The internal auditor is required to understand the audit risk involved in a process prior to planning a review. Audit risk, therefore, influences the audit planning methodology in a significant manner. Audit risk is composed of Inherent Risks, Control Risks and Detection Risks, which are explained below:
(i) Inherent Risks— Inherent risks are defined as the risks involved in the nature and volume of the business transaction; for instance, purchase negotiations involving materials with prices linked to London Metal Exchange (LME) would involve a higher risk than the purchase of material with stable prices.
(ii) Control Risks— Control risks are the possibilities of design deficiencies in a process on account of absence of adequate internal controls; i.e., on account of absence of controls in the process design to prevent such deficiencies; for instance, absence of maker–checker controls in recording journal vouchers would not prevent unauthorized, inaccurate or back-dated journal entries.
(iii) Detection Risks— Detection risks are the risks that the internal auditor may not be able to detect the deficiencies in the process through substantive tests and data analysis.
Assessing the audit risks shall assist the auditor in identifying the quantity and quality of evidence required to be gathered and the level of detail required in the analysis while performing the audit. For example, in the event of a higher audit risk, the auditor would need to increase the level of detail in the audit plan. The auditor is expected to plan the audit in a manner that reduces audit risk to an acceptably low level that is consistent with the objective of an audit.
Importance of Audit Planning
An audit plan is prepared to ensure that the auditor can formulate an effective response mechanism to each of the material risks identified in a process. The importance of audit planning can be summarized using the
(i) Efficiency and effectiveness in conducting the review:
An efficient audit can be performed if the audit has been thoroughly planned. By defining an audit plan, the auditor can ensure that all the in-scope areas/processes/activities are duly covered in the audit plan and are covered during the review. The audit plan would list the necessary tools (data analytics, etc.) and information requirements from the management, thereby enabling efficiency. Also, for recurring assignments, it is ensured that all the audit activities undertaken in the previous assignment are covered in the review.
(ii) Defining the nature, timing and extent of the review:
The auditor is required to identify risks associated with the processes; therefore, detailed audit planning enables identification of the level of detail/analytics and documentation requirements for the review. The same facilitates documentation of the audit procedures to be followed for review of each activity included in the scope of the assignment.
(iii) Requirement planning and assignment of responsibilities:
A detailed audit plan would enable the auditor to identify the resource requirements for each process/sub-process based on the level of complexity and the risk rating for the activities involved in the sub-process. In addition, based on the criticality of the control framework at the client location, the auditor can identify the skill-set and level of experience expected from the person responsible for conducting the review. On finalization of the same, the auditor can assign responsibilities within the audit team for conducting the review and obtaining management responses.
(iv) Flexibility in performing the review:
During the course of the audit, the auditor may need to re-visit the focus of the audit/criticality of risk areas based on the audit evidence collected and audit documentation. An audit plan incorporates the risk rating against each activity, sub-process and process. The same enables mapping the potential risk implications on account of the findings of the review with the risk tolerance levels of the company and, therefore, assists in updating the level of detail and data analysis required for the review. By preparing a detailed audit plan, an auditor can update the activity-wise time and resource requirements, based on the findings during the progress of the review.
(v) Mapping the objectives of the assignment with the outcome:
Preparation of an audit plan would ensure that the auditor can duly focus the audit procedures on the key concerns/pain areas of the management. The auditor would obtain management feedback for developing the audit plan, ascertain management responsibilities with respect to the provision of data necessary for audit execution, and would also be able to ensure that all management concerns are adequately addressed.
(vi) Progress monitoring:
By preparing an audit plan, the auditor would be able to define activity/sub-process-wise timelines for conducting review of each process. The same would facilitate identification of deviations, if any, and taking suitable corrective actions.
Key Factors in Audit Planning
The internal auditor needs to prepare an audit plan in order to ensure that all the relevant audit areas are identified and included in the audit plan in accordance with the level of details required. The following are the factors that the auditor would need to consider in defining an audit plan.
Based on the understanding of the business, the internal auditor shall be able to identify the key risk areas to be covered in a process. Thereafter, the auditor needs to consolidate the areas and fragment the sub-processes to identify an audit universe to best design and

Internal Audit plan of automobile industry - Aryan Consulting