Thursday, January 15, 2009

Annual Audit Planning - Part Three

I'd like to make the Three-Month Rolling Plan approach complicated, but I can't.

Scheduling may be intricate, but it isn't really that complicated. You'll need to know vacations, holidays, trainings, new hires/retirements, but you should know all that anyway.

In the first two posts on Annual Audit Planning, we walked through the Audit Universe, Coverage Targets, Risk Analysis, and the Audit Bin. We got very close to scheduling and stopped.

Lets pick it up from there.

So you've got an Audit Bin. It has about 120% of the audits you might do in a year. You've determined through the risk analysis that each one should be done - and you'd do them all if you had the resources.

It's time now to build the schedule. The first thing you do is talk to your audit clients.

You may have noticed that, in my opinion, talking to your clients is always the first step. While you aren't really in the business of making audits convenient; if you can, why not? These kinds of conversations, where you show you are really listening to your audit clients, are just one of a hundred techniques for building strong business-to-audit and business-to-analyst partnerships.

For example, it is probably a poor idea to schedule an underwriting audit (the guys who write insurance policies) for a month when large portions of them come up for renewal. You probably won't get the kind of time you'd like with the Underwriting Executive and, perhaps more importantly, you'll be looking at last year's policies. Your testing of the files could very well reveal a horrible control environment that is actually a year old. No one will pin medals on your chest for determining that kind of old news. Not in this kind of change environment.

Now, mark each audit in the Bin with a preferred fiscal quarter. That makes sure you don't forget when the ideal time is to do that underwriting audit for example.

And with your Audit Bin marked with the basic idea of when to do each audit, you can use a Gantt Chart tool like the one below to lay out the actual audit work for the next three (maybe four) months. Much beyond this and the level of uncertainty makes maintaining the schedule more work than it's worth. You'll just be redoing it when things change.




Audit Schedule Example



Here is the trick. You will do this again in 30 days.

Each month, you'll select audits from the bin and place them on the schedule. We always did this as a team effort. You'll also have a look at your progress against your coverage targets. For example, if you do a bunch of IT audits in the first quarter, you may be done for the year. This will depend on the coverage target mix you agreed with the Audit Committee. Conversely, it may be June and you can see that you are behind and it is time to focus on financial audits.

I recommend an official quarterly written update against plan, with coverage target metrics.

With this reconciliation you'll be able to go in front of your Audit Committee and show them how you are executing your audit plan against the targets they approved. You'll have metrics and you'll be able to demonstrate an audit process in control.


-- Prescott B. Coleman, CIA, CISA

No comments: