MEGA GRC Audit

User Guide

MEGA GRC Suite 3.2 1st edition (January 2010)

Information in this document is subject to change and does not represent a commitment on the part of MEGA International. No part of this document may be reproduced, translated or transmitted in any form or by any means without the express written permission of MEGA International. MEGA International, Paris, 1996 - 2010 All rights reserved. MEGA GRC Audit and MEGA are registered trademarks of MEGA International. Windows is a registered trademark of Microsoft Corporation The other trademarks mentioned in this document belong to their respective owners.

CONTENTS

Introduction

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 . . . . . . . . . . . . . . . . . . . . . . . . .8 . . . . . . . . . . . . . . . . . . . . . . . . .8 . . . . . . . . . . . . . . . . . . . . . . . . .8 . . . . . . . . . . . . . . . . . . . . . . . . .8 . . . . . . . . . . . . . . . . . . . . . . . . .8 . . . . . . . . . . . . . . . . . . . . . . . . .9 . . . . . . . . . . . . . . . . . . . . . . . . .9 . . . . . . . . . . . . . . . . . . . . . . . . 10 . . . . . . . . . . . . . . . . . . . . . . . . 11

Main Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Audit repository management . . . . . . . . . . . . . . Document repository . . . . . . . . . . . . . . . . . . . . Audit plan and mission management . . . . . . . . . Mission execution . . . . . . . . . . . . . . . . . . . . . . Mission and recommendation follow-ups. . . . . . . Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . Collaborative work . . . . . . . . . . . . . . . . . . . . . . Conventions Used in the Guide. . . . . . . . . . . . . . . . Presentation of this Guide . . . . . . . . . . . . . . . . . . .

Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Audit manager . . . . . . . . . . . . . . . . . . . . . . . . Mission manager . . . . . . . . . . . . . . . . . . . . . . . Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Managing the Audit Team . . . . . . . . . . . . . . . . . . . . Creating an Auditor . . . . . . . . . . . . . . . . . . . . . . . Managing Auditor Responsibilities . . . . . . . . . . . . . Managing Auditor Skills. . . . . . . . . . . . . . . . . . . . . Defining skills for each user . . . . . . . . . . . . . . . Viewing skills . . . . . . . . . . . . . . . . . . . . . . . . . Preparing Audit Plans . . . . . . . . . . . . . . . . . . . . . . . Creating Audit Plans . . . . . . . . . . . . . . . . . . . . . . . Defining a Calendar . . . . . . . . . . . . . . . . . . . . . . . Creating Audit Missions. . . . . . . . . . . . . . . . . . . . . Creating a mission manually . . . . . . . . . . . . . . . Creating a mission from a program . . . . . . . . . . Managing Audit Missions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 . . . . . . . . . . . . . . . . . . . . . . . .14 . . . . . . . . . . . . . . . . . . . . . . . .14 . . . . . . . . . . . . . . . . . . . . . . . .14 . . . . . . . . . . . . . . . . . . . . . . . . 15 . . . . . . . . . . . . . . . . . . . . . . . .15 . . . . . . . . . . . . . . . . . . . . . . . .16 . . . . . . . . . . . . . . . . . . . . . . . .16 . . . . . . . . . . . . . . . . . . . . . . . .16 . . . . . . . . . . . . . . . . . . . . . . . .16 . . . . . . . . . . . . . . . . . . . . . . . . 18 . . . . . . . . . . . . . . . . . . . . . . . .18 . . . . . . . . . . . . . . . . . . . . . . . .19 . . . . . . . . . . . . . . . . . . . . . . . .19 . . . . . . . . . . . . . . . . . . . . . . . .19 . . . . . . . . . . . . . . . . . . . . . . . .20 . . . . . . . . . . . . . . . . . . . . . . . .20

Contents
Accepting a mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Specifying audit mission scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Scheduling missions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Viewing unassigned missions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Preparing Audit Missions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23 Assigning Auditors to an Audit Mission. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Viewing auditor availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Viewing auditor skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Assigning an auditor to a mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Managing Mission Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Creating an audit theme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Creating an audit activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Specifying audit activity scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Scheduling Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Displaying the activities report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Modifying an activity from a Gantt diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Checking assignment of auditors via reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Managing Workpapers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Creating a workpaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Announcing and Starting a Mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Viewing the announcement letter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Sending the announcement letter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Starting the Mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Executing Audit Missions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32 Proposing a New Mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Managing Workpapers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Viewing and completing workpapers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Creating a workpaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Creating Audit Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Creating audit findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Sending Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Managing Mission Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37 Generating RTF documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Saving Audit Attachments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Reports and Audit Follow-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 Recommendation Follow-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Recommendation follow-up reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Viewing your recommendation list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Defining a steering calendar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Audit Plans Follow-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Comparing audit plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Action Plan Follow-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Audit Activity Follow-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Managing the Audit Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44 Audit repository principle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Managing Mission Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Creating a mission program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Creating an audit mission from a mission program . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Managing Activity Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Managing Workpaper Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Managing Form Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Managing Audit Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

MEGA GRC Audit

Contents

Managing operational document templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

