quadruple review, part I – The one week review

The short of it

At BTC, we recently selected as our web-based electronic workpaper solution. I will be writing about our experiences with this tool in four separate blog posts, over a period of about a year. This is the first one, about our the first week using The solution is a promising one, but I already do have a couple of remarks.


There are only a limited number of true webbased internal audit workpaper solutions out there. We chose to use for the support of our five planned assurance missions in 2012. If the tool lives up to our – rather high – expectations, we’ll continue using it.

This review is only the first of four reviews on using It’s being written after approximately one week of usage and will be an introduction to the review ‘series’ of this solution that was recently acquired by ACL. It will feed you our first impressions and how well the tools answers the specific requirements we at the Belgian Development Agency have for electronic work papers.

I’ll write the second review after one month of usage. By that time, the annual audit plan for 2012 will be uploaded and we’ll be entering the stages of audit work program finalization. In essence, by mid February all specific audit activities we’ll be engaging in during 2012 should be planned in detail and reviewed. During this review I’ll be focusing on the tools available to ensure completeness of our audit approach.

The third review will be written after using the tool on one audit in the field. The field in question will be Benin, where we’ll be conducting project audits in both the South and the North. We’ll be fieldtesting in dire conditions, with sometimes limited to no internet connectivity. It will allow us to test in a very tough offline environment and see how well the exports of working programs and working paper documentation are usable and re-importable. It will also allow us to assess the tool as it supports reporting and issue follow-up.

The final review will be executed after one year of usage, both for missions at headquarters in Brussels as during missions in the field in Africa. It will allow us to assess the use of the tool in supporting a full year audit planning and based on that assessment we will decide whether or not to continue using the tool.

But why did we chose to move to electronic work papers in the first place?

I arrived a couple of months ago as CAE in an internal audit department that had been well organized by both my predecessor Dorota and her collaborator Vincent, who is now working with me. An academic party recently assessed the functioning at level three of the IIA internal audit maturity continuum. The credit for that is all theirs.

I decided to move the internal audit department from the existing paper based workflow to an electronic documentation and workflow application for the following reasons:

  • Ease of (standardized) documentation: electronic work paper systems enable easy documentation in a standardized structure
  • Consistency: the standard templates and structures and a certain rigidity of documentation requirements should result in a consistent quality of documentation. Ideally, but not solely dependent on the solution, this should lead to consistency in report quality.
  • Completeness: electronic work papers force you to go through the basics of audit planning. This, when properly executed, forces you to consider the completeness of your audit approach.

In short, we aim to take the performance of the audit department up one notch, but this would not have been possible without the excellent work of the past years.

First experiences with

In summary, I’m pleased with the performance of the tool, but there are a number of important areas of improvement which I hope the team, now they have become part of ACL, will work on.

The positive elements

Usability in different browsers – At home, I like to work in my native Mac environment, on the Safari browser. At work, I am working in a Chrome environment. Both browsers perform without any issues.

Password protection – Obvious and essential, but the login is quick, painless but adequately secured.

User configuration – Setting up new auditors and giving them specific privileges was very straightforward. Each user account is linked to an email and allows the user to enable or disable email notifications. These notifications are triggered when new to do’s assigned to them are created.

Creating new audits – One click away from the start-up screen for the account administrator, a new audit requires a name, an optional description, an audit type, the target deadline and optionally the budgetted hours. The audit types available are four types of internal control audits (Sarbox, Internal control audit, SAS 70 audit and business process reviews) and four types of workplan audits (internal audit, workplan based, royalty/licensing audits, compliance audits and other audits).
While this provides a good basis, having an even more generic activity would allow for creating “audits” for advisory projects as well. We’ve now opted to define these as “Other audit” and we’ll see where this takes us.

Audit approach structure – After creating an audit (type “workplan based internal audit”) the systems asks for the creation of audit objectives. These are then linked to a plan, which can be reviewed.
The system guides you through the creation of a workplan for each of the objectives. You start by defining the risks, which you need to assess (high, medium, low) on both impact and likelihood of occurrence. You also need to create specific audit procedures which describe how the auditors need to execute the audit (audit workprogram). By linking audit procedures to identified risks – assuming you do this diligently – you can check whether all risks are covered by audit procedures. Alternatively you can check whether you don’t plan to perform too much work if audit procedures are not attributable to risks. The audit plan needs to be signed off on by the preparer, the detail reviewer and the general reviewer. The administrator can define additional reviewers who need to sign of on this.

PBC integration – The system allows for an online creation of the PBC or prepared by client list. Each item to be requested in preparation of the audit needs to be identified separately, and can be separately tracked. Sending out the emails through the system is optional.

I’m sure I’m missing a lot of the finer points the solution has to offer, but this is a review after just one week of usage.

What I really liked about the solution is that the system forces you to consider your risks and thus really provides a completeness and relevance check on audit procedures.

Some ideas for improvement

There are a couple of remarks I have on the software. I’m sure some of them are already on the agenda of the developer, but they do annoy me. These points are based on testing in the “internal audit (workplan)” audit type definition, they may be different in other audit types.

Multiple risk entries – Whenever you’re defining risks for a new objective, you need to enter all of them all over again. No reuse of earlier risk definitions across objectives. We use a pretty standardized set of risk definitions. Having the option to define a risk register and reuse “generic” risk definitions in the different objectives would be a real time saver.

Multiple audit procedures – Identical point as above really for audit procedures. Some audit activities are pretty generic and comparable. I don’t want to invest that much time in rewriting or even copy-pasting for example a generic process assessment description which I then need to adapt. The possibility to define this once and then easily access to copy and adapt would be great.

Risk assessment requirement – I noted that I was required to enter values for impact and likelihood for each new risk I created. While a good fail-safe for complete risk evaluation, I often develop risks and workprograms before starting the audit. Risks can be added and removed, but I want to be able to enter risks without the direct obligation to assess them. A warning on the dashboard would be more than enough.

Generic activity type – We perform some supporting advisory work as well as internal audit work, and I don’t want two systems to keep my working papers. Hence, the need for a generic activity type which I can use for advisory projects. As stated above, we’ll be using the “other audits” and see how far that will take us.

Formatting – I’m a huge fan of Markdown … it is an easy to use html formatting language. Given the workpapers are in html, why not provide at least the option of using markdown instead of providing us with a very limited interface for basic rich text lay-out in the audit procedures field? +1 for the introduction of Markdown in this tool.

Header lay-out – This far, I appear to not have a color or logo choice. is basically an audit flavored document and project management tool. The reference tool (non audit) is 37Signals’ Basecamp which we considered but found slightly wanting in internal audit specifics. What Basecamp allows is customization with colors and logo’s. I would like to define a template for our working papers that show our templates conform to the guidelines our external communication department created. The colors now are blue and green … not the most pleasing for the eyes.

Working paper re-import – I have not yet figured out whether I can take an Excel workpaper export offline, fill it out and easily re-import it. If this is not possible, we’ll have to provide for some time to copy-paste our offline findings which is inefficient at best. We are on occasion offline for longer periods of time, certainly in Africa, and being able to import this easily would be a great solution.

To date and next steps

In the past 48 hours I’ve defined all audits planned for 2012 in the system. I’ve introduced an existing workprogram for field audits in one of the audits and developed a new workprogram for another.

In the coming days we’ll develop the work program for the other planned audits and start keeping time in the system. I’ll post a new blog entry on in about one month.