audit assignment planning

Audit planning: Why is it important and what are the best practices for success?

Audit planning is the essential first step in the audit process, the foundation of a successful audit. Plan effectively, and your entire audit workflow will be made smoother and swifter. Get the process right, and your fieldwork, analytics, issue management and reporting will be more robust, comprehensive and accurate. Planning enables you to identify the key risks and controls your audit should cover, ensuring nothing is missed. The benefits cannot be underestimated. “Fail to plan and plan to fail” is a well-known maxim: but what should the audit planning process be? What does best practice look like? There are numerous factors to consider when planning an audit; here, we look at what they are, examine the benefits of the audit planning phase, and explore what audit planning software  should deliver to help.

What Is Audit Planning?

Internal audits and control are vital, but they can be costly and complex without the proper structure. Whether you are auditing for your internal control purposes or complying with external regulations like Sarbanes-Oxley , effective audit planning enables you to bring order to the process and focus on the right risks to drive strategic insight. Audit planning should be your first step when starting an audit. Done effectively, it will drive efficiency across your entire audit workflow; it should encompass the audit’s scope, nature, and timing. Planning your audit ensures that all areas of the process are covered and given appropriate attention. It can also help you identify any potential problems or obstacles with the auditing process, map out activity so that it is carried out in a timely way, and manage your audit workflow for maximum efficiency.

Why Is It Important?

Businesses today face numerous and evolving risks. Effective audit planning ensures that you measure the right risks — and as a result, derive the strategic insights you need to manage and mitigate the threats your business faces. In a world of ever-increasing governance, risk and compliance obligations, your audit process cannot be a tick-box exercise. It’s a real-world measurement of your ability to manage your business processes and policies and the controls you put in place to measure them. Your audit process needs to deliver value to your board and top executives; effective audit planning will allow you to achieve this.

Benefits of Audit Planning

Taking the necessary steps will:

• Identify priority areas to ensure you focus where it matters.
• Make audit workflows and processes more efficient.
• Help you to identify — and engage at an early stage — key process owners, and your “first line of defense” reduces costs by minimizing duplicate work.
• Identify where manual and repetitive internal controls work can be automated, increasing robustness and assurance.
• Enable you to pinpoint and capture the metrics you need to measure and manage enterprise risk across your organization.
• Drive optimum scheduling and project management.
• Audit planning helps you approach the audit process. You may be transitioning from paper-based, spreadsheet-led auditing processes to a more integrated, risk-driven approach. You may already use technology solutions to support your audits.

Whatever your approach, planning minimizes wasted time and duplication and brings crucial focus to the audit process.

What Is Best Practice in Audit Planning?

So you’ve identified audit planning as the holy grail for a successful audit. What happens next? — you may be wondering how to do it, what the essential steps are and whether you can draw on a best practice example to help you.

5 Best Practice Steps

• Assemble your team. Who needs to be involved in the audit planning phase? Ensure you include the right people — those with a comprehensive understanding of the audit and control process and the right skillsets and experience.
• Assess the risks you face. What is the scope of your audit? Your planning needs to capture all the areas that need to be audited to ensure a comprehensive approach. What are your high-priority risks, either because they’re particularly material or more frequently occurring? Review previous years’ audits and identify any new risks that have arisen since the last one.
• Decide on your audit approach. This will be determined by how you manage audits (using software or manual processes, or a combination of both), how you categorize the risks identified in step 2, and the resources at your disposal.
• Brief your audit team — ensure they are clear on their roles, your process, timescales and next steps.
• Create a risk-based audit plan for your entire audit universe, including an activity schedule, to ensure a smooth and comprehensive audit process.

Best Practice and Audit Planning Tools

Best practice audit planning will cover the steps above, giving you complete oversight of your risk landscape and the controls that your organization uses to manage its risks. Many businesses are turning to audit planning tools and audit management software to manage this planning process and the broader audit. Employing software can bring structure and rigor to the audit, including your audit planning process; good audit workflow software supports planning, scheduling and project management, and document management — capturing a library of past audits and templates that minimize rework and maximize consistency. The latest audit software can be used offline or via apps, enabling you to conduct planning and fieldwork on-site. Harness technology to send requests and reminders to members of the audit team, and speed reviews and sign-offs. From planning through to the entire audit, the innovation and technology characterized by Diligent’s audit solutions are making the modern audit process quicker, simpler and more reliable. You can keep up to date with all the latest innovations in audit planning, audit processes and audit technologies — as well as other governance, risk and compliance hot topics, in Diligent’s GRC Newsletter . You can sign up for the newsletter here .

Solutions Solutions

• Board Management
• Enterprise Risk Management
• Audit Management
• Market Intelligence

Resources Resources

• Research & Reports

Company Company

Your data matters.

