Section 4 – Business and Technical Requirements
1 Audit Structures, Procedures and Work Programmes
1.1 define different business streams and allocate audit programmes and staff to these. E.g. Performance Audit, Financial Audit, National Studies
Essential
1.2 define audit programmes which consist of a number of audit projects.
Essential
1.3 define audit projects which consist of a number of audit tasks.
Essential
1.4 define different types of audit projects and/or programmes which have different configurations (E.g. rules, workflow, authorisation or access levels). To meet the different needs of the WAO business streams (E.g. Studies Team working across audit years with different sign off requirements, to Financial Audit of Accounts or Performance Audit Compliance work)
Essential
1.5 record the results of audit tasks, details of work undertaken and linked to conclusions and audit matters arising
Essential
1.6 link multiple audit assertions to a single test and prepopulate designated fields with consistent text once approved.
Essential
audit body
1.8 create new audit tasks / projects / programmes which can be added to the library and given a pre-defined label/tag such as audit year, audit type so that they can be easily identified and found (system must be capable of allowing bilingual names – Welsh and English)
Essential
1.9 allocate audit tasks to individuals.
Essential
1.10 add labels/tags to documents, audit tasks, projects or programmes to support searching. E.g. Survey, Corporate Assessment, Improvement Study, Public Interest Review, VFM Study
Essential
1.11 central library functionality to store and manage standard audit tasks, projects and programmes. E.g. Ability to import audit tasks into an audit project from a central library.
Essential
1.12 allow a user with the appropriate level of authorisation to add audit tasks to an audit project.
Essential
1.13 define mandated audit tasks that can be deleted from a project when allocated to an audit body if approved by a user with appropriate level of authorisation and an explanation and an audit trail of approval is generated.
Desirable
1.14 define "programme" milestones linked to the completion of projects within an audit programme E.g. Planning, Issue Analysis, Fieldwork, Drawing Conclusions, Drafting, Clearance
1.15 define "project" milestones linked to the completion of a group of specified audit tasks. E.g. Planning, Issue Analysis, Fieldwork, Drawing Conclusions, Drafting Report, Clearance, Completed.
Desirable
1.16 copy and amend audit tasks / projects / programmes previously used within the central library
Desirable
1.17 automatically generate an audit project for an audit body based on the responses to a specified set of questions. E.g. A Risk assessment.
Desirable
1.18 link risks to audit tasks, conclusions and proposals for improvement
Useful
1.19 link audit matters arising to audit tasks, conclusions and proposals for improvement
Useful
1.20 allocate audit tasks based on predefined fields containing certain text or if certain pre-defined conditions have been assigned
2 Work-flow
2.1 define different work-flow processes and the levels of compliance for the different types of audit project. E.g. Audit tasks must be completed in a specified order such as project plan approved by Director before moving to the audit fieldwork.
Essential
2.2 track and manage translation requests and associated information such as cost.
Desirable
2.3 integrate work flow with the e-mail system (MS Exchange 2007) to raise alerts
Desirable
2.4 generate a unique report reference number when a report is passed to Publishing Team.
Desirable
2.5 raise risks and link these to audit tasks, conclusions, matters arising, proposals for improvement, follow up action and allocate additional audit tasks
Desirable
2.6 add publishing control information when passing a request to Publishing Team and track progress using a document status. E.g. Translation requirements, Printing requirements, draft or final version
Desirable
2.7 Publishing team to allocate Publishing tasks e.g. proofread and edit, format, etc.
Desirable
2.8 audit tasks to be completed out of order if authorised and a reason/rationale and audit trail provided e.g. date, authorisation.
3 "Enter once" information flows (especially risks)
3.1 define automated links for significant issues, such as risks to relevant predefined places in the system
Desirable
3.2 allow audit tasks to be automatically created based on responses to previous audit tasks or matters arising raised. E.g. If the answer to a test at planning is that there is a risk of fraud, then an audit task or set of audit tasks are automatically created to address those risks
Desirable
3.3 define automatic links between proposals for improvement, recommendations, good practice to relevant places in the system.
Desirable
3.4 define the automatic flow of materiality and performance materiality figures through the audit project / programme.
Useful
4 Trial balance / financial statement functionality
4.1 import or link to audit body data held in another system and automatically generate lead schedules, based on sector specific templates. If not, specify one or more solutions to satisfy the requirements of this technical specification in an equivalent manner.
Desirable
4.2 update lead schedules with journals to match audit body adjustments which show the revised figures.
5 Cluster/Group/Sector audits
5.1 group audit bodies together into different categories to support searching and reporting E.g. By sector
Essential
5.2 group categories into defined groups to support searching, reporting and drilling down. E.g. Geographical
Desirable
5.3 support linking of audit tasks, projects based upon predefined relationships and / or criteria. E.g. Link tasks / projects across years within an audited body
Desirable
6 Sign-offs, manager review and quality reviews
6.1 support multiple preparer and reviewer sign-offs (E.g. Manager, Editing, Publishing, Group Director, Auditor General for Wales).
Essential
6.2 support preparer and reviewer sign-off (including date) on audit tasks.
Essential
6.3 support preparer and reviewer sign-off (including date) on documents E.g. Regulatory Plans, Project initiation document, Reports, Editing Screening, Publishing
Essential
6.4 prevents one person having different roles within a project / programme. E.g. to enforce segregation of duties between auditor and reviewer
Essential
6.5 ability to undertake an independent review by a person independent of the team with read only access E.g. Quality Assurance
6.6 allow users to act as reviewer on one project / programme and preparer on another.
Essential
6.7 include additional evidence at second stage review on selected tests and documents.
Essential
6.8 allows reviewer to add comments when signing off. E.g. if signing off a document electronically on 10th of month can add comment that manual review was performed on 1st
Essential
6.9 raise review notes at specific points which can hyperlink to specific documents and paragraphs.
Essential
6.10 delete and make amendments to text covered by review notes without deleting the review note.
Desirable
7 Audit trails and version control
7.1 maintain a clear audit trail of who has edited and signed off procedures and documents.
Essential
7.2 maintain a history of changes to planned audit tasks.
Essential
7.3 maintain a history of changes to findings, risks, conclusions.
Essential
7.4 maintain a history of changes to documents (if they are held within the system).
Essential
7.5 able to convert an Audit Task / Project / Programme to "read only" once completed to prevent unauthorised alteration.
Essential
8 Audit Matters Arising
Risk, Issue, Good Practice, Monitor
8.2 raise matters arising E.g. Significant audit matters, mis-statements
Essential
8.3 link audit matters arising through to audit tasks and documents.
Essential
8.4 open and close down audit matters arising.
Essential
8.5 generate reports on audit matters arising by categories
Desirable
8.6 require certain fields to contain text when raising audit matters.
Desirable
8.7 require that categories are assigned when audit matters arising are raised.
Desirable
9 Review functionality
9.1 Review notes must show who raised them and who addressed them.
Essential
9.2 Review notes must be customisable and have a status. E.g. not yet assigned, assigned but not started
Essential
9.3 raise review notes on documents and audit tasks
Essential
9.4 It must be able to allocate multiple levels of review if required.
Essential
9.5 Editing / Screening team comments to be recorded. E.g. Readability Statistics
Desirable
9.6 support a team review to allow two team members (auditor and reviewer) to work
E.g. Open, Closed,
9.7 able to have several postings between preparer and reviewer on each review note
Useful
10 User Interface Requirements
10.1 scale and customise screens, fonts and windows to address accessibility.
Essential
10.2 users can customise their user interface and displayed fields E.g. Zoom - users can magnify the screen and scalable cursor - users can increase the size of the mouse cursor, Display adjustment - users can adjust or reverse colour contrast
Desirable
10.3 can customise the system to use WAO terminology
Desirable
10.4 voiceover provided both speech input and audible output, combined with support for keyboard navigation, talking alerts and spoken items
Useful
11 Roll-forward
11.1 define automated roll-forward procedures from prior year to current year audits.
Essential
11.2 systematically update relevant procedures, processes etc. when moving to new files or apply other standard file updates. E.g. Template changes following screening, changes to guidance
Desirable
12.1 report progress against projects / programmes / business streams and ability to drill down to different levels. E.g. Annual Reports, Letters incorporating, conclusions, proposals for improvement etc.
Essential
12.2 generate customisable "audit body" based reports based upon information held in the system using templates and extracting and collating information recorded in the system E.g. PI Audits
Essential
12.3 allow a snapshot view of audit task status by a range and combination of labels/tags
Essential
12.4 present information on screen in different ways and drill down to get more detail E.g. individual, AIB, Region, Project, Programme, Study
Essential
12.5 export management information into various formats.
