An audit plan helps a company identify how to achieve its goals. Because internal auditors are always trying to spend less, they must show how they help the company succeed. Performance metrics show how well internal audit is working and whether it is in line with what the company wants to achieve.
What Makes a Good Metric for Your Audit?
Key performance indicators (KPIs) are numbers that show how well a person, group, or company is doing at reaching important goals. When goals are clear and we keep an eye on the right KPIs, it helps prove that what the internal audit team is doing helps the company reach its big-picture goals.
- Announcement Memo Sent on Time (X days before Fieldwork)
- The risks included in the audit match up with what the business wants to achieve.
- Percentage of Planned Audits Addressing High-Risk Areas
- Percentage of Risks Audited / Identified
- Planning Phase Completed on Schedule? (Y/N)
- Percentage of Audit Plan Completed
- Number of Unplanned Engagements
- The last time a process was audited
- Percentage Audits Completed on Schedule
- Customer Satisfaction Results
- Percentage of Surveys Returned
- Year After Year Score Analysis
- Compare the planned fieldwork hours to the actual hours spent.
- Weekly Update Check-ins Scheduled with Management
- How much fieldwork was completed on schedule?
- Final Report Issued Timely (set a target)
- Number of Issues Reported
- Number of Total Issues Identified
- Percentage of Issues Closed as of Final Report Issuance
- Number of Repeat Findings
- Number of Open High-Risk Issues
- Issues Agreed Upon by Management?
- Issues Remediated by Due Date
- Number of Past Due Issues
- Number of Times Due Date is Changed
How to Track Metrics in Your Audit Plan?
- Meet with managers each week to talk about any problems found, how the work is going, and what goals have been reached.
- Aim to finish your report soon after you finish your fieldwork, within 30 days.
- Look at how many surveys customers sent back and if their scores are getting better each year.
- Figure out what percent of the risks you looked into matched up with your risk assessment.
Does Your Audit Plan Adequately Address Critical Risk Areas?
A good audit plan covers more than just meeting rules like Sarbanes-Oxley (SOX). It looks at risks across the whole company.
Recommended Audit Projects for Cybersecurity
- Data Encryption
- Access Management Policies and Controls
- Data Penetration Testing with Vendors
- Business Continuity Plan (BCP)
- Patch Management Policies
- Employee Information Security Training
Culture and Ethics Audit Projects
- Digital Ethics
- How consumer information is managed and protected across the enterprise.
- Succession Planning
- Gender and Racial Discrimination
Recommended Audit Projects for Data Privacy
- General Data Protection Regulation (GDPR) Enforcement
- Consumer Consent
Data Governance Recommended Projects
- Data Quality
- Ways to ensure data is accurate and reliable when moving it, managing it during company purchases, and setting standards for its quality.
- Data Analytics
- Rules for using data analysis tools, keeping data safe and who owns it, and controlling who can access it.
Recommended Audit Projects for Third-Party Risk
- Background Checks
- Third-Party Risk Management
- Contract Management
- Right-to-audit Clauses
- Monitoring and Compliance
What is an Audit Follow-up?
After making plans and tracking progress with KPIs, audits need follow-up to ensure things are on track. This is important for the audit’s impact. Auditors need to decide how much assurance they want to provide. They should give enough time for organizations to fix issues found in audits.
When following up, auditors should stay unbiased and independent. They check if actions are taken to address the problems found. If auditors want high assurance, they need to plan and execute follow-up audits rigorously, just like the original audit. Sometimes, due to limited resources, auditors might opt for a less intense review, mainly focusing on the original findings and progress updates.
Sometimes, auditors won’t give any assurance in the follow-up report. This means they’re only reporting what the organization claims about its progress.
1. Review of Audit Report
Carefully read the audit report first to understand what the suggestions are about and how they impact things. Make sure the report is clear, correct, and makes sense. Look for proof and reasons behind the suggestions. If you find any mistakes or things that don’t match up, tell the auditor or their team. You can ask for explanations or fixes if needed before agreeing to the report.
2. Recommendation Priorities
You need to decide which suggestions are most important, urgent, and doable. Think about the risks, advantages, and expenses of doing or not doing each one, as well as the time and resources you have. Talk to the people who are affected, like managers, employees, or customers, to hear what they think. Then, rate each suggestion as high, medium, or low priority, and make a plan to deal with them.
3. Progress Monitor
The third thing to do is to keep an eye on how well the suggestions are being put into action and see what changes are happening. Make a schedule and set goals for each suggestion, and make sure everyone knows what they’re supposed to do. Tell the people who need to know about the plan and what’s expected, and help them out along the way. Keep checking on how things are going and fix any problems that pop up.
4. Verification of Results
The final step is to verify the results of the implementation of the recommendations and evaluate their effectiveness and sustainability. It’s advisable to collect and analyze data and evidence that demonstrate the achievement of the objectives and the improvement of the quality. Check the results against the starting point and standard measurements, and evaluate how much the changes have affected and contributed value.