Still locking into an annual audit plan? Stop. Risks move too quick to be addressing last year’s concerns as many as six, ten, or more months after the fact. Would you plan your whole week’s wardrobe based on the weather report at the start of the week and not waiver from it? Probably not. The same can be said about audit planning. The risk landscape is constantly changing, so audit plans need to change along with them.
It’s time to get away from conducting a once-a-year risk assessment and turning that into an all-important, unchanging annual internal audit plan. Instead, forward-thinking internal audit departments are constantly reassessing the risks that matter and updating the audit plan in real time to audit what matters right now. They are looking at risk in shorter increments and working to tailor the audit plan to address the risks that are more immediate and can impact the organization today, rather than conducting internal audits that seemed important at the start of the year.
When I started in internal audit many years ago, and as I rose through the ranks to become a chief audit executive, we spent so much time and energy translating our yearly assessment of risk into an Annual Audit Plan (capitalized because there was something all-encompassing and special about that plan). That annual plan was vetted throughout the organization, discussed with senior executives, and presented to the audit committee for approval.
Once approved, members of the internal audit team put their heads down and worked hard to complete the audit plan in the given calendar or fiscal year. No matter what happened we did our utmost to try to complete the originally submitted plan, as if what we thought at the beginning of the year remained equally important, regardless of whether risks and circumstances had changed as the year went on. We even managed to, unintentionally, train the audit committee that one of their responsibilities was to hold us accountable for completing that plan as originally presented.
I remember some long days just before and immediately after the Christmas holiday trying to get everything on the Annual Audit Plan done. Sometimes I wondered why it felt rather unimportant to tick off the remaining items on the plan, but we did it anyway. The internal audit team also dreaded the inevitability that some items would spill into the next calendar or fiscal year.
Since those days, I’ve now long held that the annual internal audit plan is a relic that needs to be cast aside, and I’m not the only one. “I genuinely believe this approach is outdated and results in the emphasis on quantity of effort rather than quality of outcomes,” says David Hill, CEO of SWAP Internal Audit Services.
Sadly, though, many internal audit departments still undertake the annual process of conducting a once-a-year risk assessment in the fourth quarter and using it as the basis for the annual audit plan, which they follow, unwavering, for the next twelve months. Some CAEs are even held accountable as part of their performance metrics to complete that annual plan, regardless of how circumstances and risks have changed through the year.
Why We Do an Annual Audit Plan
Don’t get me wrong, there is still merit in planning out the next year for the internal audit function. How else would we be able to justify our financial and personnel resource budget? We translate our risk assessment to an annual plan, do the math, and that tells us how many people we’ll need, how much external support we can expect, and what types of training we may have to obtain.
If the plan calls for more resources than internal audit can procure, it may need to scale back the plan to “right size” it to the resource allotment or ask for more resources. That makes logical sense, and it is a sound way to justify the budget. In most corporate environments there’s an annual budgeting exercise, so internal audit follows suit and does annual planning as well. It circulates the plan though the organization, gets executive buy-in, and gets the audit committee’s blessing. Done, right? Not so fast.
While annual audit planning is fine and might even guide the internal audit department through the first few months of the year, it’s not a great blueprint for the entire year. That’s because things change, and in today’s dynamic, risk-evolving world, things are changing faster than ever. That means internal audit needs to remain flexible and not lock itself into a rigid, backwards looking, heads-down execution of that annual audit plan.
It’s likely you already know that intuitively, but sometimes there are external forces such as regulators, the audit committee, and the CEO and senior management who still might pressure internal audit to uphold the traditional annual audit planning process. They may even hold internal audit to certain metrics against completion of that pre-baked annual plan. And, let’s be honest, we can be a little lazy if we’re not forced to react to changing dynamics, and just live with the plan for the entire year. But is that serving our organizations and the board in the best way possible? Is a one-a-year planning process the best way for internal audit to add value to the organization?
So, What Should We Do Instead?
There’s no easy answer to what internal audit should do to make audit plans more flexible and proactive, but it should no longer accept a “set it and forget it” mindset. Instead, a flexible open-minded approach will center on considering good inputs to influence changes internal audit may consider to the audit plan. That will rely on a deep understanding of the risks of the organization; a comprehensive appreciation for the company’s strategic plan; a broad intake mechanism for current events, economic events, and industry sector dynamics; and a finger on the pulse of the organization and how it is navigating change events. If internal audit doesn’t have good input mechanisms as to how to rethink risk assessment, and propose changes to the audit plan accordingly, it must start by establishing or enhancing those inputs first.