Contents

MEGA GRC Audit

INTRODUCTION

MEGA GRC Audit offers a simple and flexible solution adaptable to the specific requirements of each internal audit department to improve audit quality and to enhance decision-making capacity. Based on a proven methodology, MEGA GRC Audit helps internal auditors to optimize processes, increase action plan follow-up capacity, support findings, standardize best practices and improve transparency of results and information traceability. "Main Features", page 8 "Conventions Used in the Guide", page 10 "Presentation of this Guide", page 11

Introduction
MAIN FEATURES
Audit repository management

Audit templates Mission, activity, workpaper and associated checklist templates Creation of an operation mission template

Document repository

Help capitalize on legal notices and best practices Generate operations documents Creating customizable mission reports

Audit plan and mission management

Management of annual and multiannual audit plans Mission scheduling and planning according to established priorities Building mission plans with predefined and manual checklists Audit template management Task management for auditors and auditing teams Assignment of auditors as a function of missions Definition of skills and level required to perform specific missions

Mission execution

Task assignment Workpaper generation from templates or risks/controls matrix Possibility of documenting findings and associating recommendations Collection of auditee comments and progress follow-ups Approval workflow management Access to methodological documents

Mission and recommendation follow-ups

Progress follow-ups aligned with approbation workflow Recommendation follow-ups and action plans involving auditees Management of the different mission stages and the transition between stages Use of milestones to collect and report the implementation progress rate

MEGA GRC Audit

Introduction Main Features

Reporting

Analytical reports to follow up recommendations and action plans Generation of audit announcement letters, executive audit, summaries, and complete audit reports Several standard reports support audit team activity analysis Dashboard for mission follow-ups Gantt charts to prepare audit plans and missions and to manage auditor resources etc.

Collaborative work

Secure Web-based environment Configurable workflows Management of exchanges between auditors and auditees Document sharing Sending messages with attachments

Introduction
CONVENTIONS USED IN THE GUIDE

Remark on the preceding points. Definition of terms used in this guide.

A tip that may simplify things. Compatibility with previous versions. Things you must not do.

Very important remark to avoid errors during an operation. Commands are presented in this way: File > Open. The names of MEGA products and technical modules are presented in this way: MEGA.

10

MEGA GRC Audit

Introduction Presentation of this Guide

PRESENTATION OF THIS GUIDE

This user guide is supplemented by:
MEGA GRC Common Features, guide describing common functionalities of the MEGA GRC Suite platform. Guides dedicated to modules MEGA GRC Compliance & Control and MEGA GRC Risk. Administrator guide.

11

Introduction

12

MEGA GRC Audit

1
AUDIT

Internal auditing exists in various legal and cultural environments, as well as in organizations of differing size, complexity and structure. An internal audit is an independent, objective assurance and consulting activity designed to add value and improve organization operations. It helps an organization achieve its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes (source: IIA). MEGA GRC Audit offers a simple and flexible solution, adaptable to the specific needs of each internal audit organization unit, and a methodology integrating international standards. It helps internal auditors to optimize processes, increase action plan follow-up capacity, support findings, standardize best practices and improve transparency of results and information traceability. Internal auditors can use the audit module as support in the execution of classic audit missions (mission preparation, execution and follow-up) or as continuous auditing support.
Thanks to their integration in MEGA GRC Suite and its database, users can access descriptions of risk and control systems and their assessment with MEGA GRC Compliance & Control, and risk mapping with MEGA GRC Risk.

The following points are covered here: "User Profiles", page 14 "Managing the Audit Team", page 15 "Preparing Audit Plans", page 18 "Preparing Audit Missions", page 23 "Executing Audit Missions", page 32 "Managing Mission Documents", page 37 "Reports and Audit Follow-Up", page 39 "Managing the Audit Repository", page 44
The functionalities presented here can be configured. For more information on possible customizations, see the administrator guide.

13

1
USER PROFILES
For the MEGA GRC Audit module, there are by default three user profiles:

Audit Manager Audit Mission Manager Auditor

Operational users can connect to the application without being associated with a predefined profile. For example: auditee manager.

Audit manager
The audit manager ("Audit Manager" profile) is responsible for preparation of the audit plan. For more details, see "Preparing Audit Plans", page 18. This user is also responsible for defining and maintaining the audit repository, which includes:

Programs (mission programs, particularly for recurring missions). Reference documents to be provided to audit teams. Operational document templates used during audit execution to produce different reports. Skills.
For more details on the audit repository, see "Managing the Audit Repository", page 44.

Mission manager
The mission manager ("Audit Mission Manager" profile) is nominated by the audit manager as being responsible for execution of the mission. This includes:

Preparing the mission (assigning auditors, managing audit activities, defining mission scope). For more details, see "Preparing Audit Missions", page 23. Reporting on the mission to the auditee manager. For more details, see "Announcing and Starting a Mission", page 31. Supervising mission execution (follow-up of recommendations made by auditors). Generating the mission final report and submitting this for validation to the auditee manager. For more details, see "Managing Mission Documents", page 37.

Auditor
The auditor ("Auditor" profile) is responsible for progress of the audit activity in the field. For more details, see "Executing Audit Missions", page 32.

