Get a step-by-step checklist to start building dynamic, risk-based audit testing programs and stay on top of new and emerging risks in today’s volatile environment. Download the full Building Operational Resiliency: Strengthening and Modernizing Audit & Risk Practices in Response to Crisis whitepaper below, and watch the on-demand webinar to hear authors Molly Mullinger and Aaron Wright go deeper into developing agility and flexibility to position for recovery in the coming months.
For audit teams managing new projects and responsibilities that have arisen on top of their existing workloads during COVID-19, building efficiency into your testing programs is a way to maximize your team’s time and resources. One place to begin is by reevaluating your testing scope by performing a controls rationalization. Another is by building dynamic testing programs.
Teams that can create and document custom audit programs from scratch — rather than relying on templated audit programs — are better equipped to perform audits over areas not routinely audited. This maximizes internal audit’s ability to make recommendations that will have a strong impact on recovery and create positive change in the organization, leading to further potential benefits.
Additionally, dynamic testing plans enable audit teams to respond to common audit challenges — helping to free up time for teams to react to emergent deviations from normal operating activity throughout the recovery period. Use our step-by-step checklist to start building dynamic audit testing programs today, and download the full Building Operational Resiliency whitepaper below.
Internal Audit Planning During COVID-19 Checklist
1. Initial Audit Planning
All internal audit projects should begin with the team clearly understanding why the project was put on the audit plan. The following questions should be answered and approved before fieldwork begins:
- Why was the audit project approved to be on the original audit plan? Has that rationale changed in light of recent events?
- Has the process undergone significant changes based on response to COVID-19?
- How does the process support the organization in achieving its goals and objectives?
- What risk(s) does the audit address? Is that risk still relevant?
- Was this process audited in the past, and if so, what were the results of the previous audit(s)?
2. Risk and Process Subject Matter Expertise
Seeking out external expertise, especially in light of the current environment, is increasingly becoming a best practice. At least one of the following should be used to evaluate the design of the process audited:
- Industry-specific thought leadership, such as webinars and whitepapers, regarding pandemic response, including treatment of specific accounts.
- Subject Matter Expert (SME) from a Big 4 or other consulting firm.
- Recent articles from WSJ.com, HBR.org, or other leading business periodicals.
- Relevant blog posts from The Protiviti View, AuditBoard’s Blog, or the IIA’s blogs.
3. Initial Document Request List
- All policies, procedure documents, and organization charts, highlighting any key changes made in response to the pandemic.
- Key reports used to manage process effectiveness, efficiency, and success, and any impacts that working remotely has had on those items.
- Description and listing of master data for the processes being audited, including all data fields and attributes.
- Access to key applications used in the process, and assessment of whether the applications were used remotely.
4. Preparing for a Planning Meeting with Business Stakeholders
The following steps should be performed to prepare for a planning meeting with business stakeholders:
- Understand which areas are predicted to be impacted by COVID-19 to drive an informed discussion with business owners.
- Outline (by narrative, flowchart, or both) key process steps, highlighting information inflows, outflows, and internal control components.
- Validate draft narratives and flowcharts with subject matter experts (if any).
- Create an initial pre-planning questionnaire to facilitate a pre-planning meeting with key audit customers, including questions regarding the impact of COVID-19 on the business.
5. Preparing the Audit Program
An audit program should detail the following information:
- Process Objectives
- Process Risks
- Controls Mitigating Process Risks
- Control Attributes, including:
  - Is the control preventing or detecting a risk event?
  - Control frequency (e.g. daily, weekly, monthly, quarterly, etc.)
  - Does the control mitigate a fraud risk?
  - Is the control manually performed, performed by an application, or both?
  - An initial assessment of the risk event (e.g. high, medium, or low).
- Testing Procedures for Controls to be Tested During the Audit, including:
  - Inquiry, or asking how the control is performed.
  - Observation, or physically seeing the control be performed.
  - Inspection, or reviewing documentation evidencing the control was performed.
  - Re-performance, or independently performing the control to validate outcomes.
- Consider alternative procedures in light of the current year’s restrictions, including:
  - The ability to inspect, observe, or re-perform certain control activity.
6. Audit Program and Planning Review
Before fieldwork begins, the audit program and planning procedures may be enhanced with input and/or approval from:
- Internal Audit Manager or Senior Manager
- Chief Audit Executive
- Subject Matter Expert
- Management’s Main Point of Contact for the Audit (i.e. Audit Customer)
This checklist is part of Building Operational Resiliency: Strengthening and Modernizing Audit & Risk Practices in Response to Crisis, which contains best practices for audit, risk, and compliance teams to leverage lessons learned and get ahead for recovery in the coming months. Download your copy below.