Speaker 1: Hello, welcome to Getting Started With, where our job is to make your job easier. On this episode, we are getting started with the audit plan. The audit plan? Pretty important, right? It's paramount to what we do. So in this video, we identify the basic components of an audit plan, key steps in developing an audit plan, and some strategies and tips to ensure it will gain the support of your organization. So let's get started. The audit plan itself is basically a list of projects the internal audit department will be performing for the defined period. Most plans are based on annual or fiscal calendars, but they can be for shorter or longer periods. If different timing makes sense for your organization for whatever reason, don't be afraid to go outside of what might be traditional. The chief audit executive, or the CAE, is typically responsible for the preparation and execution of the department's audit plan. But that doesn't mean no one else can help out in its development. Managers and individual contributors alike can give input based on their skill sets or areas of expertise and their knowledge of the strategic direction and risks that are important in your organization. Why do you need to make a plan? Well, aside from being a smart thing to do before starting any project, an audit plan is required by IIA standards. As with most things internal audit, the International Standards for the Professional Practice of Internal Auditing is the go-to tool and your North Star for this process. Standard 2010 states, planning expressly requires the CAE to develop an audit plan. The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity consistent with the organization's goals. Developing an audit plan doesn't just occur in one session. It needs to be a year-round activity, and you don't do it alone. Far from it. The CAE and other internal audit leaders should be meeting regularly with key stakeholders throughout the organization throughout the year. Key stakeholders should include senior management, such as the CEO, CFO, COO, and can include others in the C-suite, such as the chief risk or chief compliance officer or presidents. You should always seek perspectives outside of senior management, including the audit committee or other committees of the board, to see where your organization may have risk management gaps. This also includes speaking to other risk professionals, such as external auditors who are tasked with providing assurance over specific risk areas such as financial statements, information security, and third-party relationships. Your internal audit department should also look into having members of the team attend recurring governance or organizational committee meetings. Here's a pro tip. Before you begin developing your audit plan in earnest, consider using an annual audit survey to solicit feedback from individual contributors throughout the organization. Review the findings and meet with contributors who pose interesting viewpoints or who can provide suggestions on where internal audit can add value. Through these conversations, you'll learn where the organization needs internal audit the most. The goal is for the CAE to have a thorough understanding of the organization's strategies, key business objectives, associated risks, and risk management processes. As with most things in internal audit, communication is key and should happen as frequently as necessary. Don't be afraid to find a mentor outside of internal audit within the organization who can help you understand the risks that keep management up at night. Lastly, the IIA has many additional resources. Websites, webinars, publications, the Internal Auditor Magazine, the On the Frontlines blog, and of course, formal IIA guidance. These are excellent resources for learning what is new and trending and what other auditors are doing in the risk areas that they are tackling. You can learn from industry thought leaders on emerging risks that may not be on your organization's radar. Set milestones for completion of actions like the annual audit survey and updates to your risk universe so you have all of the information you need when you finally get down to making the plan. So, you've now talked to people throughout your organization, you've consulted external research, and even read the latest issue of the Internal Auditor Magazine. You are reading that, right? You should. It's great. Okay, it's now time to create the plan by deciding on the audit projects that will make up your plan. Here is a term to learn. Audit universe. Determine if your organization has an audit universe or sometimes referred to as a risk universe. This is a useful tool which documents all the auditable processes in your organization. These can be departments, processes, locations, product lines, or other categories. These shouldn't be picked arbitrarily just because they haven't received an audit in a while. They should fit into the risk objectives you want to address in your audit plan. Here are some types of audit engagements. Remember, you can audit anything, but you can't audit everything. Make sure you align your plan based on your organization's needs and the resources you have in place. If you don't have IT auditors or subject matter experts, it would be difficult to adequately execute these types of engagements. Pick projects that cater to your team's strengths and look to fill in the gaps by bringing in outside experts or adding headcount in the deficient areas. Besides knowledge, you'll need to consider the resources you have on hand. Consider how many audits they can execute, as well as any mandatory projects you may need to perform to comply with regulations, such as if your department must allocate a portion of its time for SOX work and testing of internal controls. Also, consider any budget limitations you have in place. That audit you had planned in New Zealand? Well, while strategically significant, it might not be in the budget. Every organization's risks lie in different places, so there is no one-size-fits-all approach, which is why communication is important. You want to consider all of the information you've gained from your sources. Bottom line? The audit planning process is part of your overall understanding of risk within your organization. Other areas to consider include following up on previous audit findings to determine if pervasive weaknesses exist within your organization and then target them. Significant changes to your organization, such as mergers and acquisitions, are also areas that could be right for performing audits to ensure new processes are operating to fulfill their objectives. Now it's time to decide what audit projects to perform and outline their general objectives, which will be important information for your team to execute audits as intended. Here are some audit topic sources. Another pro-tip is to prioritize objectives and strategic risks rather than merely auditing based on a predefined rotation. There may be processes in place already in your audit charter or other policy governance documents. Now that you've chosen your audit projects and outlined the timing, locations, and budgetary factors, you should prepare to submit your audit plan. You'll send it through your organization's approval process, which is typically senior management, the audit committee, governance committees, or even the full board in order to make it a formal governance document. The standards address this as well. Standard 2020, communication and approval. The chief audit executive must communicate the internal audit activities, plans, and resource requirements, including significant interim changes to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations. But hold up. Stop. Before you submit your audit plan, it is a good idea to solicit some feedback on your plan from others in the organization who you trust and incorporate their input into your plan when it fits. Then you can submit your plan with confidence. So you've submitted the plan for approval. Congratulations. You'll likely have to answer questions or incorporate guidance from the approving body, but eventually the plan will be approved. Once the plan is in place, it doesn't mean it's set in stone. Remember, the idea of an audit plan is to provide assurance over risk areas that are timely and relevant to the organization achieving its goals and helping to manage risks that can stop it from achieving those goals. This, more than anything, demonstrates the value internal audit adds to the organization. Some key things to keep in mind. Plan to be flexible. Know that the plan may need to change. Always be willing to consider replacing a project and re-evaluate your plan on a periodic basis. Quarterly or mid-year check-ins can provide for natural review points where you can rethink your plan and make improvements. That's pretty much it, but here's another useful tool. The IIA's IPPF Supplemental Guidance. Developing a risk-based internal audit plan provides you with a step-by-step guide that will help you be successful in developing your audit plan. Congratulations on getting started with the audit plan. Thank you for watching. There's so much more to learn. Below this video, you will see a list of suggested resources to go to next.