Planning is a critical component of both internal and external audits. Good audit planning helps the auditor minimize risks, improve audit efficiency, and meet the audit's objectives with the least amount of effort.
Auditors must prepare a proper audit plan to ensure that all audit risks are identified and appropriate audit strategies are used to detect all concerning risk areas. A good strategic audit plan must be prepared by the auditor. All types of audit risks are identified and detected if the plan is well prepared.
Types of Planning
When developing the risk-based internal audit plan, auditors must assess the ERM (Enterprise Risk Management) maturity level of the internal audit activity. The following maturity levels of annual audit planning and audit engagement objective setting should be considered:
- Controls-based auditing: Before the 1980s, controls-based or control-dependent internal auditing was the main method of auditing. This method is a branch of external audit procedures and consists to a greater extent of providing assurance of the reasonableness of different account balances and other financial details; audits of compliance with the applicable laws, regulations, policies, and procedures; and audits of specific transaction controls from the initiation stage to the reporting stage. The entire focus was to develop an understanding of the laws, regulations, policies, and procedures in the area and then to identify and correct the detected exceptions and errors.
- Process-based auditing: Process-based audits were developed in the 1980s to address some shortcomings of controls-dependent auditing, such as its low value to decision-makers. Process-based audits look at processes as a whole and evaluate their design, efficiency, and effectiveness. These audits began to stress the achievement of business objectives as a key gap to estimate between a current and an actual process, but the focus of an audit was often still controls-based.
- Risk-based auditing: Risk-based auditing was developed in the 1990s to establish further added value, especially as more consulting firms entered co-sourcing arrangements for internal auditing and had to justify their quoted fees. The intent was to limit the audit engagement to significant risks, starting by developing a deep understanding of the entity and the risks it faces. Relatively low-risk controls could be omitted from engagements to ensure a greater return on the investment in auditing. This auditing maturity level satisfies the mandates of the standards to be risk-based in selecting engagements, audit objectives, and specific audit tests. It is a method that is intuitive for management to understand and endorse. However, organizations that have relatively mature ERM processes can also move to a higher auditing maturity level.
- ERM-based auditing: ERM-based auditing was developed in the late 1990s as a counterpart to the organization-wide use of ERM for holistic risk-based assessment and decision making. In addition to setting project priorities based on perceived risk to key business objectives, it focuses strongly on measuring risk based on relevant KPIs, accounting for risk appetite and risk tolerance levels, and planning responses based on what enterprise risk management capabilities already exist. Rather than focusing just on mitigating risks to an acceptable level, ERM-based auditing assesses how well ERM activities are supporting organizational objectives by managing risks to an acceptable level within a risk appetite or tolerance. Thus, the focus is on the gaps in ERM effectiveness based not only on the auditor’s objective assessment of what risks are significant but also on management’s assessment of those risks.
ERM-Based Auditing Methodology
Advantages of maturing to an ERM-based auditing methodology include:
- Creating a foundation for audit judgments based on organizational strategy and objectives, risk appetite, and governance maturity;
- Developing an assurance framework for assessing the adequacy of ERM and governance activities;
- Synchronizing the auditor’s tolerance for risk with management’s tolerance for risk rather than focusing solely on the former as in prior audit methods;
- Emphasizing the critical need to base performance measurements on what will provide real incentives to accomplish organizational objectives; and
- Focusing on the organization’s future capability to assess and manage risk rather than on just its historical risk response track record.
Planning an Audit
The audit should be properly planned by the auditor. This standard outlines the auditor’s responsibilities for conducting thorough audit planning.
Planning the audit entails developing an audit plan and establishing the overall audit strategy for the engagement, which includes, in particular, planned risk assessment procedures and planned responses to the risks of material misstatement. Planning is not a discrete phase of an audit, but rather a continuous and iterative process that may begin soon after (or in conjunction with) the completion of the previous audit and continue until the completion of the current audit.
Preliminary Engagement Activities
At the start of the audit, the auditor should perform the following tasks:
- Carry out procedures for maintaining the client relationship and the specific audit engagement,
- Determine compliance with the requirements for independence and ethics, and
It should be noted that determining compliance with independence and ethics requirements is not limited to preliminary engagement activities and should be reevaluated as circumstances change.
- In accordance with AS 1301, Communications with Audit Committees, establish an understanding of the terms of the audit engagement with the audit
Steps for Internal Audit Planning
An internal audit plan may include several internal audits throughout the year. It does not have to be just one internal audit project, and a typical internal audit program includes a number of separate audits. This emphasizes the importance of the internal audit planning phase in ensuring that the goals of each internal audit are considered in the context of the audit program as a whole.
The key phases, steps, and questions to consider during the internal audit planning process are listed below:
Define Audits To Be Performed
- What types of internal audit engagements will be carried out?
- Are other audits, besides internal controls over financial reporting, to be included, such as compliance, operational, or performance audits?
- Will they be classified according to function, location, product, or department?
Internal audit projects can be identified and streamlined by breaking down the organization into smaller audits. By focusing on smaller sections of an organization, regardless of how they are divided, the scope and objectives of the audit engagement can be narrowed.
Perform Risk Assessment and Prioritize
- What are the risks that must be addressed within the organization?
The risk assessment phase of internal audit planning is critical for understanding the business objectives and aligning those objectives with the internal audit plan. Once a risk assessment has been completed, prioritize the internal audits that have been identified for execution. The risk assessment may also reveal the need for additional audits that were not previously considered. Internal audit planning is typically done once a year, and an audit calendar is created to prioritize and plan internal audits based on the risks identified.
Designate Resources and Define Timeline
- Who will be in charge of each internal audit?
- Do they have the necessary skill set to carry out the audit?
- Do certain audits have to be performed at certain times of the year?
As previously discussed, decisions should be made about whether to use internal resources, outsourced resources, or a combination of the two to work on the engagements. Some internal audits may necessitate the use of Subject Matter Experts (SMEs) who are not always readily available within an organization. Identifying and assigning the appropriate resources, as well as defining the audit timeline, greatly aids in resource planning.
Review Audit Plan and Set Up Planning Meetings
The Board of Directors or Audit Committee of a company oversees the internal audit function. While reviewing the audit plan, it is critical to solicit input from the Board or Audit Committee, as well as organization management, to ensure that all considerations and risks have been considered.
Following the review of the audit plan, initial planning meetings with key business points of contact can be scheduled. Personnel within the business functions who will be involved in each audit must be notified in advance and made aware of the audit’s purpose and objectives so that they can prepare as well.
An organization benefits greatly from the internal audit planning process. During the planning phase, much of the risk assessment work identifies key risks that may or may not have been addressed previously. Year after year, fine-tuning the internal audit planning process can reveal risks that pose a significant threat to an organization.
The planning phase also provides an opportunity to alert organization executives to these risks and communicate the audit plan, ensuring that business and strategic objectives remain aligned. Effective internal audit planning can significantly reduce inefficiencies in audit execution later on, lowering costs. Spending the time to develop a clear audit plan strengthens the audit engagement’s purpose and objective.