Calculating the Right Audit Coverage
Chief Auditors (CAEs) are struggling with the effectiveness of their audit planning process; we are frequently asked about the best way to carry out a risk assessment, to prepare an audit plan and to agree the plan with the Audit Committee. Although CAEs spend a lot of time on their annual risk assessment and their audit planning process, they lack confidence that they are including the right activities in their plan. This is because of the massive increase in complexity that they are facing.
The five elements increasing the complexity of audit planning are:
- New activities are being added to audit’s responsibilities, yet nothing is being taken away;
- The proliferation of data (specifically risk information) makes it difficult to know what truly matters;
- The rise of other controls and assurance functions within most organisations requires more coordination in the audit planning process;
- A growing proportion of the audit plan is now considered non-discretionary by management or regulators;
- Unclear or competing stakeholder expectations are confusing audit departments.
Faced with Finite Resources, CAEs Need to Make Smart Tradeoffs
Each of these trends is complex and challenging when considered in isolation. Put together, they create severe demands on the CAE that must be managed during the audit planning process. This may seem like the age-old challenge of trying to do more with less. As a result, many CAEs are trying to improve auditor productivity. This is always a useful aim, but simply improving productivity will not remove the complexity challenge or increase the level of confidence that the right things are in the plan. The economic reality is that there are finite resources; CAEs must decide the best way to put these resources to use. Smart decisions and trade-offs are required.
What are Audit Departments Getting Wrong?
CAEs are making three critical mistakes:
- CAEs fail to use a well-balanced set of inputs to drive the creation of the audit plan. CAEs should use both a bottom-up and a top-down risk assessment that is consistent year on year and can be explained to the Audit Committee;
- CAEs do not understand the opportunity costs of changing their coverage of the risk universe. CAEs must understand the relative risks of traditional process audits or cycle-based audits when compared to non-traditional assignments. With such a variety of options, comparison is harder and trade-off decisions become more complicated;
- CAEs fail to gain consensus on the scope and focus of the audit plan with key stakeholders. CAEs should get greater involvement from executive management and the Audit Committee in the decision-making process. Leading CAEs provide great context for a robust debate and active agreement on the audit plan.
What is CEB Doing for ADR Members?
ADR meetings in 2012: Sign up and attend one of our upcoming meetings where we will present the results of our 2012 research on how best to make the choice between breadth, depth and frequency of audit coverage.
ADR research in 2012: Take part in our 2012 research by completing our Audit Operations Survey to benchmark your approach to managing the department and audit planning. This will take 20 minutes to complete.
Utilise existing ADR research: Access the ADR topic centre focused on audit planning and leverage best practice research into audit planning and methodology. Learn from the 2010 Audit Operations Benchmarking Survey results based on the data from 147 audit departments.
Join the Professional Practices Discussion Forum: Network with 562 peers who actively participate in the Professional Practices Discussion Forum.