14

MEGA GRC Audit

Audit Managing the Audit Team

MANAGING THE AUDIT TEAM

Before scheduling audit missions, the audit manager must set up appropriate audit teams and assign roles and responsibilities. To do this, the audit manager has tools available that enable definition and display of the skills of team members.
An auditor is a person with skills required to execute an audit (source ISO 19011:2002)

Creating an Auditor
To create an auditor: 1. Select Audit > Team Management > Manage Auditors and click Insert in the right pane of the window. 2. Specify the Code and the Name of the auditor.
The code corresponds to the user login in the connection window.

3. 4. 5. The new

Select Profile "Auditor". Select an Organization Unit. Click Save. auditor is created.

15

Managing Auditor Responsibilities

MEGA GRC Audit allows you to manage controls, processes and risk and control systems that are the responsibility of a given auditor. You can create or connect controls, processes and risk and control systems to the auditor. To connect an existing control to the auditor: 1. In Audit > Team Management > Manage Auditors, select the desired auditor and click View. 2. In the Responsibilities section, select the Controls Managed tab and click Search. 3. In the search window that appears, select the desired controls and click Connect.
To connect a process or a risk and control system to an auditor, proceed in the same way as above in the corresponding tabs.

Managing Auditor Skills

MEGA GRC Suite enables management and viewing of skills for each auditor. To do this, you must first define skill types, a list of skills, and skill levels. For more details on skill definition, see the Administrator guide.

Defining skills for each user

To define skills: 1. Select Audit > Team Management > Manage Skills by Auditor. 2. Select a user and click the Define Skills button. In the page that appears, you can specify user skills as a function of previously defined skills, skill types and skill levels.

Example of skills

Viewing auditor experience

The Experience section allows you to view mission categories, missions and activities executed by the auditor.

Viewing skills
To view the skills and skill levels available within the team: Select Audit > Team Management > Auditors/Skills Matrix.

16

MEGA GRC Audit

Audit Managing the Audit Team

A list appears. You can sort the list by skill, skill level and user by clicking the header of the corresponding column.

You can also view auditor skills graphically before assigning a mission. For more details, see "Viewing auditor skills", page 23.

17

1
PREPARING AUDIT PLANS
The audit plan is prepared by the audit manager ("Audit Manager" profile).
The audit manager must also build the repository of the audit before scheduling missions (define mission and activity programs, workpaper templates etc.). For more details, see "Managing the Audit Repository", page 44.

Creating Audit Plans

The audit manager ("Audit Manager" profile) defines an audit plan over a period of one year. This plan contains all missions to be executed over the year.
The audit plan is a description of the expected scope and conduct of the audit. It is carried out in accordance with auditing standards and practices. It comprises a description of the audit approach and the planning schedule. It comprises several audit missions carried out during a given period.

To create 1. 2. 3. 4. 5.

an audit plan: Select Audit > Preparation > Audit Plans > Audit Plans. Click Insert. Enter the name of the audit plan in the Description field. Select the audit plan Responsible User. Select a Period in the corresponding box.
An audit period corresponds to the fiscal period over which audit missions or assessment sessions are carried out. This is often a period of three years in the audit framework.

6. 7.

Specify a Begin Date and End Date for the audit plan. Click Save. The audit plan is created.

18

MEGA GRC Audit

Audit Preparing Audit Plans

Defining a Calendar
A calendar can be connected to the audit plan. The calendar is made up of calendar periods. This calendar is not required, and is used for information only in reports.
Calendar periods should be distinguished from the period indicated at creation of the audit plan, the latter being required and considered as a reporting period.

To create 1. 2. 3.

a calendar: Select Audit > Preparation > Audit Plans > Calendars. In the right pane of the window, click Insert. Enter the name of the calendar in the Description field, and enter Begin and End dates. 4. Click Save. You can then divide the calendar into calendar periods. To divide the calendar: 1. In the Calendar Period section, click Insert. 2. Specify the description, as well as begin and end dates for the calendar period. 3. Click Save. 4. Create other calendar periods in the same way. When the calendar has been created, you can connect it to an audit plan.

Creating Audit Missions

The audit manager can create audit missions:

manually or from a program.

Creating a mission manually

An audit mission is a mission assigned to an internal auditor in the context of an audit plan. To create 1. 2. 3. 4. 5. an audit mission: Select Audit > Preparation > Missions > Create a Mission. Specify the mission name in Description. Select an Audit Plan. Specify an Audit Leader. Specify a Planned Begin Date and a Planned End Date for the mission. These dates constitute mission milestones.
If you enter dates that do not agree with those of the audit plan, an error message appears.

6.

Click Save.

19

1
Creating a mission from a program
To help you select missions to be executed, you can use as a basis programs that have not yet been executed. You can then decide to create a mission from a mission program that has not yet been executed.
A mission program is a mission template relating to the main characteristics of an audit mission. For more details on mission programs, see "Managing Mission Programs", page 44.

To view programs not yet executed: 1. Select Audit > Preparation > Audit Plans > Unassigned Missions. 2. Select a Period in the drop-down list. The list of unexecuted programs for the selected period appears. To create a mission from an unexecuted program: 1. Select a program in the list and click the Create Mission from Program button. 2. In the search window that appears, select an audit plan and click Create a Mission. A mission is created. It carries the same name as the mission program.

