Permission (General)
Overview
Authorized users (e.g., MTO coordinator) determine what a user can view and work on inside the application by assigning the user to a user group during onboarding, that is, by onboarding the user as part of the 3rd-party vendor or Authorized Requester (AR) user group. The MTO team can also control user access to specific case files while working on the audit cases inside the application.
Key functions
Authorized users (e.g., MTO coordinator, MTO audit team) can manage the following permission settings:
- Access to application and audit cases for 3rd-party vendor users
- Access to application and audit cases for AR users
- Access to cases that have been deactivated or deleted
Access to application and audit cases for 3rd party vendor users:
The dashboard is the default view when a 3rd-party vendor user logs into the application. When navigating the audit case view, the vendor user can view only the cases assigned to them. Beyond that, the 3rd-party vendor user can view only User profile, Help and Home.
The 3rd-party vendor user gains access to the detailed case files only after the MTO audit team pushes the audit case to the ‘Ready to execute’ state. A 3rd-party vendor user can view all case files available in the ‘Execution and Closing’ phase; they can upload new files and delete any files they uploaded themselves. Lastly, when an audit case is moved to the ‘Ready to finalize’ state, the user no longer has access to the audit case.
The table below summarizes permissions of the 3rd party vendor within the application and Firm Admin Portal (FAP).
| | Feature | 3rd party vendor |
|---|---|---|
| Global Navigation | View Home | Yes |
| | View Templates | No |
| | View Help | Yes |
| | View User profiles | Yes |
| | View Dashboard tab | Yes |
| | View Audit projects tab | No |
| | View Population tab/ Authorized requester | No |
| | View Population tab/ Applicant | No |
| | View Performance reports tab | No |
| | External Compliance Audit (ECA) / Audit progress - only Execution and Phasing phase and Schedule of that user | Yes |
| | ECA section full view | No |
| | Self-Serving Risk Assessment (SSRA) | No |
| | Risk Evaluation (RE) | No |
| | Pre-Audit Risk Assessment (PARA) | No |
| Audit project | Can view audit projects | No |
| | Can manage audit projects | No |
| Population /AR profile/ Applicant profile | Import from file (Incremental AR profile/ Annual transaction) | No |
| | View AR population list + AR profile | No |
| | Manage AR: Batch action (suspend/ terminate/ flag/ unflag/activate) AR in AR population + Edit AR profile | No |
| | View applicant population list + applicant profile | No |
| | Manage Applicant: Batch action (flag/unflag) applicant in applicant population. Edit applicant profile | No |
| Performance reports | View and download: all reports except for Total number of audits by staff resource | No |
| | View and download all reports | No |
| Audit case management | Can view all audit cases | No |
| | Can view all assigned audit case | Yes |
| | Can create sample pool, create/edit/sign off audit list in Initiation phase | No |
| | Can assign and set due date for audit case | No |
| | Can update audit case status (Activate on hold audit case /Put On hold audit case) for assigned audit case | No |
| | Can submit Deactivate/Delete audit case | No |
| | Can manage the submission of audit case status (Deactivate/Delete) | No |
| | Reactivate the Deactivation rejected/ Deletion rejected audit case which are assigned | No |
| | Can update audit case work state (Initiation, Preparation...) + generate audit case | No |
| Audit case detail | View audit case detail | Yes |
| Authorized portal tab in audit case detail | Sending an invitation to AR | Yes |
| | Revoke AR access | |
| | Create requests | Yes |
| | Delete any requests by users | Yes |
| | Edit description in a request by users | Yes |
| | Assign team members and clients to a request | Yes |
| | Assign due date to a request | Yes |
| | Change status of a request to "New" or "Ready for review" | Yes |
| | Change status of a request to "Completed" or "Follow-up" | Yes |
| | Upload to and download files from a request | Yes |
| | Delete files uploaded by users | Yes |
| | Add comments to a request | Yes |
| | Delete comments posted by users | Yes |
| | Edit comment in request by users | Yes |
| WP tab in audit case detail | Add new WP/attachment (for not assigned internal auditor) | No |
| | Add new WP/attachment | Yes |
| | Edit work state management (depends on the Person in Charge of the work state) | Yes |
| | Delete subphase/ phase/ WP/ attachment | No |
| | Change a working paper's editing permission | No |
| Properties tab in audit case detail (audit case profile) | View audit profile except for Audit profile | Yes |
| | View audit profile full view | No |
| | Change assigning | No |
| Common tool permission | Create CT | Yes |
| | Can remove (unlink or delete) attachments added by others | No |
| | Can remove (unlink, close, or delete) common tools added by others | No |
| Business records management permissions | Can submit archive request | No |
| | Can approve own archive request | No |
| | Can approve and reject archive request by others | No |
| | Can view archived audit cases | No |
| Firm template management | Can manage firm templates | No |
| FAP | Can access and edit all info in FAP | No |
Access to the application and audit cases for AR users:
The AR portal contains requests made by the MTO auditor/3rd-party vendor user for documentation or information required from the AR. These requests can only be assigned to a user once they have been provided with access to the portal. Access is granted either by the MTO audit team through manual invitation or by the system when cases are pushed to the ‘Ready to execute’ state.
Additionally, within the working paper view, the MTO auditor/3rd-party vendor user can choose to share specific files with the AR user. Apart from this, the AR users can only view case files if they are attached within requests present in the AR portal.
Lastly, the MTO auditor user can revoke AR portal access; once this is done, the AR user will no longer be able to access the application.
Access to cases that have been deactivated or deleted:
Users within the MTO audit team can deactivate/delete a case. After this, all users will lose access and the ability to update any data in the audit case immediately. In addition,
- 3rd party vendor: If the user is removed as an assignee from an audit case, they will be redirected to the dashboard when trying to perform any action on that audit case.
- Authorized requester: Once a case is deactivated/deleted, their access to the AR portal is revoked, and they will no longer have access to the application. Similarly, if they are removed as a user from the FAP, they will be forced to log out if they try to perform any action in the AR portal.
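The 3rd-party vendor rules described above (assigned cases only, file access limited to the ‘Ready to execute’ window, deleting only one's own uploads, and loss of access on deactivation, deletion or unassignment) can be expressed as one deny-by-default check evaluated on every request. This is an added example, not the application's own code; the class names, action names, user names and the allow-list of states are assumptions.

```python
from dataclasses import dataclass, field

# Assumption: the page names only 'Ready to execute' (access opens) and
# 'Ready to finalize' (access ends); any intermediate states would be added here.
VENDOR_OPEN_STATES = frozenset({"Ready to execute"})
VENDOR_PHASE = "Execution and Closing"

@dataclass
class CaseFile:
    phase: str
    uploaded_by: str

@dataclass
class AuditCase:
    state: str
    assignees: set = field(default_factory=set)
    active: bool = True  # False once the case is deactivated or deleted

def vendor_can(action, user, case, file=None):
    """Deny by default: return True only when every rule on the page allows it."""
    if not case.active or user not in case.assignees:
        return False  # deactivated/deleted case, or vendor not (or no longer) assigned
    if case.state not in VENDOR_OPEN_STATES:
        return False  # before 'Ready to execute', or from 'Ready to finalize' on
    if action == "upload":
        return True
    if file is None or file.phase != VENDOR_PHASE:
        return False
    if action == "view":
        return True
    if action == "delete":
        return file.uploaded_by == user  # vendors delete only their own uploads
    return False  # unknown action

def demo():
    """Walk one constructed case through its lifecycle and record each decision."""
    case = AuditCase(state="Preparation", assignees={"vendor_a"})
    own = CaseFile(VENDOR_PHASE, "vendor_a")
    other = CaseFile(VENDOR_PHASE, "mto_auditor")
    out = {"before_execute": vendor_can("view", "vendor_a", case, other)}
    case.state = "Ready to execute"
    out["view_other"] = vendor_can("view", "vendor_a", case, other)
    out["delete_other"] = vendor_can("delete", "vendor_a", case, other)
    out["delete_own"] = vendor_can("delete", "vendor_a", case, own)
    out["unassigned"] = vendor_can("view", "vendor_b", case, other)
    case.state = "Ready to finalize"
    out["after_finalize"] = vendor_can("view", "vendor_a", case, own)
    return out
```

Because the check reads the case's current state and assignee list on each call, a state change or unassignment takes effect on the vendor's next action without any session-level revocation step.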