This site uses cookies to store information on your computer. Some are essential to make our site work; others help us improve the user experience. By using the site, you consent to the placement of these cookies. Read our  privacy policy  to learn more.

• PROFESSIONAL LIABILITY SPOTLIGHT

The importance of audit planning

• Firm Practice Management
• Strategic Planning
• Audit & Assurance

What is the purpose of audit planning if the audit may not ultimately follow the carefully thought out plan? As may be inferred from Dwight D. Eisenhower's words—"Plans are worthless, but planning is everything"—the value of audit planning is not derived solely from the resulting audit plan. Often overlooked, the real benefit of audit planning is gained from the process itself. In painstakingly documenting endless client details, auditors achieve more than just compliance with professional standards—they also develop more efficient engagements and help reduce professional liability risk.

Consider the importance of planning in this claim scenario:

The senior on a CPA firm's largest audit engagement received a request from the client's CFO for a copy of "any communications the firm has sent relating to internal - control - related matters identified during the current - and prior - year audits and copies of internal control documentation completed by the firm." Operating under the assumption that the client was finally going to address its many pesky control deficiencies, the senior happily sent an email with the requested documents.

A short time later the firm received notification of a lawsuit from the client. The complaint asserted that the audit firm had failed to detect an embezzlement scheme perpetrated by the accounts payable clerk. It further indicated that the firm's failure to detect a breakdown in internal controls allowed for the payment of fictitious vendor invoices.

The firm's legal counsel hired an expert to review each year's engagement workpapers. One hopeful yet disturbing issue arose: The firm had informed the client of a significant deficiency in internal controls in its prior - year management letter. Had the deficiency been corrected, the embezzlement scheme likely would have been discovered. The disturbing point—the significant deficiency was not mentioned in current - year engagement planning documentation, neither in risk assessment nor in the design of planned audit procedures. It appeared as though the prior - year documentation had simply been copied to the current - year file with updated completion dates. No additional audit procedures addressed the issue, and the scheme continued for an additional six months beyond issuance of the current - year audit report.

As exemplified above, use of the "same as last year" (SALY) mentality can be a major pitfall in audit planning. SALY disregards the advantages of the planning thought process, focusing instead on getting the job done quickly. Many planning pitfalls, including relying too heavily on checklists or compartmentalizing each step of the audit, result from trying to save time in the present without consideration of the rest of the engagement. Conversely, an engagement that is effectively planned could eliminate over - or under - testing , lead to more relevant documentation, and help reduce the likelihood of audit failure or a potential professional liability claim, saving time in the long run.

AUDIT PLANNING STANDARDS AND RISK MANAGEMENT

Audit planning is not a simple process. It involves consideration of client industry and regulatory factors, client operations and administration, availability and assignment of firm resources, engagement timing, and much more. Fortunately, the hard work of proper planning may not only enable more efficient audit execution, but it also provides auditors with important risk management techniques. Complying with all applicable professional standards when delivering services helps reduce professional liability risk. Consider the professional liability lessons that can be gleaned from these particular sections of the AICPA Statements on Auditing Standards:

• Timing ( AU - C §§ 300.02 and 300.A2): Planning can easily be misconstrued as a discrete phase of an audit, taking place only when scheduled. Instead, it should be viewed as a continuous process that begins upon completion of the prior audit and ends with completion of the current engagement. The information learned during planning should be applied throughout the engagement to achieve appropriate conclusions. In our scenario, planning for the current engagement should have started with the control deficiency identified in the prior audit and addressed the issue throughout the audit process.
• Risk assessment ( AU - C §315): Gaining an understanding of the client and its environment presents an opportunity for the auditor to view the client's business and the engagement from a perspective other than the debits and credits underlying the financial statements. A holistic view of the various industry, regulatory, internal, and external factors may allow for linkages that might otherwise be lost in the minutiae of performing the engagement. Identifying areas of greatest risk early in an audit can allow for additional testing or analysis, reducing the likelihood of error that may result in a professional liability claim. As exemplified in the claim scenario, accounts affected by the internal control deficiency should have been deemed high - risk , and testing should have been tailored to address the concern.
• Team composition ( AU - C §300.05): Assignment of the engagement team and scheduling of resources may seem like simple logistical issues. Nevertheless, the level of experience on the team, use of experts, and scheduling of who will review and when are all variables that can significantly alter the engagement approach and affect its success. Assigning complex or difficult areas of an audit to the appropriate level of expertise, depth of experience, or extent of review is an important step in reducing the likelihood of an error.

