Audit plan: a requirement of International Standards on AuditingIn accordance with the IIA's 2010 standard, «the chief audit executive must establish an audit plan based on a risk-based approach in order to define priorities consistent with the organization's objectives».
«To draw up the audit plan based on a risk-based approach, the head of internal audit consults senior management and the Board, and takes cognizance of the strategy, the main operational objectives, the associated risks and the risk management processes. The chief audit executive should review and adjust the plan as necessary to respond to changes in the organization's activities, risks, operations, programs, systems and controls» (interpretation of the standard).
What to consider
- The risks
.png "Image_carto_risks-(1).png")
When drawing up an audit plan, international standards require the adoption of a risk-based approach. To this end, the auditor must identify the main risks to which the company is exposed. A risk map is certainly an important input, provided it is up-to-date and also takes account of external threats and emerging risks. The auditor's knowledge of the company's businesses also enables him to assess the risks associated with its activities and the achievement of its objectives, and to take these into account as part of the audit plan.
Linking risks to processes will make it easier to draw up an audit plan.
- Process breakdown
When the company has a process map (following the implementation of a quality approach, for example), the internal auditor can use this tool to divide up his audit themes, while remaining realistic. In fact, an audit theme that is too broad (e.g. a human resources audit for an entity of 1,000 people) is likely to drag on during its execution. It would be better to divide this overly broad theme into mini-themes, for example by activity: recruitment, payroll, appraisal, administrative management, etc.
.jpg "cartographie-process-(1).jpg")
- results of previous audits
When drawing up the audit plan, it is important to take into account the results of previous audits, and in particular those processes or activities which have recorded a large number of anomalies or are at risk. Failure to follow up on the recommendations of a previous audit may also lead to the question of whether a follow-up audit should be carried out and included in the audit plan.
- management needs
The internal auditor consults with the company's management and other executives to identify any audit needs. This presupposes, however, total trust on the part of management to point out where things are going wrong. Managers don't usually want internal audit to come back to them on matters they have asked for themselves. The auditor needs to be open to the subject, and tactful and resourceful in gathering information on needs, so as to be able to advise management (consulting assignments).
– regulatory aspects
When the company operates in a regulated sector, the internal auditor must take regulatory risks into account in his or her audit plan. This approach ensures that the company complies with laws and regulations, and can achieve its objectives with confidence.
In this sense, it goes without saying that the internal auditor must have a perfect command of the legal and regulatory texts governing the company's operations.
– projects or programs to come, in progress or completed
The internal auditor must take into account the conduct of future projects (to assess the risks associated with success), ongoing projects and completed projects (for post-project evaluation).
Discover our internal audit offers
Steps in drawing up an internal audit plan
.jpg "Plan_audit_etapes-(2).jpg")
The internal auditor can carry out the following work to draw up the audit plan:
- Interviews with management and line managers
- Interviews with the Chairman of the Board of Directors or the Audit Committee, if any
- Review of previous years' audit results
- Consideration of identified and unidentified risks (review of risk mapping ratings)
- Review of the incidents, anomalies and non-conformities database
- Review of external mission reports: statutory auditor, regulatory authority, etc.
- Review of internal mission reports: permanent control, quality audit, etc.
- Elaboration of priority audit themes (beware of overly broad themes) based on process mapping (e.g. audit of the recruitment process, audit of personnel files, audit of the supplier invoice processing and payment process, etc.).
- Estimate the duration of each audit topic and the number of auditors (it is preferable to have a team of at least two auditors per assignment). Avoid planning assignments that are likely to drag on, demotivating the team and disrupting the work of operational staff;
- Taking into account existing resources within the audit department: depending on the human and financial resources available, the internal auditor draws up a workload plan. The planned workload (model available on request), This enables you to draw up a schedule for carrying out audit assignments, taking into account days not worked (public holidays, vacations) and days devoted to administrative tasks (meetings, training, etc.).
Take into account your available resources
There's no point in drawing up an audit plan that you're sure can't be carried out, given the human, material and financial resources made available for the audit.
Auditor independence begins with financial independence. The auditor must ensure, when preparing his plan, that he has the financial resources to carry out his assignments, and that there are no restrictions on their performance.
Similarly, depending on the audit topics included in the plan, the auditor must ensure that he has the necessary skills to carry out these assignments. If this is not the case, he must budget for the use of qualified service providers to carry out specific assignments.
The auditor can also schedule additional training to acquire the skills needed to carry out the assignment.
The audit plan: content
The audit plan is a confidential document and must remain in the ‘drawers’ of the internal audit department. There is no standard content for an audit plan.
We recommend the following plan, in PowerPoint format (ask us for an audit plan template):
- introduction and background to the plan
- development process (see 10 steps)
- list of audit themes with risk level (color-coded, for greater clarity)
- audit schedule (in the form of a Gantt chart, for example) including non-audit activities (training, meetings, etc.)
- planned budget
- use of service providers (cabinet) or not
Governance approval of audit plan
Once the audit plan has been drawn up, the auditor presents it to the company's senior management for comment. The plan is then presented to the Board of Directors (or Audit Committee, if one exists) for approval.
Audit assignments may be launched after approval by the Board.
Updating the audit plan
The audit plan may be updated during the course of the assignment or in the event of significant events (pandemic, project launch, acquisitions, etc.).
The internal auditor «must report periodically to senior management and the Mission Council on the extent to which the audit plan has been implemented» (IIA).
Conclusion
When preparing the audit plan, the internal auditor must take into account the risks and the needs of management and the Board of Directors. It is important to avoid overly broad audit themes and lengthy assignments. The audit plan must take into account the resources available to the auditor (human, financial, material, etc.). The auditor can call on external service providers to carry out (or co-source) certain tasks.
About Moore Senegal
Moore Sénégal is a human-scale auditing and consulting firm offering services tailored to the needs of businesses. We have proven expertise in’support for internal audit departments : implementation, tools, training, auditing software, joint auditing or subcontracting.
