Selecting Audits To Be Executed
HOPEX Internal Audit gives the audit director decision support for selecting audits to be executed.
Viewing audit coverage
HOPEX enables description of entities, risks, process categories and processes. It is often necessary to audit these regularly.
A report provides information on the number of audits executed on each entity, risk or process between two specified dates. It indicates the objects that need to be audited. From this report you can create audits for these context objects that need to be audited.
To access the audit coverage report:
1. In the navigation bar, click Audit > Preparation > Decisional Reports.
2. In the drop-down list, select Audit Coverage.
3. In the editing window, select:
• a Begin Date
• an End Date
4. (Optional) Select an object type, depending on the coverage targeted:
• Risks
• Processes
• Entities
5. (Optional) Filter audits by Score or Status.
6. Click Refresh.
For each audited object (entities in the example below), the report presents:
• The number of audits executed
• The name of the last audit
• The effective end date of the audit or its status if the audit is in progress
• The score of the audit.

The audits that appear in the report are those that have been published.
Objects covered are those connected to the audit Scope.

For risks covered by an audit to appear in the report, you must also define the risk type to which they belong. In this report, risks are classified by risk type.
These risk types are defined by the GRC functional administrator in the GRC environment.
To create audits for the non-audited context objects:
1. Select the context objects for which you want to create an audit.
2. Click Generate Audits.
3. Select a target plan.
You can choose to create one audit for all the selected objects.
4. Click OK.
Consulting audit history
Consulting the history of audits can simplify your choice of audits to be executed. With HOPEX Internal Audit, you can:
• view past audits
• sort audits by score/assessment or find the audits that have not been executed.
Finding past audits
To access the complete audit history:

In the navigation bar, click Audit > Execution > My Activities > My Past audits.
Sorting audits by evaluation
In the list of audits of an audit plan, you can consult the evaluation of the audit that has been made by the lead auditor. You can sort audits based on this criterion, allowing you to create audits on appropriate entities, risks, process categories/processes.
To group audits by evaluation:
1. In the properties of an audit plan, select the Audits page.
2. In the list of audits of the audit plan, click the title of the Evaluation column.
Audits are then sorted by this criterion. An arrow associated with the column enables ascending or descending sort order.
Finding non-executed past audits
Audits can remain in "Potential", "Validated" or "Published" status without being executed because other audits have a higher priority.
Audits published or in progress can also be canceled via the workflow.
Grouping audits by status enables identification of audits that must be recreated on a subject.
To find non-executed audits of a past audit plan:
1. In the properties of an audit plan, select Audits.
2. In the list of audits of the audit plan, click the title of the Status column.
Audits are then sorted by this criterion.
An arrow associated with the column enables ascending or descending sort order.
Viewing previous audit expenses
A report allows you to view expenses of previous audits.
To access this report:
1. Click Audit > Preparation > Decisional Reports > Expenses Report.
2. Click New then Next.
3. Select a Plan as well as the audit(s) of interest.

If you fail to select a value for audits, all audits are taken into account.
Risk assurance Matrix
You need to have an overview of the risks of your enterprise to better prioritize the risks to be audited during your next audit.
A matrix enables you to provide a more focused Risk Assurance report to your board. It enables you to detect inconsistencies between risk assessments, control assessments and incident impacts.
To create a risk-assurance dashboard:
1. In the audit desktop, click Audit > Preparation > Decisional Reports > Risk Assurance Dashboard.
2. Click New.
3. In the dialog box that opens click Next then Connect to specify a list of risks.
4. Click OK.
The columns displayed are as follows:
• Risk
• Inherent Risk: risk assessments return an aggregated inherent risk
• Control Level: represents the level of confidence in risk mitigation
• Residual risk
• Risk appetite
• Residual risk / Risk appetite Gap: this gap allows the Audit Director to check the maturity of the second line of defense (support and transversal functions, for example, risk management and compliance)

| Value for Residual risk / Risk appetite Gap | Possible interpretation |
|---|---|
| Wide gap | The maturity level of the organization with respect to risk is low. |
| A wide gap between certain risks and effective prevention controls | Contradiction between 1st and 2nd line of defense |
| Narrow gap for certain risks + non-existent or ineffective preventive controls | Contradiction between 1st and 2nd line of defense |

• Preventive Control
• Control level
• Incident
• Incident Impact