Further, the resources should not be limited solely to the engagement team. Colleagues, peers, professional associations, technical standards, prior - year audits, and other engagements can all provide valuable insight. Utilizing all resources available to the engagement team may develop a more informed audit approach. For example, in the scenario above, the current - year testing of accounts affected by the significant deficiency could have been assigned to a more experienced team member or subjected to additional review.

ADDITIONAL PLANNING CONSIDERATIONS

In addition to the professional liability risk management considerations that can be gleaned from the professional standards, two additional suggestions should be kept in mind.

• Invest the time: Proper planning is an investment in time that is intended to pay dividends in later phases of the engagement. Identifying a potential issue or complex audit area at the start of the planning process could save time later in the audit. That additional effort, while it may seem difficult in the moment, could save time as deadlines approach. Errors are more likely to occur when timing is compressed, causing work to be rushed. If planning can alleviate even a portion of the demand for time during the busiest periods of the year, exponential gains in efficiency and reduction of professional liability risk can be realized.
• Be flexible: Planning is a guide for work to be performed, not a step - by - step instruction manual. Flexibility creates a positive tone that can be established in planning and carried through to issuance. The audit plan and strategy developed at the start of the engagement should be updated and adjusted based upon information gathered throughout the engagement. Maintain a focus on achieving the correct end result, rather than simply finishing the audit. Flexibility also allows the audit plan to be quickly modified when unexpected risks arise, thus reducing professional liability exposure that would exist if adjustments were not made.

Daniel Gartland is a risk control consultant at CNA.

Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com .

This article provides information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

Where to find May’s flipbook issue

The Journal of Accountancy is now completely digital. 

SPONSORED REPORT

Manage the talent, hand off the HR headaches

Recruiting. Onboarding. Payroll administration. Compliance. Benefits management. These are just a few of the HR functions accounting firms must provide to stay competitive in the talent game.

FEATURED ARTICLE

2023 tax software survey

CPAs assess how their return preparation products performed.

The global body for professional accountants

• Search jobs
• Find an accountant
• Technical activities
• Help & support

Can't find your location/region listed? Please visit our global website instead

• Middle East
• Cayman Islands
• Trinidad & Tobago
• Virgin Islands (British)
• United Kingdom
• Czech Republic
• United Arab Emirates
• Saudi Arabia
• State of Palestine
• Syrian Arab Republic
• South Africa
• Africa (other)
• Hong Kong SAR of China
• New Zealand
• Our qualifications
• Getting started
• Your career
• Test Campaign 1
• PT and JB component test
• Apply to become an ACCA student
• Why choose to study ACCA?
• ACCA accountancy qualifications
• Getting started with ACCA
• ACCA Learning
• Register your interest in ACCA
• Learn why you should hire ACCA members
• Why train your staff with ACCA?
• Recruit finance staff
• Train and develop finance talent
• Approved Employer programme
• Employer support
• Resources to help your organisation stay one step ahead
• Support for Approved Learning Partners
• Becoming an ACCA Approved Learning Partner
• Tutor support
• Computer-Based Exam (CBE) centres
• Content providers
• Registered Learning Partner
• Exemption accreditation
• University partnerships
• Find tuition
• Virtual classroom support for learning partners
• It’s renewal time for your students!
• Find CPD resources
• Your membership
• Member networks
• AB magazine
• Sectors and industries
• Regulation and standards
• Advocacy and mentoring
• Council, elections and AGM
• Tuition and study options
• Study support resources
• Practical experience
• Our ethics modules
• Student Accountant
• Regulation and standards for students
• Your 2024 subscription
• Completing your EPSM
• Completing your PER
• Apply for membership
• Skills webinars
• Finding a great supervisor
• Choosing the right objectives for you
• Regularly recording your PER
• The next phase of your journey
• Your future once qualified
• Mentoring and networks
• Advance e-magazine
• An introduction to professional insights
• Meet the team
• Global economics
• Professional accountants - the future
• Supporting the global profession
• Download the insights app

Can't find your location listed? Please visit our global website instead

• Internal audit
• Learn about internal audit
• Back to Learn about internal audit
• A brief guide to internal auditing

A brief guide to assignment planning

• A brief guide to assessing risks and controls
• A brief guide to assignment quality
• A brief guide to assignment reporting
• A brief guide to follow up
• A brief guide to relationship management
• A brief guide to audit governance
• A brief guide to standards and responsibility
• A brief guide to strategic audit planning and resourcing
• A brief guide to working with other providers
• A brief guide to audit committees
• Guidance for Heads of Internal Audit
• Guidance for Audit Committee Chairs on working with the Head of Internal Audit
• Introduction
• Standard 1100 Independence and objectivity
• Standard 2200 Engagement planning
• Standard 2300 Performing the engagement
• Standard 2400 Communicating results
• Standard 2050 Coordination and reliance
• Financial Reporting Council (FRC) International Standards on Auditing (UK)
• Benefits of coordination
• Facilitating coordination
• Guidance on auditing planning for Internal Audit

It takes careful planning to ensure all the key controls are in place and operating effectively for an audit to provide reasonable assurance.

