Since the chair of the audit committee is the functional boss of the director of internal audit, he/she must be involved in overseeing the company’s audit needs and resources. This is done in 5 areas: (1) the design of the work plan; (2) the definition of the scope of responsibility; (3) the focus on risks; (4) the full coverage of the enterprise’s activities; and (5) the combination of human and technological resources.
Internal auditors typically design an annual work plan. Planning for a shorter period (three to six months) is not very useful given the length of the internal auditing cycle, which extends over several months. Planning for a longer period (say, three years) is also not very helpful given the changing nature of business and the corporate world. In any case, a good practice is to review the schedule in the middle of the next year to see whether the work plan needs to be revised for the second half of that year.
The first thing to think about is the scope of the audit universe. This universe includes all activities that fall under the responsibility of internal audit. This is a sensitive issue when, for example, auditing subsidiaries over which the company has joint control, service activities performed on the premises of third parties, or activities conducted by a supplier or customer.
The audit committee and senior management expect internal auditors to focus on the areas of highest risk. This is called “risk-based auditing”. Applying this principle, the auditors will undertake, with or without the support of the risk manager, a detailed analysis of the risks and produce a risk map based on probability and impact. In consultation with management, the auditors will identify the assignments in the “hottest” quadrant of this map.
In contrast to the “risk-based auditing” approach mentioned above, the audit committee may wish to cover all the company’s activities (i.e., the entire universe) regardless of their degree of risk. This holistic approach ensures that a certain level of control is achieved everywhere across the company and prevents low-risk areas from going unaudited.
Facing this “demand” for internal auditing is the “supply” represented by the human and technical resources. The audit committee and the auditors consider the combination of (1) people, (2) method and (3) technology to ensure the optimal treatment of the areas to be audited. Regarding the people, the number of staff as well as the level of competence and experience are taken into consideration. Human resources can be supplemented by using internal experts (“guest auditors”) or external consultants. In terms of method, the nature and scope of the engagement, the type of reports and follow-up of recommendations will be considered. Finally, the use of audit technologies like “data analytics” will boost the auditors’ impact on the company’s control environment.
Matching the auditing “supply” with the “demand” expressed by the audit committee makes it possible to draw up the annual planning of the missions. By following the path described above, all parties should be satisfied that the areas that are both significant and risky are adequately covered within the resources available.