While some propose a continuous risk assessment, that doesn’t mean that internal audit is thinking about changing the audit plan every day, or even every week or month. But it should have its finger on the pulse of what is going on both inside and outside the organization such that the CAE’s instincts and experience lead him or her to conclude that changes to the original plan are warranted.
I have found that most audit committees welcome discussions around how and why internal audit wants to change the audit plan. They may ask some probing questions, and, assuming you’ve done your homework, agree to what you want to change. The stronger your relationships are with audit committee members, the more they will grow to learn to trust you, and the more you will be able to introduce the needed flexibility to making what was once a static plan into more of a dynamic activity. “As an audit committee chair, I like to see flexible, responsive plans that cover the committee’s assurance needs and that can be flexed and modified as the organization’s risk profile and risk appetite change,” says John Chesshire of JC Audit Training Ltd.
All Audit Project Are Not Created Equal
While internal audit may have sound rationale to deferring certain planned projects and substituting other projects in their place because of changing risk dynamics, all audit projects are not created equal. Regardless of the competencies and talents of the internal audit staff, and the availability of co-sourcing dollars for augmentation, audit projects are not fungible. You just can’t swap one project for another without considering the effect on the staff, budget, and the company.
Meanwhile, internal audit also needs to get the company on board with the changes it wants to make. “Your ability to move closer to a continuous, rolling audit plan can be either hindered or facilitated depending on the culture of the organization and the risk savvy of your CAE,” says Rupert Bamberger, executive director of change at SWAP Audit Services.
The skills, competencies, and knowledge needed to swap out planned audit project “A” with a now needed project “B” can have significant ripple effects, especially with relatively small audit staffs. The internal audit department must have a contingency mindset and have a keen sense of what the staff competencies are and are not. Still, even if there are co-sourcing dollars available (or a budget exception can be approved) internal audit can’t just hire any consultancy firm that it hasn’t fully vetted. So, since most internal audit functions don’t have a large staff, a broad, subject-matter expertise talent bench, or have strong co-sourcing relationships already established, having a flexible audit plan is just a nice intellectual exercise that is unrealistic when it comes time to pivot. In other words, without considering dynamic resource planning beyond the existing staff, and strongly considering co-sourcing, internal audit will be stuck with good ideas and limited ability to execute on them.
Co-Sourcing and Audit Plan Flexibility
The time to establish a good, strong co-sourcing relationship with one or more third parties is when they are needed the least. Yes, the best time to develop a relationship with outside internal audit resource providers is when the pressure of needing to execute a project is not present. Not everyone will agree with me, but my experience has been that it is best to have co-sourcing relationships with at least two, if not three, different firms. And have a relationship with a local person for each firm that you know and trust, so that when you do need them you are contacting someone who you know will do their best to deliver what you need and, most importantly, tell you if they are not the best firm for what you are looking for.
With these co-sourcing “arrows in the quiver,” so to speak, internal audit is ready to be more confident in swapping projects in and out of the audit plan to be more flexible and responsive to risk, and be able to deliver, which is what matters most.
So, a solid co-sourcing budget that can accommodate flexibility is important to being able to adapt the audit plan to changing risks, since internal audit will need varying levels of external resources as the flexible plan and on-staff competencies dictate.
Steps to More Flexible Audit Planning
At the risk of oversimplifying a complicated, intricate, and iterative process, here are some steps to consider once internal audit has established crucial information gathering and intake mechanisms, and is reasonably confident in its ability to pivot to a dynamic risk environment.
- Establish the annual audit plan, knowing it will undoubtedly change, on leveraging the resources available to the internal audit department (both on-staff resources and co-sourcing dollars) based on the risk assessment.
- Present the first three to six months of your plan to the audit committee with some level of certainty on these planned projects.
- Update the audit committee on what could or is changing as time goes on, with the rationale for what internal audit wants to add and what could be deferred.
- Start to prepare the audit committee to expect changes in the audit plan to more of a rolling quarterly plan as time goes on.
Importantly, don’t get ahead of the audit committee and their tolerance for change. Just guide them over time as they build confidence in the CAE’s understanding of changing risk dynamics. And, critically, don’t forget that there will be projects that populate the audit plan that you might not believe are all that risky, but your company, your audit committee, or your regulators expect you to conduct such audits regardless.
Just like a trained meteorologist can predict the weather with some level of certainty in the short-term, they will continually update the long-range predictions based on new and incoming data, you should do the same with your audit plan. 
Hal Garyn is Contributing Editor at Internal Audit 360°, and Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.
If you take IPPF standard 2010- Planning- under ‘Interpretation’, the changes to the annual plan are accommodated there. Meaning, the plan can be changed anytime based on the changes in the organization’s business, risks, operations, programs, systems, and controls. But I agree with you that the Annual Plan maybe something of the past.