Key controls reviewed as part of an internal audit must be operating effectively to provide reasonable assurance over the management of risk. It takes careful planning to ensure a thorough enough understanding of the risk environment to identify those key controls that need to be in place.

Effective assignment planning considers everything from the assessment of risk, work required, resources available and deadlines, to effective team and stakeholder engagement.

The key output of the planning stage is a  terms of reference  document clearly stating the scope, audit objectives/risks, resources, timing and ideally any prior information needs which will assist in the smooth delivery of the audit.  

The advance warning of information needs also assists in reducing the pressure upon management when handling the impact of an internal audit while continuing with their day-to-day job, and alleviates some of the concerns occasionally raised by management when notified of an audit.

Your assessment of risk may include a review of:

• organisation / department / system objectives
• policy and procedural documentation
• risks, related risk appetite, exposure, acceptance and key controls as reported on risk registers / board assurance framework
• key risk indicators and key performance indicators
• organisation information from the intranet, material incidents reported, and self-assessment reports
• reports from risk oversight functions, external auditors, and regulators, etc
• previous audit reports, known weaknesses and progress on resulting actions
• management concerns and those of the audit team with their knowledge of that risk / area / process / system / legislation and regulation
• recent and planned changes such as key staff / systems / process / legislation and regulation / risk, etc

Your assessment of work required may include consideration of:

• volumes and values of transactions / budgets to determine sample size
• work locations and the number of business areas / senior managers involved
• the time it will take to create or update existing audit process / risk documentation
• whether reliance can be placed upon assurance provided and planned by other assurance providers
• testing methodology to be used - for example, whether it will be highly manual or employ computer-assisted audit techniques (CAATs)
• timing to achieve optimal assurance and internal reporting deadlines

Your assessment of resources may include:

• availability, experience, skills, specialist technical knowledge required and base location
• need for co-sourcing, availability, cost and budget available
• selection of a suitable person to lead the audit

Effective stakeholder engagement may include:

• an assessment of all likely stakeholders, including regulators
• face-to-face meetings with key stakeholders to understand their roles, recent and planned changes, their key drivers, their views and key concerns and for you to explain how the audit will be undertaken, by whom, when and to ‘sell’ the value of the assurance that’s being provided
• agreement over who in the business will ‘own’ the audit report
• agreement over how they wish to be updated on the progress and findings

Your assessment of limitations may include:

• limitation of any sampling methodology vs testing entire populations
• any limitations which may be placed upon your ability to fulfil your role, for example the absence of right to audit clauses in third party provider contracts
• exclusion of specific areas of scope, for example the technical IT security surrounding systems may be subject to another specialist IT audit
• statement re the limitations of audit and the provision of reasonable assurance
• statement re the approved budget for the assignment, especially if this is less than the internal audit team originally proposed to management and audit committee
• extent to which the validity of supporting documentation may be verified back to source
• statement re the responsibility for the operation of the system of internal control residing with management

The resulting terms of reference document should be circulated to key stakeholders, discussed and approach agreed with the auditee and ideally the senior management team member responsible for the area under review.  

A clear terms of reference should provide guidance to the audit team in respect delivery, help ensure stakeholders have a common understanding of the assignment and assist manage any expectation gaps.

IIA IPPF Standard 2200 – engagement planning

IIA IPPF Standard 2300 – performing the engagement

Related links

• IIA global website
• IIA UK website
• ACCA Careers
• ACCA Career Navigator
• ACCA Learning Community
• Your Future
• ACCA-X online courses

Useful links

• Make a payment
• ACCA Rulebook
• Work for us
• Supporting Ukraine

Using this site

• Accessibility
• Legal & copyright
• Advertising

Send us a message

Planned system updates

View our maintenance windows

• Virtual Classes
• Self-Paced Classes
• ----------------------------
• Guaranteed-To-Go
• Course Catalogs
• Certificate Programs
• GSUSA Centers
• On-Site Training

Have any questions?  Chat , call 888-744-GRAD or  email  us

• Acquisition & Contracting
• Cloud & Networking
• Communication & Professional Skills
• Cybersecurity
• Data & Analysis
• Emerging Technology
• Financial Management
• Grants Management
• Federal Human Resources Training
• Leadership & Management
• Personal Property Management
• Project Management
• Apply for Enrollment
• Apply for Graduation
• Leadership Certificate Programs
• Request Progress Report
• Request Waiver
• Government Audit Training Institute
• Contract for Training at your Location
• Customized Course Design and Development
• GSA Contract Holder Information
• OnDemand Courses
• Virtual Instructor-Led Course
• GSUSA Coronavirus Update
• Student Forms
• Course Search
• Registrar's Office
• Holiday Inn Hotel Discount
• Center for Leadership & Management
• Our History
• Mission and Core Values
• Accreditation and Approvals
• W. Edwards Deming Outstanding Training Award
• A Career with GSUSA
• OIG Radio Show
• GSUSA News and Events
• Reaching GSUSA
• Login or Register

Planning Audit Assignments (AUDT8451)

Planning Audit Assignments

Description:.

