Strategic audit planning

An audit needs assessment (ANA) exercise should be undertaken to inform the development of the organisation’s internal audit strategy (IAS). This ANA should be regularly updated and the IAS amended as necessary to reflect the changing assurance needs of the organisation.  

The ANA should be updated at least annually. Increasingly, however, organisations are seeking more organic strategies that evolve more frequently to reflect the increased speed of change which many are experiencing, fuelled particularly by technology and competition. This requires continuous monitoring of the internal and external environment, and frequent and meaningful dialogue with both senior management and the audit committee.

The ANA represents a critical ingredient in the provision of an adequate, relevant and timely internal audit. It should be used to direct internal audit resources to those aspects of the organisation that represent the greatest risk to the achievement of its objectives, and where internal audit can aid management of those risks.  

The ANA process should include:

  • review of the organisation’s risk register / board assurance framework
  • review of performance management data
  • review of previous audit opinions and progress on actions
  • review of other second and third line sources of assurance
  • external major incidents/risks and other factors such as industry issues
  • planned organisational changes or major projects
  • reports from regulators
  • discussion with senior management, audit committee and external audit

All of the above should be considered in the context of organisational risk appetite, current risk exposure and acceptance of risks.

In organisations whose risk management arrangements have moved on to reflect the board assurance framework, that framework is a useful tool in the ANA process. This approach starts with strategic objectives, the risks to achieving those objectives, and then typically the ‘three lines of defence’ within the organisation which aim to manage risk to within appetite.

The first line of defence is the internal control environment recognising the policies, procedures and processes put in place by management. The second line of defence is management’s own monitoring and risk assurance processes including those escalated up through the governance framework. The third line of defence is independent assurance, providing a position statement for internal audit within organisations.   

When considering the focus of the organisation’s IAS, the board assurance framework can help internal audit identify where it can provide assistance in its ‘consulting’ role surrounding business critical risk exposure beyond risk appetite. It can also help identify where ‘independent’ assurance will add most value by focusing upon those controls which the organisation believes are managing business critical risks within risk appetite.

The IAS should prioritise reviews over a particular timeline. The timing of reviews will be driven by a number of factors such as:

  • priority for each area of coverage, in terms of the level of risk exposure and risk appetite
  • management or audit committee concerns regarding a particular area
  • degree of stability in respect of systems, staff and other organisational change
  • time since last audit and audit outcomes
  • when specific risks are considered likely to materialise and impact

The audit resources necessary to deliver individual assignments will be driven by a number of factors such as:

  • system complexity
  • factors such as number of locations, transactions and frequency
  • the assurance which can be brought forward from previous audits
  • the envisaged scope and objectives of the proposed audit

The IAS and the annual plan (year 1) within it will normally be subject to audit committee review and approval, with changes in subsequent years approved as appropriate in accordance with agreed protocol.

Resource management

Few managers have a blank cheque when it comes to budgets. Internal audit is no different.  

Internal audit will typically adopt a medium timeline for strategic planning purposes allowing the chief audit executive (CAE) to balance assurance needs and resources within a defined budget envelope to provide reasonable assurance to audit committee and senior management. Short term or specific skills gaps can be bridged through recruitment, training or co-sourcing.  

Where the budget of the department is insufficient to meet the assurance needs of the audit committee and senior management, the CAE will need to raise such concerns and explain the impact of such limitations upon the assurance they are able to provide. The audit committee can direct a review of resources and approve as required to meet its needs.

In determining and managing the resource need:

  • identify the number of individuals, skills mix and specialist skills necessary to deliver the approved IAS
  • analyse your current resources against this need to identify resource shortfalls and skills gaps based upon realistic target utilisation / efficiency levels
  • allocate audits based upon skills and experience to in-house team members
  • identify how resource shortfalls will be met - recruitment, out-source or co-source
  • monitor that planned audits are delivered in accordance with the approved budgets, so that any deviation is identified and timely action is taken to keep delivery of the audit plan on track

When managing co-sourced or out-sourced relationships to support the audit plan:

  • tender for specialist work suitably balancing cost and quality considerations
  • ensure robust and clear contracts are in place with: requirements, pricing, confidentiality, data security, ownership of intellectual copyright and working papers, dispute resolution, and exit terms
  • establish clear operating procedures and approval processes within a service level agreement to ensure that each assignment is delivered in accordance with expectation

IT solutions may enable more efficient and effective internal auditing. However, this will be dependent upon a number of factors such as the size of the audit plan, size of the respective team, geographical spread and degree of standardisation or repetition within the audit plan. 

Increasingly, internal audit is utilising a risk-based approach to audit strategy, rather than simply providing coverage of the audit universe on a set cycle. Some of the value within traditional IT solutions can be limited and may not justify their cost. Therefore, as with any system acquisition, you should undertake a detailed needs analysis and review the product offering to determine whether it will meet those needs and provide value for money.

Likewise, with increased functionality within common office IT products, existing software can be used to automate elements of the audit documentation and to facilitate analysis of large volumes of data, provided the data can be extracted in a common format from the organisation’s core management information systems.

Knowledge management

The internal audit function must develop the skills, experience and knowledge within its team members. Importantly, it must also ensure that, as team members change, their knowledge is retained as far as possible or transferred to other team members. Effective audit management systems, notice periods, team working and knowledge sharing practices will assist in minimising associated key person risks.

The following techniques may assist in acquiring and developing in-house skills:

  • structured appraisal and performance management
  • informed training programmes at both a team and individual level
  • in-house training programmes to deliver common training needs
  • procurement of external training for specific specialist training needs
  • mentoring programmes
  • joint delivery of reviews with co-sourced providers to facilitate knowledge transfer
  • effective knowledge management systems

IIA IPPF Standard 2010 – planning

IIA IPPF Standard 2030 – resource management