A good audit planning process should also act as a platform to showcase what audit can do and build closer relationships with key stakeholders, writes James C Paterson on the ACCA blog.
For the past 10 years I have been running a course on audit planning. It’s two days long and we often start with heads of audit and audit managers explaining their planning process. Common planning steps include consulting managers and the audit committee, up-dating the audit universe and considering areas of concern for Internal Audit and/or a regulator. After that, differences start to emerge, from:
- “Cross-checking against the key risk register” to “We can’t rely on the risk register”
- “Co-ordinating with other functions and external audit” to “We do our most of our plan independent of others”
- “Calculating priority based on number of years since the last audit” to “We have a blend of factors we use to calculate priorities, and we adjust these if we don’t think the plan is right”.
Then greater differences emerge when we discuss the length of any audit cycle, or what items are in/out of the scope of the audit universe, and what the weighting factors are for the audit universe risk ranking.
It then dawns on many that their audit planning process is effectively a hotchpotch of historical steps, overlaid with specific priorities, where specific factors and weightings cannot be justified other than by explaining that:
- They were used in the past
- They seem to give a reasonable result that stakeholders are happy with
- They weren’t challenged in the last EQA.
The net result of this is that some audit functions are auditing “the risks that matter”: i.e. strategic risks, major projects and programmes and key third-party dependencies, whereas others are auditing mostly basic compliance, control and other standard processes.
We then discuss key finding areas from recent IIA External Quality Assessments and learn that many audit functions fall down against the IIA standard for planning and IIA requirements around co-ordination with others. The requirements include:
- Audit plans should be aligned with the strategies, objectives and risks of the organisation etc. and adjusted at intervals, (IIA IPPF 2010), and
- There should be co-ordination with other assurance functions, and reliance on others where appropriate, (with a clear process for the basis of reliance on others) (IIA IPPF 2050).
Thus the reason there are short-comings in audit plans is because they are mostly based on stakeholder opinions and an audit universe, which is then retrospectively tied back to key risks etc. Most decent EQAs nowadays can tell this is how the plan was prepared, and may have concerns about why some items are in/not in the audit plan.
Remember: You can’t get a good plan by pressing entering data into a model and pressing a compute button, and you don’t have a good audit plan just because everyone is happy with it!
You can read the rest of this article on the ACCA website
I contacted [James] for advice as to how Assurance Mapping techniques could be applied in my own authority. Not only were his ideas very constructive, his approach was very professional yet carried out in a friendly, easy going manner which greatly helped my understanding of the issues involved. James was then always happy to deal with any follow up queries I had and he helped to fine tune and discuss the approach with the rest of my team who similarly very quickly formed the same positive view of James’s style and manner. We have recently introduced this new approach into my authority and the results and comments to date have been very encouraging, thanks in no small way to James’s advice and assistance. I would have no hesitation recommending James to anyone.
James has helped me and my team in a number of areas, examples being improving the way we conduct and report on our audits and helping with our assurance mapping. This has all been done in a positive and supportive manner, helping the team to embed learning from these sessions.