Objective
An audit plan is a plan created by an audit manager or a CAE based on the organization's risk assessment and the input of senior management on which auditing personnel follow through to achieve auditing goals. An audit plan includes auditing tasks that need to be completed within a period of time. The creation and maintenance of audit plans are performed using the Manage Audit Plans app or Consolidate Audit Plans app by an audit manager or a CAE.
SAP Audit Management provides a functionality of one-level audit planning and two-level audit planning. Using one-level audit planning, you can create audit plans in the Manage Audit Plans app directly. Using two-level audit planning, you can create an audit plan group in the Consolidate Audit Plans app and then specify in the audit plan group a full list of risks on which you plan to work and distribute them among several audit plans.
At the first step of two-level audit planning, you create an audit plan group in the Consolidate Audit Plans app. Then you assign risks to the audit plan group in the Risks section. On the base of added risks, you can create audit plans by selecting some of risks and selecting the Create Audit Plan button until you cover all risks of the audit plan group. In addition, you can add existing audit plans to the audit plan group using the + button in the Audit Plans section.
If you want to assign additional risks to audit plans of the audit plan group, select these risks of the audit plan group and press the Allocate button. The system will display a list of editable audit plans within the audit plan group, allowing you to select the audit plan to which you want to assign the chosen risks.
You can assign risks directly to audit plans of the audit plan group through the Manage Audit Plans app or Consolidate Audit Plans app and then add these risks to audit plan group by selecting the Sync button.
To create a new audit plan out of audit plan group, start the Manage Audit Plans app, and select the + button on the initial page. Provide the required attributes on the Create Audit Plan screen. When it is created, the audit plan is displayed in the Manage Audit Plans app under the Draft tab.
You can create an audit plan directly in the Manage Audit Plans app or from an audit plan group in the Consolidate Audit Plans app. All audit plans are available in the Manage Audit Plans app regardless of creation method.
Maintenance of audit plans in the Manage Audit Plans app is described below, you can do the same actions in the Consolidate Audit Plans app if the audit plan is included in an audit plan group.
In the Risks section of an audit plan you can add, remove, and search for risks. To add risks, choose the + button and a window that shows a list of risks will be opened. When you are choosing risks from the list, you can use system capabilities to prioritize risks by risk levels and other attributes.
SAP Audit Management allows you to facilitate the assignment of auditable items to an audit plan on the base of risks added to an audit plan. If a risk is added to the audit plan, then auditable items to which the risk is assigned can be directly added to the plan by selecting the risk and using the Add Auditable Items button in the Risks section.
On the Select Auditable Items screen, all auditable items assigned to the selected risk are displayed. You would need to pick one or several items, which will be audited within this audit plan and confirm your selection by selecting the Add button. Then selected auditable items will be added to the audit plan. Further, it is possible to create audits in the audit plan on the basis of auditable items assigned to the audit plan.
Auditable items that have already been added are shown in the Auditable Items section of an audit plan. You can add other auditable items from Audit Universe directly by selecting the + button. While you are choosing auditable items from the list, you can use the filtering, sorting, and grouping options to prioritize auditable items by risk levels and other attributes.
Create audits to work on risks and auditable items of an audit plan. Go to the Auditable Items section of the audit plan, then select one or more auditable items, and choose the Create Audit button. Fill in all required audit details and save it. The audit that you created will automatically contain selected auditable items and will be included in the audit plan.
In the Audits section, you can add existing audits to your audit plan or remove unwanted audits from the audit plan. An audit can be included in an audit plan if the following conditions are met:
To add an existing audit to the audit plan, you select the + button in the Audits section of the audit plan, search and choose the required audit.
The Initiate Audits, Track Ongoing Audits, and Display Historical Audits apps display information about connection of audits and audit plans. The new column, Number of Audit Plans, in the worklists of these apps shows the number of audit plans in which an audit is included. If you navigate to a particular audit from the apps, in the new Audit Plans section of the audit you will find a list of audit plans that include this audit.
Draft audits included in an audit plan can be edited through the audit plan in the Manage Audit Plans app. Navigate to a draft audit from the Audits section of the audit plan to start editing.
From an audit plan, you can edit some of basic attributes of an audit, audit team, assign/remove auditable items, risks, organizations, processes, and dimensions.
