Internal Audit Planning: A Comprehensive Guide
I. Audit Planning
This stage involves developing a preliminary understanding of the areas to be audited and examining the matters in detail during the evaluation and/or execution stages. It also includes a full identification of processes, risks, and controls in place. This helps to identify matters of interest for a particular exam and understand the information needs of those responsible for the processes being audited.
Planning Audit Work
Planning audit work should include defining the areas to be audited, the frequency and timing of reviews, and work teams with their respective budgets of hours and costs.
This audit work planning is an activity that should take place annually. However, the following aspects should be taken into consideration:
- A long-term review plan should be defined first, because the firm’s size and diversity of operations may make it impossible to carry out a full review in a single year. This requires a plan based on defining the frequency and schedule of reviews.
- The basis for formulating this plan is to analyze the underlying strategic risks facing the organization.
- The annual plan must consider the framework provided by the long-term review objectives, the evolution of the business, administration priorities, and changes in risks during the fiscal year under review.
- The planning process should mainly involve the upper levels of the Comptroller’s office (Comptroller, Department Head, Supervisor, and Advisor). It should consider contributions and guidance from senior management and other managers involved, such as headquarters operations, risk, and credit.
- Planning is an ongoing process that doesn’t end with formulating a plan. Due consideration should be given to changing facts or circumstances and their impact on future planning years.
To carry out the aspects described above, you must complete the following steps:
1. Increased Process Knowledge (Mega Process) and Preliminary Investigation
The preliminary examination identifies areas of greater interest to guide audit efforts. This examination should include the economic, political, and cultural aspects relevant to the organization, as well as its most significant features, such as the objectives of the organization, its strategies and policies, the characteristics of its resources, its future projects, and its organizational culture. An important aspect of this phase is the general review of risks and controls, systems, and administrative practices, which forms the basis for defining areas of risk.
Risk areas are matters relevant to the institution’s proper functioning that are selected either because there are grounds to argue that there is a high probability of finding faults or because their significance may impact the organization. Factors such as the amounts involved, the risks of planned audits, the impact or sensitivity of the matter, and the interests of directors and the audited unit can be considered in this selection process.
The preliminary investigation considers the following steps:
- Preliminary Data Collection
- Identification of Areas, Processes, and Strategic Risk Assessment
- Control Environment Assessment
1.1 Compilation of Background Information
This consists of gathering background information to understand the different areas to be audited in their original form. It primarily involves collecting the strategic business plan, budget and management reports, earlier audit reports, production and information systems information, the journal of external audit work, procedure manuals, organization charts, etc.
All documentation must be collected to evaluate the process and obtain a thorough knowledge of all areas to be audited, also noting relevant matters to consider during the audit. This phase will develop an understanding of the control environment and identify high-level controls.
The aim is to understand the complete operation or business area to be audited, engaging in dialogue with the different managers involved to understand their plans and projects, changes in systems, and any other matter that impacts internal control in operation. It ultimately aims to identify, update, and confirm the risk factors of each area.
1.2 Identification of Areas, Processes, and Strategic Risk Assessment
Based on all the information gathered in the earlier stages, it’s crucial to identify the risks that can affect the achievement of the company’s objectives.
To this end, a matrix shall be developed that identifies the risks for each process so that they can then be quantified.
Preparing this grid or matrix requires the following tasks:
- Describe each risk to be evaluated, identifying its relevance and a preliminary assessment.
- Evaluate each risk for its significance or impact (high – medium – low) and the probability of occurrence of undesirable events (high – medium – low).
- Analyze the weighting of each identified element.
- Define a scale associated with different levels of risk.