Managing Audit Missions

Accepting a mission
You can view missions that have been proposed and that could form part of an audit plan. To view missions that could form part of an audit plan: Select Audit > Preparation > Audit Plans > Suitable Missions for Plan. The list that appears shows: Missions proposed by auditors or audit mission managers. Missions created from a program. From here you can accept missions and associate them with an audit leader.

Specifying audit mission scope

The audit manager can specify mission scope, for example processes, risks and controls concerned by the mission. To specify mission scope: In the page of an audit mission, expand the Scope section and connect the required elements.
By default, risks and controls connected to selected processes are automatically connected here. In addition, only controls associated with selected risks are connected.

20

MEGA GRC Audit

Audit Preparing Audit Plans

Scheduling missions
You can schedule your missions by displaying a Gantt report by entity, manager or mission. To display a report enabling scheduling of missions: 1. Select Audit > Preparation > Audit Plans > Schedule Missions. 2. Select a plan and a report type. In the report that appears, you can click a mission to modify it and specify the estimated number of auditors, the estimated workload, the planned begin and end dates, etc.

The number of auditors required per month for the selected audit plan is indicated at the bottom of the report.

Viewing unassigned missions

To view missions that have not yet been assigned: Select Audit > Preparation > Audit Plans > Unassigned Missions. Missions for which no audit leader has yet been indicated appear in the list.

21

1
To specify an audit leader: 1. Select a mission in the list. 2. Click the Edit button. 3. Select an audit leader in the corresponding field. 4. Click Save.

22

MEGA GRC Audit

Audit Preparing Audit Missions

PREPARING AUDIT MISSIONS

When the audit plan has been prepared by the audit manager, the mission manager ("Mission Manager" profile) can prepare audit missions.
The audit manager can also carry out these mission preparation tasks.

Assigning Auditors to an Audit Mission

MEGA GRC Suite allows the mission manager to view the availability and skills of auditors and, based on these, to assign auditors to missions.

Viewing auditor availability

To view auditor availability: 1. Select Audit > Preparation > Missions > Assign Missions. 2. Select an audit plan in the first drop-down list in the right pane of the window. 3. If required, select a calendar period in the second drop-down list.

4. 5. 6.

Click the Display button. In the frame at top left, select the audit mission. In the frame at top right, select the user. Its availability is indicated in the lower frame of the window.

Viewing auditor skills

In the assign mission page, when carrying out the operations described above to display auditor availability, you can also display auditor skills.

23

1
To display auditor skills (at the same time as auditor availability): Select the Auditor Skills and reselect an auditor. A graphic appears. It shows:

in blue: skills of the auditor concerned.

For more details on their creation, see the Administrator guide.

in red: skills required for the mission.

These are defined in the mission program serving as a template for the mission; for more details, see "Defining skills required for missions", page 45.

in yellow: the maximum level possible for a skill type.

This graphic allows you to select the auditor most suitable for the mission.

Assigning an auditor to a mission

To assign an auditor to a mission: 1. From the assign mission page, in the frame at top left, select the desired audit mission . 2. In the frame at top right, select a user. 3. Click the Auditors button. The name of the selected user appears in the column corresponding to the audit mission.

24

MEGA GRC Audit

Audit Preparing Audit Missions

Managing Mission Content

To access mission content: In the page of a mission, select the Work Program tab. In this tab you can create a tree of content of your mission. The basic element of the mission is the workpaper. Themes and activities can be used to group workpapers.

Themes can be created to organize mission content. Audit activities constitute an additional level enabling grouping of workpapers.

From this tree you can also create findings and recommendations, depending on your position in the tree and your profile. Hierarchy is as follows:

Audit themes Audit activities Workpapers Findings Recommendations

Creating an audit theme

Audit mission content can be divided into themes. Before creating activities and workpapers, you can therefore create audit themes. To create 1. 2. 3. an audit theme: In the page of a mission, select the Work Program tab. Select Insert > Audit Theme. Enter a Description and a Parent audit theme (if you wish to create a tree of themes).

25

1
4. 5. Enter comments if required. Click Save. You can view the tree of themes and sub-themes created. You can now create audit activities and workpapers.

Creating an audit activity

Creating an audit activity manually
An audit activity is an element of an audit mission that can relate to a set of processes, applications, risks or controls to be audited in an enterprise organization unit. It is assigned to an auditor. To create 1. 2. 3. 4. an audit activity: On the page of an audit mission, select the Work Program tab. Select Insert > Audit Activities. Enter the name of the audit activity in the Description field. Connect the audit activity to a Theme if you wish the activity to be located under a theme in the tree.

5.

Click Save. The audit activity appears in the the tree of the Work Program tab under the specified theme.

Creating activities and workpapers automatically

Having specified mission scope, and if you are in the appropriate workflow status (after schedule validation and before mission announcement), you can generate activities automatically.
The audit plan to which the mission is attached must have been validated to be able to create activities from mission scope.

26

MEGA GRC Audit

Audit Preparing Audit Missions

To generate activities from mission scope: 1. At the top of the mission page, click the Generate Activities button. An intermediate window appears proposing selection of a form template for corresponding workpapers.

