AuditNet®


5 SIGNS THAT YOUR AUDIT PLANNING APPROACH IS FAILING

by Bruce McCuaig CA, CCSA, CIA

This is the time of year that many audit departments start to think about planning for the year ahead. The current year's audit coverage is well under way, general business conditions are known and audit resource levels for the year ahead can be anticipated with some degree of certainty.

Audit plans vary from year to year but they are all designed to meet the needs of the business and effectively deploy scarce audit resources while leaving flexibility for the unknown.

What is the difference between a good audit plan and one that is little more than a list of audits? In many audit departments audit planning has become routine. The same approaches are used year after year and the symptoms of bad planning, when they appear, are ignored or attributed to other causes.

One way to begin planning for next year is to assess the current year's and past years' plans. Here are some common signs that may indicate your planning process needs work.

CAN YOU ANSWER THE “WHY ARE YOU HERE” QUESTION?
Imagine your lawyer or doctor paying a surprise visit to your home to offer you unsolicited advice. That is what it must feel like to a business manager when an internal auditor arrives unannounced and unexpectedly to conduct an audit.

Even if the value of your department’s professional services is not in question, building an audit plan and scheduling your audits without consulting closely with business managers to understand the issues they are facing and the value you can offer is a symptom of a fundamental problem with your planning approach. If your auditors are being asked this question when they arrive, it is a sign of planning failure.

Audit services, like any other professional service, should be driven by demand, not supply. Auditors, like any other professional, should engage closely with their clients to understand their needs and offer relevant assurance services at the appropriate time.

If your audit is a surprise (and wasn’t intended to be), surprising your client is a sign of bad planning, usually an approach that did not involve the audit client.
The solution is to clearly define and reach agreement on what locations you will be auditing, what specific assurance services you will be providing, when they will be provided and what value you will be adding.

ARE MANAGEMENT SPECIAL REQUESTS EXCESSIVE?
Most audit departments provide in their plans for management special requests. Unanticipated projects do arise during the course of the year in response to emergencies or special situations. However, many audit departments routinely find themselves scheduling 20% to 30% or more of their resources on unanticipated special work requested by management. If your average commitment, over time, for management special requests exceeds 10%, you have a planning failure.

When management continuously overrides your audit plan with excessive special requests, they are telling you that your plan is wrong, that you are directing your audit resources to the wrong areas or at the wrong time and that they are better at allocating your resources than you are. They may be right.

The solution is to engage senior management more extensively in your planning discussions, to listen closely to their concerns and to ensure they understand the strategy behind your audit plan and the implications of changing your plans to accommodate special requests. In some businesses, annual planning is too infrequent. Consider building mid-year revisions into your plan or switching to a rolling 12-month plan with frequent reviews. The notion of an annual audit plan is important for budgeting and performance reviews, but it may not serve the assurance needs of your organization.

CAN YOU DEFEND WHAT IS NOT IN THE PLAN?
Can you illustrate to your audit committee and senior management the entire universe of possible assurance topics in your organization and explain why you have selected only the projects you have proposed in your plan and left everything else out?

In most cases, annual audit coverage will never exceed 5% of the possible assurance universe. This means that deciding what to leave out is more important than deciding what to audit.

The solution is defining an assurance universe not just in terms of business units or locations, but in terms of detailed processes and business objectives across the organization. It should allow you to express your audit plan as a percentage of the entire population of processes and business objectives. You will need to risk rate each process and business objective in terms of its importance to the organization.
Your audit universe should map very closely to your company’s organization chart, lines of business or process structure. You should be auditing the business management has created and is responsible for.

HAVE YOU ASKED FOR MANAGEMENT’S RISK ASSESSMENT?
Some audit departments consider their risk assessment skills superior to management's and choose to perform their own risk assessments in place of management's.

The definition of internal auditing, according to the IIA Professional Practices Framework, is to evaluate and improve the effectiveness of risk management, control and governance processes. A logical step in the planning process is to gather any risk assessments prepared by management. If they have prepared risk assessments, your assurance strategy must include an evaluation of that assessment to determine its reliability, a much different process than a regular audit. Risk assessment is a key element of the original 1992 COSO framework. The 2004 COSO ERM framework provides significant guidance in how to conduct a risk assessment.

The solution is to include the reliability of management risk assessments as one of your audit planning criteria. Management with a track record of reliable, comprehensive risk assessments should receive much less audit coverage. Management who do not perform risk assessments should be featured prominently in your audit plan and in your executive and board reporting. Auditors who do not evaluate management’s risk assessment are not conforming to IIA standards.

DOES YOUR PLAN PROVIDE THE BASIS FOR A RELIABLE, ENTITY WIDE OPINION?
Senior executives and audit committees need and deserve a reliable opinion on the status of risk management, control and governance for the organization as a whole just as they do for internal controls over financial reporting. The job of a Chief Audit Executive is to provide such an opinion and to support it with evidence year in and year out. A list of audit findings is not enough. The audit plan must be designed to gather the evidence to support that opinion. The risk and control criteria used by the auditing profession to support an opinion on internal control effectiveness are in the COSO frameworks. An entity wide opinion on internal control effectiveness expressed without specific reference to a control framework is little more than a guess.

The solution is to plan the audit coverage based, among other things, on the evidence required to support a control effectiveness opinion. That means that each audit should be selected based in part on how it will contribute to the bigger picture. For example, consideration must be given in audit planning to the evidence required to document the Control Environment COSO element. How can “Tone at the Top” and all the other “soft” controls be described and tested? Which audits will provide evidence of “tone at the top” controls and their effectiveness? Similar audit evidence must be gathered to support all the COSO elements to support an entity wide opinion on control effectiveness.

The difference between an audit plan and a list of audits is that an audit plan should be carefully designed to ensure that all stakeholders have continuous, reliable information on the status of the organization's risks, controls and governance processes, to conform to the IIA standards and to add value to the organization. If your plan is not designed to achieve these results, it is little more than a list.

If you find yourself wondering at the end of each reporting period what to report to senior executives and management, the chances are you are working from a list, not a plan. If you were working from a plan, you would know in advance what conclusions you intended to report. Your audit results would merely provide the evidence you need to support your conclusions.

Take some time to review your audit planning process. It could be the difference between an average audit department and an outstanding one.


Written by Bruce McCuaig CA, CCSA, CIA, Principal Consultant, Collaborative Assurance & Risk Design with Paisley Consulting, the Cokato, Minnesota business accountability solutions provider. Contact: bruce.mccuaig@paisleyconsulting.com


The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®



Revised: January 21, 2010