Proper planning is an essential step in any internal audit assignment. Internal auditors often refer to the documentation of previous internal audit assignments, or simply copy the planning of the previous audit of the process. When a process is audited for the first time and no documentation of previous assignments is available, Doctor Google is often consulted. Ready-made checklists for an internal audit plan are then available in a few mouse clicks.
The danger of this method is that internal audit no longer takes into account the (changing) circumstances, the context and the objectives of the audited organization. As a result, an internal audit becomes a "check-the-box" exercise that offers little or no added value for the organization.
In this article we offer a step-by-step plan that can serve as a guideline for drawing up an internal audit plan, for both recurring and never-previously-audited processes.
Step 1: Understand the objectives and context of the audit
Before the team can start the internal audit assignment, it is important to understand why the process or project was included in the audit plan.
Ask the following questions:
- Why was the process / project approved in the audit plan?
- How does the process / project contribute to the achievement of the company's objectives?
- What risks does the audit cover?
- Has the process been audited in the past and what were the results?
- Have there been significant changes to the process recently or since the last audit?
Step 2: Get help
An internal auditor is often confronted with internal business processes or domains in which he himself has insufficient background and knowledge. He cannot be an expert in all facets of the business that may be subject to an internal audit. Moreover, the environment in which the company operates is constantly changing. To ensure that the audited process and key controls are well designed, taking into account all relevant risks, it is recommended to engage external expertise.
Relevant articles from business magazines or blog posts (from, for example, the IIA) can be a good source for filling in missing knowledge. Calling in a professional is also an option.
As a result, an internal auditor does not have to be an expert to offer a high-quality internal audit.
Step 3: Look beyond the control activities
A controlled process is more than well-designed and well-executed control activities. A comprehensive audit program takes into account all elements of the COSO framework (COSO 2013 Internal Control - Integrated Framework). Therefore, when drawing up the audit plan, also take into account the control environment, risk assessment, information & communication and monitoring activities.
Step 4: Make a list
In order to draw up a good audit plan, it is important to gain insight into the process to be audited, the applications that support the process and the relevant reports that are used to monitor the process.
Therefore, make a list of documents and data that you would like to receive prior to the audit for an initial investigation:
- The internal guidelines, procedures, work descriptions and organization charts with regard to the audited process;
- Reports used to monitor the efficiency and effectiveness of a process;
- Access to the most important applications in the process.
Step 5: A prepared man or woman is worth two
After the initial investigation, there is an internal meeting with the audit team. In this meeting, the understanding of the process and the important steps is shared and validated. A description or visualization of the process with the most important process steps, the inputs and outputs and the internal control elements forms the basis of this meeting. The validation of the process by the expert can also provide additional input.
After the internal validation, the understanding of the process is confirmed with and by the business stakeholders in a planning meeting. Good preparation allows the team to demonstrate that it is informed and ready to begin the audit.
Step 6: Prepare the audit program
Now that the internal audit team has gained insight into the process to be audited and the associated risks, it can draw up an audit program. An audit program contains the following points:
- The goals of the process;
- The risks within the process;
- The controls that mitigate these risks;
- The main attributes of the controls:
  - Is the control preventive or detective?
  - Frequency with which the control is carried out;
  - Does the control mitigate a risk of fraud?
  - Is the control performed manually or by a system?
- An initial estimate of the risk;
- The procedures that will be used to test the controls:
Step 7: Check, check, double check
An audit program is best checked and approved by several people before it is finalized. This is certainly the case for processes that have not yet been audited in the past.
This ensures that the stakeholders agree with the program and that no ambiguities arise during the fieldwork.
The following persons are preferably involved in the validation of the audit program:
- Internal audit manager
- Subject matter expert
- Head of Internal Audit
- Management's point of contact for the audit
By following these 7 steps, an audit schedule can be successfully drawn up. In this way, the internal audit team can start well prepared with the fieldwork.
Jolien Vromant, Certified Internal Auditor – 7 October 2020