Internal audit planning best practice
A blog by our EQA review team | 4 September 2017
EQA reviewers find it helpful to begin their reviews by gaining an appreciation of the risk maturity of the organisation and an assessment of how well internal audit is involved in the issues that matter to the organisation.
Reviewers are then able to consider whether the internal audit function has the right competencies, the ability to work independently, a set of effective processes, and a sound approach to performance measurement and continuous development
Invariably it make sense to start with the internal audit plan and work outwards simply because this shows how well internal audit links into all aspects of governance, risk management and control. If the planning process is sound and is making a difference to the organisation, the rest of the EQA tends to drop into place without too many issues.
The key feature to consider is the way internal audit tunes into the organisation’s strategic risks, in particular the extent to which internal audit cover management’s risk mitigation. There should be a flow or story line between the risk, the response and assurance. In this respect, management’s risk responses become the audit universe so even small audit functions with only one or two people can be just as effective as larger internal audit teams.
A clear matching of audits to risks, bearing in mind internal audit is unlikely to have time to cover them all, can often lead to a useful discussion at the audit committee about the extent of audit resources and the skills available. It’s also a good starting point to introduce assurance mapping and/or highlight where internal audit can review the 1st and 2nd lines of defence.
Good practice EQA reviewers have seen includes:
- Preparing an internal audit functional strategy that provides a bridge between the internal audit charter and plan.
- Designing an internal audit plan that has explicit alignment to strategic risks and justifies the choice of audits on the basis of their importance and value. Illustrating % coverage of strategic risks.
- Looking at areas of governance, the performance of risk management and other critical issues as separate audits or as part of every audit.
- Working closely with other assurance providers to maximise assurance coverage - avoiding duplication of effort and gaps in assurance.
It is worth updating the audit universe and associated strategy to provide a longer term view of how the internal audit team will meet key stakeholder (audit committee) assurance needs.
Our advice is to keep it simple: Try to avoid giving the audit committee layers of detailed working papers and highlight the balance between the different types of audit work you do. It’s a challenge but well worth the effort.
Further reading
