audit software the enterprise edition


Product information

Content

1 Executive Summary
Improving efficiency
Work reduction
Time saving
Quality assurance
Standardisation
Auditable working
Traceability of results
Comparability of all results
Higher audit quality
Compliance with required standards
IIA standards
Supervisory authorities
Data protection
2 Product information
Structure Audit Universe
Audit process
Planning
Audit
Word Reporting
Recommendation Tracking
Reporting
Other requirements
Time Recording
Document Management
Knowledge Base
User Rights Management

1 Executive Summary

The introduction of audit software has to be of benefit for your company. It is up to you whether the desired added value is more qualitative or quantitative in nature: You decide and we will help you to implement your aims, because audimexee was developed to generate essential added values. Over the following pages we would like to inform you about the ways and means by which we can help you using audimexee: generating added value flexibly adapted to your requirements.

1.1 Improving efficiency

Work reduction

audimexee supports you in the comprehensive, long-term planning approach and calculates the risks of the audit objects according to your requirements, whereby information from previous audits, risk-relevant KPIs and values from other systems can also flow into the calculation.

Time saving

All reports are produced at the click of a button, so there is no need for the time-consuming combination of information from various audit reports, e-mails, telephone notes and other documents, all of which have entirely different formats. This not only frees up resources for other activities; the required information is also available precisely and without any delay, even from decentralised audit departments. Access to previous audits with all the relevant documentation, audit results and processing status of the measures is implemented location-independently in one system.
The full-text search in all or specific documents pertaining to a specific audit also saves valuable time and avoids redundancies.

1.2 Quality assurance

Standardisation

The implementation of audit software imposes a standardized working method and ensures compliance with guidelines. The integration of new employees becomes easier. With obligatory fields in audimexee, you specify what needs to be commented. You define the workflow with audit, audit procedures, measures, document and reporting status, and you can also determine the flow from status to status. Each of these states can require a sign-off before the process can be continued. You therefore meet both the requirements of external auditors and your own guidelines in the audit manual.

1.2.2 Auditable working

Archiving and versioning mean that all processes are implemented in an auditable manner. All changes in the system or in reports are recorded and archived. It is then clear who changed what document and when.

Traceability of results

If individual audit procedures are documented in addition to the findings, then all procedures and the subsequent results can be determined by a third person. Added documents underline and explain the audit results. Findings and measures can of course be evaluated and categorized as usual.

Comparability of all results

Results that can be compared with each other can only be obtained through standardisation and homogenisation. It is therefore of interest when findings occur in some organisational units but not in others during comparable auditing procedures. Not only can this be used to determine deficits: the role of auditing as a competent advisory unit is also underscored.

Higher audit quality

A higher audit quality is achieved with a user-configured approval workflow through the use of best-practice audit procedures, knowledge exchange, compliance with specifications and a structured working method.

1.3 Compliance with required standards

IIA standards

audimexee supports the working method recommended by national and international associations.

Supervisory authorities

audimexee is also used by supervisory authorities. You can therefore be sure that your requirements are met.

Data protection

audimexee is based on a strict role- and rule-based access system. Each user has specific access rights, depending on the role. You specify who receives read or write access and who sees which navigation links. You control access options and responsibilities with this access system. You can set up a strict separation of clients in audimexee. Read more in chapter User Rights Management.

2 Product information

In this chapter we outline how audimexee supports you in your audit process.
Please find out more about all the functions that are typically required by internal audit department in:

Structure Audit Universe

In audimexee you can design your own view of the company and structure it in a multi-level hierarchy or matrix. The audit universe therefore serves more purposes than just planning. Rather, the audit universe in audimexee is the basis of:

- Long-term plan: audimexee allows you to view the risk estimation and due dates of audit objects in a long-term view.
- Audit planning: Here you define your audit objects, which are the basis of the annual plan. Each object in the audit universe can potentially be subject to the annual plan, either as a mandatory audit object or as a risk-driven audit object.
- Reporting: The audit universe in audimexee is actually a company model. Many reports are structured along the company's structure. An example would be a report showing open measures by process and business area. The business areas are structural nodes in the hierarchy of the company.
- Definition of responsibilities: You can also assign people (auditors, auditees, self-assessors, etc.) to the company structure. This information can be used, e.g., to derive mailing lists for the audit report.
- Permissions: Combined with the permission system, you can make sure that users have access only to objects in their area of responsibility. An example would be the responsibility for the follow-up, where auditees who are assigned to a department have access only to recommendations within their departments.

In the audit universe, one can model arbitrary objects and structures such as processes, companies, projects, and organizational units in arbitrary depth and differentiation. The most common matrix model shows processes against organizational units such as companies or audit departments.

2.2 Audit process

Planning

audimexee supports you in the comprehensive, long-term planning approach and calculates the risks of the audit objects according to your requirements, whereby information from previous audits, risk-relevant KPIs and values from other systems can also flow into the calculation. audimexee suggests the next audit date for each audit object, based on the risk assessment and the due dates of compulsory audits.

Risk based annual planning

The audit planning can be done on various hierarchy levels. Each audit object can be classified independently of its location in the structure: schedulable or not, with a structuring and/or informative character. The classification of the audit objects can be done according to processes and business divisions, as well as according to products, regulations, methods, etc. The risk value is determined on the basis of a risk model in which the risk indicators and rules are freely defined with:

- questions to a user
- database queries
- computations and formulae
- data import of KPIs and other numbers that influence the risk

Note that you can have multiple risk models, e.g. a different one for each audit department that considers local regulatory rules. A risk model is assigned to each risk-driven audit object. The actual risk values can of course change over time. audimexee will then automatically execute all required computations and version the risk model. In this way, one gets a risk history for each audit object. The final risk value is automatically computed from the risk criteria according to a formula. Instead of the simple pre-configured average, complex algorithms can also be used. The individual risk criteria of a risk model can be weighted differently. Given the risk value, audimexee computes an audit interval from which the system then derives a proposal for an audit plan.

Long-term planning

A rapid overview already starts during long-term planning.
audimexee allows you to view the risk estimation and due dates of audit objects at a glance. This gives you a firm grip on the coverage of your audit universe. A constant alignment of the audit efforts with residual capacities helps to always keep in mind the feasibility of the audit planning. The horizon of the audit planning can be chosen freely.

Annual Planning

The plan taken over from the multiyear plan is refined and consolidated in the annual plan. The planning auditor is assisted by the permanently updated comparison of planned and available capacities. By adjusting suggested audit efforts or by postponing audits into following years, the auditor refines the initial plan into a feasible one. The resulting plan can be documented as an approved plan, for example after approval by the audit committee. audimexee can then automatically generate projects from the planned audits. Special audits can be created ad hoc at any time and will be considered during the capacity planning.

Figure: Long-term planning

Audit Scheduling

The audits planned in the annual planning are distributed over the year in the audit scheduling, and exact audit periods are fixed. audimexee provides a scheduling tool comprising:

- calendar of audits
- calendar of auditor assignments
- calendar showing audit projects (audits and assignments)
- team assignment matrix

Using these screens one can define a detailed audit schedule. Note that the scheduling also allows for special partnership audits. These are audits that are executed by auditors of different audit departments. audimexee supports a process to define and confirm such audit assignments. This is very important for big audit organizations, where an informal planning of, e.g., global audits is not feasible.

