“The essence of strategy is choosing what not to do” according to management guru Michael Porter. This is the dilemma of audit leaders when creating the audit plan.
Do you make an informed choice about your audit plan, follow a routine or roll with the flow trusting it will all come together in the end? We ask you to take five minutes to consider the value of dual planning, dovetailing long and short term to add significant value to your organisation.
We explore the concept of audit planning at both a strategic and tactical level.
Audit time is valuable. How do you make the most of yours?
Fail to plan – plan to fail
It’s an old adage because it’s true.
Having no plan is like using a satnav without entering a destination, you might know which road you are on but not where it is in relation to where you want to get to.
There are different levels of planning; strategic and tactical. Strategically, internal audit has transitioned from its image of the corporate policeman to that of a trusted advisor – a different vision, set of skills and relationships. This change enabled a shift of tactical activity from compliance and financial controls based engagements to risk-based auditing a more balanced suite of engagement including operational, project, strategic and cultural audits.
Is past tense right? Have all audit leaders transitioned? Perhaps only those that have embraced the need to plan for strategic change ahead of tactical.
|Strategic Plan||Annual Plan|
|Scope||Significant, large-scale initiatives at organisational level||High priority risks, business change, developments, governance, legal and regulatory compliance|
|Purpose||Support organisational objectives, effective governance and continuous improvement||To form an annual opinion on the effectiveness of internal control through the provision of objective assurance|
|Timescales||Typically 3-5 years||Typically annual but can also be bi-annual, quarterly or rolling|
|Monitoring examples||Balanced scorecard, budgetary control, resource management||Regular review of key performance indicators and personal objectives|
|Inputs||Strategic objectives, mission statement, external factors||Corporate risk register, annual budget, change/project programme, management requests|
|Nature of Content||Complex, uncertain, requiring change||Risk-based, detailed, thematic|
|Typical content||Audit methodology, quality assurance framework, audit universe||Specific audit engagements – assurance and consultancy|
Only 56% of UK stakeholders view internal audit as adding significant value according to 2018 research by PwC. It also found that globally 14% of audit functions could be classed as ‘evolvers’, advanced in the adoption of technology. Adapting to emerging technologies and assurance needs is a pre-requisite for internal audit. 75% of stakeholders thought the evolvers added significant value to their organisations.
It didn’t happen by chance. The evolvers developed a strategy to fuse organisational needs, technological capabilities and internal audit talent; a robust framework from which value adding audit engagements could be delivered.
Long term – a structured approach
As audit leaders you expect your organisation to have a clear strategy; to have evaluated its environments, considered its position and what it needs to do to remain viable and meet stakeholder expectations.
Global IIA offer a structured approach to creating a strategic plan in their practice guide.
This approach is brought to life with practical examples by Steve Stanbury, director of internal audit at City, University of London in an Audit Leaders webinar available on-demand.
Maintaining relevance in a rapidly changing world is critical to internal audit too. A strategy and strategic plan are essential tools. A strategic plan helps audit leaders to deliver value within budget constraints and make a real difference to all elements of its remit, governance, risk management and internal controls.
How do you choose what not to do without a plan? Are you intentional in your actions?
The 2019 Risk in Focus report found that there was a notable inconsistency between organisation’s priority risks areas and where internal audit focuses its time. Is this because auditor skills are outdated? Is there a reluctance to co-source? Or perhaps internal audit is out of touch with their organisation’s needs?
Strategic planning forces audit leaders to look ahead. Which course and qualifications to invest in for the team? Which relationships to prioritise and nurture? What methodologies to adapt?
All of these have a lead time. Internal audit cannot wait for its stakeholders to realise what assurance they need, it needs to be thinking about tomorrow, today.
Short term - one size does not fit all
Twenty years ago an annual plan was commonplace, a schedule of audits agreed by the audit committee at the start of the year and then delivered with progress tracked at each committee meeting. This single approach is no longer relevant for everyone with audit leaders preparing bi-annual, quarterly and sometimes rolling plans.
Heads of internal audit need to demonstrate their value to the organisation, often with less resource and/or increased assurance pressures.
The decision as to what to do or not do, should be driven by what is right for your organisation not what is right for internal audit? If you cannot deliver what the organisation needs you need to go back to your strategy, back to the audit committee for open and honest discussion as to how the needs can be met.
Detailed guidance is available as there is much to consider. The structure of the audit plan and the types of engagements undertaken are influenced by key factors including:
It is rare in today’s chaotic world that organisations are stable, most are transitioning in some form or another; new systems, transforming business models, cost efficiency re-engineering, responding to regulatory change, digitalisation or just survival.
This must be the start point for any programme of audit engagements. Organisational need is the driving factor. What are the priority objectives? What is critical to sustainability? Whilst this will guide a genuinely risk-based audit plan in terms of content, there is still the issue of how to deliver the assurance.
- Could a block of time be allocated to a project or change programme to be used for dynamic assurance rather than defined engagements?
- Consultancy time as a member of a steering group or advising a programme manager may be more effective than traditional assurance.
- Providing regular ‘milestone’ assurance for major projects looks effective on a plan, dynamic even, but is time better invested upfront in the design phase rather than wait until the horse has bolted to say the bolt on the stable door is ineffective?
Auditors are used to the concept of risk-based auditing; working with a risk register, looking at the principal risks in an annual report. But are they relevant? How robust is the risk management process?
Organisations are likely to experience volatile risks in intensely competitive environments, heavily impacted by external factors, going through rapid growth, volatile autocratic leadership or involved in a recent merger/acquisition.
Planning a year ahead when risks are changing monthly will not deliver meaningful assurance to the audit committee. Internal audit must be as dynamic as the organisation. This is different to having a protocol to deal with changes to the risk environment and adapting the audit plan.
- What would a fully agile plan look like, working in quick sprints, adapting and evolving?
- Does the structure of your plan align with the risk maturity of the organisation?
- What does the audit committee need to agree, individual audit activities or the risk themes that assurance will be provided against? Does the conversation need to change?
An audit universe provides a picture of the organisation from a risk perspective that enables risk-based auditing and also the informed reporting of any known assurance gaps.
It is an investment of time if you don’t have one. It may seem outdated. Yet without one is internal audit not dependent on the perspectives of others regarding principal/business risks when forming its audit plan?
Guidance on how to produce a universe is available and in our digital age this doesn’t have to be on a spreadsheet!
- Consideration of inherent risk may lead to different assurance priorities to the business assessment of risk.
- Is there a value for positive assurance? Should there be an audit cycle for business critical processes regardless of risk rating?
- Is hybrid planning the way forward, a mix of traditional waterfall and agile audit engagements?
When choosing what not to do it is imperative for audit leaders to understand what other assurance is available to the audit committee. Having a unified view using assurance maps enables internal audit to effectively prioritise its resource avoiding duplication and gaps in coverage.
- Should internal audit present its plan in isolation or integrated with other assurance providers?
- Is there merit in a long term assurance plan for risks of a static nature supplemented by a dynamic risk-based plan?
There is no right or wrong answer when it comes to the audit plan. There is no blueprint, just typical component parts as they are unique to the needs of the organisation. Audit leaders, it’s time to think outside of the usual parameters to ask yourself if you are truly meeting the needs of the organisation or playing it safe based on what you’ve always done and the limitations of the current team. Is your satnav programmed? Have a good journey, watch out for the potholes!!
Planning is bringing the future into the present so that you can do something about it now
Alan Lakein, Management Author