
RSA Archer Audit Management 5

Overview Guide
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
http://www.emc.com/support/rsa/index.htm.
Trademarks
RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and EMC are either registered trademarks or trademarks of EMC
Corporation ("EMC") in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-party licenses
This product may include software developed by parties other than RSA.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2014 EMC Corporation. All Rights Reserved. Published in the USA.
June 2014

Contents

Preface
  About This Guide
  RSA Archer Documentation
  RSA Archer Audit Management Data Dictionary
  Support and Service
  Other Resources
Chapter 1: Solution Overview
  RSA Archer Audit Management Solution Overview
  Business Need
  RSA Archer Audit Management Solution Features
  RSA Archer Audit Management Solution Components
  RSA Archer Audit Management Solution Architecture Diagram
  Solution User Groups and Access Roles - Primary Users
  Solution User Groups and Access Roles - Secondary Users
Chapter 2: Solution Components
  Audit Planning Subsolution
    Audit Entity Application
    IA Engagement and Assessment Results Application
    Plan Entity Application
    Audit Plan Application
  Audit Engagements Subsolution
    Audit Engagement Application
    Audit Program Library Application
    Audit Workpaper
  Staffing Management Subsolution
    Expense Reports Application
    Contacts Application
    Base Availability Application
    Timesheet Task Application
    Training Application
    Degrees and Certifications Application
  Schedule Management Subsolution
    Appointment
  Quality Management Subsolution
    Internal Audit Customer Survey Questionnaire
    Internal Audit Department Annual Review Application
    Internal Audit Quality Assurance Review Checklist Questionnaire
    Question Library Application


Preface

About This Guide


This guide contains information that helps RSA® Archer™ GRC administrators
understand the RSA Archer Audit Management™ solution. It provides information
about the solution, any subsolutions, and the applications.
This guide assumes the reader is knowledgeable about the GRC industry and
RSA Archer GRC.

RSA Archer Documentation


You can access the RSA Archer documentation from the RSA Archer Exchange
and RSA Archer Community.

Documentation: Platform
Location: On the RSA Archer Community at https://community.emc.com/community/connect/grc_ecosystem/rsa_archer

Documentation: Solutions, Applications, and Content
Location: On the Content tab of the RSA Archer Exchange at https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange

RSA continues to assess and improve the documentation. Check the RSA Archer
Community and RSA Archer Exchange for the latest documentation.

RSA Archer Audit Management Data Dictionary


The RSA Archer Audit Management Data Dictionary contains configuration
information for the solution.
You can obtain the Data Dictionary for the solution by contacting your RSA Archer
Account Representative or calling 1-888-539-EGRC.


Support and Service


Customer Support Information: www.emc.com/support/rsa/index.htm

Customer Support E-mail: archersupport@rsa.com

Other Resources
RSA Archer Community enables collaboration among GRC clients, partners, and
product experts. Members actively share ideas, vote for product enhancements, and
discuss trends that help guide the RSA Archer product roadmap.
https://community.emc.com/community/connect/grc_ecosystem/rsa_archer
RSA Archer Exchange is an online marketplace dedicated to supporting GRC
initiatives that delivers on-demand applications with service, content, and
integration providers to drive the success of RSA Archer clients.
https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_
exchange
RSA Solution Gallery provides information about third-party hardware and software
products that have been certified to work with RSA products. The gallery includes
Secured by RSA Implementation Guides with instructions and other information
about interoperation of RSA products with these third-party products.
https://gallery.emc.com/community/marketplace/
RSA SecurCare Online (SCOL) provides unlimited access to a wealth of resources
on the Web, 24 hours a day. The secure system provides members access to a
support knowledgebase, to download current platform patches and bug fixes, to sign
up for notifications, to manage your support cases and more.
https://knowledge.rsasecurity.com/cleartrust/ct_logon.asp?CTAuthMode=BASIC&language=en&CT_ORIG_URL=https%3A%2F%2Fknowledge.rsasecurity.com%3A443%2F&ct_orig_uri=%2F


Chapter 1: Solution Overview

RSA Archer Audit Management Solution Overview


Use the RSA® Archer® Audit Management solution to do the following:
• Manage your complete audit lifecycle in one tool, from audit planning to execution and wrap-up.
• Govern audit-related activities, such as reporting to management and the audit committee.
• Integrate with other risk and control functions.
• Use a consistent, standards-driven, risk-based audit approach to drive greater efficiency in the execution of the audit plan.
• Perform risk-based prioritization of your audit universe.
• Manage resource scheduling and staffing on engagements.
• Perform audit engagements and audit testing, manage workpapers, and create audit reports.
• Track findings, remediation plans, and exception requests.
• Improve the efficiency of your audit department.
• Complete better-scoped, risk-based audits more effectively, increase the reliance that regulators and external auditors place on IA's work, and decrease external audit fees.

