TeamMate Protocol for Performance Audits and Special Examinations

November 2015

Word Version

Introduction
Purpose
1. Mandatory use of TeamMate
2. Ownership of the TeamMate file
3. Naming conventions for Project Code and Project Name
4. Team communication
5. Security
6. TeamMate folders

7. Replication / merging / synchronisation / conflicts resolution
8. Tracking information requested from the entity
9. Managing electronic documents
10. Referencing paper / hard copy documents in TeamMate
11. File naming convention
12. Format of working papers
13. Sign-offs in Audit file
14. Electronic approvals in TeamMate
15. Substantiation with TeamMate

Note: In this document when we refer to “the entity,” it can also apply to multiple entities.

Introduction

This protocol has been designed to help performance audit and special examination teams use TeamMate efficiently and consistently. It was developed in accordance with professional standards and Office policies, as well as best practices. Teams are encouraged to discuss this protocol at a planning team meeting (i.e. Kick-off meeting) and may adapt it to their needs as long as they comply with professional standards and Office policies.

Purpose

The purpose of this protocol is to outline the recommended operating principles that engagement teams should agree to follow when using TeamMate.

1. Mandatory use of TeamMate

Office policy requires the use of TeamMate for all audits. Teams should work within TeamMate from the beginning to the end of the engagement.

Team members should document their work on an ongoing basis and all engagement documentation that supports findings and conclusions must be filed in TeamMate in the appropriate folder, linked to an audit procedure or working paper, and labeled according to a naming convention (see 11—File Naming Convention).

The TeamMate file must be completed within the deadlines set out in Office policies. See Assembly of the final audit file (OAG Audit 1171).

The finalized TeamMate engagement file should contain only those documents that are needed to understand the procedures performed, the evidence obtained, and the conclusions reached. All other documents should be considered “transitory,” and should not be retained in the engagement file. If the team wants to keep some of them for knowledge management purpose, they should be stored in PROxI under the appropriate knowledge of business folder.

Best practices

Documenting an audit procedure

Teams should respond to each step of an audit procedure when documenting responses in the TeamMate Results section. That is, if the audit procedure contains steps 1 through 4, the Results section should be organized to show a separate response to parts 1 through 4. If the response to a particular audit procedure is N/A, an explanation should be provided as to why the audit procedure is not applicable. Team members should also include hyperlinks to relevant working papers in their responses to procedure steps.

Teams should make full use of a Program (PRG) in TeamMate to document results. In some specific circumstances where the Results section includes many details, consideration should be given to documenting the details in a hyperlinked working paper with a summary / conclusion recorded in the Results section of the audit procedure.

Tips

“Issues” functionality

Use the Issues functionality in TeamMate to quickly gather significant results and assess their relevance.

Outlook reminder for archive date

Ensure that a team member creates reminders in the responsible team members’ Outlook calendars relating to TeamMate file archive dates. You can also do the same for other key T-Minus dates.

2. Ownership of the TeamMate file

Upon creating a new TeamMate Project, the creator becomes the Project Owner of that file. This role may be reassigned after additional team members are added.

A Project Ownership team should be defined. This team will be granted the Administrator / Project Owner access rights and should be comprised of at least one Project Owner (the administrator), a Project Manager and a Project Lead. Identifying a Manager and a Lead allows others to identify the key contact persons for the project in the TeamMate Explorer Window. As a general rule, the Project Lead should be a PX and the Project Manager a DX.

 

Members of the Project Ownership team are responsible for adding new users and assigning roles. The Quality Reviewer (QR) and internal specialists should have appropriate access to the engagement file.

The Project Owner is responsible for setting up the file and making sure it is updated according to new methodology in a timely manner and throughout the engagement when there are any changes communicated by the Direct Engagement Practice Team (DEPT) or from the Professional Practices Group. The engagement Principal (PX) is ultimately responsible for the engagement file.

Each engagement file has the following generic IDs included as defaults. The generic IDs are mandatory and must not be deleted. Note that the DEPT Group Account must be added when you create your Project.

