Audit Planning

Internal Auditor, August, 2000 by Larry D. Hubbard

Proper planning helps to ensure that auditors and management share the same agenda and that each engagement adds value to the client.

NEW COMERS TO THE PROfession often don't fully understand the value of audit planning. "Why not just do it?" they ask. "Why don't we just walk in the door and start ticking?" Unfortunately, no audit department has enough time or resources to do everything that could be done, which means that we must predetermine what is most important and what steps will be most likely to ensure success.

SCOPING THE AUDIT

Macro-level planning, a process that is usually conducted by audit management, identifies the audits that will be performed within the organization, while micro-level planning focuses on how to plan an individual audit. The importance of macro planning and its implications are relatively obvious. In this instance, we'll examine micro-level planning: how to scope the audit, acquire management cooperation, and ensure that the right skills are available.

The process of deciding which areas, cycles, functions, activities, systems, or other entities to audit is often linked to a risk assessment process. Sometimes auditors are uncertain about how this process relates to the overall COSO risk assessment formula, which focuses on objectives, risks, and controls. In fact, the COSO model is relevant from both internal auditing and management perspectives and objectives.

For example, the objectives for an audit could relate to internal auditing's aims for performing the audit, such as, "Ensure the audit provides a value-added service to management." The risks could correspond to those aims: "Management may not think auditors have the technical abilities to add value to their operations" or "The audit may not focus on items of importance." Addressing these issues might be considered as internal auditing's objectives.

Another approach to micro-level risk assessment might focus on management's objectives, such as "Increase market share." The audit could evaluate the controls designed to mitigate the risks, such as "The market may be saturated" or "The competition could undercut our prices." According to COSO, these are entity-level or management objectives, which means that management owns the process and should already have performed their risk assessment before the audit starts. In practice, however, management often hasn't fulfilled this role; and auditors can assist in the risk identification and control processes. Many audit shops are finding that control or risk self-assessment workshops are valuable. The workshops often occur at the beginning of an audit, but they may also be performed on a stand-alone basis.

Both audit and management objectives should be integrated into the audit scope. In most cases, the audit planning process includes meetings with management, identification of applicable audit programs, and other steps to mitigate the risks related to the objectives. During the planning process, the auditor must ask management for their objectives and compare them to the audit scope to be sure that the audit work helps management to meet their objectives. An audit that does not include management's objectives from the beginning will not generally produce information on which management will act.

MANAGEMENT COOPERATION

The single most important factor in a successful audit is obtaining management s early cooperation in setting the audit timing, objectives, and procedures. If management believes that the auditors are there only to find errors and nitpick, they may be less inclined to cooperate freely. Therefore, the auditors should make it dear early on that they are there to add value and to partner with the management team toward achieving a common goal. Most audit groups are of the opinion that soft controls, such as ethics, communications, and commitment, which are often among the most important organizational issues, can only be evaluated with a joint, cooperative effort between internal auditing and the client.

Some audit departments are asking management to co-sign audit planning documents. Sometimes called audit plans or engagement letters, such formalities help to ensure early, joint agreement and improve the odds of a successful audit.

THE RIGHT SKILLS

Another factor in effective audit planning involves matching up the skills of the auditors to the areas that will be addressed during the audit. Nothing seems to harm an audit more than a perception by client management and personnel that the auditors know nothing about the business of the unit being audited. How can someone who knows nothing about an area possibly get up-to-date fast enough to critique or evaluate the work of employees who do a job every day? They can't.

If the skills don't match, auditors may be able in some instances to acquire just-in-time training; or the department may borrow expertise from other areas of the company or bring in specialists to help with the audit. All this matching of skills takes lead time. As a result, some groups set aside a planning week, often several months before the actual start of an audit. The lead or senior auditor spends time arranging the logistics of the audit and planning for the appropriate skills to be available when the audit starts. Of course, this process takes time away from the current audit the lead is performing; but many audit departments are viewing this planning week as essential.