Internal audit provides independent, objective assurance over an organization’s risk management, internal control, governance and the processes in place for ensuring effectiveness, efficiency and economy.
Each audit plan will be different and tailored to the organization’s needs. However, there are common elements that the audit committee should expect to see when reviewing the audit plan, albeit in practice these elements might be presented in many different ways.
Overview of the Internal Audit Process
The audit committee should expect the audit planning document to set out that the audit plan has been developed by:
taking account of the risks identified by the organization in its risk register and other documents;
using the internal auditor’s experience of the organization and the sector more generally to identify other areas of risk which may warrant attention; and
discussing all identified risks and other relevant issues with the organization’s management to identify the potential scope of internal audit.
Risk-focused Internal Audit Coverage
Where the organization’s risk management policy allocates each risk a likelihood and impact rating between ‘high’ and ‘low’, the audit plan might, for example, focus on ‘high’ and ‘medium’ priority risks over a certain time period. Whatever the focus of the internal audit, the audit committee should be fully informed of:
which areas are being addressed;
how many audit days have been allocated to each area;
when the fieldwork is being undertaken; and
when the internal auditors will report their findings.
Other Reviews
The internal audit strategy may address some areas that do not feature as a high or medium risk. These are nevertheless areas where the organization would benefit from an internal audit review, or they are being reviewed to provide assurance to the audit committee and external auditors regarding operations of the key financial and management information systems. The audit procedures, fieldwork and reporting expectations for these areas should also be identified in the audit plan.
Contingencies
It is important to adopt a flexible approach in allocating internal audit resources, in order to accommodate any unforeseen audit needs. The audit plan should give an indication as to how many ‘man days’ have been allowed for contingencies.
Follow-up
For internal audit to be as effective as possible, its recommendations need to be implemented. Specific resources should be included within the plan to provide assurance to the organization and the audit committee that agreed audit recommendations have been carried out effectively and on a timely basis.
Planning, Reporting and Liaison
The audit committee should expect the internal audit plan to identify a number of audit procedures relating to the following:
quality control review by manager;
production of reports, including the strategic plan and annual internal audit report;
attendance at audit committee meetings;
regular contact with the organization’s management;
liaison with external audit; and
internal quality assurance reviews.
The Internal Audit Team
Where the internal audit is outsourced, the audit committee (and management) should expect a brief introduction to the key individuals working on the audit. This might include partners, managers and any specialist advisers.
Timing
The audit plan should set out the timing of the fieldwork and confirm the form and timeliness of reports to management and the audit committee. For example:
a report for each area of work undertaken within X days of finishing the fieldwork;
a progress report for each audit committee meeting; and
an annual report on internal audit coverage to the audit committee (reporting to fit in with the committee meeting dates).