Internal Audit (IA) organization of a company. Depending on the audit organization of your company, these functions and responsibilities may vary.

The following table describes the use case personas.

Function

Description

Chief Audit Executive (CAE) or Internal Audit Director (IAD)

Manages the IA organization and oversees the audit team, the assessment of the audit universe, and subsequent planning. The CAE or IAD works with audit management and teams in the planning and performing of audit engagements, reports to the Audit Committee and executive management, and coordinates work with external auditors.

Audit Committee

Works with the CAE or IAD to oversee IA, receives audit results focusing on critical matters, selects external auditors, and provides recommendations to the board of directors.

Internal Audit managers

Consists of multiple levels in an organization, such as vice presidents, directors, and managers. IA managers oversee a functional area within the IA department, such as a region, discipline, product lines, or subject matter areas. IA managers report to the CAE or IAD and are responsible for helping assess the audit universe, determine the audit plan, oversee audit engagements, and lead audit teams.

Lead auditor

Scopes and plans engagements and testing, reviews testing, drafts reports, and oversees internal auditors on engagements. The lead, sometimes called an audit senior, reports to a manager or director.

Internal auditor

Works on audit engagements. The internal auditor reports to a lead, auditor, manager, or director for specific engagements and may be a subject matter expert for certain audit types or areas.

External auditor

Evaluates the accuracy of the company’s financial statements. The external audit firm is engaged by the Audit Committee and Board of Directors to review the work of IA.

For a complete list of access roles and detailed, page-level access rights, see the Data Dictionary.

For a complete list of application record permission fields, including which user/groups fields populate the fields and where the fields inherit permissions from, see the Data Dictionary.

Dashboards

The following table describes the use case dashboards.

Dashboard

Description

Audit Business Owner

Provides Audit Business Owners with information about their assigned audit entities and open findings against their engagements.

Audit Executive Management

Provides Audit Executives an aggregate view of the audit universe, including planning, scheduling, staffing, and management of audit entities. From the dashboard, Audit Executives can view details around audit plans and their performance; audit entity status, prioritization, and risk profile; open findings generated by audit engagements; and management risk coverage of audit plans.

Audit Issue Management

Provides information about findings, remediation plans, and exception requests that are related to your audit program.

By default, this dashboard is not displayed in the Issues Management workspace.

Audit Management

Provides Audit Managers an aggregate view of the audit universe, including planning, scheduling, staffing, and management of audit entities.

Audit Team

Provides a portal for auditors to access their recurring or ongoing tasks.

External Auditor

Provides External Auditors with an aggregate view of the audit universe, including planning, scheduling, risk-based prioritization, staffing, and management of audit entities.

Data Feeds

Note: For instructions on setting up the feeds, see Setting Up Audit Engagements & Workpapers Data Feeds.

The following table describes the use case data feeds.

Data Feed

Description

Audit_Entity_Scope_Population

This feed lets you automatically scope an audit entity using a Risk-based or Control-based approach, and populates the Controls, Risks, Information Assets, Facilities, Applications, and Devices based on the Audit Scope.

Audit_Engagement_Scope_Population

This data feed creates a copy of the scoped records for Audit entities tagged to Audit Engagement through a plan entity.

Audit_Engagement_Outscope_Related_Controls_Risks

This JavaScript data feed marks as out of scope any scoped content that is to be out-scoped as part of this engagement. When the feed out-scopes a related scoped entity, it also out-scopes the related Risks and Controls.

Create_Audit_Workpapers_By_Audit_Program

This feed creates Audit Workpapers (both levels) from the Audit Program Library application, based on the audit grouping attribute that is defined in the Audit Engagement and Audit Program Library applications.

Create_Additional_Audit_Workpapers

Clear_Additional_Library_Link

The Create feed creates Audit Workpapers (both levels) from the Audit Program Library application based on an individual selection in an audit engagement. The Clear feed clears the Audit Program Library cross-reference in the Audit Engagement application.

Audit Workpaper Generation for Control Based Audit

This feed creates audit workpapers for audit engagement and Audit Procedure for respective in-scoped Control Procedure based on the audit grouping attribute that is defined in the audit engagement.

Audit Workpaper Generation for Risk Based Audit

This feed creates audit workpapers for Risk and Audit Procedure for respective in-scoped Control Procedure based on the audit grouping attribute that is defined in the audit engagement.

Data Dictionary

The Audit Engagements & Workpapers Data Dictionary contains configuration information for the use case.

You can obtain the Data Dictionary for the use case by contacting your Archer Account Representative.