Why Is Internal Audit Planning Critical To An Effective Audit?

Internal Audit Planning

The task of internal audit planning can be overwhelming and involve many individuals. Sometimes it is difficult to even know where to begin. In this article we will break down a few of the common questions when it comes to an internal audit, elaborate on the key steps to the internal audit planning phase, and reference resources and guidance that can be of use.

 

Internal vs. External Audits

What is an Internal Audit & How is it Different From an External Audit?

Let’s start with the very basics, with a question such as what exactly is an internal audit? By definition, an internal audit is the process of evaluating an organization’s internal controls. It is performed by individuals independent of the business functions or processes under evaluation. The individuals performing the audit can be employees of the organization, or an outsourced third-party entity. The goal of an internal audit is to provide the results of the audit to the organization’s leading members so that key decisions to satisfy the organization’s business objectives can be made. A well planned and executed internal audit can provide insights and identify process efficiencies across multiple business functions.

The key difference between an internal and external audit is the intended audience. An internal audit is focused on providing reports directly to management and the function can serve in the capacity of internal consultants. Whereas an external audit’s audience leans towards investors, shareholders/key stakeholders, and clients. Additionally, as the names imply, internal audits are normally performed by internal personnel of the organization, and external audits are performed by independent third parties outside of the organization.

 

In-house or outsourcing internal audits

Should You Keep an Internal Audit In-House or Outsource? What are the Pros & Cons?

Internal audits require a lot of resources and can be costly for many organizations. Before we get into specific internal audit planning steps, one of the first questions that should be asked is who is going to perform the internal audit? Here are some pros and cons to having an internal audit team within the organization vs. outsourcing the function:

  • Organizational Knowledge – A pro to having internal personnel perform the internal audit is that they usually already know the background of the business and might be more welcomed by the business function(s) under audit. Internal employees are typically more passionate about the organization’s business purpose. On the other side, although they are supposed to be objective and independent during the audit, internal personnel’s audit findings might be unintentionally biased given their relationship with other employees of the organization. It can be difficult to put the “blinders” on.
  • Costs – A pro to outsourcing the internal audit function is that it can provide cost savings as the organization would not have to hire and retain full-time employees to support the function. Rather, the internal audit function would operate on a contracted basis and typical overhead costs, such as dedicated office space, would be freed up for other resources. A cost analysis of what third party entities charge versus all the costs associated with hiring, training, and retaining internal employees would be beneficial.
  • Quality – With outsourcing, you can identify specialists for each type of internal audit to be performed. This could yield greater insights into the internal audit results given the specialists’ focused approach. However, you also run the risk of contracting with an audit vendor that doesn’t perform to the standards or metrics set. It is important to set expectations of what is to be achieved and how their performance will be measured at the start. A pro for having internal employees perform the audit, in regard to quality, is that it’s assumed that employees of the organization are closer to the business functions and know which questions to address to achieve higher quality. On the flip side, not having a fresh set of eyes on a process can often lead to missed gaps or inefficiencies.

There are a host of other factors when it comes to the determination of whether to have an in-house internal audit function or outsource, but taking into account these key considerations in regard to knowledge, costs, and quality can significantly help in the decision making process.

 

Internal audit plan steps

What Are the Steps for Internal Audit Planning?

An internal audit plan can consist of multiple internal audits throughout the year. It does not necessarily have to be just one internal audit project, and normally an internal audit program entails many separate audits. This makes the planning phase of an internal audit that much more important to ensure each internal audit’s goals are considered in an audit program as a whole. Below are the key phases, steps, and questions to be considered during the internal audit planning process.