2. Click Generate Activities. The following elements are automatically created:

An activity per process indicated in the scope. A workpaper per risk/control pair to be audited. A form (based on the form template) per workpaper. Select the Work Program tab of the mission.
You can also view: Workpapers from the page of an activity. Forms from the page of a workpaper.

To view activities generated:

27

1
Specifying audit activity scope
In an audit activity page, Activity Scope section, you can specify the audited object, for example:

Applications Controls Org-Units Process Risks

When a business process is linked to a mission, risks and controls connected to the process can be automatically connected to the mission. For more details, see the Administrator guide.

Scheduling Activities
You can display a Gantt diagram to schedule mission activities.

Displaying the activities report

To display the activities report: 1. Select Audit > Preparation > Missions > Assign & Schedule Activities. 2. Select an audit plan and a calendar period if required. 3. Click Display.

28

MEGA GRC Audit

Audit Preparing Audit Missions

4.

Select a mission in the list that appears.

A Gantt diagram displaying mission activities appears in the bottom part of the page.

Completed activities appear in green.

29

1
Modifying an activity from a Gantt diagram
To modify an audit activity: 1. In the Gantt diagram, click the bar representing the activity over time. A window opens allowing you to modify the activity, in particular its dates.

2.

Make the necessary modifications and click Save.

Checking assignment of auditors via reports

To view auditors assigned by calendar period and by mission: Select Audit > Preparation > Missions > Report - Auditors by Mission. To view missions assigned to each auditor by calendar period: Select Audit > Preparation > Missions > Report - Missions by Auditor.

Managing Workpapers
Workpapers serve as the basis for the auditor for execution of his/her mission.
A workpaper comprises points to be checked on a given subject in the course of an audit activity.

30

MEGA GRC Audit

Audit Preparing Audit Missions

Workpapers obtained directly via a mission program contain forms, which contain questions and answers.

Creating a workpaper
Workpapers can be created automatically from the mission scope. For more details, see "Creating activities and workpapers automatically", page 26. You can also create workpapers manually. To create 1. 2. 3. 4. a workpaper manually: In the page of an audit activity, Workpapers section, click Insert. Enter a Description. Enter your comments or observations. Click Save.
You can also create workpapers from the Work Program tab of a mission.

Announcing and Starting a Mission

Having completed specifications necessary for accomplishment of the mission, you can generate and send an announcement letter to the manager of the audited entity.

Viewing the announcement letter

You can view the announcement letter before passing to the mission announcement workflow step. To view the announcement letter: 1. Select Audit > Preparation > Missions > Missions in Preparation. 2. Select a mission, click the Generate Document button and select Announcement Letter. The document appears. You can save this before sending.

Sending the announcement letter

To announce the mission: In the main page of the mission, click the Announce Mission button. The mission can then be started.

Starting the Mission

Having sent the mission announcement letter, the mission can then be started. You must previously have assigned mission activities to an auditor, specified appropriate dates, etc. To start the mission: In the main page of the mission, click the Start Mission button.

31

1
EXECUTING AUDIT MISSIONS
The auditor has two menus for viewing his/her assigned tasks:

Home > My Responsibilities Audit > Operational Domain

Proposing a New Mission

During execution of missions, the auditor can propose a new mission, which the audit manager must then accept. To propose a mission: 1. Select Audit > Operational Domain > Mission Proposals > Create Mission Proposal. The mission creation page appears. 2. Enter a Description, select an Audit Plan and click Save. 3. At the top of the page, click the Propose a Mission button.

You can also create a mission proposal but submit this later, via menu Audit > Operational Domain > Mission Proposals > My Proposal to be Submitted.

The mission changes status. It becomes "Mission Proposed". It must then be accepted by the audit manager to be included in the list of missions in preparation.

Managing Workpapers
Workpapers are files or work documents that serve as a basis for the auditor in execution of the mission. They contain points to be assessed and serve as a basis for interviews carried out by the auditor during the course of the audit.
A workpaper comprises points to be checked on a given subject in the course of an audit activity.

The auditor can create his/her own workpapers, or base these on workpaper templates in the context of a mission program. Workpapers are also created automatically depending on scope of the activity.

32

MEGA GRC Audit

Audit Executing Audit Missions

Viewing and completing workpapers

Workpapers may have been generated automatically:

by risks/controls defined in mission scope. by the workflow. Select Audit > Operational Domain > Work Area > My Workpapers.
You can also access workpapers from the page of an activity.

To view workpapers to be completed:

To complete a workpaper: 1. Select a workpaper and click the Complete Workpaper button. 2. Answer the questions by selecting values from those proposed in the drop-down lists. 3. Click Save. To complete all workpapers at one time: 1. On the page of the activity, click the Complete All Workpapers button. A page appears allowing you to answer all workpapers present in the list at one time. 2. Select a form from the list provided for this purpose. The corresponding workpapers appear. You can reply and enter a comment if required.

Creating a workpaper
You can also create workpapers manually if required. To create a workpaper manually: 1. In an audit activity page, Workpapers section, click the Insert button. 2. Enter a Description and your comments.
In this case, the workpaper is not necessarily connected to a workpaper template (which is a workpaper model). You can simply enter free text in the workpaper comment.

3.

Click Save.

