The task of internal audit planning can be overwhelming and involve many individuals. Sometimes it is difficult to even know where to begin. In this article, we will break down a few of the common questions when it comes to an internal audit, elaborate on the key steps to the internal audit planning phase, and reference resources and guidance that can be of use.
What is An Internal Audit? How is it Different From an External Audit?
Let’s start with the very basics, with a question such as what exactly is an internal audit? By definition, an internal audit is the process of evaluating an organization’s internal controls and performance. It is performed by individuals independent of the business functions or processes under evaluation. The individuals performing the audit can be employees of the organization or an outsourced third-party entity. The goal of an internal audit is to provide the results of the audit to the organization’s leading members so that key decisions to satisfy the organization’s business objectives can be made. A well-planned and executed internal audit can provide insights and identify process efficiencies across multiple business functions. An internal audit can also detect control issues within the organization prior to an external audit by a third party and can be corrected.
The key difference between an internal and external audit is the intended audience. An internal audit is focused on providing reports directly to management and the function can serve in the capacity of internal consultants. Whereas an external audit’s audience leans towards investors, shareholders/key stakeholders, regulators, and clients outside of the organization. Additionally, as the names imply, internal audits are normally performed by internal personnel of the organization or those acting on behalf of the organization, and external audits are performed by independent third parties outside of the organization.
Should You Keep an Internal Audit In-House or Outsource? What Are the Advantages and Disadvantages?
One of the first questions that should be asked is “Who is going to perform the internal audit?” Internal audits require a lot of resources and can be costly for many organizations. Here are the advantages and disadvantages of having an internal audit team in-house versus outsourcing the function to a third party:
- Organizational Knowledge
An advantage to keeping the internal audit function in-house, is that they typically have knowledge of the organization and its business and may be more welcomed by the business function(s) in which they are being audited. A disadvantage, although internal employees are expected to be objective and independent during the audit, internal personnel’s audit findings may be unintentionally biased given their relationship with other employees of the organization.
An advantage to outsourcing the internal audit function is that it can provide cost savings, as the organization would not need to hire and retain full-time employees to support the function. Rather, the internal audit function would operate on a contracted basis, and typical overhead costs, such as employee benefits, would also need to be figured into the cost of keeping the audit in-house. The rate per hour in-house may be lower than outsourcing, however, a cost analysis of what third-party entities charge versus all the costs associated with hiring, training, and retaining internal employees would be beneficial.
With outsourcing, you can identify specialists for each type of internal audit to be performed. This could yield greater insights into the internal audit results given the specialists’ focused approach. However, you also run the risk of contracting with an audit vendor that doesn’t perform to the standards or metrics set.
It is important to set expectations of what is to be achieved and how their performance will be measured at the start. In regards to quality, an advantage of having internal employees perform the audit is that it’s assumed that employees of the organization are closer to the business functions and know which questions to address to achieve higher quality. However, having a fresh set of eyes on a process can often lead to finding gaps and efficiencies.
There are a host of other factors when it comes to the determination of whether to have an in-house internal audit function or outsource, but taking into account these key considerations in regard to knowledge, costs, and quality can significantly help in the decision-making process.
What Should an Internal Audit Plan Include?
An internal audit plan can consist of multiple internal audits throughout the year. It does not have to be one internal audit project. An internal audit program may entail many separate audits. This makes the planning phase of an internal audit that much more important to ensure each internal audit’s goals are considered in an audit program as a whole.
What Are the Phases of the Internal Audit Process?
Below are the key phases, steps, and questions to be considered during the internal audit planning process.
Define the Audit Plan
The types of internal audits that are to be performed are defined in this step. There may be other audits to be conducted besides internal controls over financial reporting, such as compliance, operational, or performance audits. A plan of how the audits will be broken down by function, location, product, or department should also be included.
Breaking down the organization into smaller audits can help identify and streamline internal audit projects. Focusing on smaller sections of an organization, regardless of how it is divided, helps in narrowing the scope and objectives of the audit engagement.
