How To Create An Audit Plan: A Helpful Guide In Creating An Audit Plan

Posted in Internal Audit on March 5, 2024

An audit is the highest level of assurance a CPA firm can provide that the financial statements adhere to generally accepted accounting principles (GAAP) or some other reasonable accounting basis.

Auditors will plan the audit in broad strokes at the start of the engagement, but much of the plan will be developed as the audit is carried out. Planning is an essential component of the audit process that assists auditors in adhering to generally accepted auditing standards (GAAS).

How to Create an Audit Plan

To create an audit plan, auditors must do the following:

  • Analyze business risks. Auditors should be on the lookout for anything that could jeopardize management’s ability to achieve its goals. Audit procedures should consider the business’s operating environment as well as business risks.
  • Examine the accounting policies and procedures to ensure that they are appropriate. Auditors will want to spend enough time developing an understanding of significant accounting policies in use at the company when designing an audit plan. Accounting policies cover procedures such as revenue recognition, capitalization, inventory accounting, consolidation, impairment, and valuation.
  • Determine which areas may require special audit attention. Particular attention should be paid to areas that are highly complex or have a high likelihood of error. Auditors can use their assessment of the company’s business risks as well as accounting policies and procedures to determine where additional attention is required.
  • Set materiality thresholds. When an item is material, it is of significant importance. Materiality is frequently measured in relation to the size of the company being audited. As a result, many audit firms will set their materiality threshold as a percentage of total assets or a percentage of revenue.
  • Create a set of expectations for the analytical procedures. Analytical procedures such as trend and ratio analysis assist auditors in determining the reasonableness of financial statements. A trend analysis seeks out anomalies that occur over time. Ratio analysis compares the financial condition and performance of a company to industry averages.
  • Create audit procedures. Audit procedures are classified into two types: tests of internal controls and substantive testing. Internal control tests are intended to assess the effectiveness of a company’s controls in preventing or detecting material misstatements. In general, the more effective a company’s control system, the less substantive testing is required. Substantive tests are direct examinations of transactions that occurred during the period or balances on the financial statements.
  • Rethink the strategy. Throughout the audit, auditors should reassess the audit plan. If material concerns arise, or if analytical procedures reveal additional risks, auditors may be required to adjust or expand procedures in order to issue a clean opinion.

Requirements For Audit Engagement Topics

Once we have the audit universe and risk assessment in place, the chief audit executive must prioritize the audits. Requirements determining potential audit engagement topics for the audit plan are as follows.

  • The internal audit activity’s plan of engagements should be based on the documented risk assessment, which is undertaken at a minimum every year.
  • The input of senior management and the board must be considered in this process.
  • The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.
  • The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.

To reduce risk and improve efficiency, the chief audit executive must take a closer look at the risk assessment data. The chief audit executive needs to decide how to apply audit function resources based on the significance of risk and exposure related to the achievement of organizational strategy and objectives. In validating the risk priorities, in addition to the analysis of risks and responses discussed above, other factors to establish the priority of engagements include financial impact, asset liquidity, management competence, quality of internal controls, degree of change or stability, time of last audit engagement, complexity, and employee and government relations.

In conducting audit engagements, methods and techniques for testing and validating exposures should also be reflective of the risk impact and likelihood of occurrence.

The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. “Appropriate” refers to the mix of knowledge, skills, and other competencies needed to perform the plan. “Sufficient” refers to the number of resources needed to accomplish the plan. Resources are effectively deployed when they are used in a way that optimizes the achievement of the approved plan. This can explain why some organizations make resource allocation an annexure to the audit plan.

Resource Management

Resource management involves consideration of: 

  • Staffing plans or financial budgets;
  • The knowledge, skills, and other competencies of internal audit staff;
  • The knowledge, skills, and other competencies required to perform the engagements; and
  • The number and quality of auditors required.

It is the chief audit executive’s responsibility to communicate to senior management and the board what resources are available as well as any resource limitations that could potentially affect the scope of proposed engagements or execution of the engagement work schedule.

Certainly, the least desirable course of action, if resources are limited, would be to eliminate proposed engagements. The chief audit executive should consider alternatives such as co-sourcing to acquire temporary expertise, reassessing how information technology could be employed, or rescheduling engagements to coordinate them with regulatory bodies. The merits of these and other plausible options should be discussed with senior management and the board.

Final Thoughts

The way internal audits are conducted is evolving. A control-focused approach is currently used by many internal audit leaders. However, new market conditions favor the adoption of risk-centric mindsets, and companies can only remain key players in the field of risk management by making the necessary adjustments.

The audit plan is essential for systematically analyzing risk. Any variable event that would impede a company’s ability to achieve its established business goals and objectives is defined as a risk.

Auditors can begin the risk assessment process by evaluating the risk universe, or all of the potential events and threats that apply to an organization, regardless of probability or impact. This evaluation should cover all business units, operations, and processes. The auditor must also comprehend the company’s business model in relation to the industry in which it operates.