Careful planning is the foundation of success in quickly completing quality performance audits. Recognizing that audits are projects, a structured approach is presented for planning. In this approach, you will learn:

• A risk method to apply in identifying value-added subjects and issues for audit;
• How to formulate audit objectives that meet standards, make clear what an audit is to accomplish, and provide for obtaining evidence to determine the nature and extent of identified problems;
• How to apply a step-by-step process in selecting the scope of work and methodology for obtaining evidence to answer the audit objectives;
• How to document the audit plan using a design matrix, and
• Factors to consider in assigning staff to conduct the audit.

Who Should Attend?

Experienced performance auditors. Participants should be familiar with the material covered in Basic Governmental Auditing (AUDT7001G) .

Class Type:

This course is currently being offered in the following training modalities:

• Class Length:  This class is listed as a 2-day course.
• Class Length: This class is listed as a 2-day course.
• For in-person training sessions, participants are required to download the course materials to a personal device (e.g., laptop or tablet) and bring their device to class for use during classroom instruction.
• Contact our Business Development department for more information.

Learning Outcomes:

• Explain the central role of objectives in performance auditing
• Use risk assessment to identify areas of vulnerability and performance improvement for audit
• Write objectives that make clear what the audit is to accomplish; provide direction for planning and fieldwork, facilitate report writing; and meet auditing standards
• Apply a step-by-step approach in designing audits to achieve the objectives and use a matrix to document the design
• Cite factors to consider in determining staff and other resource needs

Module 1: Introduction

Module 2: Audit Selection Phase

Module 3: Survey Phase

Module 4: Planning Phase: Defining Audit Objectives

Module 5: Planning Phase: Selecting Scope and Methodology

Module 6: Determining Staff and other Resource Needs

Module 7: Planning - Practice Application

Get in Touch!

Have a Question?

We're here to help. Send us an email or call us at 1 (888) 744-4723

Step-by-Step Internal Audit Checklist

Vice Vicente

March 21, 2023

What can internal auditors do to prepare a more comprehensive scope for their internal audit projects? And where can internal auditors find the subject matter expertise needed to create an audit program “from scratch”? AuditBoard’s “ Planning an Audit: A How-To Guide ” details how to build an effective internal audit plan from the ground up through best practices, resources, and insights rather than relying on templated audit programs.

One of the guide’s highlights is a comprehensive checklist of audit steps and considerations to keep in mind as you plan any audit project. Use the checklist below to start planning an audit, and download our full “ Planning an Audit: A How-To Guide ” for tips to help you create a flexible, risk-based audit program.

What is an Internal Audit?

An internal audit is a fundamentally independent function that evaluates an organization’s operations, internal controls, and risk management processes to improve the organization’s effectiveness and efficiency. Internal auditors will conduct interviews, inspect evidence, test controls, and read policies to understand the environment and validate that controls and processes are working — and working well.

The Difference Between Internal and External Audits

The essential difference between internal audits and compliance audits , sometimes called external audits, is who performs the audit. Internal audits, as the name indicates, are performed by internal auditors who are employed by the business. Compliance audits are conducted by independent, third-party, or external auditors, often certified in the audit that is being performed.

The Benefits of an Effective Internal Audit

Internal audits provide many benefits to an organization, giving management and leadership another lens to look at the organization. A Quality Management System (QMS) is a structured framework of policies, processes, and procedures used to plan and implement an organization’s key business areas. The internal audit’s role in the context of a Quality Management System focuses on evaluating the effectiveness of the organization’s QMS, ensuring adherence with requirement standards like ISO 9001, and identifying areas for improvement to enhance overall quality and efficiency.

While external regulatory compliance audits are essential, they often have a specific scope and aim— PCI DSS , for example, zooms in on credit cardholder data. Internal audits have the benefit of a looser scope, allowing an organization to focus on priority areas or areas that may not be examined in a formal compliance audit.

Internal audits give advantages to organizations pursuing external audits and preparing stakeholders and process owners for future audits. Findings from internal audits can be addressed quickly; observations can give management greater insight into the business, people, technology, and processes. Impetus from internal audit reports can encourage optimization, saving the organization in costs and ultimately improving customer satisfaction.

