ANNUAL AUDIT PLAN
It's that time of year again when Chief Audit Executives (CAEs) are developing next year's audit plan. In the current economic climate, CAEs are feeling the pressure of needing to do more with their limited resources. The concerns of Governance and the Audit Committees about how well the organization is addressing its risks continue to grow, and so do their expectations for Internal Audit teams, including becoming more risk-based, aligning with key stakeholders' expectations, and streamlining audit processes and operations. It can seem like the Internal Audit team doesn't have enough hours in the day to meet these expectations on top of its normal audit activities. Needless to say, developing next year's audit plan seems more daunting than ever.
So how does a CAE determine what to place on the audit plan? Please do not do a stand-alone, annual "this is what we think we should audit" exercise and then run it by the Audit Committee and senior executives for their approval. Instead, ask your organization's key executives for input on what they feel the focus should be. They have the best knowledge of, and insight into, where their issues and risks are.
If you don't already hold one-on-one meetings with the organization's key executives, this is a great time to start. Actually, these are meetings you and your managers (depending on your staff size) should schedule on a regular basis, preferably monthly. During these meetings you should focus on building a rapport with them as well as gaining an understanding of what "keeps them up at night" (risk). You should also bring up topics such as what is happening in the industry, past issues in their areas, etc. for discussion.
From these meetings, prioritize the biggest issues that can keep the company from achieving its business objectives. From the priority list, you can start to develop your annual audit plan. The risks with the highest priorities should be listed as placeholders for the first quarter, the next highest priorities as placeholders for the second quarter, and so on. The audit plan would also include the basic items you have to audit (e.g., compliance issues), requests for help from other departments with process and control improvements, and significant areas identified in any continuous auditing/monitoring reports.
The risks are listed as placeholders each quarter to allow flexibility in the plan to address the most critical risks. Risks are constantly changing as businesses and marketplaces change. You may learn from the monthly meetings with the key executives that a particular risk has become a greater concern since the original audit plan was created. Having a rolling four-quarter audit plan, with the next quarter relatively cast in concrete and subsequent quarters flexible, will allow the risks of greatest concern to be audited sooner. The risks that were originally given a placeholder for the quarter will shift to the following quarter or later, depending on how high a priority they are compared to the other risks on your list.
This rolling audit plan will give Internal Audit a step in the right direction in addressing the growing concerns of Governance and the Audit Committees about how well the organization is addressing its risks, as well as their constantly growing expectations for Internal Audit teams, including becoming more risk-based, aligning with key stakeholders' expectations, and streamlining audit processes and operations.