Server Error
Server Error
Server Error
Server Error
Server Error
Server Error

Internal Controls

Record your Internal Controls and their Audit records

  • Episodes7
  • Duration38m 2s
  • LanguagesEN
Episode 7

Audits and Maintenance Tasks

How to review items on the module

Introduction

This episode is only relevant if you have defined Audits or/and Maintenance tasks in your Internal Controls.

Testing internal controls systematically is challenging and expensive so if you believe your organisation is not ready yet it is best to avoid them until you feel comfortable with defining all your problems and associating solutions by title to each one of them.

Audit Records Details

It is important to understand the fields a standard audit record has and what they mean before starting to work with them. Under the "Audit" tab you will find all your audits.  The fields on a standard Audit are:

  • Audit Methodology: this is inherited from whatever was defined on the parent control but can be modified if you want.
  • Audit Success Criteria: this is inherited from whatever was defined on the parent control, the same as above
  • Audit Result: Fail or Passed
  • Conclusion: why the control has passed or failed
  • Auditor: this is inherited from whatever was defined on the parent control but can be modified if you want.
  • Evidence Owner: this is inherited from whatever was defined on the parent control but can be modified if you want.
  • Planned Date: the date you planned for the testing to begin. This is inherited from the parent control
  • Start Date: the date when testing
  • End Date: when you finished testing actually began
  • Evidence:  evidence for the Internal Control can be uploaded.  This will end up as "Comments & Attachments" of the audit records.

The following fields will have to be completed on every Audit you perform. For those fields that are inherited from the parent Internal Control, remember that changes done on the parent control will be reflected on all incomplete, future audit records.

Default Audits

After saving a control, if you defined audits and/or maintenance tasks, eramba will create audit records for the current and next year based on the dates you defined.

In our example, we created an Internal Control with the following Audit settings:

When we save the control we get the following:

  • 6 audit records (3 for the current year and another 3 for next year) and
  • the status of the control switched to "Last Audit Expired"

Clicking the dropdown icon next to the audit count (shown as 6 in the example image above) will display the Audit tab with a filter that will show the related audit records. The example shows a control created on the 11th of November. Audits with a "Planned Date" earlier than that date show as "Expired" because they are "Incomplete" and in the past. This is normal when creating new controls.

You can edit these expired audits and mark them as "Passed" with a description that explains these are new audits from a new control.  Alternatively, you can remove these audit records. We prefer editing them.

Comments & Attachments

Each audit/maintenance record has the option to include Comments and Attachments.

When you or the person giving you feedback click there they can write whatever they want, for example, "We are collecting the audit evidence, we will let you know". You can then click there as well and reply back. In the end, a trail of conversations will be logged where "who", "wrote what" and "when" will be evident.

After all discussions take place you can then complete the audit/maintenance. Is of course important to remind you that accessing those menus is completely controlled by Access Lists, so you can remove the "Remove" function, etc to those that provide you with feedback.

Audit Process

As mentioned before the Audit/Maintenance process is typically an interaction between two roles, the "Audit Owner" and the "Audit Evidence Owner". This interaction typically works in two ways:

  • Offline: the interactions take place between the two roles over email or in person and once they agree to something, the "Audit Owner" updates the audit/maintenance and attaches as evidence whatever discussion took place.
  • Online: both parties might talk offline, but their feedback goes into eramba as "Comments & Attachments" (in the offline mode only the GRC Contact uploads content to "Comments & Attachments").

The offline mode:

The online mode:

Completing Audit Records

To complete an audit record click on the item menu and then Edit. You simply have to complete the form following the instructions provided there.

When uploading evidence the files attached appear in the "Comments & Attachments" option for that audit. If you need to upload further evidence you can go directly to the "Comments & Attachments" option instead of editing the Audit.

Adding Audit Records

If you want to add an Audit record to an Internal Control, outside the ones that the system created based on the dates you provided to the Internal Control, then you need to go to the Audit tab and click on Actions / Add or use CSV templates (see CSV Imports documentation for details)

Dealing with Failed Audits

If you tag an audit as failed the record will be tagged as such until the next audit record (based on its planned date) will be tested. If you want to re-test a failed audit the best way to record this is to create an additional audit record (see above).

Changing Audit Dates

If you decide to change your audit settings on the Control because you want to test less frequently, more frequently or on different dates simply edit the Control and change the dates and save the control.

  • If you add new dates (because you changed existing dates to other days or you added new dates) eramba will create audit records based on those dates.
  • If you removed dates eramba will not remove anything existing audit records
  • If you update the testing methodology, success criteria, auditor or evidence owner fields then eramba will update all incomplete audit records that have a planned date in the future.