A brief guide to assignment planning
It takes careful planning for an audit to provide reasonable assurance that all the key controls are in place and operating effectively.
Principles and approach
Effective assignment planning considers everything from an assessment of risk, the work required, resources available and deadlines to effective team and stakeholder engagement.
A key output is the terms of reference, stating the scope, audit objectives/risks, audit team and timing.
What is included
Your assessment of risk may include a review of:
- organisation information from the intranet, process documentation, material incidents reported, self-assessment reports and risks, risks accepted, key controls as reported on risk registers and organisation objectives;
- related risk appetite/exposure, risk priorities and key risk indicators (KRIs)/key performance indicators (KPIs);
- reports from risk oversight functions, external auditors, regulators, etc;
- previous audit reports and progress on resulting actions;
- related audit reports and known weaknesses that may have an impact;
- management concerns and those of the audit team with their knowledge of that risk/area/process/system/legislation and regulation; and
- recent and planned changes to key staff/systems/process/legislation and regulation/risk, etc.
Your assessment of work required may include consideration of:
- volumes and values of transactions/budgets to determine sample size;
- work locations and the number of business areas/senior managers;
- the time it takes to update existing audit process/risk documentation;
- technical knowledge required;
- assurance provided and planned by other assurance providers;
- testing methodology to be used - for example, whether it will be highly manual or employ Computer-Assisted Audit Techniques (CAATs); and
- timing to achieve optimal assurance and internal reporting deadlines.
Your assessment of resources may include:
- availability, experience, skills, technical knowledge, base location;
- need for co-sourcing, availability, cost and budget available; and
- selection of a suitable person to lead the audit.
Effective stakeholder engagement may include:
- an assessment of all likely stakeholders, including regulators;
- face-to-face meetings with key stakeholders, both to understand their role, recent and planned changes, their key drivers, their views and key concerns, and for you to explain how the audit will be undertaken, by whom and when, and to ‘sell’ the value of the assurance that’s being provided;
- agreement over who in the business will ‘own’ the audit report; and
- agreement over how they wish to be updated on the progress and findings.