Audit Preparation

Audit procedures and checklists do not need to be reworked each time. They are selected in audimexee according to the audit area and auditing depth from your Best Practice catalogues. So the wheel does not need reinventing each time: on the contrary, each auditor can profit from the knowledge of colleagues and in turn contribute towards the optimisation of such catalogues by contributing experience and special skills. The first step of each audit is the audit preparation, where the content of the audit is defined in detail. The structural basis of an audit is the so-called audit manual. An audit manual consists of a set of audit topics, each containing a checklist. The checklist comprises audit actions or partial aspects which should be audited in detail. audimexee manages a library of standard audit manuals containing standardized checklists. During preparation or execution of an audit you can adopt a standard audit manual either completely or in excerpts, and then manually adapt it.
Note that the library can be managed on a group level, on a local level, or as a combination.

Audit Announcement

Based on a document template, audimexee can generate an audit notification letter into which the relevant audit master data are automatically transferred. The standard MS Word document reflects your Corporate Design and can be further processed as usual. Irritating formatting work in Word can be completely omitted. Read more in chapter Word Reporting.

Audit Execution

During field work all audit work is documented in audimexee. Audit results and the audit trail can be documented and evaluated down to the level of individual audit actions. An approval mechanism and coaching notes are available for audit actions, findings and work papers. Furthermore, objects such as findings, recommendations, audit actions and documents can be cross-referenced to each other. You can record findings and corrective measures with their classifications. Findings can be allocated to their originating process or sub-process according to your audit universe, and actions can be allocated to your organizational structure.

Figure: Audit staffing

Alternatively, the recording of findings and corrective measures can be done using special Word or Excel forms that are also available offline. The data can be imported into the system afterwards. Any work paper or other information can be imported and filed in a structured way into audimexee in any format (Word, Excel, PDF, etc.), e.g. in the knowledge base or as an attachment to an audit. The versioning of documents is also supported. We also support full-text retrieval within typical office documents such as Word, Excel, or PDF. The search is cross-audit and is similar to Google. So you can, e.g., issue a query "show me all reports of the last year that contained the words fraud and Smith".

Word Reporting

The audit report can be generated by audimexee. As with all document templates, the MS Word format templates can be arranged in accordance with your individual needs. This also allows you to take over your familiar audit documentation layouts into audimexee. In contrast to other tools, as all formatting is done in MS Word, the quality of the output is very high and many of our customers use the generated report as a final version. As our formatted texts support graphics, tables, charts, etc., these objects will be transferred into the report exactly as they are. There will be no format change or conversion. Further, audimexee can read information automatically out of Word documents. This can be used for the report approval phase where, e.g., the text of a finding changes. In this case, audimexee can update the text in the database by reading the document. Another mechanism of Word Integration can be used to read information out of a Word document. Thus, we also support an audit process where the report is completely written in Word and, after the audit field work and report approval, audimexee creates new findings and measures in the application by interpreting the Word document.
This mechanism requires an adaptation to the specific layout in the customizing.

Recommendation Tracking

The integrated deadline and resubmission administration ensures seamless monitoring of measure implementation. The implementation documentation of the auditees or their representatives in the system guarantees seamless traceability of measure processing. You will be automatically reminded about deadlines and due measures. In addition, an escalation process can be defined on the basis of your requirements. For the auditor, a resubmission list of open and due corrective measures is available. Note that one can assign an individual resubmission date to each measure. Additionally, audimexee supports the cross-audit monitoring of the completion status of measures as well as the view of a single audit. The responsible auditor will then be constantly informed by e-mail about new responses of the responsible business divisions. An underlying configurable workflow can be used as an approval mechanism for responses. audimexee supports follow-up audits, which enable users to take over (copy) corrective measures resulting from pre-audits to review their implementation actions.

