
Audit Resource Management System (ARMS)

ARMS is a PC-based computer system written using Microsoft Access.

The conceptual framework and computer implementation of this system have been developed by the Internal Audit Office and Information Technology Services of The University of Melbourne and all Intellectual Property rights remain the property of the University.

ARMS provides an annual audit plan of audit tasks to be conducted by the Internal Audit Office in the following year. The plan is submitted to the last Audit and Risk Committee of the year (usually November) with the University's Risk Register for approval.

Overview

ARMS is comprised of four main program modules which are fully integrated with each other. The main program modules are:

  1. Auditable Units Risk Data Base: Provides the ability to include identified auditable units/areas in the data base, assign risk ratings and update the master data base table.
  2. Planning: Provides a three year rolling audit plan on a risk priority basis.
  3. Time Recording and Charging: Provides a time recording system and enables times worked to be allocated to specific audit jobs and monitored against budget.
  4. Management Reports: Provides an easy means of extracting information from the ARMS database to assist in monitoring the progress of audit jobs and track the status of all audit reports.

1. Auditable Units Risk Data Base Module

The Auditable Units Risk Data Base Module of ARMS is a list of the identified auditable units/areas in priority order. This priority order is achieved by calculating a priority score as follows:

1.1 Calculating Initial Priority

The initial audit priority score or risk rating is calculated by assigning three simple risk factors and one compound risk factor to each auditable unit. The simple risk factors are rated using a 1 to 5 scale with 5 indicating the highest risk. The compound risk factor reflects the interdependence between inherent and control risk. This compound risk factor is calculated using a two dimensional table with each factor rated using a 1 to 5 scale with 5 indicating the highest risk.

The risk factors used are as follows:

  • Assurance - takes into account results from previous audit reviews with areas where problems have been identified receiving a higher risk score.
  • Materiality - takes account of the value of financial transactions processed by an area; a high materiality factor is also assigned to reflect intangible factors where appropriate.
    • 1 = < $100,000
    • 2 = $100,000 - $500,000
    • 3 = $500,000 - $2,000,000
    • 4 = $2,000,000 - $10,000,000
    • 5 = > $10,000,000
  • Audit Judgement - this factor allows ARMS to take into account anticipated changes to systems, staffing, procedures etc. impacting upon a particular area.
  • Inherent/Control Risk - The inherent risk is the intrinsic risk of material errors/problems occurring within an auditable area disregarding the effectiveness of controls in place. The control risk component is an evaluation of the quality and effectiveness of controls in place to offset the intrinsic risks. These factors are independent. For example even though an area has a high inherent risk, if controls are well designed and applied, there is less concern from an audit perspective.

The score for each factor is given a weighting to reflect its relative importance. The sum of these scores, each multiplied by the relevant weighting, provides the initial priority score. The weightings used are set out below:

Weightings assigned to factors

  Factor                      Weighting
  Inherent / control risk     40%
  Materiality                 20%
  Previous audit assurance    20%
  Judgement                   20%

Inherent / Control risk table

                    Inherent risk
  Control risk      1      2      3      4      5
  1                 0.4    0.8    1.2    1.6    2
  2                 0.8    1.6    2.4    3.2    4
  3                 1.2    2.4    3.6    4.8    6
  4                 1.6    3.2    4.8    6.4    8
  5                 2      4      6      8      10

1.2 Calculating the Final Audit Priority for Each Auditable Area

ARMS ensures that audits not performed in any one year become a higher priority in the next. For each year since they were last audited, a "year loading" factor of 15% compounded is automatically applied to each auditable area, except for divisional audits. The effect of this loading is that an auditable area which is not covered within 5 years has its priority rating almost doubled thereby allowing lesser priority tasks to be incorporated into the plan.

1.3 Divisional Audits

Audits at academic and administrative divisions are not selected on the basis of their risk based score but are selected via consultation with the Deans/Administrative General Managers. It is envisaged that divisional areas will be audited at least every three years.

1.4 Mandatory Annual Flag

For statutory and other reasons some audits need to be completed each year. These audits are given a particular flag in the system which ensures that they will be incorporated into the plan on an annual basis.

1.5 Planned Audits to be Undertaken During the Year

It is also planned to undertake a number of targeted and management requested audits throughout the year. Wherever possible, these targeted and management requested audits have been linked back to the ARMS list of auditable areas. This will ensure that the 'last date audited' field is changed so that the audit priority is not distorted by the 'year loading' factor.

1.6 Allocation of Available Resources to Audit Projects

ARMS provides for the available staff resources to be allocated to audit projects. A set number of available weeks is allocated each year. The program has accumulated the budgeted time on a project-by-project basis in priority order until the cumulative total matches available staff resources.
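The scoring in sections 1.1 and 1.2 and the allocation in 1.6, worked through as an added Python example (not the ARMS Access code; all names are hypothetical and the sample units are constructed). It assumes the inherent/control table already carries the 40% weighting, since every cell equals 0.4 × inherent × control, and that allocation stops at the first project that no longer fits; the mandatory and frequency flags are left out.

```python
from dataclasses import dataclass

SIMPLE_WEIGHT = 0.20    # assurance, materiality and judgement: 20% each
COMPOUND_WEIGHT = 0.40  # assumption: table cell = 0.4 * inherent * control
YEAR_LOADING = 0.15     # compounded for each year since the last audit

@dataclass
class AuditableUnit:
    name: str
    assurance: int
    materiality: int
    judgement: int
    inherent: int
    control: int
    years_since_audit: int
    budget_weeks: float
    divisional: bool = False  # divisional audits are exempt from year loading

def initial_priority(u):
    for score in (u.assurance, u.materiality, u.judgement, u.inherent, u.control):
        if not 1 <= score <= 5:
            raise ValueError(f"{u.name}: risk scores must be 1 to 5")
    compound = COMPOUND_WEIGHT * u.inherent * u.control
    simple = SIMPLE_WEIGHT * (u.assurance + u.materiality + u.judgement)
    return compound + simple

def final_priority(u):
    # 1.15 ** 5 is about 2.01: five years unaudited roughly doubles the score.
    loading = 1.0 if u.divisional else (1 + YEAR_LOADING) ** u.years_since_audit
    return initial_priority(u) * loading

def build_plan(units, available_weeks):
    """Accumulate budgets in priority order until staff weeks run out."""
    plan, used = [], 0.0
    for u in sorted(units, key=final_priority, reverse=True):
        if used + u.budget_weeks > available_weeks:
            break
        plan.append(u.name)
        used += u.budget_weeks
    return plan

# Constructed sample data, not taken from the University's risk database.
SAMPLE_UNITS = [
    AuditableUnit("Payroll", 3, 5, 2, 4, 2, years_since_audit=1, budget_weeks=6),
    AuditableUnit("Petty cash", 2, 1, 1, 2, 2, years_since_audit=5, budget_weeks=2),
    AuditableUnit("IT access", 4, 3, 4, 5, 4, years_since_audit=0, budget_weeks=8),
]
```

With 15 available weeks, `build_plan(SAMPLE_UNITS, 15)` schedules IT access and Payroll; Petty cash, despite its five-year loading, falls below the cut-off.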

2. The Planning Tool

The planning modules of the ARMS software provide the following functionality:

  • The ability to generate a yearly prioritised audit plan from the table of auditable units. The table of auditable units is determined by the Director, Internal Audit in consultation with the University's senior administrative officers. As part of the process of determining the table of auditable units five risk types are assigned which the system uses to generate a risk priority score. Timeframes for each audit are also assigned at this time.
  • The system has an "Audit Frequency" field in the Master Risk Database which may be assigned against each auditable unit as follows:
    • 1 = Annual. Enables mandatory annual audits to be flagged.
    • 2 = Alternate Year, 3 = Once in 3 Years. Enables audits to be flagged so they are scheduled for every second or third year and included in the annual plan before allocating time for other audits in order of aged priority.
    • 4 = Aged Selection
    • 9 = Year 1 Only. Enables some audits to be flagged as "Year one only Audits", allowing special one-off and/or management requested audits to be included.

If no data is entered in this field, the auditable unit is then part of the Random Sampling features of the program.

Timeframes for each audit project are assigned and are used to monitor performance against the annual plan.

3. Time Recording & Allocation

The system is used as a time recording and attendance system. Audit staff are able to enter their times of attendance daily. The system requires all attendance time entered to be allocated to audit projects. At any time the system has the ability to generate an on-screen time sheet. A further report is available which shows the allocation of time against auditable unit.
