Guidance

Creating and managing audit users in the Compliance Audit System

Updated 18 October 2021

Applies to England

漏 Crown copyright 2021

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: [email protected].

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at /government/publications/using-the-compliance-audit-system/creating-and-managing-audit-users-in-the-compliance-audit-system

1. Accessing the Compliance Audit System and managing audit users

Provider users who already have an Investment Management System (IMS) account will be able to log in as long as they have been given the appropriate authority by their security administrator. Independent Auditors will need a user account specific to each provider they are auditing.

1.1 If you鈥檝e forgotten your password or User ID

You can reset passwords from the sign in screen by clicking on the 鈥業鈥檝e forgotten my User ID鈥� or the password link. An email will be sent enabling the user to reset their password. This email is valid for 24 hours.

For more support, you can read the Investment Management System guidance

1.2 Compliance Audit system training video: creating and changing IMS users

2. Create a Provider Compliance Audit user

In order to create a Provider Compliance Audit user, the provider鈥檚 IMS Security Administrator must assign the 鈥淩P Compliance Audit Provider鈥� authority to the user鈥檚 IMS account in the IMS Security Module.

The Compliance Audit Provider Authority enables a user to view and amend provider contact details in the Compliance Audit module, and perform Compliance Audit tasks such as creating, certifying and deleting Independent Auditors and submitting provider responses to the Independent Auditor鈥檚 findings. Please ensure that only 鈥淎uthorities鈥� are given to the user not 鈥淩oles鈥�. Assigning 鈥淩oles鈥� will prevent them from accessing the system.

It is also possible to set up users with view-only access (to view findings, responses, etc. but not make any changes or perform tasks). This access is granted by assigning the 鈥淩P Compliance Audit Provider View-only鈥� authority. Please consider providing view-only access for any users who do not need to perform system actions. Again, no 鈥淩oles鈥� should be assigned to a user with the Compliance Audit Provider authority

Please be aware that logging into the Compliance Audit System as the Security Administrator will bring up a message stating 鈥測ou do not have any IMS services鈥�.

3. View and modify provider contact details

The main contacts details for the provider are managed from the 鈥淧rovider Contact Details鈥� screen. This can be accessed through the dashboard screen.

It is important that all of the contact details in the screen are kept up to date. In particular, if the Compliance Audit Lead contact leaves their post or is temporarily unavailable, it is important that an alternative contact is entered in their place. Please note there is an optional field for Secondary Compliance Audit lead. Completing both Primary Compliance Audit Lead and Secondary Compliance Audit Lead will reduce the risk of the provider missing important communications regarding the Compliance Audit programme.

It is recommended that all the Compliance Audit Leads have an IMS user account with the 鈥淩P Compliance Audit Provider鈥� authority. Where the lead contact is unavailable and there is no replacement member of staff with a Compliance Audit user ID, the provider Security Administrator should create a new user.

3.1 Compliance Audit System training video: update provider contact details

4. Creating Independent Auditor users

Independent Auditor appointments need to be of an organisation which is regulated by one of the four agreed bodies 鈥� ICAEW (Institute of Chartered Accountants in England and Wales), ACCA (Association of Chartered Certified Accountants), RICS (Royal Institution of Chartered Surveyors) or CIPFA (Chartered Institute of Public Finance and Accountancy).

For more information, read the Programme Management chapter in the Capital Funding Guide.

The Provider Compliance Audit lead logs into the Compliance Audit system, and is presented with the dashboard screen below. The Compliance Audit lead must complete the screens relating to the first two links on the dashboard 鈥� Provider Contact Details and Audit setup. These screens must be completed before the Provider Compliance Audit Lead can set-up an Independent Auditor.

The Independent Auditor set up screen is accessed through the 鈥業ndependent Auditor List鈥� link on the dashboard.

4.1 Compliance Audit system training video: setting up and removing independent auditors

5. Adding a new Independent Auditor

To add an Independent Auditor, click on the 鈥淎dd Independent Auditor鈥� button and follow these steps:

  1. Complete screen, filling the first name, surname and email address for the Independent Auditor. Then, read and accept conditions. By accepting the conditions and saving an IMS Account is created. A message will be displayed on screen to say that this has been completed and a system generated email is sent to the new Independent Auditor user giving details of how they access the system and enabling them to create a password for their new account.

  2. Navigate back to the 鈥淚ndependent Auditor List鈥�, by clicking on the 鈥淚ndependent Audit set-up鈥� link at the top right of the screen . The new account is displayed in the Independent Auditor list along with the Independent Auditor User ID (that the Independent Auditor will need to log in to the Compliance Audit System).

Please note, the user account created by this process can also be managed in the IMS security module and can be deleted by the provider鈥檚 IMS Security Administrator.

6. Certifying existing Independent Auditor users

In some cases, there may be Independent Auditors already present on the Independent Auditor setup page from the previous year鈥檚 audit, they will not have a Provider Certification date.

  1. Existing Independent Auditor users can be certified by selecting the relevant name from the list. This then takes the user to the same certification screen above 鈥� 鈥淐reate new Independent Auditor鈥� - which they should complete
  2. To confirm Provider Certification is complete for the 鈥淚ndependent Auditor鈥�, navigate back to the 鈥淚ndependent Auditor List鈥�, by clicking on the Independent Audit set-up link at the top right of the screen.

Only Independent Auditor individuals certified by a provider will be able to access the Compliance Audit system for that provider. Independent Auditor individuals whose accounts are subsequently deleted from Compliance Audit System or from the IMS Security Module will cease to appear in the Independent Auditor List, and there will be no record of their certification in the system.

7. Deleting an Independent Auditor user

In the Independent Auditor list screen press the 鈥淒elete鈥� button and this will remove the Independent Auditor user.

Back to top