After 25 years in internal audit, I have come to the conclusion that excellent audit planning is essential to ensuring an effective audit. What is a successful audit? A good measure is whether both audit management and the auditee feel good about the end results.
Benjamin Franklin famously said: "By failing to prepare, you are preparing to fail." Indeed, one of the most common causes of unsuccessful audits is inadequate planning. Too often, audit staff commitments to current engagements become an obstacle to planning the next engagement. I would submit that delaying an audit is preferable to not investing the proper amount of time into planning for it.
So what, exactly, comprises effective internal audit planning? I would say the following activities are key components:
1. Research the Audit Area
It is essential to understand the business process or function to be audited. If not familiar with it, thoroughly research the process or function to fully understand the subject matter. Review internal procedures, search the internet for resources, and seek help from subject matter experts.
2. Maintain Open Communications Throughout the Planning Process
The sooner the audit team reaches out to the auditee, the better. There is a certain amount of trepidation involved in any audit. Working with an auditee prior to the audit helps ease concerns the auditee may have. Communicating in person is always preferable. If this is not possible, telephone calls are the next best thing. Avoid communicating by email if possible.
3. Conduct Process Walk-Throughs
Armed with a working understanding of the process or function, conduct a face-to-face walk through with the auditee. Identify key business objectives, methods employed to meet objectives, and applicable rules or regulations. A walkthrough may include a tour of facilities. You may gather background information relative to the nature, purpose, volume, size, or complexity of automated systems, processes, or organizational structure. You might scan documents or records for general condition. All these activities provide opportunities to interface with the auditee and build rapport before the formal entrance conference.
4. Map Risks to the Organization, Process, or Function
Ask the auditee what his concerns are, what "keeps him up at night." Through research and interviews, identify risks to meeting business objectives and controls employed to mitigate those risks. Rate risks with the auditee based on probability of occurrence and potential impact. Consider control design, gaps, or mitigating factors to determine if the control system effectively mitigates risks.
5. Obtain Data Prior to Fieldwork
This has become a principal focus for us recently. We emphasize data in our initial requests for information. We perform data analytics before we begin field work. Identifying anomalies to confirm a condition or weakness early helps us target testing and optimize sample selections.
Results of Improved Audit Planning
Our emphasis on audit planning has yielded worthwhile results. And I will say improving audit planning has been an investment. We now begin our audit planning eight weeks prior to the Entrance Conference. In prior years we historically spent 20 to 25 percent of our audit budget on planning. Audit planning now comprises approximately 35 to 40 percent of the total budget. The following are some of the dividends:
• Improved credibility and relationships with our stakeholders
• More in-depth and significant issues
• An increased number of process improvements
• Reduced field work time
Audit planning is the audit phase in which we can best influence audit results. It is a key but too easily overlooked component of the audit process. It is something that needs to be emphasized and institutionalized into a habit. This habit ultimately leads to audit success.
Wade Brylow was previously the director of internal audit for Northrop Grumman's Technology Services sector. The opinions and ideas expressed here are those of the author and do not represent the opinions, positions, or policies of Northrop Grumman or any other organization.