The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are adequate and operating effectively.
Normally Internal audit is risk based. Therefore, it is imperative for an audit to have visibility and access to the risk registers and related functions.
In practice the internal audit function can be summed up (see diagram below) with these items:
This form is used for system wide control of functions. The important and relevant ones are dealt with below.
Go to: GRC > Setup > Governance, Risk and Compliance parameters
Users can select rules to be used when controls are scored for effectiveness.
Dynamics 365 GRC supports ISO Audits and Internal Audits.
Select the group of users that will work with Internal Audits.
The Internal audit user group is critical. Only users in this group can interact with the forms, functions and reports of Internal audit. Reasons are obvious. Audit data is sensitive and certain data must be "ring fenced".
The user can do the following:
These rules are default for all types of audits, but D365 allows different scoring rules for every Audit type. Refer to Step 7 below.
In the example below, the top threshold for yellow indicator is set on 6 because the Expected score is 10.
Because the Expected score is 10, the bottom threshold for yellow indicator is set on 4.
Select a default Budget model for audit purposes. Thus, when planning for an audit, users will choose from the budgets in Dynamics 365, but filtered on the model selected here on the Parameters form.
Users choose which email templates to use for sending email notifications for audits to be done. This is applicable when auditors engage in an audit from the Area of compliance.
Auditors can record audit findings while performing Audit procedures and completing the Fieldwork. Two types of audit findings are support. Audit issues (less critical) and non-conformances (critical). Audit issues result in cases being created. For Audit issues (cases) the following setups are needed:
Remember to setup a Case category of type Audit to use when recording an audit issue.
Go to: GRC > Governance > Setup for governance > Case categories
By selecting roles for the Case category type security, only users with these roles assigned to them, will have the privilege to create a New contract request/Request for contract review.
Go to: Organization administration > Setup > Cases > Case category type security
Dynamics 365 GRC aids auditing by supporting a risk-based approach. For this, users must define Risk categories, and in particular, Inherent risk values. these are used on auditable entitites; audit universe and in particular on the RCM. See Step 19.
Go to: GRC > Risk > Setup for risks > Risk configuration
This form contains the Control effectiveness. These values are used as lookups on the Auditable entities.
Go to: GRC > Risk > Setup for risks > Control status and effectiveness
When planning an audit, auditors might want to achieve a specific goal. A lookup to the Goals form exist on the header section of the Audit universe. the records being used is from the Goals base table.
Go to: HR > Performance > Goals
Go to: GRC > Performance > Setup for performance > Goal category
A Goal category is selectable when the Audit scope, goal and rationale (SGR) are specified - on the Audit
Go to: GRC > Internal audit > Setup for internal audits > Audit committee
Users must define types of audits. This is imperative as the type of audit will guide D365 GRC to add or remove functionality. In specific internal audit functions differ from compliance type (ISO etc.) audits.
Go to: GRC > Internal audit > Setup for internal audit > Audit type
- If a team is not selected here, individual Auditable entity clause lines cannot be assigned to a Planned user to audit
- If no scoring method is specified on the Audit type, the scoring method specified on the Parameters will be used
- These values default to the scope of the Audit universe
Audit procedures are the techniques, processes, and methods that auditors use to obtain reliable audit evidence. We use checklists created form a Job plan of type Audit. Audit procedures are performed in order to test financial statement assertions. Therefore, the first step in explaining an audit procedure is to identify the assertion that needs to be tested.
A brief explanation of the various assertions is as follows:
Completeness - This means that all transactions have been recorded in the financial statements, i.e. all assets, liabilities, equity interests (capital and reserves) and other disclosures, have been included in the financial statements.
Occurrence - This assertion means that transactions and events and other matters that have been recorded, actually took place, and relate to this organisation.
Valuation and allocation - This means that all items have been included in the financial statements at appropriate amounts according to company policy and the relevant financial reporting framework. Furthermore, any allocations or valuation adjustments required (like impairment) have been made and financial and other information is disclosed fairly and at appropriate amounts.
