What is an Audit Plan?
An audit plan, or “the annual audit plan”, is the list of audit engagements for which the internal audit function will conduct audit activities or assurance services in the agreed period for the coming year. The results of the risk assessment performed over the audit universe and auditable activities identify which possible audit engagements should be audited and when.
The audit engagements could include key information/data such as GL accounts, essential business processes such as key processes related to the revenue, expenses, or fixed assets of the entity, initiatives to establish products, the establishment of service functions, and the entity's compliance requirements.
The other key inputs to the audit plan are:
- Recurring auditing: such as requirements set by the state or the sector governor for the type of entity.
- Special initiative projects
- Direct requests from the audit committee, or any areas of concern to top management.
The annual audit plan should be prepared and divided by audit function, such as audit plans for Operational, Financial and Compliance, and IT audit, Special Project, and Fraud Investigation. A person in charge of each of these types of annual audit plan should be assigned to manage it and to ensure that each audit engagement is completed within the agreed timeline in the financial year.
However, whether an annual audit plan is performed for each of these audit functions depends on the level of control maturity or the size of the entity, and on whether those functions are mandatory.
The audit committee or the CAE should weigh which key risks in the business processes should be audited first, when to conduct those audits, and what type of annual audit plan should be prepared for discussion and approval for implementation.
The annual audit plan also specifies the allocated resources, budgeted expenses, and training schedule (if any), as a road map for completing the audit engagements by the end of the fiscal year. Sometimes the schedule of an audit engagement changes, on reconsideration by the CAE, at the request of the audit client, because of a lack of staffing in internal audit itself, or for other reasons. When the audit plan changes, senior management will inform the related internal auditor.
Depending on the size and complexity of the entity, the audit committee or the CAE should be involved in preparing the audit plan to identify the auditable areas. This is also a good opportunity for the internal auditor to gather the business objectives of each business leader and verify whether those objectives are reflected in, or aligned with, the goals of the entity.
It is a best practice to communicate the completed annual audit plan to the business leaders involved at the beginning of the year, to ensure cooperation with line management and an agreed timing that does not interfere too much with business operations.
After notifying or presenting the audit plan to the management of the areas to be audited in the next fiscal year, the internal auditor will notify the audited unit several days or weeks in advance of the upcoming audit. This is done by sending out the Engagement Letter.
It is also recommended to prepare a multi-year audit plan in advance, incorporating strategic planning into the process. Normally, some CAEs prepare 5-year audit plans. The multi-year audit plan will include the methods and strategy related to recruiting new internal auditors, promotion, rotation programs, and competency needs.
- The audit plan, or “annual audit plan”, should be prepared using a risk-based approach.
- Besides the key business processes related to operational risk, financial statement risk, and compliance, other auditable areas such as regulator requirements, recurring audit engagements, and specific areas defined by the audit committee should be studied and included.
- The audit plan should also be prepared to reflect the entity’s needs.