HOPEX Aquila EN

GRC - Internal Audit > Audit Execution > Executing Audits > Establishing Audit Findings

Establishing Audit Findings

The objective of the audit is to establish, for an organization at a given moment, findings on compliance of a system related to determined audit criteria.

Differences from these audit criteria can be detected. These differences should be recorded in audit findings.

Audit findings should accurately and honestly reflect audit activities, obstacles encountered, differing views of auditors and those audited, and any unresolved questions.

Audit findings can indicate:

• a strength (compliance)

• a weakness (non-compliance)

Audit findings are the results of assessment of the collected audit evidence against audit criteria. Audit findings can indicate either conformity or nonconformity with audit criteria or opportunities for improvement (source ISO 19011: 2011).

Creating findings

Findings are accessible from audit activities.

To create a finding:

1. Accessing your work program

2. Open your work program.

3. Right-click the activity concerned and select New > Finding.

The finding appears in the work program tree as well as in the properties of the activity.

4. In the properties of your findings you can indicate:

• the Finding Type (strength or weakness)

• Detailed Description of your finding.

• Causal analysis if findings are a weakness.

5. Click Save.

Saving audit evidence

You can connect business documents or specify an URL to illustrate your findings.

To save audit evidence:

1. In the properties page of a finding, expand the Attachments section.

2. Select one of the following tab:

• Business Documents: Drag and drop the document to the space provided.

A business document is a document whose content is independent of the HOPEX repository. This document can be MS Word, MS Powerpoint, or other files. A report (MS Word) generated on an object can become a business document.

• External Reference: specify an URL

These business documents or external references are owned by the audit of the finding. You can view them in the Documents page of the audit.

For more information, see Using Business Documents.

Connecting the finding to a risk and a control

In the finding properties, you may specify the risk or control connected to the audit activity.

To do this:

1. In the finding properties, expand the Risks and Controls section.

2. In the Risk or Control tab, click Connect.

3. Specify a risk or control among the suggested candidate objects and click Connect.