Audit plan approval and audit plan changes. An internal audit risk assessment and ongoing refresh processes are in place. It is critical to identify and filter the activities that internal audit can perform to provide measurable value to the organization.
While internal audit functions must often support a number of “non-negotiable” activities (SOX and other regulatory compliance, external auditor assistance), the internal audit department has the opportunity to deliver increased risk coverage, cost savings, and measurable value to the business by identifying and performing audits across the company’s value chain.
Audit Plan Approval And Audit Plan Changes
The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues including fraud risks, governance issues, and other matters needed or requested by senior management and the board.
Getting all stakeholders on the same page concerning what risks should be considered significant could be contentious, but once an agreement has been reached in this area, it will naturally lead to easier acceptance of an audit plan based on those same risk exposures and control issues.
Aligning internal audit activities with strategic and operational goals and objectives through an internal audit risk assessment helps to ensure efficient use of internal audit resources while providing management with valuable insights on risk management activities. While risk analysis and assessment are not fool proof, the processes are better than relying on intuition. Educated decisions can be made about the selection of internal audit engagements.
A general rule of thumb for engagement selection is to recommend auditing just the risk management activities for those risks that are rated as high impact but low likelihood under the assumption that they are low likelihood because of these risk-management actions. For high to medium impact and high to medium likelihood risks, audit engagement objectives should be to identify the root cause or causes of the increased impact and likelihood if not already known and to produce actionable recommendations for positively influencing the root causes once known.
The chief audit executive must communicate the internal audit activity’s plans and resource requirements including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations. Once a risk-based audit plan is developed, the chief audit executive should communicate the plan and resource requirements to senior management and the appropriate governing body for review and approval. Showing how the plan was developed and the reasons for its development can help to win approval.
Key Points To Include To Win Approval
Key points to address include:
Why the area should be audited at this time instead of later.
What the audit objectives are and how this relates to the audit scope.
How the process is currently being monitored for performance and control.
Relevant results or ongoing concerns from past audits.
Relevant current events (proposed, ongoing, or completed changes related to the process or risks).
What significant new or ongoing risks or root causes the audit is designed to address.
What resource limitations exist and what outsourcing or co-sourcing arrangements may be necessary to accommodate them.
Ultimately, the engagement plan should address and support the most effective use of internal audit resources. A risk assessment process should be conducted annually. The resulting engagement plan cannot be static. Changes in management direction, objectives, emphasis, and focus as well as other evolving factors such as emerging trends should be reflected by changes to the audit universe and the related annual engagement plan. Frequent (most likely quarterly) updating may be required, and any significant changes should be submitted to the oversight entities for review and approval.
The audit plan is presented to the board by the chief audit executive before the start of the next year. The board after deliberation approves it. However, as discussed earlier it needs to be continuously reviewed as the risk environment is continuously changing. Minor changes in the internal audit plan may be approved by the chief audit executive. However, major changes may be approved by the board only. This depends on the authorities delegated in the internal audit charter.
Audit Strategy
The audit strategy specifies how the audit will be conducted in general terms, as well as the scope, timing, and direction of the audit. The audit strategy then directs the creation of the audit plan, which includes detailed responses to the auditor’s risk assessment.
An underlying principle of audit planning under the Clarified ISAs is that the audit plan should include detailed responses to specific risks identified during the auditing process. ISA 300 requires the auditor to consider specific issues when developing an audit strategy, and it includes a list of typical issues to consider in its appendix.
Changes To The Audit Strategy And Audit Plan
Once the audit planning stage is completed, the audit strategy and audit plan are not fixed. It is critical that both are updated and changed as the audit progresses. For example, as a result of unexpected events or changes in conditions, the auditor may need to modify the overall audit strategy and audit plan, as well as the resulting planned nature, timing, and scope of additional audit procedures, based on the revised assessment of risks.
This may be the case when information comes to the auditor’s attention that differs significantly from the information available when the auditor planned the audit procedures; for example, an event may occur after audit planning has been initially completed, casting doubt on the audit’s viability. Alternatively, as a result of carrying out planned audit procedures, additional information may become available, prompting the auditor to revise the initial risk assessment or level of performance materiality for all or a portion of the audit.
Final Thoughts
Planning an audit entails more than just gaining a business understanding and assessing risks. Planning is a dynamic process that may evolve during the audit and should always respond to changes in the audited entity’s circumstances. ISA 300 compliance should result in a well-focused audit, staffed by appropriate personnel, performing relevant and appropriate audit procedures.