Organizations that have made it past the first steps of getting executive commitment, and have either written or are currently writing their intent to integrate operational and IT audit into their policies and procedures, might be pondering what their integration activities would look like in practice. One of the first steps in effective integration is to start developing the annual, periodic, or continuous audit plan.
Internal Audit Plan
Performance Standard 2010 from The Institute of Internal Auditors, which promulgates professional standards for internal audit practitioners, sets the basic requirements for the risk assessment and audit plan process.
A lot of ink has been spilled recently about the frequency for revisiting the risk assessment and, of course, the right answer for your organization will be to set a frequency that meets the organization’s objectives. At FORVIS, we’re strong advocates of an iterative, reactive risk assessment and audit planning process. This forward-thinking approach takes the results of completed projects and revisits the identified risks and planned audits. The iterative risk assessment approach is taken further as we drive it down into audit execution and process risk assessment, a topic covered in future articles.
Other best practices to include in a periodic refresh of the risk assessment and audit plan, which can be leveraged to help drive integration, include:
- A review of the company financial statements and consideration of changes and trends period over period
- Interviews with and the input of senior management and the board
- Planning for compliance or required coverage from applicable laws or regulations
- Linkage of IT assessments to business processes
- Planning for coverage and appropriate resourcing of planned engagements
After the plan is set and execution begins, it is a generally recognized best practice to maintain appropriate capacity in the plan to respond to management requests and to react as the risk assessment is iterated according to project results.
The integration of operational and IT audit at this higher-level planning stage comes from the department’s understanding of the business, the IT applications used in the business processes and functions selected for audit, and the acquisition, integration, and other strategic activities identified as requiring attention from the internal audit department. These integration projects—a consulting activity—are considered during planning and give internal auditors an opportunity to deploy their control insight to assist the organization in identifying and managing risk during significant organizational activities such as system implementations or business combinations.