TeamMate generic IDs

Team member Role
Administrator, IT Project Owner
Administrator, Records Project Owner
DEPT Reviewer
Auditor General Reviewer

The TeamMate file is a team file. Individual team members are responsible for their work but collectively the team is responsible for the whole file. Everyone is responsible for:

  • keeping the file up-to-date by loading information promptly,
  • knowing what’s in the file,
  • minimizing and resolving conflicts as they occur,
  • maximizing the efficient use of TeamMate as a required engagement management tool.

3. Naming conventions for Project Code and Project Name

New TeamMate Projects must be named in accordance with the following standard naming conventions for performance audits and special examinations:

For Performance Audits:

  • Project Code for entity audits: English and French Main Entity Acronym - Product Code
    • Ex. CRA-ARC - 008633
  • Project Code for Government Wide audits: GW-PG - Product Code
    • Ex. GW-PG - 009936
  • Project Name: PX Last Name - Report Title - Tabling Year
    • Ex. Salvail - Professional Services Contracting - 2012

For Special Examinations:

  • Project Code: English and French Main Entity Acronym—Product Code
    • Ex. CBC-SRC - 009743
  • Project Name: PX Last Name - SE - Reporting Year
    • Ex. Affleck - SE - 2012

4. Team communication

Being proactive about communicating and sharing information on TeamMate file content and the engagement process adds considerable value to the management of the file. When documents received by one team member for his/her line of enquiry are relevant to another team member’s line of enquiry, inform him/her of this immediately.

Teams can communicate and share TeamMate file information in a variety of ways, including (but not limited to): team meetings, using notes and / or using Team Review Mode.

Best practices

Team meetings

Conduct regular team meetings to share information on the progress of the engagement, key findings, security issues and other information.

TeamTalk Notes

When appropriate, use TeamTalk Notes to address questions or concerns, to assign tasks to other team members, and / or to review work. It is everyone’s responsibility to check notes regularly to minimize backlogs. Notes should be specifically assigned to an engagement team member.

Teams can use a priority system such as “A,” “B,” or “C” (where “A” indicates a critical note that needs immediate attention, “B” indicates a note of a less critical nature, and “C” indicates a note that is not critical). The creator of the note should include the categorization in the subject line of the note so that all notes can be sorted by importance when viewed through the note viewer window.

Team Review Mode

Team Review Mode allows two team members to use the same computer during the review process. To turn on Team Review Mode, chose Review | Team Review Mode.

5. Security

In order to maintain the confidentiality of engagements and to prevent information leaks, it is an Office requirement that proper security procedures are followed throughout all phases of the engagement.

  • Team meetings should include a discussion / reminder about security (e.g. during the Kick-off meeting).
  • Only information up to and including Protected B is allowed on the network. This means that only Unprotected (public), Protected A and Protected B information can be saved in TeamMate.
  • Protected C and classified (confidential or secret) information must not be saved in TeamMate. (See 10—Referencing Paper / Hard Copy Documents in TeamMate)
  • Top Secret information is not allowed on OAG premises.
  • It is the responsibility of the entity to classify its information / documents in terms of its security level.
  • It is everyone’s responsibility to know the sensitivity level of information they are handling. For further information on protective measures for all documents, please refer to the Office’s Security Quick Reference Card on the INTRAnet.

6. TeamMate folders

6.1 Folder structure

Folders A to F are TeamMate mandatory folders and constitute the Control File. There should be minimum alteration to these folders and related audit procedures and steps because they contain the required methodology that needs to be followed to meet Office policies and professional standards.

For the planning phase, as well as the examination phase, separate folders can be created for each line of enquiry.

For the additional folders created, teams should choose a folder structure and adhere to it—teams can modify it as appropriate during the engagement, but this should be a team decision.

6.2 Folder owners

Since subject-based folders present a risk that multiple people will attempt to record information in the same folder at the same time, it is recommended that each folder has an owner. The owner should be the person who will likely use the folder the most.

The folder owner should be responsible for adding information to the folder obtained by more occasional users and should also keep the folder organized by helping to resolve conflicts and managing folder information.