Creating Audit Findings

The objective of the audit is to establish, for an organization at a given moment, findings on compliance of a system related to determined audit criteria. Audit criteria are a set of determined policies, procedures or requirements (source ISO 19011: 2002). Differences from these audit criteria can be detected. These differences should be recorded in audit findings. Audit findings should accurately and honestly reflect audit activities, obstacles encountered, differing views of auditors and those audited, and any unresolved questions.

33

1
Audit findings can indicate compliance or non-compliance as well as opportunities for improvements.
Audit findings are the results of the evaluation of the collected audit evidence against audit criteria. Audit findings can indicate either conformity or nonconformity with audit criteria or opportunities for improvement (source ISO 19011:2002). 2002).

Findings are accessible by default from audit activities. For more details on findings behavior configuration, see the Administrator guide.

Creating audit findings

Creation of a findings must be done from an audit activity. Audit activities are accessible via Audit > Operational Domain > Context > Activities. To create findings: 1. In the page of an audit activity, Findings section, click Insert. 2. Select a Finding Type. You can for example specify if findings are positive or negative. 3. Enter a Recommendation Proposal if required. 4. Enter your conclusions in the Remarks box.

5.

Click Save.
You can also create findings from the Work Program tab of a mission.

34

MEGA GRC Audit

Audit Executing Audit Missions

Sending Recommendations
Recommendations are accessible from missions, audit activities and findings. for more details on recommendation behavior configuration, see the Administrator guide. Audit team members meet to review audit findings and information collected during audit activities The resulting audit conclusions can indicate a need for recommendations. A recommendation describes what must be done to correct noncompliance detected during an audit. To create a recommendation: 1. In the page of a finding, select the Recommendations tab and click Insert.

2. 3. 4.

Enter the text of your recommendation in the Details box. Specify the recommendation name in the Description field. Click Save.

35

1
Recommendations are visible in a specific tab of a mission page.
You can also create recommendations from the Work Program tab of a mission.

36

MEGA GRC Audit

Audit Managing Mission Documents

MANAGING MISSION DOCUMENTS

Generating RTF documents
You can generate several documents in RTF format from a mission:

the announcement letter. the audit mission follow-up report: this contains a description of the mission, its scope, audit activities of the mission, and an indication of mission progress. Mission description: this document lists mission themes and sub-themes.

To generate a document concerning a mission: 1. Select Audit > Operational Domain > Context > Missions. 2. Select the desired mission and click the Generate Document button. 3. In the sub-menu, select : "Mission Description" "Announcement Letter" "Audit Mission Report" An RTF document is generated.
HTML format reports are also accessible via menu Audit > Audit Reporting. Availability of these reports varies according to the profile with which you are connected.

Saving Audit Attachments

You can manage attachments/documents connected to the mission from the page of the mission. To add a document: 1. In the page of an audit mission, select the Document Follow-Up tab.

2. 3. 4. 5.

Above the tree, click the Insert button. Enter a Description. Select a file by search from the File Name box. Select the "Audit" Document Category or one of the proposed subcategories.

37

1
6. Click Save. Your document is now available in the document tree.

38

MEGA GRC Audit

Audit Reports and Audit Follow-Up

REPORTS AND AUDIT FOLLOW-UP

Certain reports allow you to follow progress of audit missions. Depending on your profile, these reports concern:

audit plans recommendations action plans audit activities

Auditors can access only those reports concerning recommendations and action plans. The steering calendar system assures follow-up of recommendations.

Recommendation Follow-Up
MEGA GRC Suite enables different methods of recommendation follow-up:

via reports via the steering calendar

Recommendation follow-up reports

You can generate several types of recommendation follow-up report via Audit > Audit Reporting > Recommendations.

Recommendation follow-up report example

39

1
Viewing your recommendation list
To access your recommendations: 1. Select Audit > Audit Reporting > Recommendations > My Recommendation Follow-Up. 2. Specify if you wish to display On Time Recommendations or Late Recommendations. 3. Click Calculate. The list of your recommendations appears.

Defining a steering calendar

The steering calendar also enables recommendation follow-up by requesting persons concerned to indicate progress of work at regular intervals. The steering calendar is a recommendation follow-up calendar. It allows the audit manager to fix dates by which a measure of progress is achieved. The calendar is defined for an entity.
To create a steering calendar, see the Administrator guide, chapter "Administrating MEGA GRC Suite", paragraph "Defining application generic values".

Audit Plans Follow-Up

MEGA GRC Suite allows the audit manager to follow-up an audit plan result as a function of its different criteria. To view follow-up of a given audit plan: 1. Select Audit > Audit Reporting > Audit Plans > Audit Plan FollowUp. 2. In the right pane of the window, select an audit plan, a calendar period if required and begin and end dates . 3. Click Calculate. The report presenting progress of the audit plan is displayed.

40

MEGA GRC Audit

Audit Reports and Audit Follow-Up

Tabs indicate:

missions started missions completed the number of missions per category and state of progress (in progress, validated, etc.) the workload by category of mission and state of progress.

Comparing audit plans

A report enables comparison of audit plans on the basis of the status of missions they contain. To assure follow-up of the different audit plans: 1. Select Audit > Audit Reporting > Audit Plans > Audit Plan Comparison. 2. Select the audit plans you wish to compare, holding the <Ctrl> key down.