Essential
12.6 view and print detailed delivery plans that sets out, for each audit project or programme, the stages of planning, fieldwork, reporting, closure and follow up and within each stage details of the tasks to be carried out and the resources required / allocated. E.g. By Whole WAO, Business Stream, Team, Region, Audit Body
Essential
12.7 it should provide an overview of projects / tasks "to complete" incorporating time and resources
Desirable
12.8 it should provide an overview of progress of Audit tasks / projects / programmes through percentage of completion
Desirable
responsibilities and audit tasks.
12.10 enable viewing status of documents, review notes, proposals for improvement
Desirable
12.11 produce management reports based upon publishing information. E.g. number of reports outstanding, number of reports published in a given period, list reports for a given AIB.
Desirable
12.12 generate customisable reports based upon the results of audit tasks. E.g. By Whole WAO, Business Stream, Team, Region, audit body
Desirable
12.13 provide snapshots of individual auditor progress visible only to manager/director
Useful
13 Document Management
13.1 ability to reference (link to) a single version of a document which can be referenced from multiple audit programmes / projects / tasks. E.g. spreadsheets and word documents containing macros, presentations, images, e-mails, Visio, Video, survey results etc. Not limited to Microsoft products
Essential
13.2 link to, or include, Snap Survey results, Photographs, Visio documents etc. (E.g. as Evidence or as outputs from the audit).
Essential
13.3 cross reference using hyperlinks to various types of document types across audit projects
Essential
13.4 lock a document to maintain integrity while it is being edited and maintain a record of the changes made.
Essential
not view, view only, edit based upon role and work allocation
13.6 integrate document management with workflow processes and maintain a single version of the document. With full version control and history of changes. E.g. Editing Screening and Publishing
Essential
13.7 compliance with retention/destruction schedules and WAO and BSI policies as well as the requirements of FOI.
Essential
13.8 define policies and procedures to automate archiving documents periodically.
Essential
13.9 view only access archived documents with authorised individuals with destruction rights
Essential
13.10 integrate with a document management system. At a simple level this would be via hyperlinks and ability to view details E.g. WAO Intranet, Internet, SharePoint
Desirable
13.11 integrate the creation and editing of documents such as word, excel and PowerPoint documents from within the system.
Desirable
13.12 create and maintain a library of audit tasks (E.g. Question Hierarchies / tests / tools / surveys ) which can be used by copying into single or multiple audit programmes
Desirable
13.13 link to specific points within documents and spread sheets
Desirable
13.14 annotate (E.g. a comment, explanation, presentational mark-up) to a variety of documents such as Word, PowerPoint and
13.15 drag-and-drop functionality
Desirable
13.16 maintain a Library of labels/tags that can be selected, amended, added to documents / audit tasks, projects, programmes and then used to support searching and reporting E.g. Business Stream, Sector, Year, Audit Type
Desirable
13.17 It should be able to search across the system or within specific cross sections using labels/ tags and key words
Desirable
13.18 It should be able to flag and restrict access to documents that contain sensitive information E.g. personal
Desirable
13.19 lock a section of a document to maintain integrity while it is being edited enabling others to work on other sections at the same time and maintain a record of the changes made.
Useful
13.20 provide summary reports on which documents contain sensitive information and action taken to remove such data
Useful
14 Resource Management
14.1 define or import resource information per individual or group. E.g. skills, charge out rate, availability, cost centre, vehicle data
Essential
14.2 allocate audit tasks to individuals (including contractors and firms)
Essential
14.3 allocate projects, programmes to teams, and others such as firms.
Essential
to deliver) audit tasks.
14.5 link tasks to the following people requirements: charge out rate / grade, specific skills or competencies
Desirable
14.6 allocate deadlines to audit task, projects and programmes.
Desirable
14.7 generate timesheets for individuals based upon tasks allocation
Desirable
14.8 record actual time taken to deliver audit tasks and identify reasons for any variances from the time allocated. Ideally from a pre-defined list of criteria supported by additional free text
Desirable
14.9 record time against non-audit task to support easy reconciliation with other systems. E.g. Annual Leave, Sickness, Training, etc.