Business Need
Internal Audit (IA) professionals serve a high profile set of stakeholders that
include senior management, the board of directors, and external auditors. These
stakeholders expect that IA not only demonstrate a broad and deep knowledge of
the organization and the risks that it faces, but also that IA teams remain dynamic
and flexible in the face of changing business conditions, coordinate effectively with
other risk and assurance functions, and remain independent and objective while
demonstrating a high level of professional proficiency. Internal auditors also
frequently need to work offline on a laptop.

RSA Archer Audit Management Solution Features


RSA Archer Audit Management contains the following features:
• Offline Access. Offline access enables you to conduct audit engagements in an offline mode on a laptop. Working offline does not require a connection to the RSA Archer GRC Platform. You can add and update records just as if you were working directly in the GRC Platform. Data is stored in a local RSA Archer instance on the laptop and then synchronized to the GRC Platform later. Note that while offline, engagement data (workpapers, findings, and so on) resides on the laptop itself, so endpoint protection of that device, such as disk encryption, matters.
• Scheduler. Scheduler works with the Appointment application, allowing you to schedule and monitor resources for audit engagements by appointment. Data from the Timesheet Task application is reported against the Appointment application.

RSA Archer Audit Management Solution Components


Audit Planning subsolution
• Audit Entity application
• Audit Plan application
• IA Engagement and Assessment Results application
• Plan Entity application

Audit Engagements subsolution
• Audit Engagement application
• Audit Program Library application
• Audit Workpaper application

Staffing Management subsolution
• Expense Reports application
• Contacts application
• Base Availability application
• Timesheet Task application
• Training application
• Degrees and Certifications application

Schedule Management subsolution
• Appointment application

Quality Management subsolution
• Internal Audit Customer Survey questionnaire
• Internal Audit Department Annual Review application
• Internal Audit Quality Assurance Review Checklist questionnaire
• Question Library application


RSA Archer Audit Management Solution Architecture Diagram


The following figure shows the relationships between the subsolutions, applications,
and questionnaires that make up the RSA Archer Audit Management solution.


Solution User Groups and Access Roles - Primary Users


The following table lists the primary users for the RSA Archer Audit Management
solution. For specific access rights assigned to each group, see the Data Dictionary.
Depending on your company's audit needs, these roles and responsibilities may
vary.

Audit Executive Management: Includes members of the Audit Committee and enables users to fulfill their oversight responsibilities by viewing real-time information about the status of IA and reporting that status to the Board of Directors.

Audit Managers: Oversees and participates in defining the audit universe, performing and approving audit entity risk assessments and audit plans, planning the audit engagement, and executing audit engagements. These users can include the Chief Audit Executive, Audit Director, Audit Manager, and Audit Lead.

Audit Lead: Performs audit engagements, documents testing in workpapers, creates findings and audit reports, and oversees the work of audit staff by reviewing their work and creating review comments. The Audit Lead also tracks time and expenses spent on engagements.

Audit Staff: Works on audit engagements, documents testing in workpapers, drafts reports, and generates findings, remediation plans, and exception requests. They also track time and expenses spent on engagements. This role can include the lead auditor and internal auditors.

Solution User Groups and Access Roles - Secondary Users


The following table lists the secondary users for the RSA Archer Audit
Management solution. For specific access rights assigned to each group, see the
Data Dictionary. Depending on your company's audit needs, these roles and
responsibilities may vary.

Audit Administrator: Provides create, read, update, and delete access rights for other users. These users may also modify the RSA Archer Audit Management solution to fit the organization's needs. Because this role both grants access to others and changes the solution's configuration, it is a privileged role; keep its membership small and separate from the auditing roles listed above.

External Auditor: Reviews past IA audit engagements or the performance of the IA organization as a whole. These users include various levels of staff and management from an external audit firm.

Business Contacts: Provides access for business contacts, sometimes called auditees, enabling them to actively participate in the audit engagement. A Business Contact is often a business owner given read access to audit findings. These users create and update exception requests and remediation plans to address findings raised by IA during the engagement.