3.

Click the Calculate button.

41

1
The report displays the status of audit plan missions:

by Status (mission status) by Timing (late, OK) by Priority by Score (score attributed to mission) by Category etc.

Action Plan Follow-Up

Following audit conclusions and possible recommendations, you can initiate and manage action plans. To follow-up action plans: Select Audit > Audit Reporting > Action Plans.
For more details on action plans, see the MEGA GRC Common Features user guide.

Audit Activity Follow-Up

A report allows you to view progress of activities by auditor. To access this report: 1. Select Audit > Audit Reporting > Activities > Activity Progression by Auditor. 2. Select an auditor, a begin date and an end date.

42

MEGA GRC Audit

Audit Reports and Audit Follow-Up

3.

Click Calculate. The generated report presents:

the mission of which the activity is part, its status and workload the activity, its status and workload the number of recommendations and findings concerning the activity

43

1
MANAGING THE AUDIT REPOSITORY
The audit manager and administrator have tools available in the audit module enabling them to manage the audit repository.

Audit repository principle

Here you will find "templates" serving as a basis for creation of recurrent missions. The principle is the following: You create a mission program, which contains activity programs. These activity programs contain workpaper templates, which are based on form templates.

Concept
Mission Activity Workpaper Form

Model
Mission program Activity program Workpaper template Form template

Correspondence between concepts and templates

Managing Mission Programs

Creating a mission program
A mission program enables simple creation of audit missions from certain predefined main characteristics. It enables simple management of recurrent missions to be executed over a predefined period.
A mission program is a mission template relating to the main characteristics of an audit mission.

44

MEGA GRC Audit

Audit Managing the Audit Repository

To create a mission program: 1. Select Audit > Audit Repository > Audit Program > Mission Programs, and click Insert in the right pane of the window.

Enter the name of the mission program in the Description field. Specify the Category of the mission (process, regulatory obligation, quality, etc.). 4. Specify the Origin. This specifies the client of the mission (internal or external origin). 5. Specify the other fields that interest you and click Save. The other fields you can specify are the following: 2. 3.

Justification: here you can enter a comment justifying usefulness of the new mission program. Estimated Number of Auditors: the estimated number of auditors necessary for execution of this type of mission. Estimated Duration: the estimated duration for a mission based on this mission program. Mission Priority: priority of a mission based on this program. Last Execution Date: last date on which a mission based on this mission program was executed. Estimated Workload (M-D): estimated number of man-days necessary for execution of a mission based on this program.

Defining skills required for missions

In the mission program, you can specify skills of auditors enabling them to carry out missions based on this program.

45

1
To define the required skills: 1. In the page of a mission, select the Skills tab. 2. Connect the skills you consider necessary. When assigning auditors to a mission, you will be able to compare skills of auditors and skills required for the mission. For more details on the report providing this information, see "Assigning Auditors to an Audit Mission", page 23.

Defining an activity program

The mission program should be based on an activity program, in the same way as a mission is based on activities. For more details on activity programs, see "Managing Activity Programs", page 46.

Creating an audit mission from a mission program

To create an audit mission from a mission program: 1. Select Audit > Audit Repository > Audit Program > Mission Programs, select the mission program and click Create Mission From Program in the right pane of the window. 2. In the window that appears, select the desired audit plan and click Create Mission. The audit mission created is connected to the specified audit plan. You can open it and modify its characteristics to suit your requirements.

Managing Activity Programs

An activity program enables simple creation of audit activities from certain predefined main characteristics.
An activity program is an activity template relating to the main characteristics of an audit activity to be carried out.

To create an activity program: 1. Select Audit > Audit Repository > Audit Program > Activity Programs and click Insert in the right pane of the window.

46

MEGA GRC Audit

Audit Managing the Audit Repository

2. 3.

Specify the name of the activity program in the Description field, and specify the Mission Program. Click Save.

Managing Workpaper Templates

A workpaper template is a predefined point to be checked. It serves as the basis for creation of a workpaper that is assessed in the course of an audit activity.

To create a workpaper template: 1. Select Audit > Audit Repository > Audit Program >Workpaper Templates and click Insert in the right pane of the window.

2. 3. 4.

Enter the name of the workpaper template in the Description field. Click Save. In the page of the workpaper template, connect a form template.
A form template is a list of predefined questions designed to assess a point to be checked in the course of an audit activity.

Managing Form Templates

A form template is a list of predefined questions designed to assess a point to be checked in the course of an audit activity.

A form template serves as the basis for creation of a form:

in the framework of activity creation from an activity program, in the framework of mission workflow.

To create a form template: 1. Select Audit > Audit Repository > Audit Program > Form Templates and click Insert in the right pane of the window. 2. Enter a Description and click Save. You can now create a question. 3. In the Question section, click Insert. 4. Enter the text of the question in the Description box and click Save. You can now create the answers to this question. 5. Select the question and click the View button.

47

1
6. 7. 8. 9. 10. In the Answer section, click Insert. Enter the text of your answer in the Description field. Select the Deficient check box if the answer concerns a deficiency. Click Save. Create other answers in the same way. Your form template is now ready to use.

