Ted Demetral, Senior Data Analyst in Forensic Audit at Delphi Corporation, and Adam Garshell, Director of Internal Audit at Morgans Hotel Group, joined the policyIQ team to help our audience learn how to manage their audits efficiently using policyIQ.
Common issues without a tool for managing audits
Ted Demetral described the process prior to implementing policyIQ for Internal Audit at Delphi Corporation: the organization previously did not have a formal folder structure for storing workpapers, there was no formal naming convention, audit materials were decentralized and every region managed their own audit program. As such, auditors struggled to find prior audit workpapers. Delphi also did not have a consistent method for tracking approval company-wide. Then, in 2006, they implemented policyIQ…
In our January CPE session we referred the audience to previously recorded sessions and policyIQ Help pages to refresh their memories on how to customize policyIQ Page Templates for their Risk, Control and Audit documentation. This month, we focused primarily on the structure for organizing audit-related materials and the steps for most efficiently managing the audit process.
Here is a recap of the critical steps that we recommend:
Update your structure
- Create a Folder structure that houses your Audit Programs (All relevant Tests per Audit) separate from Risks and Controls.
- Ensure that these “master” Test pages contain information that is consistent from one audit to the next (security, Test Objective, Sample, Testing Steps, link to related Control).
Copy Folders with Pages and Links
- Highlight and copy appropriate Audit Program Folder with Pages and Links to set up all Test pages per Audit.
- File into appropriate “parent” folder structure (e.g., 2012 Audits).
- Alternatively, if your organization has a relatively small audit group and great confidence that you are aware of any changes to Controls and, therefore, to related Tests, then you might prefer to copy prior audit workpapers to be used in subsequent audits (as opposed to copying the master test pages that do not include detailed workpapers and test results). While Morgans Hotel Group sees revenues exceeding $225 million annually, they have a relatively small number of people updating their Risk and Control documentation and performing testing. Adam Garshell, their Director of Internal Audit, prefers this method of preparing for upcoming audits.
“Check Out To Others” in bulk
- Highlight all relevant Tests and assign pages (Check Out To Others) to Tester.
- As a part of that assignment, if you are among the reviewers and one of the Administrators of the Test page, have the pages automatically checked out to you upon completion.
Leverage Dashboard, Export
- Testers watch email and “Checked Out To Me”
- Reviewers watch email and “Awaiting My Approval”
- Reporting! Reviewers utilize Favorite Reports and Export features to make analysis and roll-up to management more efficient.
Make your audit process run more smoothly, efficiently and with greater confidence in your results.
With a configuration similar to what we’ve described here, Delphi’s Ted Demetral reported significant gains in efficiency and integrity of information in their audits. “policyIQ’s really allowed us to tailor the pages to fit our needs so as things change, we are able to adapt with it.”
With Ted’s and Adam’s help, we pulled together this list of benefits related to the implementation of policyIQ for Financial Audits:
- Consistent audit process company-wide
- Centralized access to workpapers
- Simplified administration of process
- Ability to leverage audit programs and previous audits
- Communication streamlined
- Monitoring of status nearly instantaneous
- Management and Audit Committee Reporting is simplified
A special thanks to…
…Adam Garshell and Ted Demetral for your support in developing this session and in addressing attendees’ questions. Thank you, too, to our attendees for your active participation! Here’s a peek at part of our Chat conversation:
Facilitator Comment: Related to a comment regarding moving Test pages out of the “By Process” folder and into their own folder
Customer Reply: “We have found that recommendation critical for reporting. Otherwise, items often become commingled.”
Customer Question: “How do most users control access to the Audit Programs and/or test templates (i.e., are non-auditors given access to unpublished audit documents)?”
Customer Reply: “We assign security and segregate viewing to the individual pages or workprogram templates.”
Customer Reply: “For SOX, we create groups with access to individual folders.”
Facilitator Comment: “Sometimes copying the previous audit [for re-use in current audit] is more efficient. Others require that the audit be started with completely blank templates.”
Note: Both are possible in policyIQ (re-use previous audit workpapers or start from Audit Program “master” test pages).
Customer Note: “You can never hurt anything (from previous audits or in Audit Programs). It’s always a copy.”
Customer Comment: “Every time I take one of your trainings, my whiteboard fills up with ideas. :)”
Customer Comment: “bulk changes = invaluable”
Customer Question: “We link our test templates to the related controls that management identifies each year. If you copy tests as you described, will the links remain intact?”
Facilitator Reply: “Yes – and that’s critical, you are right. When you copy the folder and pages, the 4th option on the Copy Folder feature is specifically designed to maintain those links.”
Customer Comment: “It’s also beneficial to build reports to perform bulk changes on pages across folders.”
Facilitator Response: “…that’s a great point. I typically work from Reports rather than Folders, because my reports have the columns and fields that I want to see.”
Customer Question: “Do any of the participants have any suggestions about how to use policyIQ for internal audit reports? I mean written reports for distribution to audit committees, etc.”
Customer Responses in recording: both customer responders indicate that they use policyIQ to report on information, then export the information to Excel (option within the print/export feature) to reformat and present in the desired layout for audit committee and others.
Customer Response: “We also do manual reports but we use policyIQ for our deficiency logs that are requested by external auditors and others.”