The toolbar at the top of the screen shows the following five key tabs:
1.Internal Audit team tab: i.e. where you can define all Internal audit team members along with the number of annual vacations days for each auditor.
2.Internal Audit portfolio tab; i.e. the universe from which the elements to be audited in the coming year are to be selected. This is populated automatically by the system.
3.Control Environment for each element of that portfolio;
4.Risk Evaluation: This is where you can evaluate the perceived risk, from an Internal Auditor's point of view, of each element of the portfolio.
5.Resource Management provides useful information with regards to Internal Audit staff allocation and productivity
16.2.1 Internal Audit Team
The Internal Audit team screen allows the user to define all Internal audit team members along with the annual vacations for each auditor. The system will then automatically calculate the Available Mand-days for each Internal Auditor depending on the defined Annual Working days, Holidays and annual vacation days.
To add a new team member, click on “Add New” and fill the employee details requested by the system, once your done click on the save icon.
Once all Internal Audit team members have been defined, the system will automatically calculate the Available Man-days for each Internal Audit team member. In addition, the system will present the total Annual Vacation and Available Mandays for the entire team at the bottom of the screen.
If you would like to generate a report containing the details of the Internal Audit Team their vacations and available man-days, click on the "Print" button in the toolbar at the top of the screen and the system will display the following report.
16.2.2 Internal Audit Portfolio
As shown above, the data in the left-hand column is provided directly by the system; it is a list of every Entity in the database and therefore shows every area for which the Internal Auditors are responsible.
In a well-run Internal Audit function, the Internal Auditors should have responsibility for monitoring the entire organization and therefore everything in the Risk database should be available in their planning portfolio. However, sometimes the database might include Entities that are only used for, say, training, or are earlier back-ups of current Entities; in these cases, you do not want these Entities included in the planning process. You can select the entities that you would like to include in the planning process using the button “Select IA Entities”. If you would like to view all Entities you can also do that by selecting “Show All Entities”.
Man-Day Allocations: this is split into 3 elements:
1.Traditional audit work;
2.Additional entity man-days;
3.Corporate risk man-days.
The process consists of entering the number of man-days intended to be spent in each Entity within the portfolio in the coming year. These man-days are split between time spent in the Entity reviewing the controls over Corporate Risks and those spent auditing the rest of the Entity. The logic for this is that, by and large, the controls that need to be audited when verifying the control environment surrounding each Corporate Risk are embedded in one or more elements of the business and therefore, whilst spending time auditing the Corporate Risk controls in that area some insight can be gained into the control environment of that element of the business. For example:
One risk in the Corporate Risk profile might be the possibility of “Significant corporate crime”; one control relied upon to mitigate this risk could be “Weekly bank reconciliations”. Now, the Finance department are responsible for performing these reconciliations and so an estimate would be made of the length of time needed to review bank reconciliations in Finance and this figure would be inserted into the planning grid in the” Corporate Risk Man-days” cell against Finance Department; let’s say this figure is 2 man-days. These 2 man-days also represent audit time spent in Finance and so, if Finance were to be considered as requiring an audit in the coming period, 2 days of the estimated total time required to audit Finance will already have been allocated.
This process is designed to avoid duplication of audit effort by removing the need for a function to be visited twice for the same thing. What this methodology means is that once the estimated man-days needed for the audit of each element of the Corporate Risk Profile have been entered into the matrix a certain element of audit time has already been assigned to other areas of the portfolio.
To enter data, click on the Entity concerned; this brings up the following screen:
Clicking on "Edit" makes the screen “live” and allows data about how many man-days are to be spent in the various types of work to be entered. The full list of Corporate Risks is shown and can be scrolled through using the slider on the right, the man-days being entered in the relevant boxes. In some cases, the Entity in question will have no relevance to the Corporate Risk in question, in this case, enter 0 or leave blank; each cell accommodates 3 digits with no decimals allowed. Once all the data for this Entity is complete, click "update" in the toolbar at the top of the screen and the record will be saved. Click on "Internal Audit Portfolio" in the same toolbar to go back up to the main Planning screen. Like all of the other screens in the system, clicking on a column heading will allow the data in that column to be sorted in ascending or descending order.
The “Audit History log” will retrieve the number of Traditional Audit work, Additional Entity man-days, Corporate risks man-days and total man-days that were planned for the entity’s during the last three audits as shown in the following screen:
Once we are done with planning the number of days needed to complete the audit for each entity you would note that the system will present the following data at the bottom of the Internal Audit Portfolio screen:
-Planned Working days; This represents the total number of days that are planned for all entities within the portfolio.
-Available team working days; This represents the total number of available working days for the Internal Audit team after deducting the vacations and holidays.
-Surplus/Shortage Working days: The system compares the planned working days against the available team working days and highlights if there are any surplus or shortage.
In accordance with the above two possible situations pertain here:
1.The audit portfolio is small and all elements can be covered in sufficient detail each year (i.e. there is a surplus in the working days).
2.The portfolio is large and so needs to be spread over an “audit cycle” of more than 12 months (i.e. there is a shortage in the working days).
The audit portfolio is small and all elements can be covered in sufficient detail each year. In this situation, a detailed Audit Planning model is not required; each element of the portfolio can be audited based on convenience to the auditor and auditee. In reality, this type of situation is very rare.
The portfolio is large and so needs to be spread over an “audit cycle” of more than 12 months. Evidently, if everything cannot be audited in the coming 12 months then, all other things being equal, the elements of the portfolio considered to be the riskiest need to be done in preference to other areas. Clearly then some method of determining "riskiness" is needed. This is done using the Control Env Scoring section: this is the third of the headings in the toolbar at the top of the screen.
As stated above, some of the data needed to perform a risk rating for an element of the portfolio is derived from data captured about the control environment of elements of the Internal Audit portfolio. This data is captured and analysed here; click on the tab to bring up this screen:
The left-hand column is populated from the individual entities in the database.
The next 4 columns, “Target Score”, “Working Score”, “Actual Score” and "IA Actual Score" are the scores from the matrices for the relevant Entity. The "Gap Tolerance %”, the "SA Gap%" and the "IA Gap %" are also taken straight from the Entity screen for each Entity; these gaps have been explained in the Entity section of the manual.
The user has an option to select whether to use the SA (Self-Assessment) or IA (Internal Audit) GAP in determining the score for the Control Environment. The system will outline the control environment score that will be assigned for each entity in case the SA or IA GAP were selected through the SA Control Env score column or IA Control Env score column. The assigned scores represent the following; 1=Strong, 2= Medium and 3= Weak.
To make the selection between using the SA or IA GAP click on the "Edit" tab on the toolbar at the top of the screen to make the screen “live”, you have two options now:
1. To either apply the selected GAP on all entities by using the “Apply for all Entities” functionality.
2. To select the preferred GAP to be used for each entity individually by choosing the SA or IA gap from the drop-down list available in the “Reflect on Risk Evaluation” Column.