Classification and understandability - Financial information is appropriately presented and disclosed, and disclosures are clearly expressed so as to make them understandable to the users. For this, the disclosures should use simple language and state matters clearly and concisely.
Accuracy - Accuracy means that amounts and other data relating to transactions and events have been recorded at the correct amounts, i.e. at the amounts appearing in the source documents.
Rights and obligations - This means that the entity has a right to its assets, i.e. it is free to use or dispose of the assets as it sees fit. Furthermore, the entity is obliged to pay off the liabilities that are shown in the statement of financial position.
Existence - This means that assets, liabilities and equity interests (capital and reserves) are physically present/belong to the entity on the reporting date.
Cut-off - This means that transactions and events have been recorded in the correct accounting period. For example, if goods are delivered prior to year end, they are included in the cost of goods sold, not inventory.
Go to: GRC > Setup > Job plan
Go to: GRC > Internal audit > Periodic > Audit procedures. These will be covered below in Step 21.
On the Audit procedute list page, move the Show closed slider to Yes if you want to see all the checklists including the closed records
The Audit procedure statusses are:
When the status of a Working paper is set to Void, the Audit procedure status will also be changed to Void
Auditable entities are in essence the business functions to be audited. They contain multiple controls to be checked for effectiveness and adequacy.
Auditable entity groups, group individual Auditable entities together and carry rules for time-based audits, i.e., scheduling of future audits.
Go to: GRC > Internal audit > Setup for internal audit > Auditable entity group
General fast tab: Some general information is contained in this section of the form. Accounting area and related business process is of particular importance.
To create a new Auditable entity:
Go to: GRC > Internal audit > Auditable entity
Expand the Risk Fast tab
Expand the Coverage Fast tab
Expand the Scheduling Fast tab
Expand the Controls Fast tab
OR
For the controls to be on the dropdown list, make sure of the following:
- The Accounting area on the Control galaxy and on the Auditable entity under the Generel Fast tab, has to be the same
- The Effective date on the Control galaxy cannot be earlier than today's date
- The Active slider on the Control galaxy has to be set to Yes
OR
Users can calculate the control design and effectiveness for the Auditable entity by clicking on the button on the Action pane. This will take the individual control lines and aggregate the Effectiveness.
Expand the RACI Fast tab
- To send an email to workers selected under the RACI field group, click on the email icon next to the relevant name
- The selected worker must have a primary email address
Once the inherent risk and control environment ratings are calculated (on the Auditable Entity) an Audit Needs Assessment ('ANA') can be determined. The ANA outcomes will be used to determine the areas of focus for internal audit and provide the basis for the risk-based audit plan. The setup form below contains ANA ratings.
The ANA is executed on the lines (Auditbale entity) section of the Audit univers.
Go to:GRC > Internal audit > Setup for internal audit > Audit need assessment
"Audit clients” normally require a written report with related audit findings. Management of "Audit clients” reply to the Audit report for correcting or improving the finding situation. The auditor can then respond to management’s improvement plan. All collaborations are included in the final audit report that is distributed to the Board of Directors and the external auditors.
The records in this form will be used in creating an Audit response checklist. See Step 18 below for a typical flow of the audit process.
Go to: GRC > Internal audit > Setup for internal audits > Audit response
As was noted in the above step, audit reports must be generated. To help auditors in the generation of a report, Dynamics 365 GRC requires a baseline or template. Follow the steps below to create a template.
Go to: GRC > Internal audit > Audit reports
In short these are used to create user spesific text for Audit and Audit file declarations.
Go to: GRC > Setup > GRC actions and questions
The Question text is the text that is displayed on the Declaration of interest dialogue on the Audit file.
A question must have an Answer type:
The response to the question is set by the Negative outcome setting:
Dynamics 365 GRC supports Audit, Risk Management and Compliance processes without forcing users into a particular methodology or workflow. The Internal audit module is explained using the illustration below.
For the purpose of this document, it will start with controls and then move to associated risks. Then taking into account auditable entitites; the audit universe will be explored.
What is a "Control galaxy"? It is a list of internal controls which are basically processes used in an enterprise to ensure the integrity of reporting.
Controls help enterprises to comply with laws and regulations, and prevent fraud. They also can help to improve operational efficiency by ensuring that budgets are adhered to, policies are followed, and risks are mitigated.
The records in this form will be used on the Auditable entity, under the Controls Fast tab.
Go to: GRC > Risk > Setup for risks > Process groups
Go to: GRC > Internal audit > Control galaxy
Risks are things that threaten the integrity of a subprocess. For example, unauthorized changes to vendors, and bank accounts that do not reconcile. There are several fields that categorize risks to help with this.
Risks identified by users should be recorded in the Dynamics 365 GRC risk register.
Controls exist to mitigate these identified business risks. These controls can be created manually on the risk register, or by adding controls from the Control galaxy. On the control galaxy, controls can be flagged as of control type Manual process, Key control, Fraud detecting, or Computerized.
Go to: GRC > Risk > Registers > All enterprise risk registers
By using the “risk register type” (in this example it is "Economic") users can group risks together. It is also useful to use the risk registers on the Control matrix (RCM). Users can:
The Audit universe represents a range of potential audit activities to be carried out by internal auditors. It consists of several auditable entities (refer back to Step 9 above), controls, processes, procedures and systems.
Its starts with a basic definition (on the header) and other identification fields. The definition is expanded with RACI details, risk rating, scope, scheduling rules and documents (to be used in Audit files).
The detail follows as “lines” and “sub-lines”. The lines inside the Auditable universe list the Auditable entities, and are followed by the "sub-lines" which are the Controls per Auditable entity to be audited.
Go to: GRC > Internal audit > Audit universe
The Last audited date field will be populated with the end date entered on the Internal audit project, and the project stage is set to finished. The last posted scores per Auditable entity control is also visable on the lines.
A responsibility assignment matrix describes the participation by various roles in completing tasks or deliverables for an audit.
(On the All audit schedules list page, this person is the Owner)
- To send an email to workers selected under the RACI field group, click on the email icon next to the relevant name
- The selected worker must have a primary email address
The overall audit strategy includes consideration of planned audit responses to specific risks through the development of the audit plan. The overall audit strategy also helps the auditor determine the resources required for the engagement, including engagement staffing. Therefore, at a minimum the following matters should be included in the overall audit strategy:
Risk rating:
- Using all risks (per control found inside every Auditable entity), Dynamics 365 will calculate an average inherent risk for the current universe and display it as Inherent risk %
- Residual risk % is captured manually
- The Strategic objective can be selected from the dropdown list (refer to Step 5 above)
The Document pack relevant to the Audit universe can be selected from the dropdown list.
For more information on how documents and document packs are created in Dynamics 365, please refer to the GRC wiki page for Other documents
This is an indication of the level of coverage of the previous audit that was done on the selected auditable entity
Three years’ coverage can be entered as well as the worker who did the scoring
The department manager will be displayed when a Department being audited is selected. The email address linked to this manager will be used when sending out the Audit notification.
Users can also choose an “audit budget”. This will show the total hours and cost associated with doing the budget. Remember that the lookup here is filtered based on the value in the Dynamics 365 GRC parameters form.
- Only users that belong to the Audit team that was selected on the Audit universe, will be on the Planned auditor dropdown list. If no Team was selected on the Audit universe, the system will take the Team that is linked to the Audit type
- A Bulk change can be made to all the lines by clicking on the button in the button strip and entering the required Score and Heading values on the dialog form
- The Expected score has to be entered before an audit is created otherwise scoring cannot be done on the Fieldwork form
To adjust/update the manual risk rating on the Audit universe
Based on the Audit needs assessment, Dynamics 365 will update the need assessment from the auditable entities into the Audit universe. Thus, effectively proposing to the user which area needs focused audit attention.
