The internal auditor is, in a way, an internal consultant to the company. He/she serves the Audit Committee to which he/she reports functionally. The Chair of the Audit Committee must have a good understanding of the resources and methods of the audit in order to make the most judicious use of them at the level of the Board of Directors and General Management.
The annual internal audit plan is the result of the allocation of resources to specific areas. The audit resources include the staff of the audit team and the financial resources of the department; the territory includes all entities and activities of the company. One of the responsibilities of the Chief Audit Executive is to apply audit expertise to the business units and activities that need it most.
Several approaches to resource allocation are used today: (1) risk-based allocation of audit resources and (2) allocation of audit resources from a multi-year business coverage perspective. The first approach, based on risk analysis, has the advantage of focusing the attention of internal auditors on what really matters to the company: sensitive subjects, strategic or operational issues, events impacting the course of business. The second approach, designed to cover all of the company’s activities, has the advantage of applying a uniform control to the entire territory, regardless of the activity profile.
The Audit Committee must, in consultation with Senior Management, choose an approach. Which approach will produce a higher level of confidence in the control of the company’s activities? Which approach is complementary to other control functions (management control, external audit, IT controls, etc.)? Which approach has a favorable cost/benefit ratio for the company?
The annual internal audit plan can also include cross-functional thematic assignments. These engagements have the advantage of focusing auditors’ and management’s attention on the same activity (e.g., procurement, cash management, etc.) in different entities and drawing common lessons. Internal auditors can also dive into the company’s digital databases, apply certain algorithms (“data analytics”) and analyze in detail certain dysfunctions.
The annual internal audit plan may be modified by the mobilization of auditors in a pre-acquisition mission (analysis of a company targeted in an acquisition project) or in a fraud investigation mission. The latter two types of assignment cannot be anticipated and are inserted into the schedule as they arise.
Establishing and managing the annual audit plan is therefore a complex exercise. The Chair of the Audit Committee must be familiar with the various procedures in order to guide both the members of the Audit Committee and the Chief Audit Executive towards a mix of assignments that best meets the expectations of the Audit Committee and the company’s Senior Management.