Larry D. Hubbard
Proper planning helps to ensure that auditors and management share the same agenda and that each engagement adds value to the client.
NEW COMERS TO THE PROfession often don’t fully understand the value of audit planning. “Why not just do it?” they ask. “Why don’t we just walk in the door and start ticking?” Unfortunately, no audit department has enough time or resources to do everything that could be done, which means that we must predetermine what is most important and what steps will be most likely to ensure success.
SCOPING THE AUDIT
Macro-level planning, a process that is usually conducted by audit management, identifies the audits that will be performed within the organization, while micro-level planning focuses on how to plan an individual audit. The importance of macro planning and its implications are relatively obvious. In this instance, we’ll examine micro-level planning: how to scope the audit, acquire management cooperation, and ensure that the right skills are available.
The process of deciding which areas, cycles, functions, activities, systems, or other entities to audit is often linked to a risk assessment process. Sometimes auditors are uncertain about how this process relates to the overall COSO risk assessment formula, which focuses on objectives, risks, and controls. In fact, the COSO model is relevant from both internal auditing and management perspectives and objectives.
For example, the objectives for an audit could relate to internal auditing’s aims for performing the audit, such as, “Ensure the audit provides a value-added service to management.” The risks could correspond to those aims: “Management may not think auditors have the technical abilities to add value to their operations” or “The audit may not focus on items of importance.” Addressing these issues might be considered as internal auditing’s objectives.
Another approach to micro-level risk assessment might focus on management’s objectives, such as “Increase market share.” The audit could evaluate the controls designed to mitigate the risks, such as “The market may be saturated” or “The competition could undercut our prices.” According to COSO, these are entity-level or management objectives, which means that management owns the process and should already have performed their risk assessment before the audit starts. In practice, however, management often hasn’t fulfilled this role; and auditors can assist in the risk identification and control processes. Many audit shops are finding that control or risk self-assessment workshops are valuable. The workshops often occur at the beginning of an audit, but they may also be performed on a stand-alone basis.
Both audit and management objectives should be integrated into the audit scope. In most cases, the audit planning process includes meetings with management, identification of applicable audit programs, and other steps to mitigate the risks related to the objectives. During the planning process, the auditor must ask management for their objectives and compare them to the audit scope to be sure that the audit work helps management to meet their objectives. An audit that does not include management’s objectives from the beginning will not generally produce information on which management will act.
The single most important factor in a successful audit is obtaining management s early cooperation in setting the audit timing, objectives, and procedures. If management believes that the auditors are there only to find errors and nitpick, they may be less inclined to cooperate freely. Therefore, the auditors should make it dear early on that they are there to add value and to partner with the management team toward achieving a common goal. Most audit groups are of the opinion that soft controls, such as ethics, communications, and commitment, which are often among the most important organizational issues, can only be evaluated with a joint, cooperative effort between internal auditing and the client.
Some audit departments are asking management to co-sign audit planning documents. Sometimes called audit plans or engagement letters, such formalities help to ensure early, joint agreement and improve the odds of a successful audit.
THE RIGHT SKILLS
Another factor in effective audit planning involves matching up the skills of the auditors to the areas that will be addressed during the audit. Nothing seems to harm an audit more than a perception by client management and personnel that the auditors know nothing about the business of the unit being audited. How can someone who knows nothing about an area possibly get up-to-date fast enough to critique or evaluate the work of employees who do a job every day? They can’t.
If the skills don’t match, auditors may be able in some instances to acquire just-in-time training; or the department may borrow expertise from other areas of the company or bring in specialists to help with the audit. All this matching of skills takes lead time. As a result, some groups set aside a planning week, often several months before the actual start of an audit. The lead or senior auditor spends time arranging the logistics of the audit and planning for the appropriate skills to be available when the audit starts. Of course, this process takes time away from the current audit the lead is performing; but many audit departments are viewing this planning week as essential.
Speed is of the essence in today’s business world, and the time required to perform audits is a consideration for all our departments. However, failing to devote enough time to planning can result in audits that are flawed and of little value or relevance. As auditors, we really are there to help; and if we are to provide the information and support that our clients need, we must be sure that we don’t give short shrift to one of the most important aspects of our work.
LARRY D. HUBBARD, CIA, CCSA, CPA, is Principal of Larry Hubbard & Associates in Bethesda, Maryland.
AUDIT PLANNING TIPS
* Ask management to co-sign the audit plan. This step encourages management’s early commitment to the rationale for the audit and the organization’s allocation of audit time.
* Focus on management objectives. Our objectives as auditors must fit within the overall context of management’s objectives; otherwise, management is much less likely to implement any recommendations from the audit.
* Explore the viability of facilitating a workshop during the audit planning process to gather information and identify risks and controls. You may not actually ask for a self-assessment of controls, but including client personnel in the planning process can enhance the audit’s applicability to management goals and objectives.
* Understand the macro-level risk assessment process well enough to know why the current audit is being performed. Starting an audit by saying, “We’re here because it’s been two years since we were last here,” is not what clients want to hear. We should be able to say why, on an overall company risk basis, it makes sense to perform the audit at that time. The micro audit plan should make such macro-level factors the underlying focal point of the audit.
* Coordinate your audit efforts with the work of other review groups, such as TQM or organizational improvement groups, security groups, environmental compliance groups, regulatory groups, and certainly the external accountants.
* Remember that you can’t spend the whole audit budget on planning the audit. Most groups seem to spend 10 to 30 percent of total time on planning, which usually ends with the development of audit programs. The remainder of the time is spent on testing information and data for compliance with management’s intended procedures.
THE IIA STANDARDS AND AUDIT PLANNING
Standard 410 of the Standards for the Professional Practice of Internal Auditing covers audit planning. It is the first of the four major steps in performance of audit work. The other steps include examining and evaluating information, communicating results, and following up.
The Standards state that planning should be documented and that the process should include:
* Establishing audit objectives and scope.
* Researching background of the audited areas.
* Determining the audit resources.
* Communicating with all who need to know about the audit.
* Performing a preliminary assessment of risks and controls within the audited areas.
* Writing the audit programs.
* Determining how and when audit results will be communicated.
* Obtaining approval of the audit planning results. Beginning auditors who want to know more about audit planning, such as what to include in meetings with management and how audit planning should be documented, can review Standard 410 on The IIA’s Web site: www.theiia.org/guidance/default.htm, then click on “Standards for the Professional Practice of Internal Auditing (Standards).”
COPYRIGHT 2000 Institute of Internal Auditors, Inc.
COPYRIGHT 2002 Gale Group