Clicking on the Manual audit button creates a manual/ad-hoc schedule on the form. It also creates an audit and an audit file.
- On engagement, Dynamics 365 will create a new audit file following the numbering sequence rules (found on the parameters form) ensuring a complete set with a unique identifier.
- This audit file will include a reference to the “manually created schedule”, links to the document pack from the Audit universe, and will automatically add applicable internal audit working papers from the field work.
- Also note that users can add any type of additional documents to the selected audit file via the attachment button.
- Finally, Dynamics 365 will propose a name (which is editable) based on the Audit universe and the Auditable entities. This proposal includes a semi colon after the Audit universe, and commas after each auditable entity.
A Manual audit can also be created by clicking on the Create audit button on the Action pane of the Audit universe list page.
By completing the dialog, a manual/ad-hoc schedule is created on the form. It also creates an audit and an audit file.
The Schedule audits button gives users access to the periodic scheduling form to allow them to schedule future audits.
If the Scheduling period on the Audit universe is different to that on the Auditable entity, a yellow line with a warning message will appear across the screen.
The system will use the scheduling period as set up on the Audit universe.
The purpose of an internal audit is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively. It starts with having a budget.
Go to: GRC > Internal audit > All audit budget entries
Go to: GRC > Internal audit > Periodic > Audit planning
To print the audit plan report, go to: GRC > Internal audits > Reports and Inquiries > Audit three year plan report
Enterprises require scheduled audits to be created based on user specific frequency rules. In addition, automation (recurring and batch driven) of scheduling is also needed. For this to work users must have scheduling rules defined on the Compliance group form.
Both these requirements are supported in Dynamics 365 GRC.
Go to: GRC > Internal audit > Audit universe
- The Scheduling period frequency for each Auditable entity will be displayed (it can be changed)
- The last date when a schedule for this Auditable entity was run is displayed, as well as the next scheduled start date.
Go to: GRC > Create schedules
Go to: GRC > Internal audit > Schedules > All audit schedules
(The Owner is selected on the Audit universe as the Employee responsible in the RACI group under the General Fast tab)
The status is important:
- Only Approved records can be used and will allow users to enter field work. When the status is Approved, the Created, Scheduled and Approved buttons will be unavailable to the user.
- When the status is Created, the Created and Scheduled buttons will be unavailable to the user, and the record cannot be maintained in the Audit file.
Also please note that Dynamics 365 will propose a Name and ask for a Description for the new Audit file to be created.
Buttons in the Work group on the Action pane:
On the Scheduled capacity load form:
If the Skip zero check box is NOT ticked, details for all the audits will be displayed – those without budgeted hours as well
The word audit is derived from a Latin word "audire" which means "to hear". During medieval times when manual book-keeping was prevalent, auditors in Britain used to hear the accounts read out for them and checked that the organization’s personnel were not negligent or fraudulent.
An Audit is an official examination/inspection of an individual or organization's accounts, controls, and processes, typically by an independent body. Any subject matter may be audited. Audits aim to provide objective 3rd party assurance to various stakeholders that the subject matter is free from material misstatement.
A new Internal audit can be created from the Internal audit workspace by clicking on the New internal audit tile
OR a new Internal audit can be created by clicking on the New button on the All internal audits list page
Go to: GRC > Internal audit > All internal audits
Audits can also be created:
- Manually: From the Area of compliance (Audit universe) by clicking the Functions button and selecting the Engage option from the dropdown list
- Automatically: When an audit schedule has a status of created, it can be approved in order to create an audit
Go to: GRC > Internal audit > All internal audits
The Checklist number and the created Checklist lines will be displayed under the Audit initiation Index tab
Do feedback by clicking on the Feedback button
The Document pack selected on creation of the Audit universe will be displayed, as well as the list of documents in the document pack
Before clicking the Generate audit report button, make sure that the relevant clauses on the baseline audit report have the Copy tick on
All the open and reportable Non-conformances on the Internal audit will be copied to the References index tab on the Internal audit report when users click the Generate audit report in the action pane.