Reporting

The contents of the central data storage are always current, meaningful and without gaps, so that you can obtain the required information without any ifs or buts, and always up to date. audimexee offers you a wide range of analysis instruments. The central data management has the advantage of providing access to all current and historical data of the system. You can limit the view of data by filtering, sorting, and grouping according to many criteria. Views of data can be saved permanently as bookmarks and called up over and over again. audimexee thereby preserves individual filter adjustments, grouping, etc. The results can also be exported to Excel, completely or as a selection of individual columns. audimexee allows you to compile your own (dynamic) reports according to your requirements.
Here again you have a broad range of options for the design, layout and content of the report. The dynamic reports are available for all screens and thus for all data visible in audimexee. A further possibility is the extraction of data into individually formatted Word templates, which has already been described. See Word Reporting. KPIs are becoming an increasingly popular instrument for improving control processes within the audit department. In audimexee you can define your own individual KPIs that can be displayed in various charts, resulting from database queries or from any kind of calculations. All KPIs are defined on a timeline and can be saved as historical data.

If you require reports that are of sophisticated design or comprise a complex computation, audimexee can provide reports using special standard products such as Jasper or Crystal Reports. Jasper and Crystal Reports are tightly integrated into audimexee so that reports can be called directly from audimexee.

2.3 Other requirements

Time Recording

audimexee supports not only the internal audit process but also offers a set of functions in the field of work organization and communication. audimexee includes a fully integrated time recording, providing the possibility to book time on an audit. This effort is aligned with the audit plan afterwards. The time recording is supplemented by vacation and absence management (e.g. trainings). The recording of efforts enables planning optimisation using the statistical data obtained from previous audits. In addition, the types of activities within the audit become quantifiable and can therefore be displayed, for example the administrative overhead of audits. The target/actual analyses integrated in audimexee enable comparisons between the actual status and the original annual plan. A simple click on a standard report provides a comprehensive view of the actual processing status and informs you about possible deviations from milestones.

Document Management

audimexee has its own document management. You can save all files in a structured way in the knowledge base or as attachments, e.g. to a risk evaluation, to an audit manual, to an audit object, to an audit, to corrective measures or even to a finding. audimexee is designed around central data management in the audimexee database. This includes the (generated) audit documentation in MS Word as well as attachments in any format, e.g. MS Excel, MS PowerPoint, PDF or GIF.
All kinds of documents can be managed using a configurable release process, automatic versioning, and a read-only archive.

Knowledge Base

The idea of the knowledge base is to share a common database of non-audit related information among all auditors. On the one hand it is hierarchically structured according to freely configurable criteria, and on the other hand it is a full-text search over all documents stored in audimexee.

User Rights Management

audimexee supports a freely configurable permission system for users. The outline of the system is divided into:

- User roles: At first, each user is in a certain fixed role. Examples of this would be Audit Manager, Auditor or Local Department Head. Additionally, the user can inherit so-called dynamic roles such as auditor in the team of a specific audit. In this case, the user has the role only for a certain audit.
- Objects: Each screen is an object, as is each part of a screen (e.g. a list of auditors) and each button on the screen.
- Rules: Between roles and objects one can define rules. A rule determines what the user can do. Rules can allow or forbid. Further, rules can be combined with and, or, and not. An example of a rule would be: "A user can (write-) access the screen audit preparation if he is in the static role auditor and in the role auditor in the team of a specific audit."
- Read Restrictions: One can additionally define so-called read restrictions that limit the access of a user to data. An example would be "An auditee can only access recommendations in his area of responsibility" or "an auditor can only access an audit if it is within the same department". Note that in the second example, the auditor will not even be informed about the existence of audits of other departments.

All configurations can be done by the customer himself. We deliver a basis as sample data.

Figure: Sample KPI charts as shown in the audimex portal (Time Recording, Audit Status)

audimex ag

As developers and suppliers of high class software products for internal audit and compliance, audimex ag offers its clients turnkey solutions for highest standards. From its locations in Augsburg and Dreieich, the company, founded in 1999, takes care of customers of all sizes and from every sector of industry. Activities range from the development of software solutions for internal audit and compliance, to presales consulting services and end user and post-implementation technical support.

Augsburg: Stettenstraße 6, D Augsburg Phone: / Fax: /
Dreieich: Am Taubhaus 18, D Dreieich Phone: / Fax: /
info@audimex.com