For the past 10 years I have been running a course on audit planning. It’s two days long and we often start with heads of audit and audit managers explaining their planning process. Common planning steps include consulting managers and the audit committee, updating the audit universe and considering areas of concern for Internal Audit and/or a regulator. After that, differences start to emerge, from:

  • “Cross-checking against the key risk register” to “We can’t rely on the risk register”
  • “Co-ordinating with other functions and external audit” to “We do most of our plan independent of others”
  • “Calculating priority based on number of years since the last audit” to “We have a blend of factors we use to calculate priorities, and we adjust these if we don’t think the plan is right”.

Then greater differences emerge when we discuss the length of any audit cycle, or what items are in/out of the scope of the audit universe, and what the weighting factors are for the audit universe risk ranking.

It then dawns on many that their audit planning process is effectively a hotchpotch of historical steps, overlaid with specific priorities, where specific factors and weightings cannot be justified other than by explaining that:

  1. They were used in the past
  2. They seem to give a reasonable result that stakeholders are happy with
  3. They weren’t challenged in the last EQA.

The net result of this is that some audit functions are auditing “the risks that matter”: i.e. strategic risks, major projects and programmes and key third-party dependencies, whereas others are auditing mostly basic compliance, control and other standard processes.

We then discuss key finding areas from recent IIA External Quality Assessments and learn that many audit functions fall down against the IIA standard for planning and IIA requirements around co-ordination with others. The requirements include:

  • Audit plans should be aligned with the strategies, objectives and risks of the organisation etc. and adjusted at intervals (IIA IPPF 2010), and
  • There should be co-ordination with other assurance functions, and reliance on others where appropriate, with a clear process for the basis of reliance on others (IIA IPPF 2050).

Thus the reason there are shortcomings in audit plans is that they are mostly based on stakeholder opinions and an audit universe, and are only retrospectively tied back to key risks etc. Most decent EQAs nowadays can tell this is how the plan was prepared, and may have concerns about why some items are in/not in the audit plan.

Remember: You can’t get a good plan by entering data into a model and pressing a compute button, and you don’t have a good audit plan just because everyone is happy with it!

  • Update the audit universe

    Having spent years working with different organisations in this area, I recognise that an audit universe is an important way to keep track of what audits have/have not been done; but my first question is how broad the definition of your audit universe is. Here is a summary of more traditional vs. increasingly more progressive audit universe items.

    If one of the items in this table is important and currently missing from your existing audit universe, then the first step to moving in the right direction is to update your audit universe accordingly. This may mean that some areas get mentioned twice, but I believe this is better than diluting a key area by spreading it across a range of processes and locations and, as a result, missing its importance to the organisation/key objectives in the next year or so.

    The general goal with an audit universe is to align it, as much as possible, with the risk assurance universe of the organisation; i.e. there should be no key risks, objectives, or other major areas, that cannot be clearly pinpointed.

    If the risk register of the organisation is found wanting, a good approach is to take key organisational priorities/objectives, key projects and then those at the next level and look to see what risks follow; alongside this use “hot topic” risk lists (e.g. from consulting firms or the IIA), or the published risks of similar organisations, to check you aren’t missing anything important.

    You don’t need a perfect risk process to create a fairly good audit plan.
     

  • Clarify the audit planning process

    When we carry out internal audits we normally expect the departments we audit to have clear processes in place, with the necessary controls to ensure key risks do not arise. The same rules need to apply to audit planning. We need to document and follow a clear process that explicitly satisfies IIA standards and explains the basis of any additional steps (e.g. audit universe/weightings vs regulatory requirements).

    The table below sets out an indicative high-level audit planning process:

    Notice that:

    • The audit planning process regards an audit universe as one input to the planning process, not as the driver of the plan
    • Internal incidents and issues and external issues and “hot spot” audit areas are important, to avoid doing the audit plan in a bubble that is devoid of real-world insights
    • Other assurances are a crucial ingredient: after all, what is the point of auditing an area that is already being checked by someone else, especially if that someone else has high standards and can be relied upon? This means having an assurance map is an important component of a good audit plan, discussed below
    • The role of IA is key because auditing known areas of concern, or suspected areas of concern, is a common trap. This may seem rather controversial, but it’s the easiest thing in the world to audit a known/suspected area of concern, on a matter that’s not actually that important, and will not really add much value. Senior managers may want it, but the result could easily be that Internal Audit is not looking at even more important areas
    • Being clear on an “exam question” and level of assurance is important. This is a lean/agile point, and helps Internal Audit to focus on what really matters, be clear when the assignment needs to be done (e.g. to report to a project steering group by a certain date), and size assignments properly (not too big, not too small). Using terms such as audit versus review or health-check communicates differences in depth (see the final table in this article)
    • Don’t be afraid to propose advisory assignments where this is appropriate, and make this explicit to stakeholders (often senior managers like advice whereas audit committee members may be less desirous of this)
    • Be prepared to use the audit planning process to suggest direct assurance from others, or to raise awareness of improvement possibilities in the risk management process. Key problem areas with the risk management process that can emerge from good audit planning discussions include: 