When the user clicks on the Agree button, this user’s name will populate the Project manager field in the Responsible group under the General FastTab, and the Declaration done slider will be moved to Yes.
Refer to Step 19 below. Risk and control matrix ('RCM')
Refer to the page on Meeting management for details on meetings
If no scoring method is specified on the Audit type, the scoring method specified on the Parameters will be used
For more detail on the Fieldwork form, refer to Step 22 below
Go to: GRC > Internal audit > Periodic > Fieldwork
Based on the specified budget in the Scope of the audit file, Dynamics 365 will calculate the % utilized for the particular audit by considering the actual hours against the budgeted hours
Go to: GRC > Internal audit > Audit reports to view the created report
The Audit engagement letter documents and confirms the auditor's acceptance of the appointment, the objective and scope of the audit, the extent of the auditor's responsibilities to the client and the form of any reports.
The Risk Control Matrix ('RCM') is an essential element of the Internal Audit module. A RCM enables auditors to perform a "data-driven" analysis for a given process, IT system, control or event. This analysis is focused on determining objectives, identifying related risks, documenting mitigating controls and loading supporting test information that validates the adequacy and effectiveness of controls.
Inside Dynamics 365 GRC the RCM is key to the execution of an audit. Here audit managers can create sample, audit procedures and more. Auditors can accepts the controls to be audited (ones listed on the Audit universe that created this audit RCM) or add more controls here on the RCM.
- The Missing slider will automatically be on Yes for newly added controls
- Once controls have beenn saved they cannot be deleted
The risk rating is done per selected control on the left-hand side of the screen
A record will be added on the Risk register line under the Associations Fast tab
The Risk type when doing a risk assessment, is selected on the GRC parameters under the Compliance and audit tab
The risk registers and lines that are created can be found under GRC > Risk > Registers > All enterprise risk registers
All risk assessments for internal audits can be viewed on the Risk assessments for internal audit worksheet.
Go to: GRC > Internal audit > Reports and Inquiries > Risk assessments for internal audit
Audit files is a crucial element of an Audit (project). It groups together related audit activitites. Every applicable internal control and Working paper is listed in the Audit file.
Audit files have a header with lines. Working papers and Audit findings are found on the header. On “posting” of audit test results, users choose which audit file to update with test results; posted as scores to the lines.
Go to: GRC > Internal audit > All internal audit files
OR
To view the Audit files linked to the Audit:
There are three methods to create an Audit file in Dynamics 365 GRC:
Users can also attach any additional documents, including scanned invoices, delivery notes, MS Outlook emails, photos etc. using the attachment icon.
The Audit file has a lifecycle with a number of stages that it cycles through. Each stage is represented by a status which is changed on the General FastTab.
The statuses of the Audit file are as follows:
Not started |
The Audit has been approved but has not been started. This is the default status and cannot move to another status unless a Declaration of interest was done. Please note that the Audit file is locked for editing. |
Planning |
The Audit is being planned. The budget for an audit can be changed in the this cycle |
Started |
Fieldwork commences |
Completed |
Fieldwork has been completed |
Draft report |
A Draft Audit report is generated |
Final report |
A Final Audit report has been published |
Closed |
No more changes can be made to the Audit file |
Archived |
The Audit file is archived |
When the user clicks on the Declaration of interest button on the Button strip, this user’s name will populate the Preparer field in the Administration group under the General Fast tab, and the Declaration done slider will be on Yes. The audit file will now be open and ready to receive working papers.