Chapter 2: Solution Components

Audit Planning Subsolution


The Audit Planning subsolution allows you to capture all audit entities that could be
the subject of audit scrutiny, assess their risk, and determine their inclusion in a
subsequent audit plan covering a given time period, such as a quarter or year.

Audit Entity Application


The Audit Entity application provides a single, centralized location to capture
details about each area that could be the subject of audit scrutiny, such as business
processes, organizational units (such as departments), specific topics (such as a
regulation, for example FFIEC), IT infrastructure and applications, or other individual
areas.
Through the Audit Entity application, you can:
• Define each audit entity and create a "universe" of audit entities.
• Scope each audit entity by relating the entity to cross-referenced records in the Enterprise, Risk, Policy, and Compliance Management solutions.
• Assign audit and business ownership to each audit entity.
• Perform audit entity risk assessments.
• Compare audit's risk assessments to management's assessments of risk.

IA Engagement and Assessment Results Application


The IA Engagement and Assessment Results application captures historical audit
engagement and risk assessment results for the Audit Entity for purposes of
maintaining integrity, reporting, and comparing historical information.
The application is populated with historical data by an Archer-to-Archer data feed
and presents it in trending charts. The trending charts hold two years of data and
allow you to view and track all changes to the content of specific fields, including
changes to risk assessment answers made before the data feed creates the
historical record.


Plan Entity Application


Once an Audit Entity is identified as a target for an audit engagement, based on
factors such as risk (from the audit entity risk assessment), regulatory scrutiny, or
strategic value, the entity is included in an Audit Plan. The Plan Entity application
allows you to associate an Audit Entity with an Audit Plan by creating an
individual plan entity record that can be edited and updated as necessary.
• The Plan Entity record captures the name of the Plan Entity, planned hours and expenses, and the type of audit engagement and resource type.
• The Plan Entity record cross-references the Audit Entity to the Audit Plan.

Audit Plan Application


The Audit Plan application allows you to create and manage Audit Plan records.
The Audit Plan record includes a plan name, description, and estimated start and
end date. To include items in the plan, you associate records from the Plan Entity
application. The Plan Entity record creates a link between previously defined Audit
Entity records and the Audit Plan record. The Audit Plan enables you to capture and
track other information for the Audit Plan, such as plan hours and expenses. The
Audit Plan contains a workflow for review and approval, links to audit
engagements, and enables ongoing management and reporting on the Audit Plan.
This structure facilitates approval of the plan by, and reporting to, the Audit
Committee, communication with management, and ongoing monitoring of the
overall status of the audit plan.

Audit Engagements Subsolution


The Audit Engagements subsolution allows you to manage the entire lifecycle of
performing an audit engagement.

Audit Engagement Application


The Audit Engagement application serves as Internal Audit's mechanism for
creating, managing, tracking, and reporting on individual audit engagements. The
application allows users to determine the audit engagement’s scope, schedule and
staff resources for the audit, create and manage workpapers, perform audit testing,
document findings, and draft the audit report. This can all be done in an online or
offline mode.


Audit Program Library Application


The Audit Program Library application provides a repository to create and house
audit programs and related audit procedures for use on multiple audit engagements.
When you select audit programs with corresponding audit procedures, RSA Archer
makes copies of the audit programs and procedures for audit engagements and
creates workpapers for documenting testing and results.
Through the Audit Program Library application, you can:
• Capture audit program and test objectives, detailed procedures, and estimated time for testing.
• Relate audit procedures to your organization's risks and the control procedures to be tested.
• Maintain standard and consistent audit programs to be used across all audit engagements.

Audit Workpaper
The Audit Workpaper application provides a method for documenting testing using
the steps outlined in audit programs and related procedures for a specific audit
engagement. The Audit Workpaper application is designed to mirror the Audit
Program Library, in that you can create project-specific versions of standard audit
programs and procedures and use them to document your testing. This approach
allows audit department management to maintain consistency of audit procedures
across engagements by leveraging the Audit Program Library while enabling
auditors to customize or add procedures to fit the needs of the engagement on which
they are working.

Staffing Management Subsolution


The Staffing Management subsolution allows you to manage IA team member
availability and schedules (including internal and external resources), track staff
credentials, schedule audit engagements and team resources, report on staffing and
scheduling gaps, and monitor utilization.