Managing Audit Documents

Managing operational document templates
Operational document templates are document templates used as a basis for creation of RTF format documents. By default, document templates are provided for:

Announcement letter. Audit mission follow-up report: Audit plan description. Mission description.

To define content of a document template: 1. Select Audit > Audit Repository > Audit Documents > Operational Document Templates. 2. Expand the tree of the document template that interests you. 3. Select an element of the document template and click the Edit button. 4. Select the fields you want to include in the final document by selecting the corresponding check boxes.

48

MEGA GRC Audit

INDEX

A
action plan activity program announcement
follow-up . . . . . . . . . . . . . . . . . . . . . . . . . . 42 creating . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 definition . . . . . . . . . . . . . . . . . . . . . . . . . . 46 letter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 mission . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 auditor mission . . . . . . . . . . . . . . . . . . . . . . . . . 24 report . . . . . . . . . . . . . . . . . . . . . . . . . . 30 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 . 46 . 37 . 28 . 48 . 33 . 13 . 32 . 37 . 18 . 40 . 18 . 14 . 35 . 44 . 19 . 40 . 15 . 25 . 32

audit activity
. . . . . . audit attachment . follow-up . manually. . modifying . scheduling scope . . . . workpaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 26 30 28 28 26 37

audit leader audit manager

profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

announcement letter assignment

audit mission . . . . . . . . . . . . . . . . . . . . . . . . 32
accept . . . . . . . . . . announcement letter audit report . . . . . . . . content. . . . . . . . . . creating . . . . . . . . . milestone . . . . . . . . mission program . . . modifying . . . . . . . . preparing . . . . . . . . program . . . . . . . . . proposing . . . . . . . . scheduling . . . . . . . scope . . . . . . . . . . . starting . . . . . . . . . unassigned . . . . . . . . . . . . . . . . . . . . . . . . 20 . . . . . . . . . . . . . . . 31, 37 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 25 19 19 46 21 23 44 32 21 20 31 21

audit

activity. . . . . . . . . activity program . . attachments . . . . . audited element . . document template findings . . . . . . . . generalities. . . . . . mission creating . . . . . report . . . . . . . plan . . . . . . . . . . . follow-up . . . . . preparing . . . . . . . profiles . . . . . . . . recommendation . . repository. . . . . . . schedule . . . . . . . monitoring. . . . team . . . . . . . . . . theme . . . . . . . . . workpaper . . . . . .

audit plan auditor

creating . . . . . . . . . . . . . . . . . . . . . . . . . . 18 follow-up . . . . . . . . . . . . . . . . . . . . . . . . . 40 assigning . . . . availability . . . creating . . . . . experience . . . profile . . . . . . Responsibilities role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 23 15 16 14 16 24

49

Index
skill . . . . . . . . . . . . . . . . . . . . . . . . . . . 16, 23 auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

availability

G
Gantt

C
calendar period . . . . . . . . . . . . . . . . . . . . . . . 19

Gantt diagram

audit activity. . . . . . . . . . . . . . . . . . . . . . . . 29 audit activity. . . . . . . . . . . . . . . . . . . . . . . . 29

M
milestone mission manager
mission . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 . 20 . 44 . 45 . 37

D
date document
mission . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 audit mission . . . . . . . . . . . . . . . . . . . . . . . 37 audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

mission program

document template

creating . . . . . . creating mission definition . . . . . last execution . . mission report . . .

E
experience
auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

O
origin
mission . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

F
findings follow-up
audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 creating . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 audit creating . . . . . . . . . . . . . . . . . . . . . . . . 47

P
period profile
audit plan . . . . . . . . . . . . . . . . . . . . . . . . . . 18 consolidation. . . . . . . . . . . . . . . . . . . . . . . . 18 audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

form template

R
recommendation
audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 follow-up . . . . . . . . . . . . . . . . . . . . . . . . . . 39

50

MEGA GRC Audit

Index

report

sending . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 steering calendar . . . . . . . . . . . . . . . . . . . . 40 mission audit. . . . . . . . . . . . . . . . . . . . . . . . . . . 37 audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

workpaper . . . . . . . . . . . . . . . . . . . . . . . . . . 30
audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 complete all . . . . . . . . . . . . . . . . . . . . . . . 33 creating manually . . . . . . . . . . . . . . . . . . . . . . . 33 audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 creating . . . . . . . . . . . . . . . . . . . . . . . . . . 47

repository

workpaper template

responsibility

S
schedule scope score skill
period adding . . . . . . . . . . . . . . . . . . . . . . . . . 19 audit activity. . . . . . . . . . . . . . . . . . . . . . . . 28 audit mission . . . . . . . . . . . . . . . . . . . . . . . 20 mission . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 . 24 . 24 . 45 . 16 . 23

steering calendar

defining . . . . . . . . . maximum coverage . required . . . . . . . . . defining. . . . . . . view . . . . . . . . . . . graphically. . . . .

audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

T
team theme tree
audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 document . . . . . . . . . . . . . . . . . . . . . . . . . . 37 work program . . . . . . . . . . . . . . . . . . . . . . . 25

W
work program
audit mission . . . . . . . . . . . . . . . . . . . . . . . 25

51

Index

52

MEGA GRC Audit