Selecting Audits To Be Executed
HOPEX Internal Audit provides the audit director with decisional help in selecting audits to be executed.
A report enables evaluation of coverage of risks, processes and entities in the audit process. You can sort audits according to certain criteria, in order to:
• view past audits
• find audits planned but not finally executed
You can also access:
• A risk assurance dashboard which gives an overview of your enterprise risks, and which enables you to prioritize risks to be audited.
• A report of past audit expenses
Viewing the audit coverage report
HOPEX enables description of entities, risks and processes. It is often necessary to audit these regularly.
A report provides information on the number of audits executed on each entity, risk or process between two specified dates. It indicates elements that need to be audited.
The audit director can access this report.
To access this report:
1. In Audit > Decisional Reports, click Audit Coverage.
2. In the edit window, select a begin date and end date.
3. Select the object type, depending on whether you want to study coverage of risks, processes or entities.
4. If required, select the score obtained by the audit or its status.
5. Refresh the report by clicking the Refresh button 
at the bottom of the report.
at the bottom of the report.For each audited object (below, processes), the report presents:
• The number of audits executed
• The name of the last audit
• The effective end date of the audit or its state if the audit is in progress
• The score of the audit.
The audits that appear in the report are those that have at least been publishes.
Objects covered by an audit are those connected to the audit Scope. See Audit scope.
For risks covered by an audit, we must also define the type of risk to which they belong in order that they appear in the report. In this report risks are classified by risk type. These types of risk are defined by the administrator in the audit environment.
Consulting audits history
Consulting the history of audits can simplify your choice of audits to be executed.
HOPEX Internal Audit can help you to find:
• past audits
• audits that have not been executed.
Past audits
In the list of audits of an audit plan, you can consult the evaluation of the audit that has been made by the lead auditor.
You can sort audits based on this criterion, allowing you to create audits on appropriate entities, risks and processes.
To group audits by evaluation:
1. In menu Audit > Preparation > Audit Plans, select the audit plan that interests you and click the Properties button.
Audit plan properties appear.
2. Click Audits.
The list of audits making up the audit plan appears.
3. Click the "Evaluation" column title.
Audits are then sorted by this criterion.
An arrow associated with the column enables ascending or descending sort order.
In menu Audit > Preparation > Audit Plans > All Audits, you can also show groupings to obtain the obtain the required information.Audits not executed
Audits can remain in "Potential", or even "Validated" or "Published" status never to be executed, due other audits being of higher priority.
Audits published or in progress can also be canceled via the workflow.
Grouping audits by status enables identification of audits that must be recreated on a subject.
To find audits of a past audit plan that were not executed:
1. In menu Audit > Preparation > Audit Plans, select the audit plan that interests you and click the Properties button.
Audit plan properties appear.
2. Click Audits.
The list of audits making up the audit plan appears.
3. Click the "Status" column title.
Audits are then sorted by this criterion.
An arrow associated with the column enables ascending or descending sort order.
Audit evaluation and status are defined in audit properties. For more details, see Defining Audit Properties.
Viewing previous test expenses
A report allows you to view expenses of previous audits.
To access this report:
1. Click Decisional Reports > Expenses Report.
2. (Mandatory) Select a Plan.
3. (Optional) Specify parameter values that interest you from among:
• audits
• expenses categories
• auditors
If you do not select a value for audits/categories/auditors, all audits/categories/auditors of the plan are taken into account.Risk Assurance Dashboard
As an auditor, you require an overview of the risks of your enterprise to better prioritize the risks to be audited during your next audit.
A dashboard allows you to provide a more focused Risk Assurance report to your board. With a dashboard, you can detect inconsistencies between risk assessments, control assessments and incident impacts.
This report is available to the Auditor, the Auditor Director and the Audit Functional Administrator.Accessing the risk assurance dashboard
To create this report:
4. In the audit desktop, click Decisional Reports > Risk Assurance Dashboard.
5. Click New.
6. In the dialog box that opens click Connect to specify a list of risks.
Report content
The columns displayed are as follows:
• Risk
• Inherent Risk (gross risk): risk assessments return an aggregated inherent risk
The inherent (or gross) risk indicates the risk to which the organization is exposed in the absence of measures taken to modify the occurrence likelihood or impact of this risk. This is the result of multiplying impact value and probability value before taking account of risk prevention or reduction measures.• Risk Control Level: represents the level of confidence in risk mitigation
• Net risk
The residual (or net) risk indicates the risk to which the organization remains exposed after management has processed the risk. is the difference between the Inherent Risk and the Control Level.• Target risk: represents the organization's risk appetite
The inherent (or gross) risk indicates the risk to which the organization is exposed in the absence of measures taken to modify the occurrence likelihood or impact of this risk. This is the result of multiplying impact value and probability value before taking account of risk prevention or reduction measures.• Net Risk/Target Risk Gap: this gap allows the Audit Director to check the maturity of the second line of defense (support and transversal functions, for example, risk management and compliance)
Net risk/Target risk gap | Interpretation possible |
|---|---|
Wide gap | The maturity level of the organization with respect to risk is low. |
A wide gap between certain risks and effective prevention controls | Contradiction between 1st and 2nd line of defense |
Narrow gap for certain risks + non-existent or ineffective preventive controls | Contradiction between 1st and 2nd line of defense |
• Preventive Control
• Control Level
• Incident
• Incident Impact
Report example
