Monday, January 5, 2009

Annual Audit Planning – Part One

A new year means it's a great time to talk about annual audit planning.

Acknowledging that audit planning is an oft-reinvented wheel, the process we developed at RSA has some nice innovations that I've not seen or heard of elsewhere. Still feeling the lingering effects of the holiday spirit, I thought I'd share them.

This post begins a several-part overview of interesting and useful annual planning techniques. The diagram below lays it out visually.



I'm a big believer in operating a well-controlled audit function. That means, like everyone else, being able to establish goals, work toward those goals, and, at various points, being able to report on how well the goals are being achieved. However, if you've paid any attention to this blog, you'll also know I'm a big believer in matching the audit process to the organization's rate of change.

Accomplishing both objectives requires techniques that demonstrate stability while encouraging flexibility.

Not a new concept. Indeed, President and Supreme Allied Commander Dwight Eisenhower said it best when he declared:

“In preparing for battle I have always found that plans are useless, but planning is indispensable.”

Keeping President Eisenhower's point in mind, our process had the following components:

Audit Universe with Risk Factors – On a massive spreadsheet, and using Excel's database management tools, we listed every significant business unit, function, key project/initiative, and core system. We also mined CobiT, ISO, and other ISACA sources for IT-specific components like change management, disaster recovery, information security, and networking. Using our prior knowledge of these areas' control environments, as well as direct interviews, we rated each element in the Universe in terms of its pure business risk, rate of change, perceived quality of leadership, and other risk factors. This was our first line of risk assessment.

We also coded each potential audit.

Coverage Targets – There are always more audits to be done than resources allow. So, it's crucial to find a way to balance competing priorities and to understand the implicit choices being made. The Coverage Target concept addresses this need by explicitly defining, before the audit plan is built, the degree of resource we intend to focus on various areas and risks. For example, at RSA we used five sets of targets (you can certainly use more, but the complexity increases).

  1. Key Risk Themes (this is good stuff and I'll probably blog about it on its own later)
  2. Organizational Unit
  3. Approach Types (described more fully in my post on Audit Approaches - The Speed of Change Model)
  4. Financial, Operational, or IT (probably the most classic)
  5. Group Risk Category (this was a requirement of our World Group Office and won't mean much to anyone outside of RSA – so I'm not going to talk about it.)

We'd establish, beforehand, the mix of audit resource that would be devoted to servicing the components of each of these areas. Using the codes that were applied to each potential audit, this created a multi-dimensional guide for our audit plan.

It is probably easiest to use the Organizational Unit coverage target to illustrate. You see, based on all the things we knew about the organization, informed by regular and direct conversations with senior leadership, we'd establish something like the table below.


It is instantly obvious that for this planning year we intended to focus most heavily on the Business Insurance unit. The exact balance was a strategic choice and the use of these kinds of planning tools allowed us to execute against this choice.

Another example might be:

With a well-rounded set of coverage targets in place, selecting areas to audit from the Audit Universe goes further than just adding up risk points or some other calculation.
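To make the mechanics concrete, here is a small added example (my own code, not anything from the RSA process described in the post): a coded Audit Universe with composite risk ratings, an agreed set of Organizational Unit coverage targets, and a planner that fills each unit's share of available audit-days highest-risk-first. It then checks the resulting plan against the targets and reports coverage along a second dimension (Financial/Operational/IT), which is where a plan that looks balanced by unit can still turn out lopsided. All audit names, units, ratings, day estimates and target percentages are constructed for illustration; the approach-type labels are hypothetical placeholders rather than the post's actual Speed of Change categories.

```python
"""Constructed audit universe and coverage-target allocation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Audit:
    name: str
    org_unit: str   # coverage dimension 2 in the post: Organizational Unit
    approach: str   # coverage dimension 3: approach type (hypothetical labels)
    category: str   # coverage dimension 4: Financial, Operational, or IT
    risk: int       # composite rating from the Audit Universe risk factors (1-10)
    days: int       # estimated effort in auditor-days


# Constructed Audit Universe: every name, unit, rating and estimate is invented.
UNIVERSE = [
    Audit("Claims payment cycle", "Business Insurance", "Controls", "Financial", 9, 40),
    Audit("Policy admin change mgmt", "Business Insurance", "Project", "IT", 8, 30),
    Audit("Underwriting network segmentation", "Business Insurance", "Controls", "IT", 7, 25),
    Audit("Broker commissions", "Business Insurance", "Controls", "Financial", 5, 20),
    Audit("Disaster recovery test", "Shared Services", "Controls", "IT", 8, 30),
    Audit("Vendor security assessments", "Shared Services", "Advisory", "IT", 6, 20),
    Audit("Payroll", "Shared Services", "Controls", "Financial", 4, 15),
    Audit("Agency onboarding", "Personal Lines", "Project", "Operational", 7, 25),
    Audit("Identity and access mgmt", "Personal Lines", "Controls", "IT", 8, 30),
    Audit("Premium collections", "Personal Lines", "Controls", "Financial", 3, 15),
]

# Coverage targets agreed with the Audit Committee before any audit is chosen:
# share of total audit-days per Organizational Unit (constructed values).
ORG_UNIT_TARGETS = {
    "Business Insurance": 0.50,
    "Shared Services": 0.25,
    "Personal Lines": 0.25,
}


def build_plan(universe, targets, total_days):
    """Fill each unit's share of total_days with its highest-risk audits first.

    An audit that would overrun the unit's budget is skipped so a lower-risk,
    smaller audit can still use the remaining days.
    """
    if abs(sum(targets.values()) - 1.0) > 1e-9:
        raise ValueError("coverage targets must sum to 100% of available resource")
    plan = []
    for unit, share in targets.items():
        budget = share * total_days
        spent = 0
        candidates = sorted(
            (a for a in universe if a.org_unit == unit),
            key=lambda a: (-a.risk, a.name),
        )
        for audit in candidates:
            if spent + audit.days <= budget:
                plan.append(audit)
                spent += audit.days
    return plan


def coverage(plan, dimension):
    """Actual share of planned days along one coverage dimension (attribute name)."""
    total = sum(a.days for a in plan)
    shares = {}
    for audit in plan:
        key = getattr(audit, dimension)
        shares[key] = shares.get(key, 0) + audit.days
    return {k: v / total for k, v in shares.items()}


def off_target(plan, targets, tolerance=0.05):
    """Units whose actual share drifts more than `tolerance` from the agreed target.

    Returns {unit: actual - target}; an empty dict means the plan honours the targets.
    """
    actual = coverage(plan, "org_unit")
    return {
        unit: actual.get(unit, 0.0) - target
        for unit, target in targets.items()
        if abs(actual.get(unit, 0.0) - target) > tolerance
    }


if __name__ == "__main__":
    plan = build_plan(UNIVERSE, ORG_UNIT_TARGETS, total_days=200)
    for audit in plan:
        print(f"{audit.org_unit:20} {audit.name:35} risk={audit.risk} days={audit.days}")
    print("by org unit:", coverage(plan, "org_unit"))
    print("by category:", coverage(plan, "category"))
    print("off target:", off_target(plan, ORG_UNIT_TARGETS))
```

With 200 available days the planner selects seven audits totalling 190 days, and the unit shares land within a few percent of the 50/25/25 targets, so `off_target` comes back empty. The category view tells a different story: nothing Operational made the cut and IT absorbs over 70% of the days, which is exactly the kind of implicit choice the post says the multi-dimensional targets are meant to surface before the plan is built. Extending `off_target` to check every coded dimension against its own target table is the natural next step.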

And, once we'd defined this set of targets, before choosing even one audit for the actual plan, we'd get the Audit Committee's approval and management's agreement.

With these authorizations, we'd have both structure *and* flexibility.

As long as we used our resources to match these targets, we could adjust the specific audits to handle on-the-ground changes. We could also be very frank, very early, with management about the kind of attention their areas would receive. We didn't have to be overly specific, but we could tell them, with a fairly high degree of certainty, the number of audits we'd be conducting in their areas.

Finally, using the coverage target approach, we take a process frequently criticized for its subjectivity and give it a level of objectivity. This can be extraordinarily helpful when building partnerships with your business units.


--Next time... the Audit Bin (disconnecting the risk analysis from the scheduling)

1 comment:

BroomVroom said...

Just wanted to thank you for putting up an excellent blog on “Audit Planning”. As I am currently working toward establishing an audit universe and assessing risks across all risk factors and entities, this was very timely and relevant for me.