Once internal audit has confirmed their understanding of the process and risks within the process, they will be prepared to create an audit program. An audit program should detail the following information:
Controls Mitigating Process Risks
Control Attributes, including:
Is the control preventing or detecting a risk event?
Control frequency (e.g. daily, weekly, monthly, quarterly, etc.)
Does the control mitigate a fraud risk?
Is the control manually performed, performed by an application, or both?
An initial assessment of the risk event (e.g. high, medium, or low)
Testing Procedures for Controls to be Tested During the Audit, including:
Inquiry, or asking how the control is performed
Observation, or physically seeing the control be performed
Inspection, or reviewing documentation evidencing the control was performed
Re-performance, or independently performing the control to validate outcomes
7. Audit Program and Planning Review
Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:
Internal Audit Manager or Senior Manager
Chief Audit Executive
Subject Matter Expert
Management’s Main Point of Contact for the Audit (i.e. Audit Customer)
Internal auditors who can create and document audit programs from scratch — and do not rely on template audit programs — will be more capable and equipped to perform audits over areas not routinely audited. When internal audit can spend more of their time and resources aligned to their organization’s key objectives, internal auditor job satisfaction will increase because they’ll be taking on more interesting projects. The Audit Committee and C-suite may become more engaged with internal audit’s work in strategic areas. Perhaps most importantly, recommendations made by internal audit will have a more dramatic impact to enable positive change in their organizations.
Want to learn more tips to help you create a flexible, risk-based audit program? Download our free "Planning an Audit from Scratch: A How-To Guide" below.