Core concepts
Mawidabp has its own vocabulary. Knowing these terms saves time when reading the rest of the documentation and when talking to the team. All the entities below relate to each other through the audit lifecycle.
Organization
Top-level entity that groups all the information: business units, users, plans, reviews, and findings. Each organization is accessed through its own URL of the form <organization>.mawidabp.com (for example, demo.mawidabp.com). A single user can belong to multiple organizations.
A corporate organization has cross-cutting access to every organization in an instance.
Organizational unit and business unit
The organizational unit is a grouping level (for example: Central Processes, Branches, IT). The business unit is the concrete auditable unit (Treasury, Accounting, Loans). Audit projects are always tied to a business unit.
Period
Time window in which work is planned: monthly, quarterly, yearly, whatever the organization decides. Every risk assessment and every work plan lives inside a period.
Work plan
Set of projects to execute in a period. Each project has dates, estimated human and material resources, an associated business unit, and optional tags.
Risk assessment
Optional step before the plan. Rates each unit or process by configurable attributes (impact, probability, or whatever the organization defines). Produces a matrix and a heatmap that help decide what to audit first.
Review
Concrete audit work on a project from the plan. Each review has a code, a period, an associated project, users (auditor, supervisor, auditee), and a workflow.
Workflow
Set of control objectives that will be reviewed inside a review. It is built by picking pieces from the best practices library.
Control objective
Concrete control point that the auditor evaluates. It has associated tests (design, compliance, and substantive), a 0-to-10 score, and supporting working papers.
Working paper
Electronic evidence attached to a control objective or to a finding. It can be any format: MS Office, PDF, image, audio, video, or Google Docs. It is coded automatically (PTOC 001, PTO 001).
Finding
Umbrella term for what the auditor detects during execution. It splits into two:
- Issue: deviation from an expected control. Requires corrective action from the auditee.
- Improvement opportunity: suggestion that does not imply non-compliance, but adds value.
Both share the same handling: unique code, statuses, owners, dates, evidence, and dialogue between auditor and auditee.
Finding statuses
- Incomplete (draft): the auditor is still putting it together; the auditee does not see it yet.
- Notify: the system emails the responsible parties.
- Being implemented: the auditee has an action plan and a committed date.
- Implemented: the auditee submitted evidence; auditor review is pending.
- Implemented/Audited: closed with the supervisor's approval.
- Cancelled, Dismissed, Differs in criteria, Risk assumed: alternative final statuses, each with its own reason.
Interview
Record of the conversations with auditees at the start and at the close of a review. Optional, but useful to keep traceability of initial agreements and verbal conclusions.
Draft audit report and final audit report
The draft audit report can be created at any point during execution to start communicating findings to the auditee. To approve it, the system validates that all required fields are complete.
The final audit report can only be created from a previously approved draft and only by the supervisor. Once issued, the fields are frozen.
Auditor and auditee
Two user types with very different views:
- The auditor (and its variants: supervisor, manager, senior auditor) can work in every module.
- The auditee only sees the Follow-up module and the issues assigned to their profile.
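The finding statuses, the draft/final report rules and the auditor/auditee split above are really a set of invariants: drafts are invisible to the auditee, alternative final statuses carry a reason, only a supervisor closes a finding as Implemented/Audited, a draft is approved only with its required fields complete, and a final report is issued only by a supervisor from an approved draft and is then frozen. The following model is an added example written for this page, not Mawidabp's code: the allowed forward transitions, the role names, the required report fields and the class and function names are assumptions made for the demonstration.

```python
"""Illustrative model of the finding and report lifecycle described above.
Added example, not Mawidabp's code: the transition table, role names and
required field names are assumptions made for this demonstration."""
from dataclasses import dataclass
from types import MappingProxyType
from typing import Optional

# Status names come from the page; the ordering of the regular path is assumed.
INCOMPLETE = "Incomplete"
NOTIFY = "Notify"
BEING_IMPLEMENTED = "Being implemented"
IMPLEMENTED = "Implemented"
AUDITED = "Implemented/Audited"
ALTERNATIVE_FINAL = {"Cancelled", "Dismissed", "Differs in criteria", "Risk assumed"}
FINAL = ALTERNATIVE_FINAL | {AUDITED}

# Assumed allowed forward transitions between the regular statuses.
NEXT = {
    INCOMPLETE: {NOTIFY},
    NOTIFY: {BEING_IMPLEMENTED},
    BEING_IMPLEMENTED: {IMPLEMENTED},
    IMPLEMENTED: {AUDITED},
}

SUPERVISOR_ROLES = {"supervisor", "manager"}  # assumed role names
REQUIRED_REPORT_FIELDS = ("title", "scope", "conclusion")  # assumed fields


class LifecycleError(Exception):
    """Raised when an action would violate one of the lifecycle invariants."""


@dataclass
class Finding:
    code: str
    status: str = INCOMPLETE
    reason: Optional[str] = None

    def visible_to(self, role: str) -> bool:
        # Drafts are hidden from the auditee; every other status is visible.
        return role != "auditee" or self.status != INCOMPLETE

    def transition(self, new_status: str, actor_role: str,
                   reason: Optional[str] = None) -> str:
        if self.status in FINAL:
            raise LifecycleError(f"{self.code}: {self.status} is a final status")
        if new_status in ALTERNATIVE_FINAL:
            # Alternative final statuses each carry their own reason.
            if not reason:
                raise LifecycleError(f"{new_status} requires a reason")
            self.status, self.reason = new_status, reason
            return self.status
        if new_status not in NEXT.get(self.status, set()):
            raise LifecycleError(f"{self.status} -> {new_status} is not allowed")
        if new_status == AUDITED and actor_role not in SUPERVISOR_ROLES:
            # Closing with audit needs the supervisor's approval.
            raise LifecycleError("only a supervisor can close as Implemented/Audited")
        self.status = new_status
        return self.status


@dataclass
class DraftReport:
    fields: dict
    approved: bool = False

    def approve(self) -> bool:
        # Approval validates that every required field is complete.
        missing = [f for f in REQUIRED_REPORT_FIELDS if not self.fields.get(f)]
        if missing:
            raise LifecycleError(f"draft cannot be approved, missing: {missing}")
        self.approved = True
        return self.approved


@dataclass(frozen=True)
class FinalReport:
    # Frozen dataclass plus a read-only mapping: fields cannot change once issued.
    fields: MappingProxyType

    @classmethod
    def issue(cls, draft: DraftReport, actor_role: str) -> "FinalReport":
        if not draft.approved:
            raise LifecycleError("final report needs a previously approved draft")
        if actor_role not in SUPERVISOR_ROLES:
            raise LifecycleError("only a supervisor can issue the final report")
        return cls(MappingProxyType(dict(draft.fields)))


def run_demo() -> str:
    """Walk one finding through the regular path and issue a final report."""
    finding = Finding("O001")
    for status, role in ((NOTIFY, "auditor"), (BEING_IMPLEMENTED, "auditee"),
                         (IMPLEMENTED, "auditee"), (AUDITED, "supervisor")):
        finding.transition(status, role)
    draft = DraftReport({"title": "Treasury review", "scope": "Q1", "conclusion": "ok"})
    draft.approve()
    FinalReport.issue(draft, "supervisor")
    return finding.status


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is that every rule on the page is enforced in the object that owns the state rather than in the screens that display it, so a request that skips the form (or a user with the wrong role) still cannot reach a final status, see a draft, or edit an issued report.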
Relationships between concepts
Organization → Period → Plan → Review → Control objectives → Findings
- An organization contains business units.
- A period groups plans.
- A plan groups projects, and each project is tied to a business unit.
- A review executes a project through a workflow.
- The control objectives are scored and may produce findings.
- Findings are managed until closure in the follow-up module.