In general, team members should not be making changes in a folder without informing the owner of the folder in order to minimize conflicts. If team members need to work in the same folder, they should use replicas.

Best practices

Folder owners and responsibilities:

A folder owner should be responsible for being the lead on managing folder information by:

  • being aware of the folder’s contents,
  • facilitating folder clean-up and maintenance as required, and
  • serving as a point of contact for sharing information on the folder’s subject.

It remains everyone’s responsibility to manage information requests by completing and updating the information in TeamMate as required.

7. Replication / merging / synchronisation / conflicts resolution

Team members are encouraged to work directly in the Master (the Project) to avoid lengthy replication. If team members need to work in the same folder (PRG), one can work in the Project and the other can work on a replica.

Before creating or merging a replica into the Project, you need to ensure that no one else is already creating or merging another replica into the Project.

Tips

Verifying team activity

To verify the activity of the team, click on Admin in the menu and select Team Activity. If no one else is shown as Active, then proceed with your replica or merge. If another team member is working in the Project, contact that person to verify if he is currently creating or merging a replica. If not, you can proceed; otherwise wait until this action is completed to create or merge your replica.

All team members should regularly synchronize (sync) their replicas with the Project and should merge their replicas back into the Project when they have finished working on the section of the Project that was replicated.

Ensure that conflicts are resolved by the appropriate person when they occur. Do not leave conflicts outstanding. If you find a conflict that was created as a result of synchronization (sync), it is important that you resolve the conflict before making further edits on the conflicted document or procedure, using the Conflict Resolver tool.

8. Tracking information requested from the entity

Teams are required to keep track of information requested from the entity, using the means that they consider appropriate. This could be done using a register or using TeamMate results fields.

The original electronic filename of the document should be included—this is especially important because the engagement team will likely rename the documents with more meaningful / descriptive names when they are added to TeamMate (see 11—File Naming Convention). Recording the original filename preserves the integrity of the information sent to the team by the entity.

Below are two suggested methods of managing the tracking of information requests. Teams are encouraged to follow or develop the methods that suit their needs.

Best practices

Management of information among team members

Method #1—Each team member manages his / her own information requests.

With this method, each team member is responsible for managing his / her own information requests. Team members should communicate with each other to ensure they do not request the same information from the entity. Each team member is responsible for keeping his / her document regists up-to-date to facilitate the follow-ups on outstanding requests.

Method #2—One team member manages the information requests for the whole team.

With this method, one person on the team is designated as the owner of the information requests, manages the requests and tracks the information received from the entity for all team members.

Best practices

Tracking information requested and received

Method #1Using a register.

Team members track the information requested and received using a register. This template can be an Excel or a Word document and is completed when an information request is sent and when the documents are received. It centralizes all information requested and facilitates follow-ups when some documents are not provided by the entity.

Method #2Using TeamMate Results fields.

Team members track information requested and received using TeamMate Results fields. The documentation requests are listed in the documentation request audit procedure(s) and when the documents are provided by the entity, they are referenced in TeamMate beside the initial request. A note is added to identify when the document was received or if the information is still missing.

Illustration:

Documentation request provided on May 13, 2013 (request at H.1.1):

Corporate risk profile—H.2.1, received May 20
Meetings minutes from March 2013—H.2.3, received May 20
Program summary—not received yet

9. Managing electronic documents

Obtain electronic versions of documents from the entity whenever possible. Decisions about the relevance of documents and whether or not they should be kept in the engagement file cannot always be made as soon as the document is received. All documents collected from external sources (e.g. entities, third parties, other public sources) should be stored until a decision can be made about whether they belong in the engagement file in TeamMate.

Early in the reporting phase, the team should undertake a final review of all received external documents outside the TeamMate file. The purpose of this review is to assess, prior to the release of the report, whether any documents received but not transferred into the engagement file could affect the conclusions reached or the content of the report. This review, and subsequent conclusions or actions, should be documented in TeamMate as part of the engagement file. In accordance with current Office policies, following that review, engagement teams must dispose of transitory documents unless it is felt that retention of these documents would enhance the knowledge of the entity.

Corrupted working papers

When a working paper in the TeamMate file is determined by IT Services to be corrupted, a note to file should be prepared on the issues related to that document. If sign-off history is lost, this should also be documented to outline the sign-off history lost and approximate dates that the sign-offs were previously performed.

Password protected documents

Electronic documents that are password protected or encrypted cannot be stored in PROxI nor in TeamMate. Teams need to unprotect these documents prior to saving them.

Entity documents

Do not make changes to the electronic documents provided by the entity. If any comments or changes are needed, these should be done in a separate document. This document should be saved in TeamMate and indicate who edited the document.

MS Office documents

When you receive MS Office 2003 or 2007 documents from the audited entity, always convert them as MS Office 2010 before saving them into TeamMate.

Tips

Using TeamImage

To analyze or comment on a PDF document without altering the content of the original document, use TeamImage.

When you import a PDF file in TeamMate, save it as a TeamImage—you cannot drag and drop the file into TeamMate directly.

To get instructions on how to use TeamImage, click on the Help menu in TeamMate to access the User Guide.

Saving emails

The method used to save an email in TeamMate depends on the nature of the message and attachments.

If there are no attachments, emails should be saved in TeamMate by using the drag and drop method (.msg). Drag the email from Outlook and drop it in TeamMate in the appropriate folder and reference it in the Results section.

For emails with attachments, save the email and attachments separately on your computer. Then drag the email containing the attachments as well as the attachments themselves from your computer and drop it in TeamMate in the appropriate folder. This method will create separate working papers in your TeamMate file; these working papers should be referenced in the appropriate Results section (i.e. hyperlinks should be created).

Saving web pages

Web pages should be loaded as separate documents as opposed to simply recording the URL, since web pages may be modified, deleted, moved, or renamed.

Web pages should be saved as a “Web archive, single file (.MHT).” This format preserves the web page as a single document, and is displayed exactly as it appears on the web site when it is opened.

10. Referencing paper / hard copy documents in TeamMate

If a document needs to be kept in paper format, or if it is Protected C, Confidential or Secret, add the name of that document to the table of contents of the engagement paper file. The engagement paper file must be labeled according to the highest sensitivity level of information it contains and should be referenced in the Referencing Hard Copies audit procedure.

Documents that are only a few pages and / or that are deemed critical can be scanned and loaded into TeamMate, provided they are Protected B or lower.

Tips

Scanning documents

Consider scanning only key elements of a large document instead of the entire copy. When scanning a few pages of a large document, include the cover page and the table of contents in the scan.

Best practices

Documents that may require scanning include

  • a regularly consulted document that is critical or core to the engagement subject and is not available in electronic form,
  • a document that is expected to be used or will be used for substantiation purposes and is not available in electronic form,
  • a document with the original signature(s) of approval.

11. File naming convention

Using a file naming convention allows for easier identification of information and for more efficient review and sign-off of working papers. This is especially important given the volume of documents collected in performance audits and special examinations.

More standardization in document titles makes it easier to find information. Below are suggested standard acronyms to add at the beginning of filenames when they are created or saved in TeamMate (adapt it as needed).

Teams are encouraged to rename filenames with a name that is descriptive and summarizes the key idea, source, context of its content.

Acronym Explanation
PBE Provided by entity—Document received from the entity.
PBI Provided by entity intranet—Document obtained via the entity’s intranet site.
PUB Public document—Document obtained from the Internet.
WIP Work in progress—Document that is a preliminary draft of ideas or analysis that may or may not prove to be a final working paper. This provides an indication to other team members of the preliminary nature of the document. WIP is strictly used as a transitory name. When the document is ready to be reviewed, the acronym WIP is removed.
AWP Audit Working Paper—Document that is prepared by teams in the course of the engagement to document findings, observations, analysis, etc.
OAG Office of the Auditor General—Document that is provided by the Direct Engagement Practice Team (DEPT) or the Professional Practice Group (PPG) (i.e. templates) and ready to be used by the engagement team.
MIN Minutes of Meetings—Minutes of meetings that were prepared from an interview with the entity.

