Larry D Hubbard
The Internal Auditor
. Altamonte Springs:
. Vol. 57, Iss. 4; pg. 20, 2 pgs
Copyright Institute of Internal Auditors, Incorporated Aug 2000
Proper planning helps to ensure that auditors and management share the same agenda and that each engagement adds value to the client.
NEWCOMERS TO THE PROfession often don't fully understand the value of audit planning. "Why not just do it?" they ask. "Why don't we just walk in the door and
start ticking?" Unfortunately, no audit department has enough time or resources to do everything that could be done, which means that we must predetermine what is
most important and what steps will be most likely to ensure success.
Macro-level planning, a process that is usually conducted by audit management, identifies the audits that will be performed within the organization, while micro-level
planning focuses on how to plan an individual audit. The importance of macro planning and its implications are relatively obvious. In this instance, we'll examine
micro-level planning: how to scope the audit, acquire management cooperation, and ensure that the right skills are available.
SCOPING THE AUDIT
The process of deciding which areas, cycles, functions, activities, systems, or other entities to audit is often linked to a risk assessment process. Sometimes auditors are
uncertain about how this process relates to the overall COSO risk assessment formula, which focuses on objectives, risks, and controls. In fact, the COSO model is
relevant from both internal auditing and management perspectives and objectives.
For example, the objectives for an audit could relate to internal auditing's aims for performing the audit, such as, "Ensure the audit provides a value-added service to
management." The risks could correspond to those aims: "Management may not think auditors have the technical abilities to add value to their operations" or "The audit
may not focus on items of importance." Addressing these issues might be considered as internal auditing's objectives.
Another approach to micro-level risk assessment might focus on management's objectives, such as "Increase market share." The audit could evaluate the controls