It’s that time again. Creating or updating the audit plan for the next calendar year. Most audit groups probably create a risk-based plan — which essentially means we start with some sort of risk assessment and determine the audits that should be on the plan — then try to figure out if there are enough hours to complete the work we propose to do. There is a brief discussion among the audit leadership team. Managers and directors trying to get more hours and resources. CAEs thinking that 250 hours for an audit is an enormous amount of time — nostalgically remembering their days in public accounting when they used to be able to complete audits in record time (conveniently forgetting that those jobs were always miserably over budget). Seniors and staff wondering why everyone is huddled behind closed doors all the time — secretly hoping that there are exotic locations to travel to on the new plan and that the travel budget is reasonable.
Some groups create multiyear plans, knowing how much coverage they want to give to an area of the business on a rotational basis. Others may start with a new proposed plan each year — then meet with the risk owners to ensure a value-added plan, while still retaining their independence in setting the “right” plan at the end. Others yet may have extensive discussions with their audit committee members and senior leaders to ensure buy-in at a senior level before the plan becomes a reality.
Over the years, I’ve probably used all of the above approaches. Enterprise risk management activities have certainly made the starting point easier as the risk assessment is no longer a separate audit department exercise. The audit universe has become a risk universe, and with that, the audit plan is much more relevant and “exciting” for the audit department to execute. (Exciting might not be the right word choice, but we are talking about auditors after all.)
Our proposed plans are complete for now. We’ll start socializing with the audit committee and senior leadership soon — and hopefully hit the ground running in January. Although we create an annual project list for resource planning purposes, we also keep a pretty close eye on emerging issues throughout the year and will substitute higher risk projects as they arise (all with audit committee approval, of course).
If anyone has a novel approach — such as doing away with the annual audit plan completely, creating only quarterly plans, or fully integrating the internal and external audit efforts together to create a comprehensive audit approach — please chime in. I don’t know if this is too novel, but we also build a pool of hours for “flash audits.” These audits are reserved for less-than-full-scope engagements not specified on the plan at the beginning of the year. We’ve found flash audits to be a great way to deliver value to our customers who might need audit services that are less than full scope.
Posted on Nov 1, 2010 by Kiko Harvey