Selecting Audits To Be Executed
HOPEX Internal Audit provides the audit director with decisional help in selecting audits to be executed.
Viewing audit cover
HOPEX enables description of entities, risks and processes. It is often necessary to audit these regularly.
A report provides information on the number of audits executed on each entity, risk or process between two specified dates. It indicates elements that need to be audited.
To access this report:
1. In Audit > Preparation > Decisional Reports, select Audit Coverage.
2. In the editing window, select:
• a Begin Date
• an End Date
3. (Optional) Select an object type, depending on the coverage targeted:
• Risks
• Processes
• Entities
4. (Optional) Filter audits by Score or Status.
5. Click Refresh at the bottom of the report.
For each audited object (below, processes), the report presents:
• The number of audits executed
• The name of the last audit
• The effective end date of the audit or its state if the audit is in progress
• The score of the audit.

The audits that appear in the report are those that have at least been published.
Objects covered are those connected to the audit Scope. See Audit scope.
For risks covered by an audit, you must also define the risk type to which they belong so that they appear in the report. In this report, risks are classified by risk type.

These risk types are defined by the IRM functional administrator in the IRM environment.
Consulting audit history
Consulting the history of audits can simplify your choice of audits to be executed. With HOPEX Internal Audit, you can:
• view past audits
• sort audits by score/assessment or find the audits that have not been executed.
To access complete audit history:

In the navigation menu, click My tasks > Audits, then select Past Audits in the drop-down list.
Sorting audits by evaluation
In the list of audits of an audit plan, you can consult the evaluation of the audit by the lead auditor. You can sort audits based on this criterion, allowing you to create audits on appropriate entities, risks and processes.
To group audits by evaluation:
1. In the properties of an audit plan, select the Audits page.
2. In the list of audits of the audit plan, click the title of the Evaluation column.
Audits are then sorted by this criterion. An arrow associated with the column enables ascending or descending sort order.
Finding past non-executed audits
Audits can remain in "Potential", "Validated" or "Published" status without being executed because other audits have a higher priority.
Audits published or in progress can also be canceled via the workflow.
Grouping audits by status enables identification of audits that must be recreated on a subject.
To find non-executed audits of a past audit plan:
1. In the properties of an audit plan, select Audits.
2. In the list of audits of the audit plan, click the title of the Status column.
Audits are then sorted by this criterion.
An arrow associated with the column enables ascending or descending sort order.
Viewing previous audit expenses
A report allows you to view expenses of previous audits.
To access this report:
1. Click Audit > Preparation > Decisional Reports > Expenses Report.
2. Click New then Next.
3. Select a Plan as well as the audit(s) of interest.

If you do not select a value for audits, all audits are taken into account.
Risk assurance dashboard
As an auditor, you require an overview of the risks of your enterprise to better prioritize the risks to be audited during your next audit.
A dashboard enables you to provide a more focused Risk Assurance report to your board. With a dashboard, you can detect inconsistencies between risk assessments, control assessments and incident impacts.

This report is available to the Auditor, the Auditor Director and the IRM Functional Administrator.
To create the risk assurance dashboard report:
1. In the audit desktop, click Audit > Preparation > Decisional Reports > Risk Assurance Dashboard.
2. Click New.
3. In the dialog box that opens, click Next, then Connect to specify a list of risks.
4. Click OK.
The columns displayed are as follows:
• Risk
• Inherent Risk: risk assessments return an aggregated inherent risk
• Risk Control Level: represents the level of confidence in risk mitigation
• Residual risk
• Risk appetite
• Residual risk / Risk appetite Gap: this gap allows the Audit Director to check the maturity of the second line of defense (support and transversal functions, for example, risk management and compliance)

| Value for Residual risk / Risk appetite Gap | Possible interpretation |
|---|---|
| Wide gap | The maturity level of the organization with respect to risk is low. |
| A wide gap between certain risks and effective prevention controls | Contradiction between 1st and 2nd line of defense |
| Narrow gap for certain risks + non-existent or ineffective preventive controls | Contradiction between 1st and 2nd line of defense |

• Preventive Control
• Control Level
• Incident
• Incident Impact