Expense Reports Application


The Expense Reports application stores and maintains all expense reports, which
are composed of individual records called expense slips. This application also
contains workflow for review, where a designated reviewer may approve or deny
expenses and provide review comments.


Contacts Application
The Contacts application serves as a central repository for contact information,
allowing you to document information about audit staff, such as their skills and
roles, as well as information about other internal and external contacts that need to
be involved in the audit process. The Contacts application is utilized across multiple
areas of the RSA Archer GRC Suite and contains information that is often
leveraged by other solutions. Updates to an individual's profile record within this
application are automatically propagated to any records where that contact
information is displayed.

Base Availability Application


The Base Availability application allows you to capture the general availability of
each member of your audit team and view information related to the contact record,
such as position start and end dates, employment type (full-time, part-time), and days and
hours per week the contact typically works. Records in the Base Availability
application affect the calculation in the Estimated Resource Utilization report,
which helps you effectively determine the utilization of and allocate resources to
audit engagements.

Timesheet Task Application


The Timesheet Task application allows auditors to capture their actual time spent
on audit tasks and in each phase (testing, wrap-up) of an engagement. Time reported
against an engagement rolls up to that engagement, and all time is categorized as
billable or non-billable, with non-billable categories such as vacation, sick time, or
training.

Training Application
The Training application allows you to capture team members' training history and
the Continuing Professional Education (CPE) credits they have obtained toward
renewing professional certifications. This application is used to help assign audit
staff with the appropriate background to specific audit engagements and tasks.

Degrees and Certifications Application


The Degrees and Certifications application allows you to capture information about
team members' education, certifications, and degrees, in order to help assign audit
staff with the appropriate background to specific audit engagements and tasks. You
can track issue and expiration dates, if Continuing Professional Education (CPE) is
required, and other information.

Schedule Management Subsolution


The Schedule Management subsolution enables you to schedule resources for audit
engagements in addition to managing appointments for all resources.


Appointment
This application enables management to schedule and monitor resources for audit
engagements by appointment. Managers can view scheduled appointments for all
resources. Auditors can view the appointments to which they are scheduled.
Appointments are displayed in a Gantt chart by start and end dates for billable or
non-billable time.
Timesheet tasks that auditors subsequently report as they perform work on the
engagement are recorded against the Appointments.

Quality Management Subsolution


The Quality Management subsolution allows you to establish a quality assurance
and improvement program designed to evaluate internal audit's conformance with
the Institute of Internal Auditors (IIA) Definition of Internal Auditing and the IIA
Standards.

Internal Audit Customer Survey Questionnaire


This questionnaire documents the results of customer surveys that are sent to the
audit customer at the conclusion of the audit engagement. The survey includes
questions on the professional proficiency of IA staff, the scope of work on the
engagement, the performance of the audit work, and the overall management of the
internal audit department. The submitter of this survey is intended to be the primary
business owner or owners on whose areas the audit focused.

Internal Audit Department Annual Review Application


The primary purpose of this survey is to assess the IA department’s adherence to
the Attribute Standards of the IIA, which focus on the purpose, authority, and
structure of the IA department.
This survey is configured with two standard sets of questions to evaluate:
• The Internal Audit Department charter, policies, and the reporting structure of the IA department.
• Internal auditor proficiency, coordination with other assurance functions, performance of risk assessments, and overall understanding of the organization that they serve.

Internal Audit Quality Assurance Review Checklist Questionnaire


This questionnaire is used to document the quality assurance review of both the
audit engagement and the audit team at the conclusion of the engagement. This
survey includes questions on project administration and documentation, the overall
effectiveness of the engagement, the issuance of the audit report, and other
administrative matters. The manager of the audit project is the intended submitter of
this survey, with reviews performed by an IA director or the Chief Audit Executive.


Question Library Application


The Question Library application supports RSA Archer Audit Management. The
application documents assessment questions linked to authoritative sources, control
standards and risks. You can use these questions as often as you like in any type of
assessment.
Through the Question Library application, you can:
• Import your existing questions, use pre-loaded question packs from the RSA Archer GRC Content Library, or enter questions manually through the application's web-based interface.
• Assign questions to categories and apply filter properties that you can later use to create question display rules.
• Assign correct answers, numeric answer values, and question weighting.
• Link questions to authoritative sources and control standards in the RSA Archer Policy Management solution.
• Link questions to statements of risk in the RSA Archer Risk Management solution.
