Audit Planning

It’s that time again. Creating or updating the audit plan for the next calendar year. Most audit groups probably create a risk-based plan — which essentially means we start with some sort of risk assessment and determine the audits that should be on the plan — then try to figure out if there are enough hours to complete the work we propose to do. There is a brief discussion among the audit leadership team. Managers and directors trying to get more hours and resources. CAEs thinking that 250 hours for an audit is an enormous amount of time — nostalgically remembering their days in public accounting when they used to be able to complete audits in record time (conveniently forgetting that those jobs were always miserably over budget). Seniors and staff wondering why everyone is huddled behind closed doors all the time — secretly hoping that there are exotic locations to travel to on the new plan and that the travel budget is reasonable.

Some groups create multiyear plans, knowing how much coverage they want to give to an area of the business on a rotational basis. Others may start with a new proposed plan each year — then meet with the risk owners to ensure a value-added plan, while still retaining their independence in setting the “right” plan at the end. Others yet may have extensive discussions with their audit committee members and senior leaders to ensure buy-in at a senior level before the plan becomes a reality.

Over the years, I’ve probably used all of the above approaches. Enterprise risk management activities have certainly made the starting point easier as the risk assessment is no longer a separate audit department exercise. The audit universe has become a risk universe, and with that, the audit plan is much more relevant and “exciting” for the audit department to execute. (Exciting might not be the right word choice, but we are talking about auditors after all).

Our proposed plans are complete for now. We’ll start socializing with the audit committee and senior leadership soon — and hopefully hit the ground running in January. Although we create an annual project list for resource planning purposes, we also keep a pretty close eye on emerging issues throughout the year and will substitute higher risk projects as they arise (all with audit committee approval, of course).

If anyone has a novel approach — such as doing away with the annual audit plan completely, creating only quarterly plans, or fully integrating the internal and external audit efforts together to create a comprehensive audit approach — please chime in. I don’t know if this is too novel, but we also build a pool of hours for "flash audits." These audits are reserved for less than full scope engagements not specified on the plan in the beginning of the year. We’ve found flash audits to be a great way to deliver value to our customers who might need audit services that are less than full scope. 

Happy planning!


Posted on Nov 1, 2010 by Kiko Harvey


  1. At our organization we've eliminated the annual plan concept and have moved to a quarterly plan. It has its plusses and minuses. It's a little crazy in a risk-based environment to think you can plan annually because things change so rapidly. Maybe if you were in an organization that did the same can o'corn audits, but not in an industry that is changing rapidly. However, quarterly planning can be an absolute bear and our process is tiresome. There must be something in the middle of an annual and quarterly plan that would work best.

  1. We continue to develop our annual audit plan but find the need to modify it as we go throughout the year -- almost like "continuous" planning but anchored in December so we can track what has changed.  This year we introduced an Emerging Risk Repository where every auditor around the world can add new areas of risk at any time for evaluation by audit leadership.  Some of these entries have prompted a change to the audit plan.  Whatever you do, be sure to keep a couple of fingers on the pulse of your organization and respond quickly when needed.

  1. We have a risk based audit plan with quarterly updates. We gather input from Senior Staff every quarter and make any changes as necessary. It helps a bit that our business is very centralized and a significant portion of revenues and profits come from one unit. Risks tend not to change as much during the year but when they do we have allotted hours for these new projects. The idea that a good audit plan has to only be risk based and strategic is not all correct in my opinion. We tend to find our biggest risks and process improvements in what we call "housekeeping audits" (i.e. Payroll, Contractors, AP etc.). There is a balance in my opinion between all these types of audits. Our plan reflects them all, risk based, strategic audits, housekeeping, and regulatory. Our audit committee feels we are providing value but also ensuring they keep their jobs!

  1.  Hi Kiko, 

    My organization has moved to strictly a quarterly planning process primarily because (as Bubsy pointed out) the audits planned at the beginning of the year were stale and no longer relevant. While historically, our policy was to have a flexible annual audit plan; practically speaking, people treated that plan as if it were carved on two stone tablets. The layers of approval, tracking, and questioning of plan changes discouraged managers from exercising those behaviors that we wanted to encourage. The quarterly deliverable has increased the workload but the result thus far has been a plan that truly addresses the organization's risks in a timely way.

  1. Internal Audit plan quarterly or annually must include your audit reporting to financial occurrences. Internal Audit is advisable as pre-audit, mean to say every payment should be first audited, to include this you involve audit in every transaction. Financial budget to include in your plan is also to monitor the variances if occurred in expenses can be highlighted. You keep yourselves tight with your audit responsibility. You plan a regular physical inventory checking, it includes in your planning. You plan a regular visit to the branches, etc, it includes in your planning. These are periodical plans which you can manage into quarterly, yearly, etc. Unusual audit, if you anticipate you include in your audit plan. The audit is more planned to govern, if today's payment can be checked which is within the business expense or payment, that is most rightful choice to include in your than to investigate later, if false payment has been made. Other plans include audit's analyses, reportings, suggestion for improvements.

  1. Great feedback.  I like the thought of an emerging risk feedback loop from the auditors.  Maybe we'll try that.

  1. Hi Kiko, our planning process consists of determining the audit focus areas for the whole year. These areas are chosen based on risk assessment and aligned with the operational business plan and overall strategy. The audit assignments, within these areas, are then determined on a quarterly basis to ensure flexibility and relevancy of our work. This approach seems to satisfy both the audit committee, senior mgmt and our internal resource planning needs.