All draft audits that are included in an audit plan can be edited using the Manage Audit Plans app as shown above or, alternatively, through the Initiate Audits app.
After the audit team was defined, an audit manager initiates a draft audit through the audit page in an audit plan. When an audit is initiated, the audit preparation phase for the audit will be started.
All draft audits that are included in an audit plan can be initiated through the Manage Audit Plans app as shown above or through the Initiate Audits app.
In the Calendar section of an audit plan, you can monitor the progress of audits included in the audit plan. Audits are grouped by audit group and displayed on the time scale with color indicator of audit's status.
Various types of attachments can be uploaded to an audit plan such as .pdf, .msg, .pptx, .zip, and other types. You can add either files or links to the audit plan by selecting the + button. To delete existing files or links, or change their names and addresses (for links), select the Edit button.
There is a possibility to automatically generate a report of an audit plan to get a summary of the audit plan content. The report contains general information about the audit plan and audits included in the audit plan.
An audit plan in the status, Draft, can be deleted if it is not relevant anymore.
The following figure provides you with an outline of the audit plan lifecycle.
There are following steps of audit plan lifecycle:
Submit an audit plan
When an audit plan has been finalized, an audit manager can submit the audit plan to a CAE in the Manage Audit Plans app by selecting the Submit button. Optional comments for the action can be provided.
Release an audit plan
The CAE reviews the audit plan and releases it in the Manage Audit Plans app by selecting the Release button. Optional comments for the action can be provided. The release action for the audit plan freezes all information under the audit plan, including risks, auditable items, and audits. It is not possible to assign or remove assignment of any of these objects or edit the general information of the audit plan unless you reopen it.
Reopen an audit plan
When released, the status changes to Released and additional buttons for archiving and reopening the audit plan appear in the top right corner of the audit plan. Released audit plans can be reopened and reworked so that you can include additional audit activities in the audit plan. To reopen a released audit plan, select the Reopen button and, optionally, provide your comments.
Archive an audit plan
When all planned audit activities have been completed and the audit plan has reached the end of its lifecycle, you can move it to the archived audit plan list. Select the Archive button to archive the audit plan and, optionally, provide your comments. The archive action for the audit plan freezes all information under the audit plan, including risks, auditable items, and audits. The archived audit plan can no longer be reopened or worked on.
The release, archive actions for an audit plan freezes all information under the plan, including risks, auditable items, and audits. State of objects will stay the same while viewing them in the released/archived audit plan. However, these actions do not change or restrict activities on objects that the audit plan contains. It means that a user can rework risks, auditable items, and audits included in the audit plan in separate SAP Audit Management apps.
SAP Audit Management facilitates continuous work on audit tasks throughout several audit plans by enabling rolling audit plans. During audit plan creation, you can specify whether it will be a rolling or non-rolling audit plan in the corresponding attribute.
A rolling audit plan allows you to create a successor audit plan by copying the original audit plan. A new draft audit plan will be created with a new title and time period that you define manually while copying. The copied audit plan will include the general information, auditable items, risks, and all audits of the original audit plan that are not in the following statuses: Closed or Canceled. You can edit some of general attributes, list of risks, auditable items, audits of the successor audit plan and continue working on unfinished audits.
A rolling audit plan can only be copied when it's in the Released status. There can be only one copy at a time. After release of the copy, the original released rolling audit plan will be archived automatically.
While you are copying a non-rolling audit plan, a system will give you the options to choose the items of the original audit plan that you want to copy into a new audit plan. You can select options to copy risks, auditable items, or audits.
If you decide to copy audits, the system will suggest you to choose what items of original audits to include into new audits (audit team, auditable Items, organizations, risks, processes, dimensions, work program). During copying audits you can adjust names, start date and end date of new audits.
Non-rolling audit plans can be copied in any status before archiving.
You can copy a rolling/non-rolling audit plan in the Manage Audit Plans app or from an audit plan group in the Consolidate Audit Plans app. The previous screenshots are taken from the Manage Audit Plans app.
In the Activities section, you can see events like the status changes of an audit plan (released, archived, reopened) and changes to risks, auditable items, and audits made in the audit plan. Optional comments/notes provided by the user when the new status is confirmed are captured as well. It is possible to display additional data for the log message, by selecting the Show More button under the message text. If the displayed information contains links to objects, it is possible to directly jump into the object of interest.