- To send an email to users selected under Administration, click on the email icon next to the relevant name
- The selected worker must have a primary email address
Details of the Audit report that will be influenced by work done on the audit file, are displayed
The Document pack is passed on from the Audit universe
This is the “heart and soul” of the Audit file. It lists all system generated working papers grouped by an Auditable entity, and also lists the applicable Audit procedures. Refer to step 21 for detail on Working papers.
When fieldwork is done, and findings (non-conformances/issues) are created, the details are displayed under these two Fast tabs on the Audit file.
A Quality Assurance and Improvement Program (QAIP) enables an evaluation of the internal audit activity's conformance with the Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing (Standards) and an evaluation of whether internal auditors apply the Code of Ethics.
Comments are displayed under the status in which the Audit file was when the comment was added
Select the workers who Performed the audit tasks, as well as the workers who Reviewed the tasks
The lines view provides a list of all the posted scores (from the Fieldwork form) of the inidividual control adequacy.
Audit working papers are used to document the information gathered during an audit. They provide evidence that sufficient information was obtained by an auditor to support his or her opinion regarding the underlying financial statements. Inside Dynamics 365 GRC auditors can view and use working papers by going to the Audit and clicking on View working papers or by opening the Audit file for a selected audit.
Go to: GRC > Internal audit > Internal Audit files
In the Button strip, click on the Print working paper button
Note that the information printed on the working paper is derived from control description on the RCM and auditing clerks filling in fields on the Audit procedure lines (refer to Step 21.1.4)
If the working paper status = Void (cancelled), Voided will be printed in red at the top of the report
Click on the Export to Microsoft Excel button to export the grid to Excel
The status of each Working paper can be changed by clicking on the Working paper status button
When a working paper status changes to "Void" all lines in the underlying audit procedure will also be cancelled.
Audit control testing is done here. Audit clerks will have received a list of Audit procedures (per control) to execute. These are created by the Audit manager via the RCM.
Click on the Feedback button in the Button strip.
The Checklist feedback (individual audit procedures steps) form will open.
Click on the Comment button in the button strip to add comments on the selected checklist line
By clicking on the Complete all button in the button strip, all the checklist lines can be marked as Completed and a control effectiveness score given
Use Create audit finding button in the button strip, to create a non-conformance
The Non conformance number will be dislayed under the Checklist Index tab, Result field group
Go to: GRC > Internal audit > Findings > Non conformances
Go to: GRC > Internal audit > All internal audits
All the same steps and actions as per above is applicable when working on an audit procedure via the working papers of a specific audit.
Internal auditors must identify, analyze, evaluate and document sufficient information to achieve the engagement’s objectives. This includes assisting the organization in maintaining effective controls by evaluating their effectiveness and efficiency, and by promoting continuous improvement.
Engagement findings and recommendations emerge through a process of comparing “what should be” with “what is”. Whether or not there is a difference, the internal auditor now has a foundation on which to build the report.
When conditions meet the criteria, applicable test programs will be marked as “Effective”, and no findings will be raised. However, in cases where the conditions do not meet the criteria, internal audit findings will be raised, and any issues to be reported verbally based on their materiality, will be taken into consideration.
Internal audit findings will be raised as and when the individual test programs are completed and reviewed by the audit manager. This is done in two ways; Dynamics 365 can log a formal (more serious) non-conformance, or just log an issue via the Audit register.
Audit managers would most likely use this Fieldwork form to review audit clerks working papers and rate internal controls.
Go to: GRC > Internal audit > Periodic > Fieldwork
OR
Go to: GRC > Internal audit > All internal audits and click on Fieldwork button inside the Execution tab.
The user can choose which columns to see in the left-hand side grid by clicking on the Show button in the Action pane and moving the relevant sliders to Yes
The checklists that are displayed under the Audit procedures Fast tab, are per selected control.
