Skip to content | Change text size
 

Monash Audit Planning System

The Monash Audit Planning System (MAPS) is a fully integrated audit management and planning system which includes the following modules:-

  • A Planning Module that automatically generates rolling three-year plans on a risk priority basis.
  • A Time Recording and Allocation Module which enables time spent by audit staff on audit assignments to be monitored against budget.
  • A Reports Management Module which provides a facility for tracking the status of all reports issued and a facility to ensure that information in the Master Risk Database is kept up to date.

A. Planning Module

In developing the current Triennium Plan the following processes were undertaken:-

1. Determining auditable units

2. Establishing a risk priority score

(i)   Audit Assurance
(ii)  Materiality
(iii) Inherent/Control Risk
(iv) Audit Judgement

3. Special arrangements

(i)   Mandatory Annual
(ii)  Cost Centres (Budgetary Units)
(iii) One-off Audits

4. Estimating available audit resources

5. Generating the plan

 

1. Determining auditable units

A list of auditable units was determined using the established audit program and the results from risk management projects conducted to date. Auditable units are areas which have been identified as requiring some audit attention and include functional units, activities and systems.

For planning purposes, the large administrative systems have been broken down into various program elements, each of which is separately evaluated.

2. Establishing a priority risk priority score

A standard methodology was then used to calculate an initial priority score for each auditable unit using three simple risk factors and one compound risk factor. The simple risk factors were evaluated on a scale of 1 to 5, with 5 indicating highest risk. The compound factor, Inherent/Control risk was evaluated using a two-dimensional table with each factor again rated on a 1 to 5 scale.

The factors used were:-

(i) Audit Assurance

This factor takes account of the results from previous audit reviews with areas where problems had been identified receiving a higher risk rating.

(ii) Materiality

This factor takes into account the likely impact of something going wrong in a particular area. Basically, the impact is measured in dollar terms but may also in some cases reflect intangible factors, where appropriate.

The dollar values used to assign this factor were based on the scale used for Risk Management projects.

(iii) Inherent/Control Risk

Inherent risk is the intrinsic risk of material errors/problems occurring in an area disregarding the effectiveness of controls set up to mitigate the risk. The control risk component is an evaluation of the adequacy and effectiveness of controls in place to offset the inherent risks in a particular area.

Note that these factors are interdependent. For example, even though an area has a high inherent risk, if controls in place are well designed and applied, there is less concern from an audit perspective.

(iv) Audit Judgement

This factor takes into account anticipated changes to systems, staffing, procedures etc. which will impact upon a particular area.

Each of the scores for each factor was then given a weighting to reflect the relative importance of each factor.

The sum of each of these factors multiplied by the relevant weighting provides the initial priority score for a particular unit.

IThe Plan also reflects the fact that audits not performed in any one year become more important in the next. For each year since they were last audited, a "year loading" factor of 15% compounded is automatically applied to most of the auditable units in the database. The effect of including this loading is that an auditable unit, not audited within 5 years has its initial priority score doubled thereby allowing lesser priority tasks to be incorporated into the Plan.

3. Special Arrangements

As mentioned above not all units included in the Plan are selected on an aged priority score basis. The exceptions are:-

(i) Mandatory Annual

To meet statutory and/or commercial requirements some audits have to be undertaken each year regardless of their aged priority score. To accommodate this frequency flags have been set up in the system which override the selection of units on an aged priority score basis.

(ii) Cost Centres (Budgetary Units)

There are approximately 200 academic and administrative departments and research centres in the database the majority of which have a similar risk rating. Without special treatment then these units would climb up the priority list in a block necessitating audit attention in a particular year, to the exclusion of most other projects. To prevent this, the system randomly selects 20% of cost centre (budgetary units) each year.

(iii) One-off Audits

One-off audits such as, special assignments and system post-implementation reviews are handled again through the use of the frequency flag in the system which enables an auditable unit to be undertaken in a particular year and then excluded from subsequent years plans.

4. Estimating available audit resources

In setting up the database an estimate was also made of the duration that an audit of each unit would take. A separate calculation was also made of the total available weeks that could be spent on audit activities, for each year of the Triennium.

5. Generating the Plan

MAPS generates the first years plan by sorting audits in order of importance and then scanning through the list one audit at a time. The program then accumulates the budgeted time on a project-by-project basis in priority order until the cumulative total matches available staff resources, beyond that, no other projects will be covered in that year.

The same exercise is performed for years two and three of the Triennium. The system is totally automated, the Director, Audit & Risk Management simply needs to enter the "Year Beginning", for the first year of the triennium and then the total available working weeks for each of the three years.

Reports

The following reports are generated each time the Planning Program plan is run: -

  • A listing of auditable areas in initial priority order with the number of times each area is to be reviewed in the Triennium.
  • A listing of auditable areas in alphabetical order.
  • Yearly plans for years 1, 2 and 3 of the Triennium, in priority order.
  • A listing of areas not covered in the current Triennium.

[back to top]

B. Time Recording and Allocation Module

This module of the system allows staff to enter their attendance times and when absent, the reason for that absence. Each auditor enters times on a daily basis with the system then requiring that the total hours worked be allocated to particular auditable units. The total hours charged to particular audit assignments can then be collated and compared against the budgeted time for that assignment.

[back to top]

C. Reports Management Module

This module performs the following functions:-

  • assigns report numbers to jobs at the commencement of an audit
  • establishes a process for tracking the status of all audits undertaken from the commencement of the audit, through to the preliminary and final report stages and finally, to sign off and acceptance of the report by management
  • provides a structured basis for the follow-up of outstanding reports
  • provides a link between electronic and paper based versions of all reports issued
  • provides an ongoing process for ensuring that information held in the Master Risk database is reviewed on an on-going basis.

[back to top]