Mastering Audit Planning for Success

Benjamin Franklin, once said, ‘By failing to prepare, you are preparing to fail.’ So is the case with delivering an internal audit. Audit planning plays a very crucial role in the success of audit and in an auditor’s ability to provide valuable insights to clients. Let’s break down what an audit planning phase entail.

Researching: Gather as much as information about the upcoming audit. This could be by way of reading prior audit reports in similar areas, understanding the client’s industry background, industry specific terminologies, best practices or referencing industry regulators’ reports. In addition, an auditor can also learn about the specific audit area (say, procurement), its key risks and internal controls to mitigate the same.

Reviewing initial information: Make it a point to request some initial information prior to the start of fieldwork. This information could be policies, procedures, checklists, job descriptions, financial delegations, access rights, registers and so on. It is important that the auditor reviews such information carefully.

Preparing RACM: Prepare a Risk and Control Matrix (RACM) to help in navigating all phases of internal audit. When prepared well, the RACM acts as a guiding document in planning, conducting fieldwork and reporting. It should ideally contain the below fields:

• Business objectives specific to the area being audited
• Risks that prevent from achieving business objectives
• Risk rating (Impact and Likelihood)
• Actual controls in place (as mentioned in policies / procedures)
• Type of control (Manual? Automated? Non-existent?)
• Test required? (Is there a need to test? If the controls are non-existent, there is no requirement to test for adequacy and effectiveness)
• Test type (Inquiry and Confirmation, Observation, Inspection, Re-performance, and Data analysis)
• Work program (What audit tests can help achieve internal audit objectives? What should be the sample size?)
• Work program reference (reference to work program / papers)
• Control design (is the control adequately designed?)
• Control effectiveness (is the control operating as intended?)
• Observation reference (reference to observation in audit report)

It is important to keep in mind that an RACM is a dynamic document which should be updated throughout the audit process. For example, the actual controls maybe updated later from information gathered in interviews / discussions.

Preparing for interviews: Prepare a list of interview questions in advance which can be a mix of both open and closed ended questions. Some of the initial discussions can be around roles and responsibilities, KPIs, team structure, walk-through of systems used, any current risks / system limitations / opportunities for improvements and various reports produced for monitoring.

Obtaining advice: Schedule periodic discussions with seniors to obtain insights, advice and identify any gaps early in the audit so that there is still sufficient time to steer into the right path.

Ensuring that each work program is designed to achieve the internal audit objectives and provide scope coverage is essential. By doing the above steps and following good document retention practices, the audit is very likely to be a successful one. Remember, preparation is the key to any success!

#internalaudit #internalcontrols #riskbasedinternalaudits #riskandcontrols #riskandcontrolmatrix #RACM #auditplanning