What can internal auditors do to prepare a more comprehensive scope for their internal audit projects? And where can internal auditors find the subject matter expertise needed to create an audit program “from scratch”?
AuditBoard’s “Planning An Audit From Scratch” guide explores how to build an effective internal audit plan from the ground up through best practices, resources, and insights. One of the guide’s highlights is a comprehensive checklist of audit steps and requirements to keep in mind as you plan any audit project, which you can view below.
Internal Audit Planning Checklist
INITIAL AUDIT PLANNING
All internal audit projects should begin with the team clearly understanding why the project was put on the audit plan. The following questions should be answered and approved before fieldwork begins:
- Why was the audit project approved to be on the internal audit plan?
- How does the process support the organization in achieving its goals and objectives?
- What enterprise risk(s) does the audit address?
INITIAL DOCUMENT REQUEST LIST
Requesting and obtaining documentation on how the process works is an obvious next step in preparing an audit. Besides asking for access to process master data to analyze for trend highlights, the following requests should be made before the start of audit planning:
- All policies, procedure documents, and org charts
- Key reports used to manage the effectiveness, efficiency, and success of the process
- Access to key applications used in the process
- Description and inventory of process master data, including all data fields and attributes
RISK AND PROCESS SUBJECT MATTER EXPERTISE
Performing an audit based solely on internal company information is helpful to assess the operating effectiveness of the process’ controls. However, for internal audit to keep pace with the business’ changing landscape and to ensure key processes and controls are also designed correctly, seeking out external expertise is becoming more of a requirement.
At least one of the following should be used to evaluate the design of the process audited:
- Subject Matter Expert (SME) from a Big 4 or other consulting firm
- Membership to the most relevant trade association
- Recent articles from WSJ.com, HBR.com, or other leading business periodicals
- Relevant blog posts from The Protiviti View, RSM’s Blog, or the IIA’s blogs
COSO’S 2013 INTERNAL CONTROL - INTEGRATED FRAMEWORK
To create a more comprehensive audit program, refer to COSO’s 2013 Internal Control components, principles, and points of focus.
PREPARING FOR A PLANNING MEETING
The objective of the pre-planning meeting is to obtain a high-level understanding of the goals and objectives of the process or department and the key steps to the process. The following steps should be performed while planning for an audit project:
- Outline, by either narrative, flowchart, or both, key process steps, highlighting information inflows and outflows, and internal control components
- Validate draft narratives and flowcharts with subject matter expert used (if any)
- Create an initial pre-planning questionnaire, with internal audit’s draft answers, to facilitate a pre-planning meeting with key audit customers
PREPARING THE AUDIT PROGRAM
Documenting the process details in a narrative or flowchart will make it much easier to determine audit procedures and to create an audit program. An auditor’s program should detail the following information:
- Process Objectives
- Process Risks
- Controls Mitigating Process Risks
- Control Attributes, including:
  - Is the control preventing, or detecting, a risk event?
  - Control frequency (e.g. daily, weekly, monthly, quarterly, etc.)
  - Does the control mitigate a fraud risk?
  - Is the control manually-performed, performed by an application, or both?
  - An initial assessment of the risk event (e.g. high, medium, or low)
- Testing Procedures for Controls to be Tested During the Audit, including:
  - Inquiry, or asking how the control is performed
  - Observation, or physically seeing the control be performed
  - Inspection, or reviewing documentation evidencing the control was performed
  - Re-performance, or independently performing the control to validate outcomes
AUDIT PROGRAM AND PLANNING REVIEW
Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:
- Internal Audit Manager or Senior Manager
- Subject Matter Expert
- Chief Audit Executive
- Management’s Main Point of Contact for the Audit (i.e. Audit Customer)
AUDIT MANAGEMENT TOOLS
Leveraging internal audit software will also help you streamline and organize your entire audit. In addition to must-have features like built-in workflow and real-time dashboards, ask yourself questions about usability and configurability. Some questions you should ask include:
- Does the tool feel intuitive and easy to use, or do you have to click multiple times to get where you need to go?
- Does implementation take a few weeks, several months, or a year?
- Speed: does the tool work and load quickly or does it lag at times?