White paper : Well-founded Audit Planning

Purpose

Internal auditors play a key role in enhancing and protecting organisational value and helping organisations accomplish their objectives. They achieve this through well-founded audit planning. The core pillars of consultation, analysis and research are used to deliver forward audit plans that feed into individual engagement plans.

Background

Management is looking for internal audits that help them to reduce risk (where appropriate), improve the business, and be assured that appropriate governance, risk management and control arrangements are in place and working effectively. They expect the Chief Audit Executives (CAE) to drive a program of audits that are relevant to them, timely, and genuinely add value. They also expect the CAE to ensure that the internal audit team delivers the forward audit plan on time as promised.

In the past, CAEs developed annual and longer term audit plans (three and / or five year) on a ‘cyclical’ basis, with audit topics identified within resourcing availability on a functional basis from historical information. This approach used a set of one- dimensional risk factors, was often done in isolation of the business, and assumed a relatively static organisation. The correlation between risk rankings and the audit plan was often weak.

Contemporary audit planning requires the CAE to identify audit topics on a strategic, cross-organisational and functional basis, drawing on enterprise risk management information. The forward audit plan needs to be developed in consultation with the business to provide timely, relevant, responsive and risk-based coverage, with the integration of internal audit with risk management and strategic planning. Whilst most audit topics in the forward audit plan are focused on assurance, there is increasing provision for consulting (or advisory) topics.

The forward audit plan is usually approved by the audit committee, and the audit committee typically requires a covering business paper that convincingly articulates the robustness of the planning effort, through the three pillars of consultation, analysis and research.

This white paper is intended to aid with a) developing well founded audit plans and b) structuring the business papers and communication needed to convince stakeholders to adopt those plans.

In terms of professional auditing standards:

• The CAE is required to establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals (standard 2010). The plan must be based on a documented risk assessment; undertaken at least annually; recognising the input and expectations of senior management, the board and other stakeholders; and may include both assurance and consulting engagements (standards 2010. A1, 2010.A2, and 2010.C1).
• The CAE must also ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan (standard 2030).
• Internal auditors are required to develop and document a plan for each engagement, including the objectives, scope, timing and resource allocations (standard 2200)

This white paper focuses on the risk-based forward audit plan (as illustrated in Exhibit 1), noting that separate planning is required both at the engagement level and to ensure the capability of the people undertaking these audits.