Audit Process Planning: Ensuring a Compliant, Risk-based Approach to the Audit Process


When an auditor invests sufficient time in planning an audit, it sets the stage for a productive partnership that respects and supports the auditee's journey toward continuous improvement. A well-planned audit assures the auditee that the audit is not an evaluation or interrogation to be survived, but a supportive service meant to assist and enhance operations. Thoughtful scheduling and reliable information gathering transform what could be a stressful encounter into a constructive experience that leaves employees feeling valued rather than degraded. Instead of reacting to issues as they arise, a proactive audit respects the organization's hard work and recognizes its achievements. By fostering a positive, ongoing relationship that guides the organization toward compliance and quality, a quality auditing team adds value, improves business processes, and sets the tone for a positive company culture that benefits customers and stakeholders.

A risk-based approach to auditing identifies the higher-risk areas within an organization and allocates resources to the areas that pose the greatest threat to the business objectives. By carefully prioritizing audit work and designing the audit within a specific scope, auditors deliver quality support that meets the organization's needs and comprehensively mitigates risk. This approach ensures auditors focus their efforts on areas that significantly impact the organization's objectives, optimizing resource utilization and improving audit efficiency (McCafferty, 2023). For example, focusing on cybersecurity risks in healthcare or financial risks in a bank ensures that the most critical threats are addressed, enhancing overall resilience. By targeting high-risk areas, auditors ensure that thorough controls are implemented where they are needed most, strengthening the organization's risk management framework. The insight gained from a risk-based audit informs strategic decisions, helping management allocate resources effectively and prepare proactively for the future. This approach also provides documentation, explanation, and assurance for the recommendations and solutions proposed for moving forward.

Audit evidence must be sufficient and appropriate to support the audit team's assertions. The evidence can be written, electronic, or observable, but the auditor must have the correct type and the right amount of evidence to support each claim truthfully and accurately. This discipline enables an auditor to deliver a relevant, reliable, complete, and trustworthy audit. Written evidence, such as policies and procedures, offers a tangible record, while electronic evidence provides real-time data that can be analyzed with computer systems. Observable evidence, such as process observations, adds a layer of practical verification. In the hierarchy of evidence, evidence provided by a third party holds more weight than evidence produced by the company itself. For example, bank statements and insurance policies carry more weight than cash ledgers or evidence of prepaid accounts. Further, direct evidence carries more weight than indirect evidence: an inventory count confirmed by the auditor carries more weight than inventory count records provided by management. Internal evidence can be influenced by internal biases, whereas third-party evidence is generally more reliable because of its independence. Direct evidence offers clear verification of facts, whereas indirect evidence requires further corroboration or interpretation. Similarly, on a legal matter a lawyer provides stronger evidence than the banker who issued the loan, and on a financial assessment the reverse holds. Strong internal controls allow for smaller sample sizes, whereas weak internal controls leave more room for error and call for larger samples. Through careful consideration of the hierarchy of evidence, audit teams build stronger arguments by assessing the material relevance of the evidence, its objectivity, the competency of its provider, and its independence. Obtaining the best evidence from the right source makes a substantial difference in the reliability, relevance, and completeness of the audit.

Continuous training allows auditors to remain current on ISO, ISACA, COBIT 5, ITAF, GAAS, and CISA standards. The audit quality control plan provides for proper resource allocation, risk identification, and the establishment of a timeline, scope, compliance requirements, quality criteria, and clear objectives. Consistent audits, Standard Operating Guidelines (SOG), Standard Operating Procedures (SOP), and Field Operating Guidelines (FOG) help ensure adherence to standards and maintain a consistent, high-quality audit process (SAFECOM, 2023). Management remains responsible for ensuring compliance with laws and regulations, including those governing financial statements and disclosures. The auditor must verify management's compliance through a management representation (REP) letter and must operate within the applicable laws and frameworks. Collusion, forgery, bribery, or a lack of documentation can result in noncompliance on management's part that is difficult for an auditor to detect and account for (Farhat, 2023). In addition to reviewing financial statements, the auditor must question management, read the board minutes, and review correspondence with regulatory authorities. It is crucial to identify potential pitfalls and conflicts early; this involves anticipating problematic areas and developing contingency plans to address them effectively. Effective communication with stakeholders is key: regular, transparent discussion ensures that all involved parties are informed about the audit's progress and any issues that arise, facilitating collaborative problem-solving.

Narrow, operational control practices implement controls, whereas the broad, strategic risk management plan identifies the risks those controls address. A strong control environment combines multiple detective, preventive, and corrective controls to comply with policies and mitigate risks (Swanagan, 2024). This layered approach supports strong monitoring systems, authorization protocols, and incident response plans.

References:

Alqudah, H., Amran, N. A., Hassan, H., Lutfi, A., Alessa, N., Alrawad, M., & Almaiah, M. A. (2023). Examining the critical factors of internal audit effectiveness from internal auditors' perspective: Moderating role of extrinsic rewards. Heliyon, 9(10), e20497. https://doi.org/10.1016/j.heliyon.2023.e20497

Dodt, C. (2024, January 17). An in-depth overview of CISA domains for aspiring auditors. Infosec Institute. https://www.infosecinstitute.com/resources/cisa/certified-information-system-auditor-cisa-domains-overview-exam-material/

Farhat. (2023). Compliance with Laws and Regulations. https://www.youtube.com/watch?v=7U_MKdzI7bI

Jadhav, K. (2023). The Role of Cyber Security Audits. ResearchGate. https://www.researchgate.net/publication/367559332_THE_ROLE_OF_CYBER_SECURITY_AUDITS

McCafferty, J. (2023, September 27). Ten Factors to Consider when Setting the Scope of an Internal Audit. Internal Audit 360. https://internalaudit360.com/ten-factors-to-consider-when-setting-the-scope-of-an-internal-audit/

Ramos, M. (2009, November 30). Risk-Based Audit Best Practices. Journal of Accountancy, 8(1), 104-111. https://www.journalofaccountancy.com/issues/2009/dec/20091789.html

SAFECOM. (2023). Writing Guide for Standard Operating Guidelines. https://www.cisa.gov/sites/default/files/2023-08/SAFECOM%20Writing%20Guide%20for%20SOG_final_08-2023.pdf

Swanagan, M. (2024). The 3 Types Of Security Controls (Expert Explains). Purplesec. https://purplesec.us/security-controls/