Perform Risk Assessment and Prioritize
The risk assessment phase in internal audit planning is critical to understanding the objectives of the business in order to align those objectives to the internal audit plan. Once a risk assessment has been performed, prioritize the identified internal audits to be executed. The risk assessment may also identify gaps where additional audits may need to be performed that were not considered initially. Typically, internal audit planning takes place on an annual basis, and an audit calendar is created to prioritize and plan internal audits based on the risks identified.
Designate Resources and Define Timeline
Resources will need to be identified for each internal audit and a determination of whether they have the sufficient skill set to perform the specified audit is needed. A timeline will also be prepared. Certain audits need to be performed at specific times throughout the year.
As previously discussed above, considerations should be made on whether to have internal resources or outsourced resources working on the engagements, or a combination of the two. Some internal audits may require Subject Matter Experts (SMEs) that may not be readily available internally to an organization. Identifying and assigning the correct resources and defining the timeline of the audits greatly helps with resource planning.
Prepare for the Audit
Once the internal audit engagements, risks, and resources have been identified, lots of preparation activities can take place. A few thought-provoking questions to ask:
- Has necessary guidance been reviewed for each audit, such as industry standards, regulations, company policies, and procedures?
- Is this a first-time audit or has this process been audited in the past?
- Have there been any significant changes to this division/process/function of the organization recently?
- Have the results of past audits been reviewed?
Create an Audit Plan
Define the scope and objectives for the audit. Understand the key reports, policies, and procedures for the process being audited and generate a plan for what is to be tested within each process. The phase of creating the audit plan is a daunting task.
There are many inputs and the more information you are able to identify during this planning phase, the easier it will be to create and execute the audit plan. The greater detail and preparation in the audit plan will make way for an effective and efficient audit. Also, within this step is it important to ensure you have access to the systems to properly evaluate the process(es) and to create request lists for documentation to be provided.
Review Audit Plan and Set-Up Planning Meetings with Management
Within an organization, the Board or Audit Committee provides oversight of the internal audit function. It is important to get input from the Board or Audit Committee, and organization management, while reviewing the audit plan to ensure all considerations and risks have been taken into account. After the audit plan has been reviewed, initial planning meetings with key business points of contact can be scheduled. It is important that personnel within the business functions that are to be involved in each audit be notified in advance and made aware of the audit purpose and objectives so that they can prepare as well.
What is the Value of Developing an Internal Audit Plan?
The internal audit planning process provides a multitude of benefits to an organization, including identifying focus areas for the audit. Much of the risk assessment phase during planning identifies key risks that may have been addressed already. Fine-tuning the internal audit planning process year after year can expose risks that pose a major threat to an organization.
The planning phase is also an opportunity to alert organization executives of these risks and communicate the audit plan so that business and strategic objectives remain aligned. Effective internal audit planning can significantly reduce inefficiencies in the execution of the audit later down the line and in turn decrease costs. Spending the time to establish a clear audit plan enhances the purpose and objective of the audit engagement.
What Guidance is Available for Internal Audit Planning?
The Institute of Internal Auditors (IIA) provides authoritative guidance through the International Professional Practices Framework (IPPF), which sets internal audit standards globally. Additionally, the COSO Internal Control-Integrated framework can be helpful while assessing current controls in an organization’s environment which impacts the internal audit planning phases. It is the responsibility of the internal auditor to identify and follow guidance and frameworks throughout the internal audit process.
The internal audit planning phase is a critical aspect of an organization’s internal audit function. A successful internal audit can help an organization in its external audits. Linford & Company has extensive experience in providing compliance audits. For information on the audit services that Linford & Company can provide to your organization, please see the following links:
This article was originally published on 2/16/2021 and was updated on 10/25/2023.
Jessica Kiel joined Linford & Company, LLP in 2023 and she came with over twelve years of experience in internal controls, SOX, controls over Financial Reporting (ICFR), SOC1, SOC 2, Third Party Assurance, and attestations/examinations based on PCAOB or AICPA standards. Jessica began her career with Deloitte in 2011 where she served in a leadership role for the last eight years. Jessica graduated from Southern Illinois University-Carbondale with a Bachelor’s of Science in Accounting and a Masters of Accounting.