Best practices

Identifying entity specific documents

If a document is loaded in a folder that is not entity-specific and it is important to identify it as coming from a specific entity, add the entity acronym right after the acronym when adding the document to TeamMate such as “PBE-TBS-Internal Assessment.” This makes it easier to find information common to that entity.

12. Format of working papers

At the key stages of the engagement (planning, examination and reporting) define common formats for working papers to guide team members’ outputs. Working papers and project reports should link to the audit plan and audit programs.

The title of every working paper that has been created should clearly indicate that it comes from an entity-prepared document; for example, Analysis of Operations Response on project XYZ—comments by (name of OAG employee) (date).

Best practices

Common elements recommended in a working paper

While working papers do not need to follow exactly the same format, especially since different tools may be needed to analyze different kinds of information, the following common elements are recommended to be included in all working papers created by the team:

  • Statement of purpose or objective of the analysis / working paper
  • Description of the nature and extent of the work conducted
  • Indication of how the information connects to the objective(s) of the engagement (may be in the form of a conclusion when appropriate or in the context of the working paper objective)
  • Page numbers (preferably page x of y) in either the header or footer of the document
  • Filename and security level added to the header or footer of the document
  • An identification of the person who has prepared the working paper in either the header or footer of the document (Prepared by . . .)

13. Sign-offs in Audit file

In accordance with assurance standards, the work prepared by a member of the audit team must be reviewed by a more experienced team member. As a result, working papers and audit procedures prepared by a team member must be reviewed by someone other than the “preparer.”

We need to make a distinction between the documents saved in TeamMate (such as entity documents collected) and the working papers prepared in TeamMate by the team.

  • Documents saved in TeamMate (such as entity documents) can be marked as prepared by any team member and reviewed by another team member (without due regard for the level of the preparer or the reviewer). The “preparer” makes a professional judgment about the significance of the documents to the engagement file, while the “reviewer” ensures that saved documents are relevant and approriate for the engagement file.
  • The working papers prepared by a team member (such as analysis) should be marked as prepared by the audit team member and marked as reviewed by a more experienced audit team member.

It is essential that entity documents and OAG working papers (including interview notes) be signed off in a timely manner to avoid backlogs.

Tips

Saving entity documents to facilitate review

In order to facilitate the sign-off of documents provided by the entity, the received documents that are considered significant by the team can be saved in the TeamMate file by the team’s administrative assistant and being reviewed by any member of the engagement team.

Protecting a document

Use the TeamMate Freeze functionality under the Protect Schedule to protect and lock key documents once finalized. It will avoid making changes to a document that has been signed off as “reviewed.” “Frozen” documents can still be opened in read-only mode.

Right-click on the selected document, select Protect, then select the Freeze option.

14. Electronic approvals in TeamMate

In TeamMate, some procedures have been designed for multiple electronic sign offs and are used when several individuals in sequence are required to attest that a process has been completed. This applies to the Examination Approval, the Report Content Approval, and the Report Publication Approva / Approval for submission to Board.

There are two possible options for multiple sign-offs in TeamMate:

Option 1—Direct TeamMate sign-offs. The audit procedures identify the “reviewer” and contain the text of the required approval declaration. The “preparer” inserts the declaration in the appropriate Results section and the “reviewer” signs off as “reviewed.”

The “preparer,” unless otherwise specified, is the team member to whom the responsibility has been delegated by the engagement leader or audit director.

Option 2—Sign-off by email. If the “reviewer” does not have access to TeamMate, he or she can send the approval declaration text by email attaching any necessary documents.

A team member inserts the email in the Results section of the appropriate audit procedure and signs-off as “prepared” and a more experienced team member signs off as “reviewed.” Note that the email should be saved in (.msg) format to preserve the integrity of the message and any attachments.

15. Substantiation with TeamMate

Two methods can be used to substantiate in TeamMate: the first method involves the direct entry of audit evidence into the Results field, while the second method uses Substantiation Templates (see Substantiation in TeamMate available on the INTRAnet).

Need Assistance

Please contact the HelpDesk (5555) for technical assistance

Or

DEPT for methodology related questions on Performance audits / Special examinations.