    - a sense that there are missing risks (sometimes on politically sensitive issues)
    - a feeling that the risk impact is too high or too low (this can result from a weak ratings process by risk management – I favour the FMEA approach with its high, very high, extremely high and dangerously high ratings) and also risk assessments that don’t factor in inter-connections (think how the inter-connections of COVID-19 were clearly underestimated)
    - a sense that net risks are too positive (e.g. ignoring contra-indications).

    Remember: the audit planning process isn’t just about the plan.

  • A two-stage planning process

    My advice is to have a two-stage planning process. First a high-level audit plan that maps clearly to the key risks/objectives, then a more detailed plan with a list of specific assignments, with their ranking (e.g. P1, P2, P3). The benefits of this approach are:

    • So that audits on the plan can be easily postponed (P2), or even cancelled (P3) and so it is also clear which must be done that year (e.g. P1, for regulatory reasons)
    • So that audit coverage against key risks etc. is clear, thus allowing the head of audit and other key stakeholders to evaluate whether audit resources are adequate or not (IIA 2020)
    • So that any no-go areas are explicit (see the black holes in the following diagram)
    • Note that using this approach you will find that you start planning to audit risks across several departments (where key issues might be about how these departments work together, or not), not simply auditing individual locations/departments.

  • Assurance coordination and mapping

    Remember, a key mistake is not explicitly factoring in other assurances in the audit plan. Factoring them in is essential, especially in our current era when we can’t afford for everyone to be doing the same things without a clear reason.

    To do this, take key risk areas (rather than processes) and try to clarify roles and accountabilities in the first and second lines of defence, and also to be clear about any recent, current or planned input from experts (consultants or regulators).

    Then try to establish a framework for determining how much Internal Audit can rely on the work of others. Note that it is a myth to assume that better/less good assurance simply depends on the line of defence.  

    By developing a framework for measuring other assurances you can achieve three important outcomes:

    • Agree improvement actions in the first and second lines of defence, so that their assurances will be improved over time
    • Offer opportunities for direct assurances from these functions to senior management and the audit committee (by-passing the need for an immediate audit and most likely helping to focus any follow-on IA assignment)
    • A better, clearer, basis for varying the work done by IA in a given risk area, based on the extent to which reliance can be placed on other assurance activities.

    Of course, Internal Audit should always reserve the right to validate assessments of the level of assurance being given by other functions. This can be done either indirectly when auditing or by delivering a specific assurance map in an area being audited; e.g. “We will review the project, and our report will include an assurance map of the assurances being provided by different functions, together with any action proposals emerging from this”. The table below shows an assurance map for a specific project, but this approach can be applied to the organisation’s key risks as well.

  • Create a flow from the plan to assignments

    Another lean/agile concept, that matches closely with IIA expectations, is to ensure that the audit plan flows into assignment plans. The next table gives an indication of how this can be done with explicit statements about the exam question, timing, depth and breadth and priority rating.  

  • Concluding comments

    I hope the principles outlined validate your current approach, or highlight ways to start auditing “the risks that matter.”

    As you do audit more important things you may question whether your audit team have had sufficient training and development to audit these less-routine areas with confidence and credibility in the eyes of stakeholders. Even if they have, you may nonetheless need to start using co-source providers or guest auditors to bolster the IA team; and also, where necessary, hire in different skills in the audit team (at AstraZeneca we did all three). Any good planning process will flag up these points, as well as challenge whether the audit budget is sufficient.

    Remember, a good audit planning process should also act as a platform to showcase what audit can do and build closer relationships with key stakeholders (for example by asking all Audit Committee members about their concerns not just the chair of the Audit Committee) and by reinforcing the message that Internal Audit is there to add value to senior managers.

    Finally, this is an evolving field - try to audit the risks that matter (subject to other assurances) but don’t expect to audit everything you want, just make sure it’s clear and transparent what you are and are not covering, so you can have no regrets that you didn’t make it clear.

     

    James C Paterson is a former head of internal audit, consultant, trainer (face to face and webinars) and the author of: Lean Auditing.