So, how can an organization plan for a successful internal audit ? Read on for our checklist!

Internal Audit Checklist

The steps to preparing for an internal audit are 1) initial audit planning, 2) involve risk and process subject matter experts, 3) frameworks for internal audit processes, 4) initial document request list, 5) preparing for a planning meeting with business stakeholders, 6) preparing the audit program, and 7) audit program and planning review.

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why a given project is part of the internal audit program. The following questions should be answered and approved before fieldwork begins:

• Why was the audit project approved to be on the internal audit plan?
• How does the process support the organization in achieving its goals and objectives?
• What enterprise risk(s) does the audit address?
• What is the overall audit schedule, and how does this project fit into the plan?
• Was this process audited in the past, and if so, what were the results of the previous audit(s)?
• Were audit findings or nonconformities investigated and remediated according to the action plan?
• Have significant changes occurred in the process recently or since the previous audit?
• What is the project’s scope, and what specific requirements need to be met for a successful outcome?

Additionally, participants in the project should review the audit report and audit results to refresh their understanding of the environment, scope, and project parameters. The team may also want to review any standards, frameworks, and regulatory requirements relevant to the project or program. Reporting on internal audit objectives should be delivered to top management periodically — quarterly or biannually is common depending on the size and complexity of the business.

2. Involve Risk and Process Subject Matter Experts

Performing an audit based on internal company information is helpful for assessing the operating effectiveness of the process’s controls. However, for internal audits to keep pace with the business’s changing landscape, and to ensure key processes and controls are also designed correctly, seeking out external expertise is increasingly becoming a best practice, even when a formal external audit is not required.

Organizations can employ Subject Matter Experts (SMEs) from the Big 4 (Deloitte, EY, PwC, and KPMG) and other consulting providers to supplement risk management and internal audit programs. These consultants can provide additional guidance, insight, and clarity on specific regulatory requirements, information security, and business processes. When contracting with consultants, be sure to disclose any other consulting relationships you may have with that firm or company, as there may be independence considerations that the consulting firm has to take into account.

In terms of fostering talent, skills, and development, internal audit professionals should stay abreast of current trends, topics, and themes in their industry. The following resources can help audit professionals understand the present landscape and augment their knowledge:

• Recent articles from WSJ.com , HBR.org , or other leading business periodicals
• Newsletters and updates from the AICPA , ISACA , ISO , NIST , and other similar organizations
• Relevant blog posts from Deloitte Insights ,  EY Insights , The Protiviti View , RSM’s Blog , or The IIA’s blogs

Image: The Institute of Internal Audit (IIA) Competency Framework for Internal Audit Professionals

Source: The IIA Competency Framework for Internal Audit Professionals

These resources can be leveraged to identify relevant risks, inform internal audit procedures,  and encourage continuous improvement in your internal audit program. Having the right people and talent in place to perform the necessary audit activities is critical to your program’s success, and pulling in additional resources during an audit can be challenging. By lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.

3. Frameworks for Internal Audit: The International Professional Practices Framework (IPPF)

Collating guidance from the Institute of Internal Auditors (IIA), the International Professional Practices Framework (IPPF) contains both mandatory and best practice recommendations. The IPPF aims to support the overall mission, “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” The core elements of the IPPF are the: Core Principles for the Professional Practice of Internal Auditing , Definition of Internal Auditing , Code of Ethics, and International Standards for the Professional Practice of Internal Auditing .

In addition to the IIA, organizations like ISACA  can also provide guidance around internal audit processes.

4. Frameworks for Internal Audit Processes: COSO ICIF

Although a risk-based approach to internal auditing can and should result in a bespoke internal audit program for each organization, taking advantage of existing frameworks like the Committee of Sponsoring Organizations of the Treadway Commission’s ( COSO ) 2013 Internal Control — Integrated Framework to inform your program can be a win for your internal audit team and avoid reinventing the wheel. Before applying a specific framework, the internal audit team and leadership should evaluate itssuitability as they map to the business.

While used extensively for Sarbanes-Oxley (SOX) statutory compliance purposes, internal auditors can also leverage COSO’s 2013 Internal Control — Integrated Framework (ICIF) to create a more comprehensive audit program.  COSO’s ICIF focuses on fraud, internal controls, and financial reportin g , while covering subjects like the overall Control Environment of the organization, Information, and Communication, and Risk Management. Since COSO’s ICIF was designed to address SOX, which is a U.S. statute, publicly traded companies based in the US may benefit the most from employing this framework as part of their internal audit program.

• Review COSO’s 2013 Internal Control components, principles, and points of focus here .

