Best Practices for Building an Audit Plan
Over the next five years, risk assessment and audit plans will need to respond to changing economic conditions in order to avoid obsolescence. According to a recent PricewaterhouseCoopers report, 51 percent of risk-management professionals believe audit planning that is focused on annual assessments will become more important. Audit plans that account for continued auditing will be viewed as being more valuable.
The way internal audits are being conducted is changing. Many internal audit leaders currently use some variation of a control-focused approach. However, new market conditions are favoring the adoption of risk-centric mindsets and only by making the necessary adjustments can companies remain key players in the field of risk management.
In the coming years, there are five major trends that will impact internal audits: Globalization, or the pursuit of international growth; changes in internal audit roles in relation to the implementation of new technology; new priorities in risk management, such as the growing importance of risk identification; talent and organizational issues; and technological advancement. Taking these five things into account is crucial when developing a strong internal audit plan.
Developing an audit plan to mitigate today’s risks
The audit plan is crucial as a means to systematically analyze risk. Risk is defined as any variable event that would hinder a company’s ability to achieve its established business goals and objectives.
Auditors can start the risk assessment process by evaluating the risk universe, or all the potential events and threats that are applicable to an organization, regardless of probability or extent of impact. This assessment should stem across all business units, operations and processes. The auditor also must understand the company’s business model in relation to the industry of which it’s a part.
In the early stages of developing an audit plan, it’s paramount that those leading the project have open dialog with stakeholders to ensure they have an understanding of the audit universe, business goals and all the risk events that could impede the achievement of these objectives.
Once auditors have a clear view of the company, its end goals and the inherent risks, they need to begin to consider the likelihood of these risks occurring. This will help in the development of a risk profile, which should identify specific business units, processes and activities that present the highest risks to a company and should be easy to understand from the perspective of upper management.
For the first year of operations, it’s frequently difficult to create a meaningful and accurate internal audit plan – companies won’t have a baseline by which control activities can be evaluated. With that in mind, many auditors develop risk assessment and audit plans derived from inherent risk levels, noting global trends that may affect a company, such as political, technological, legal, national and economic climate changes.
There are also inherent internal risks that need to be accounted for. For example, changes in operating systems and policies, development and launch of new products and services, transitioning into new markets, management changes and expansion into foreign countries all present risks that could impact a company’s business goals.
After a company has been operating for some time, a baseline knowledge of internal controls will begin to develop, necessitating periodic risk assessment. These evaluations will determine how reliable and effective the controls are in mitigating the likelihood of risks occurring. Based on these assessments, risks could be reclassified to improve the effectiveness and impact of an internal control.
No control should be immune from evaluation, even key controls that are thought to be effective. What worked at one time may fall into obsolescence depending on how both internal and external conditions have changed over the course of operation. Testing these key controls ensures they are still doing their job and is crucial to establishing an effective audit plan.
“The results of this risk-assessment process will enable you to develop alternative internal audit plans to address a variety of risks across your organization,” the PwC research explains. “An effective audit plan provides a systematic means to assign risks into high, moderate and low categories.”
After assessing risks, audit leaders need to work with the associated committee and senior management to establish a hierarchy of organizational risks. This will help them determine the skill sets needed to address these high-priority risks and better meet the needs of relevant stakeholders.
“Care must be taken to avoid a misalignment between the technical competencies necessary to execute the audit plan and the skill sets resident in the new function. Remember – audit to the risk, not just to available skill sets,” PwC urges.
Developing an audit plan is only a start – audit leaders need to focus on tactical execution as well. Establish current and multi-year budgets that will provide sufficient resources for internal auditors to deliver the audit plan. Launch fieldwork as soon as possible to begin conducting audits, rather than waiting to staff up or develop infrastructure. Revisit stakeholder value drivers and assess necessary skill sets. Acquire infrastructure, methodology and technologies that improve the efficiency and consistency of the audit process. Establish communication protocols to improve dialog between executive management and internal audit functions. Finally, be sure to measure and demonstrate results to relevant stakeholders.
An audit plan is only as good as those carrying it out, so it’s crucial that auditors follow through on their promises to the company.