A brief guide to assurance planning
An effective assurance plan should demonstrate to the audit committee that the key controls in place are both sufficient and operating effectively to manage the organisation’s risk within its risk appetite.
Principles and approach
An effective assurance plan is:
- formed from an assessment of risk exposure and risk appetite;
- practical and achievable;
- amended on an ongoing basis to reflect changes in risk and organisational changes; and
- not limited to a one-year view.
The audit committee will normally review and approve an annual audit plan.
An assessment of risk exposure will include:
- reviewing the organisation’s risk map for completeness;
- risk appetite, current risk exposure and material incidents;
- external major incidents/risks (for example, a new method of fraud);
- reported specific risk exposures/risks accepted;
- reports from risk oversight functions;
- reports from external audit and their concerns from discussion;
- reports from any relevant regulators and their views generally, as reported in the press or from discussions;
- external activity which may affect business objectives, such as competitor activity, industry issues;
- audit opinions and progress on resulting actions;
- management concerns, including the audit committee/board/risk director;
- concerns of the audit team;
- trends from audit/risk management information (for example, about a specific department); and
- changes planned.
A practical and achievable audit plan considers:
- the tactics for providing assurance - that is, by the key risks the organisation faces (cutting across multiple departments), by department (cutting across multiple risks), by process, or by a hybrid of these views;
- the sizing of audits (very large audits are cost-effective but can be untimely and lose impact, while very small audits can provide only weak assurance);
- whether themed audits would be useful (a number of audits which are reported individually but which sit within an overarching assurance theme - for example, reviews of individual committee management information packs which sit within an overall theme of committee reporting);
- the impact on audit design of the assurance provided by risk oversight functions, external audit or work undertaken by consultants;
- the inherent and residual risk associated with the audits designed (to be used to prioritise coverage); and
- the adequacy of resources – this includes reviewing both the number of people and their skills to ensure sufficient resources are in place to provide reasonable assurance. Gaps can be addressed through recruitment, training or co-sourcing.