5. Initial Document Request List

The Document Request List or Evidence Request List, often abbreviated to “Request List” or “RL” is one of the central documents of any audit. The Request List is an evolving list of requests which may cover everything from interview scheduling, evidence requests, policy and procedures, reports, supporting documentation, diagrams, and more with the purpose of providing auditors with the information and documents they need to complete the audit program for the designated projects or processes.

Requesting and obtaining documentation on how processes work is an obvious next step in preparing for an audit. These requests should be delivered to stakeholders as soon as possible in the audit planning process to give stakeholders (with day jobs!) time to provide the right evidence. As requests come in, the internal audit team should review documented information for any follow-ups, and periodically update the request list as items get closed out. The following requests should be made to gain an understanding of processes, relevant applications, and key reports:

• All policies, procedure documents, workflow diagrams, and organization charts
• Key reports used to manage the effectiveness, efficiency, and process success
• Access to critical applications used in the process; read-only if possible
• Description and listing of master data for the processes being audited, including all data fields and attributes

From the listings received of master data, auditors can then make detailed sampling selections to test that processes and controls are being performed effectively, as designed, every time.

6. Preparing for a Planning Meeting With Business Stakeholders

Before meeting with business stakeholders, the internal audit committee should hold a meeting to confirm a high-level understanding of the objectives of the audit plan and program(s), key processes and departments, and the fundamental roadmap for the audit.

Then, after aligning some ducks internally, the audit team should also schedule and conduct a planning meeting with business stakeholders for the scoped processes. This keeps everyone on the same page, and gives business personnel the time and opportunity to coordinate audit efforts with their business units. The following steps should be performed to prepare for a planning meeting with business stakeholders:

• Outline key process steps by narrative, flowchart, or both, highlighting information inflows, outflows, and internal control components.
• Validate draft narratives and flowcharts with subject matter experts and stakeholders (if possible).
• Develop an agenda or questionnaire for all meetings internally or with business stakeholders.

Preparing the questionnaire after the initial research sets a positive tone for the audit , demonstrating that the internal audit is informed and prepared. Planning, preparedness, and cooperation are critical to achieving audit objectives and gaining deeper insights.

7. Preparing the Audit Program

Once the internal audit team has completed initial planning, consulted with SMEs, and researched the applicable frameworks, they will be  prepared to create an audit program . Audit teams can leverage past audit programs to better design present and future procedures. An audit program should detail the following information:

Summary and Purpose of the Audit Program

Since internal audit reports are usually designed for the consumption of leadership and management, providing an executive summary of the audit program and outcomes gives the audience a snapshot of the audit and results.

Process Objectives and Owners

Documenting the process objectives and tying each process to owners when completing the audit program designates accountability.

Process Risks

Along with the process objectives and owners, the risks associated with the process should also be noted.

Controls Mitigating Process Risks

Once details about the process, including risks, are documented, the audit team should identify and map the mitigating controls to the risks they address. Compensating controls can also be noted here.

Control Attributes

Control attributes are the components and characteristics of the control activity that are critical to the effective execution of that control. Asking the following questions and documenting the results are a good starting point — though some controls may have unique or uncommon attributes as well.

• Is the control preventive or detective? If the control is detective, are there corrective actions required as part of completing the control?
• How frequently does the control occur (e.g. many times a day, daily, weekly, monthly, quarterly, annually, etc.)?
• What type of risk does the control mitigate (fraud, operational, security, etc.)?
• Is the control manually performed, performed by an application, or a combination?
• How likely will the risk be realized (e.g. Highly Likely, Likely, Unlikely)?
• How impactful would the risk be if it were realized (e.g. High Impact, Medium Impact, Low Impact)?
• What evidence does the audit team need to complete audit testing procedures?

Testing Procedures and Methods for Controls to be Tested During the Audit

There are four ways to test controls as part of an audit. These methods must often be combined to fully and completely test a control. These four methods are as follows:

• Inquiry, or asking how the control is performed
• Observation, or viewing the control be performed, typically in real-time
• Inspection, or reviewing documentation evidencing the control was performed
• Re-performance, or independently performing the control to validate outcomes

A comprehensive audit program contains sensitive information about the business. Access to the full audit program(s) should be restricted to appropriate personnel and shared only when approved.

8. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:

• Internal Audit Manager or Senior Manager
• Chief Audit Executive
• Subject Matter Expert(s)
• Management’s Main Point of Contact for the Audit (i.e. Audit Customer)

Internal auditors who take a risk-based approach, create and document audit programs from scratch — and do not rely on template audit programs — will be more capable and equipped to perform audits over areas not routinely audited. When internal audit teams can spend more of their time and resources aligned to their organization’s key objectives,  internal auditor job satisfaction increases as they take on more interesting projects and have an effect on the organization. The Audit Committee and C-suite may become more engaged with internal audit ‘s work in strategic areas. Perhaps most importantly, recommendations made by internal audit will have a more dramatic impact to enable positive change in their organizations.