Desirable
14.10 identify variances in time allocated and actual time charged at a task, project and programme level and also by individual
Desirable
14.11 undertake workforce planning based on audit projects and/or programmes and establish critical path and priorities and dependencies of tasks.
Desirable
14.12 forecast "time to complete" based on programme and project information within the system using allocated resources.
Desirable
14.13 use scenarios to support resource planning.
Desirable
14.14 identify resource gaps and conflicts.
Desirable
14.15 analyse workforce requirements in terms of skills, grades, time based upon planned audit tasks.
Desirable
14.16 calculate audit costs by collating information (times allocated to tasks, grades) for all of the tasks allocated to an audit programme or audit body.
Useful
14.17 record expenses against audit tasks, such as travel expenses, mileage and carbon emission band data, accommodation etc. and if possible auto fill post code information from information held in the system (i.e. Designated place of work, home) or AIB location.
Useful
15 Access controls/levels
15.1 restrict access to Audit Tasks, Projects / programmes based upon role and work allocated.
Essential
15.2 single sign on functionality. The ability to determine a user's identity (userid and password), role and relationships with others (E.g. Manager) from Active Directory i.e. without the need for the user to remember and use a separate username and password
Desirable
16 Data Migration and testing
16.1 ability to export/import data between instances of systems. E.g. between a test and training instances of the system
Desirable
16.2 import test system configurations.
Useful
16.3 automatically anonymise data held in test and training systems
17 Security / Data integrity
17.1 manage data conflicts arising from simultaneous edits to audit tasks, projects and programmes
Essential
17.2 handle unexpected loss of network connectivity without losing or corrupting data, including during synchronisation operations
Essential
17.3 encrypt (or permits 3rd party encryption of) data stored on local drives (E.g. laptops) and backups up to minimum standards required for IL3 Security Standard or equivalent (that securing confidentiality of sensitive information)
Desirable
17.4 facilitate recovery of data accidentally erased by a user.
Desirable
18 Network Requirements
18.1 support effective working over low bandwidth connections E.g. home broadband or 3G mobile data.
Essential
18.2 an "offline" mode allowing the user to work with content previously downloaded, and to upload changes when connectivity is resumed whilst maintaining data integrity
Essential
19 Desktop environment
19.1 the system must be compatible and work effectively on Windows 7 with Office 2010 installed
Essential
19.2 any browser-based client components must work effectively on up-to-date versions of Internet Explorer and Chrome
19.3 it would be desirable for the supplier to make a commitment to support future versions of Microsoft Windows and Microsoft Office within a timeframe of 12 months from their release
Desirable
19.4 WAO is based wholly within a web environment, and it would be useful if any browser-plug-ins required are installed automatically. With no need for software to be installed manually, or as part of a software build, on the client PC
Useful
19.5 works effectively on Windows Vista with Office 2007 installed
Useful
20 Server environment
20.1 the Database functionality must run either on Microsoft SQL Server or an open source database e.g. MySQL.
Essential
20.2 all server functionality must run either on Microsoft Windows Server or Linux
Essential
20.3 all server functionality must be capable of running inside a VMware virtual machine
Essential
21 Interfaces with other systems
21.1 all system data must be able to be exported to standard file formats E.g. CSV, XML, Excel.
Essential
21.2 schedule routine import/updates to information relating to WAO workforce from another system and report changes. E.g. HR System
Essential
21.3 support data being bulk-loaded in from standard file formats E.g. CSV, XML.
At a simple level this would be via hyperlinks and ability to view details E.g. WAO Intranet, Internet, SharePoint
21.5 interface with report writing tools. E.g. Crystal Reports or equivalent report tools
Desirable
21.6 select / report and export data into a variety of formats
Desirable
22 Technical support
22.1 a range of annual support and maintenance contract options must be available
Essential
22.2 a service level agreement must clearly define response and resolution times to problems and matters arising raised with clearly defined escalation criteria.
Essential
22.3 the system must be regularly maintained to address software issues and service packs issued to address these.
Essential
22.4 product support must be available as a consultancy service to support the design and implementation.
Essential
22.5 formal notifications of changes and system developments must be provided with a 6 month minimum lead in time for mandated implementation
Essential
23 On-line Help functionality
23.1 the system should prompt for the completion of one audit task before moving on to the next with an explanation of why cannot proceed to the