Get Audit Universe Right
Getting Audit universe right will be the first step for creating internal audit plan. Internal audit can use various approaches to audit universe:
- Financial Statement approach: Using Financial statement as a base.
- Trial Balance approach: Same as Financial Statement however more granular approach.
- MIS Approach: How the MIS in the organisation structure
- Org Chart: Org chart reflects the inner working for organization
- Process Cycles for various processes.
- Business Models and so on.
It will be a good idea to base your approach on one and use the others for check and balances. E.g. use process cycles, map the same with org chart, identify key products/ services, regulations , social concerns, and you have your audit universe ready.
Do Risk Assessment
Do a risk assessment of audit universe. It can be a formal risk assessment. (Impact = Worst that can happen in terms of monetary impact, Risk= Probability of impact). You can moderate the risk assessment with following:
- Audits in past
- Audit result
- Any self assessment scores
- Fraud identified in past
- Fraud vulnerability
- Impact/ exposure in case of an incident
Once Risk assessment has been done, create a heat map from the risk assessment outcome.
It would be a good idea to define Risk rating sheet which can incorporate risk perception/ appetite of the management. it can cover:
- Financial Impact
- Regulatory impact of non compliance
- Brand Impact
- Processes, Systems, etc.
Create Internal Audit Plan
While creating internal audit plan, please remember that plan is for organization and not for a given year. i.e. create a plan for coverage for all areas that requires coverage. you may not be covering an area in a year or two. But that area need to be cover in once a while. ( 3 years or 5 years is choice of management).
One rule of thumb:
- High risk areas = once a year
- Medium risk areas = once in two year
- Low risk areas = once in three years.
One can also use 5 level scale for risk and create a 5 year plan. If you believe that it does not require coverage by Internal audit, then most probably its inclusion in audit universe is an error.
Resource based on plan and schedule based on resource.
Now the management need to think on resources. based on resources, a plan can be for 3 years or 5 years or some other period.
Depending upon the maturity of the organization, Internal audit need to review the internal audit plan on a quarterly/ half yearly/ yearly basis and do a course correction, if needed.
Call for action:
Inputs/ comments/ suggestion: I welcome inputs/ comments / suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
Share the Article: If you like it, share it. If you share it with others, and they comment, we all will get more learned.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author ’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the author is, or has been a part of.)