Complete the form to get your free copy of  Planning an Audit From Scratch: A How-To Guide .

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn .

Related Articles

Audit Planning: Meaning, Process, Activities

The audit plan determines the audit’s scope, how the auditor checks the client’s accounting system and internal control system, determines the program or type of audit, and sets the audit procedures to carry out the entire audit.

What is Audit Planning?

An audit plan is a detailed strategy that sets the nature, timing, scope, and boundaries for the auditor to carry out the entire audit procedure.

An audit plan contains the nature, timing, and extent of audit procedures (including risk assessment procedures) to be performed by engagement team members to obtain sufficient appropriate audit evidence.

Meaning of Audit Planning

Planning the audit includes establishing the overall audit strategy for the engagement and developing an audit plan, which includes, in particular, planned risk assessment procedures and responses to material misstatement risks.

Planning is not a discrete phase of an audit but a continual and iterative process that might begin shortly after (or in connection with) the completion of the previous audit. It continues until the completion of the current audit.

A good plan and actual control of the work as per the plan will prove to be valuable evidence that the audit has been carried out according to generally accepted auditing practices if the plan and controls exercised are adequately documented.

Audit control seeks to ensure that the work is carried out as intended.

The auditor exercises control over the quality of the audit by effectively supervising the work of his assistants, coordinating work performed by others, and adequately documenting the audit matters.

The auditor should develop and document an audit plan that includes a description of:

• The planned nature, timing, and extent of the risk assessment procedures;
• The planned nature, timing, and extent of tests of controls and substantive procedures; and
• Other planned audit procedures must be performed so that the engagement complies with PCAOB standards.

Role and Timing of Planning

Adequate planning benefits the audit of financial statements in several ways, including the following:

• Helping the auditor to devote appropriate attention to important areas of the audit.
• Helping the auditor identify and resolve potential problems on a timely basis.
• Helping the auditor o rganize and manage the audit engagement is performed effectively and efficiently.
• Assisting in selecting engagement team members with appropriate levels of capabilities and competence to respond to anticipated risks and the proper assignment of work to them.
• Facilitating the direction and supervision of engagement team members and the review of their work.
• Where applicable, assist in coordinating work done by auditors of components and experts.

Audit procedures should be discussed with the client’s management, staff, and audit committee to coordinate audit work, including internal audits .

However, all audit procedures remain the responsibility of the external auditors.

Planning the Audit

Audit planning involves the development of an overall strategy or game plan for the expected conduct and scope of the audit —matters such as the integrity of management, errors and irregularities, and illegal acts. The auditor should plan the audit with professional skepticism about such.

The amount of planning required in engagement will vary with the size and complexity of the client and the auditor’s knowledge of and experience with the client.

As expected, considerably more effort is needed to adequately plan an initial audit than a recurring audit.

Preliminary Engagement Activities

The auditor should perform the following activities at the beginning of the audit:

• Perform procedures regarding the continuance of the client relationship and the specific audit engagement,
• Determine compliance with independence and ethics requirements, and
• Establish an understanding of the terms of the audit engagement with the audit committee.

Planning Activities

The nature and extent of planning activities depend on the company’s size and complexity, the auditor’s previous experience with the company, and changes in circumstances that occur during the audit.

When developing the audit strategy and audit plan, the auditor should evaluate whether the following matters are important to the company’s financial statements and internal control over financial reporting and, if so, how they will affect the auditor’s procedures:

• Knowledge of the company’s internal control over financial reporting obtained during other engagements performed by the auditor;
• Matters affecting the industry in which the company operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes;
• Matters relating to the company’s business, including its organization, operating characteristics, and capital structure;
• The extent of recent changes, if any, in the company, its operations, or its internal control over financial reporting;
• The auditor’s preliminary judgments about materiality, risk, and, in integrated audits, other factors relating to the determination of material weaknesses;
• Control deficiencies previously communicated to the audit committee or management;
• Legal or regulatory matters of which the company is aware;
• The type and extent of available evidence related to the effectiveness of the company’s internal control over financial reporting;
• Preliminary judgments about the effectiveness of internal control over financial reporting;
• Public information about the company relevant to the evaluation of the likelihood of material financial statement misstatements and the effectiveness of the company’s internal control over financial reporting;
• Knowledge about risks related to the company is evaluated as part of the auditor’s client acceptance and retention evaluation; and
• The relative complexity of the company’s operations.