Feedback can be done on the selected checklist by clicking on the Feedback button.
For future use
There are three Index tabs under the Findings Fast tab for capturing the following details per control:
After an audit team collects the facts and completes its investigation, it is time to determine the results of the investigation. For audits, the results are called audit findings.
The first step is to evaluate the evidence against the audit criteria. The evidence is the factual information collected or observed during the performance of the audit. The audit criteria are the standards, procedures, regulations or objectives which the organization was audited against. The criteria represent requirements the organization must comply with.
Using the Findings button on the Fieldwork form, users can choose to
- Raise a non-conformance inside Dynamics or,
- Record an issue in the Internal audit register if the outcome is less critical and of lesser significance
Note that these reported outcomes are counted and recorded as findings
Go to: GRC > Internal audit > Findings > Non-conformances
A quality assurance and improvement plan should be designed to compare the audit activity’s conformance with applicable Audit standards and an evaluation of whether internal auditors apply the Code of Ethics. The plan also assesses the effectiveness of the audit activity and identifies opportunities for improvement.
Future releases will see dedicated audit test (from the RCM above) extended into the field work form and test results posted to the audit files.
Posting does three things:
Fieldwork cannot be posted if an Auditable entity has not been selected.
Audit working papers are the documents which record all audit evidence obtained during internal auditing, information systems auditing, financial audits and investigations. Audit working papers are used to support the audit work done in order to provide assurance that the audit was performed in accordance with the relevant auditing standards.
Working papers are important because they:
To print the Internal audit population and sampling working paper:
Go to: GRC > Internal audits
Go to: GRC > Internal audits > Findings > Internal audit issue register
Go to: GRC > Internal audits > Findings > Non conformances
Go to: GRC > Internal audit > Findings > Non-conformances
A blue line will appear confirming that a Planned action has been created for the follow up
Findings are created from two sources:
- Audit procedures feedback form (Refer to Step 21.1.4)
- Fieldwork form (Refer to Step 22)
The auditor's report is a document containing the auditor's opinion on whether a company's statements comply with complaince obligations (e.g. IFRS, GAAP) and are free from material misstatement.
Go to the Audit report, under the Content Fast tab, open the References Index tab to see the lines created with Reportable findings
When the status of the Internal audit report is changed to Approved, the status of the referenced findings will also be changed to Approved
The auditor can select an audit response type from the dropdown list. The response is linked to a job plan (checklist) that can be used for detail step by step actions to be taken.
Another audit can be selected as cross reference.
Internal audit reports provide a formal means of communicating to management the results arising from audits undertaken. Such reports should include audit findings, recommendations and conclusions relating to the adequacy of and compliance with the system of internal control and the efficiency, effectiveness, and economy of operations in the area covered by the audit. From a completeness point of view; management response to the audit findings should preferably also be included in the report.
Reports:
Inquiries:
Go to: GRC > Internal audit > Reports and Inquiries > Audit schedule report
Go to: GRC > Internal audit > Reports and Inquiries > Risk control matrix report
Go to: GRC > Internal audit > Reports and Inquiries > Risk assessments for internal audit
Go to: GRC > Internal audit > Reports and Inquiries > Detailed findings and action plans report
Go to: GRC > Internal audit > Reports and Inquiries > Findings age analysis report
Go to: GRC > Internal audit > Reports and Inquiries > Executive committee report
GRC > Internal audit > Reports and Inquiries > Executive committee report
The Executive committee report dialog allows the user to print three reports (one at a time)
Select the parameters and then click OK
Go to: GRC > Internal audit > Reports and Inquiries > Audit universe inquiry
Go to: GRC > Internal audit > Reports and Inquiries > Audit plan delivery
Go to: GRC > Internal audit > Reports and inquiries > Internal audit findings
A dedicated workspace is given to Internal Audit. Future release will see more features being added.
Go to: GRC > All planned Governance, Risk and Compliance actions