  • Define Audits To Be Performed
    • What types of internal audit engagements are to be performed?
    • Are other audits besides internal controls over financial reporting, such as compliance, operational, or performance audits to be included?
    • Will they be broken down by function, location, product, or department?
      • Breaking down the organization into smaller audits can help identify and streamline internal audit projects. By focusing on smaller sections of an organization, regardless of how it is divided, helps in narrowing the scope and objectives of the audit engagement.
  • Perform Risk Assessment and Prioritize
    • What are the risks within the organization to be addressed?
      • The risk assessment phase in internal audit planning is critical to understanding the objectives of the business in order to align those objectives to the internal audit plan. Once a risk assessment has been performed, prioritize the identified internal audits to be executed. The risk assessment may also bring to light, additional audits that may need to be performed that were not considered initially. Typically, internal audit planning takes place on an annual basis, and an audit calendar is created to prioritize and plan internal audits based on the risks identified.
  • Designate Resources and Define Timeline
    • Who will work on each internal audit?
    • Do they have the sufficient skill set to perform the specified audit?
    • Do certain audits need to be performed at specific times throughout the year?
      • As previously discussed above, considerations should be made on whether to have internal resources or outsourced resources working on the engagements, or a combination of the two. Some internal audits may require Subject Matter Experts (SMEs) that may not be readily available internally to an organization. Identifying and assigning the correct resources and defining the timeline of the audits greatly helps with resource planning.
  • Prepare. Prepare. Prepare.
    • Once the internal audit engagements, risks, and resources have been identified, lots of preparation activities can take place. A few thought-provoking questions to ask:
      • Has necessary guidance been reviewed for each audit, such as industry standards, regulations, company policies, and procedures?
      • Is this a first-time audit or has this process been audited in the past?
      • Have there been any significant changes to this division/process/function of the organization recently?
      • Have the results of past audits been reviewed?
  • Create Audit Plan
    • What is the defined scope and objectives for the audit?
    • Do you know the key reports, policies, and procedures for the process being audited?
    • Do you have access to the systems to properly evaluate the process(es)?
    • What is to be tested within each process?
      • The phase of creating the audit plan is a daunting task. There are many inputs and the more information you are able to identify during this planning phase, the easier it will be to create and execute the audit plan. The greater detail and preparation in the audit plan will make way for an effective and efficient audit.
  • Review Audit Plan and Set-Up Planning Meetings
    • Within an organization, the Board or Audit Committee provides oversight of the internal audit function. It is important to get input from the Board or Audit Committee, and organization management, while reviewing the audit plan to ensure all considerations and risks have been taken into account. After the audit plan has been reviewed, then initial planning meetings with key business points of contact can be scheduled. It is important that personnel within the business functions that are to be involved in each audit be notified in advance and made aware of the audit purpose and objectives so that they can prepare as well.

 

The value of an internal audit

What is the Value in Developing an Internal Audit Plan?

The internal audit planning process provides a multitude of benefits to an organization. Much of the risk assessment phase during planning identifies key risks that may or may not have been addressed already. Fine-tuning the internal audit planning process year after year can expose risks that pose a major threat to an organization. The planning phase is also an opportunity to alert organization executives of these risks and communicate the audit plan so that business and strategic objectives remain aligned. Effective internal audit planning can significantly reduce inefficiencies in the execution of the audit later down the line and in turn decrease costs. Spending the time to establish a clear audit plan enhances the purpose and objective of the audit engagement.

 

Internal audit plan guidance

What Guidance is Available for Internal Audit Planning?

The Institute of Internal Auditors (IIA) provides authoritative guidance through the International Professional Practices Framework (IPPF), which sets internal audit standards globally. Additionally, the COSO Internal Control-Integrated framework can be helpful while assessing current controls in an organization’s environment which impacts the internal audit planning phases. It is the responsibility of the internal auditor to identify and follow guidance and frameworks throughout the internal audit process.

Summary

The internal audit planning phase is a critical aspect of an organization’s internal audit function and I hope this article helped you understand some of the key steps and considerations in creating an internal audit plan. A successful internal audit can also help an organization in undertaking external audits. Linford & Company has extensive experience in providing compliance audits. For information on the audit services that Linford & Company can provide to your organization, please see the following links: