While it’s true that no internal audit will ever go exactly according to plan, it is also true that audit planning is a necessary and important part of the overall audit process. A haphazard approach to the risk and audit planning process can (and likely will) waste time and money and fall far short of organizational goals. Adherence to audit planning best practices—including diligent planning— leads to success.
Unplanned or insufficiently planned audits can easily spiral out of effective control. Without the guideposts defined and communicated in a detailed audit plan, team members can overcomplicate the process by conducting unnecessary or overly-detailed examinations that turn out to be immaterial. Or worse, they might end up neglecting some critical or regulatory-required aspect of an audit.
Conversely, a well-thought-out, well-organized and well-executed audit plan will help avoid those common and costly pitfalls. A solid plan keeps risk and audit professionals on track and contributes to a successful and enlightening audit that will satisfy the board of directors, C-suite executives and government regulators.
A Communications Tool for Audit Planning
The overarching goals of productive audit planning are to define the scope and objective of the audit in macro and micro terms and to communicate details to team members and other interested (and authorized) parties.
The KnowledgeLeader Audit Planning Memo is one tool that contributes to both of these goals. This tool includes three fully customizable sample memos in one audit planning template. Each of the three memos can be thought of as a separate but congruous sample of what audit planning best practices should look like.
This valuable tool is designed to be used at every stage of the audit process from initial planning through final assessments after an audit has been completed.
Focus on Best Practices
Our Audit Planning Memo, as with all the resources we publish, helps risk and audit managers focus on best practices. Some of the broad topics that are included are as follows:
- General “Approach” of the Audit
- Administration and Job Assignment
- Ongoing Risk Assessment
Under those general topics, details are fleshed out and documented. The highlighted topics below are indicative of some of the content suggestions found in this tool:
- Management Hierarchy
- The names, titles and coverage areas of all managers and company officers overseeing and supervising the audit should be made known to the entire audit team. Just as important, any managers who are not authorized to participate in the audit should be identified as well.
- Audit Boundaries
- A primary function of the audit planning process is to define the scope of the audit. Establishing the boundaries of an audit will avoid wasting time on superfluous examinations and duplicating efforts. It is important to define as precisely as possible what work should be done. Flow charts and process maps can be helpful in this effort.
- Audit Objectives
- A clear statement of objectives at the outset of the planning process will focus team attention and provide ongoing clarity throughout.
- Meeting Schedules
- Periodic planning meetings should be scheduled prior to audit launch as well as status and progress update meetings throughout. Team members should know ahead of time who is expected to participate and what data they’ll be expected to provide. Personnel should be able to voice concerns, relate important discoveries and suggest improvements. And, the budget should be monitored.
- Third-Party Service Providers
- Any outside legal counsel, third-party accounting professionals, contactor tech support or extra staff brought in to assist in the audit should be disclosed.
- Identify Experts
- Audit and risk personnel should know where they can find answers to pressing questions they might have before and during an audit. “Experts” should be available, and there should be open lines of communication.
- Regulatory Compliance
- Company management is not the only one who will demand a comprehensive, professional and accurate audit. Depending on the industry, significant and specific laws and regulations may need to be followed. Any audit process's regulatory goals and reporting requirements must be spelled out from the beginning. To neglect them is to risk further scrutiny and possible penalties.
- Safeguard Sensitive Information
- A strict protocol for the safeguarding of proprietary technology (software and processes), information (company secrets and plans) or politically sensitive (financial or ongoing contract negation) material should be established and enforced.
- Audit the Audit
- Some people, even people in trusted positions, may have ulterior motives. Savvy risk professionals will note instances of high fraud risk in any areas under the audit and monitor them closely.
No Reason to Start From Scratch
Hammering out an audit plan that reflects audit planning best practices, meets company needs and satisfies regulators is no easy task. Putting together a team, assessing risks, choosing the right approach, assigning tasks and keeping all the right people in the loop is as big a job and almost as important as conducting the audit itself. A significant number of staff hours and a healthy percentage of the budget are going to be consumed by the audit planning process. If audit planning is going to be done right, it’s going to take time and effort.
Thankfully, there’s no reason to start from scratch. The KnowledgeLeader portal is a constantly growing library of tools, articles and professional quality training that remains unrivaled in the industry. And it’s all geared specifically to risk and audit professionals to use from initial audit planning through to reporting audit results.
At KnowledgeLeader, we know the value of a good checklist. Our subscribers have access to hundreds of topic-specific checklists (including audit checklists) in dozens of relevant categories. That said, we also know that best audit planning practices go beyond simply checking boxes on standardized forms.
All of our templates, checklists, memos and guides are dynamic, customizable tools. We designed them to be specific enough to provide risk and audit professionals with the framework they need for reference while being flexible enough to be adaptable to specific organizational needs.