Jan 22

Crafting an Audit Plan from Square One

Given the current unpredictable situation, audit teams should be more flexible. However, sometimes, a lack of necessary knowledge and expertise hinders ensuring the effectiveness of areas that have never undergone an audit. Unfortunately, these areas often involve processes crucial to an organization’s strategy and goals.

In such cases, auditors might start by searching online for audit guidance, but this often leads to a limited scope of testing controls, pointing out issues in the report, and quickly moving on to the next audit. This not only disappoints the audit customer but also negatively impacts the performance and reputation of the internal audit.

How can internal auditors get ready for broader internal audit projects?

Those auditors who make their audit programs instead of using ready-made checklists or templates from the internet are more prepared to conduct audits in less frequently examined areas. When the internal audit focuses more on the organization’s strategy and main goals, it leads to multiplied benefits in terms of time and resources.

Crafting an Audit Plan

We have listed seven steps to help you craft an audit plan from scratch:

Step 1 – Initial Audit Planning

Before starting any internal audit project, it’s crucial for the team to clearly understand the reasons behind including the project in the audit plan. Answer and get approval for the following questions before beginning fieldwork:

Why was the audit project added to the internal audit plan?
How does the process contribute to the organization’s goals and objectives?
What risks does the audit address for the organization?
Was this process audited before, and if so, what were the results?
Have there been important changes in the process recently or since the last audit?

Step 2 – Expertise in Risks and Processes

Conducting an audit based on information within the company is useful for evaluating how well the controls in a process are working. To stay updated on changes in the business environment and ensure the correct design of key processes and controls, it is crucial to actively seek external expertise.

To assess the design of the audited process, consider using at least one of the following:

A Subject Matter Expert (SME) from any consulting firm.
Membership in the most relevant trade association.
Recent articles from leading business publications or relevant insights from The Institute of Internal Auditors (IIA) and the like.

After using both inside and outside sources to find important risks, create an audit plan to check for these risks.

Step 3 – Apply the COSO’s 2013 Internal Control-Integrated Framework

Internal auditors, beyond Sarbanes-Oxley compliance, can use the COSO 2013 Internal Control-Integrated Framework to enhance their audit programs. In 2023, COSO provided additional guidance for organizations aiming for effective internal control over sustainability reporting (ICSR) using the widely accepted COSO Internal Control-Integrated Framework (ICIF).

Apart from examining and testing control activities, internal audits should also focus on identifying and testing other elements of a well-controlled process.

Step 4 – Request Initial Documents

To prepare for an audit, it’s crucial to gather information about the process. Before starting audit planning, make the following requests to understand the process, relevant applications, and key reports:

Request all policies, procedure documents, and organization charts.
Obtain key reports used to measure effectiveness, efficiency, and process success.
Ask for access to key applications used in the process and check if they were used remotely.
Get a description and inventory of master data for the audited process, including all data fields and attributes.

Once you have this information, request access to the master data for the audited processes. Analyzing this data helps identify trends and supports detailed sampling selections.

Step 5 – Get Ready for a Planning Meeting

Before meeting with business stakeholders, the internal audit team should have a meeting of their own. This internal meeting is to make sure everyone understands the goals of the process or department and the essential steps involved. To prepare for the planning meeting with business stakeholders, follow these steps:

Create a clear plan outlining important steps in the process, using narratives or flowcharts.
Emphasize information going in and out, and internal control elements.
Review the plan with experts if available.
Develop an initial questionnaire with the internal audit’s preliminary answers for a pre-planning meeting with key audit customers. (You may include questions about the business’s COVID-19 impact.)

Creating the questionnaire after doing some initial research sets a positive tone for the audit. This shows the internal audit team’s readiness and knowledge. After completing the research, the team should meet with their business stakeholders to ensure everyone understands the process.

Step 6 – Prepare the Audit Program

After confirming their understanding of the process and associated risks, the internal audit team can develop an audit plan. This plan should include the following details:

Process Objectives

Process Risks

Controls Mitigating Process Risks

Control Attributes, including:

Does the control stop or find a risk?
Frequency of control (like every day, week, month, or quarter)
Does the control reduce the chance of fraud?
Methods used for the control (by hand, by a computer, or both)
First evaluation of the risk (like high, medium, or low).

Procedures for testing controls in the audit, including:

Ask how the control is done.
Watch the control being done if you can.
Check documents to confirm the control was done.
Independently perform the control to double-check the results.

Step 7 – Review the Audit Programs and Plans

Audit programs, especially for new processes, should undergo thorough reviews by various individuals before starting fieldwork. Before beginning fieldwork, the initial audit program and internal audit planning procedures should be reviewed and approved by: