OUR LADY OF THE PILLAR COLLEGE CAUAYAN

COLLEGE OF ACCOUNTANCY
OPERATIONS AUDITING

MODULE 3E:
RISK ASSESSMENT IN AUDIT PLANNING- Writing and updating strategic
and annual plans
A comprehensive strategic and annual plan of IA activity is crucial to the success of internal audit. Having identified
and assessed risks across the audit universe the next step in the process is to develop plans to address the areas of
highest importance. Planning ensures a systematic approach to IA activities and requires knowledge and
competence in a wide range of areas, such as risk assessment and internal control.

Strategic plan

The purpose of the strategic plan is to document the judgements made about “audit needs” – the internal auditor’s
judgement of the systems, activities and programmes that should be subject to audit to provide reasonable
assurance to management about risks and the effectiveness of internal control. The plan must contain:

• Clearly expressed objectives and performance indicators for what the IA function will achieve in the next 2-4
years, linked as appropriate to the strategy for the organization.

• The methodology used to prepare the strategy and how the IA unit has assessed risks that impact the
organization’s objectives.

• How the IA unit will address the areas of most significance over a period of years. It will usually be necessary to
identify cycles of coverage for different elements of the audit universe. Some systems and processes may need to
be examined every year. Others may only need to be examined every three to five years and so on.

• The resources required and available to meet these needs and the impact of resource constraints on the ideal
level of audit coverage.

• An internal risk assessment of those events which may impact the achievement of objectives in the audit strategy
and mitigating actions to address such risks. (For example, staffing shortfalls; skills shortages and training and other
actions needed to address these risks.).

• Plans for the coordination of work with other sources of assurance (e.g. external audit).

• The approach for following up recommendations made.

• The higher or longer-term goals the IA function wants to achieve but may not achieve in the short term.

Annual audit plan

The annual audit plan translates the strategic plan into the audit assignments to be carried out in the current year.
It should define the purpose (title and objectives) and duration of each audit assignment and allocate staff and
other resources accordingly. The plan should provide a basis for agreeing the assignments to be undertaken and
the timing of each assignment with the relevant managers. As these need to be geared to the budgetary resources
available it is usually preferable for the audit plan to mirror the budgetary period.

In developing the annual plan, the IA should consider several inputs in order to get a realistic work plan that
provides added value to the organization:

• The strategic audit plan assumptions and whether these are still valid in the light of audit findings.

• The latest annual plan (if appropriate), taking consideration the main findings from previous audits that
indicating changes in risk.

1|Page
 OUR LADY OF THE PILLAR COLLEGE CAUAYAN
COLLEGE OF ACCOUNTANCY
OPERATIONS AUDITING

• Organizational and timing constraints. (For example: changes in departmental Organization; locations that
cannot be reached in the winter months; major periods of leave or office closure – Christmas, Easter, Summer,
implementation of new IT systems; high workload periods.)

• The resources that should be reserved for future unplanned work (see below) to avoid frequent reshuffling of
the annual plan.

• Optional program of audits to take the place of postponed audit missions and/or a lower volume of unplanned
work than forecasted.

Plans should be prepared before the year begins. Not all audits will be completed within a planning year so the plan
for the coming year must take into account work that crosses the year-end.

Keeping plans up to date – regular monitoring of risk

Risk is not a static concept. It changes over time. In addition, events that actually happen (e.g. a major reduction
on budget) will generate new risks for the organization. (For example, the achievement of a major capital project,
which was low risk when funds were available, may be high risk because of a budget revision.)

Auditors must therefore monitor significant events that occur during the year (e.g. by reviewing new official
documents, external reports, media coverage and change in the legal framework) and the impact these may have
on the audit plan. (For example, a change of minister with very different views on the highest priority projects in
the budget.)

Annual review of the strategic plan

Planning is a dynamic process. New systems, more up-to-date information and other developments affecting the
organization may result in a reconsideration of audit needs assessment. For this reason both the audit risk
assessment and the strategic audit plan should be reviewed annually. The plan should be completely reassessed
towards the end of the cycle.

In reviewing the strategic audit plan, the IA should consider:

• Changes that have occurred to the organization, its activities, objectives or its environment. This may affect the
risks that it faces in achieving its objectives and consequently the relative risk of each auditable system.

• Results of IA assignments undertaken in the previous year may lead to the original assessment of risk and priority
being revised. These may indicate the need for a redirection of audit effort, for example, by revisiting a particular
system or by examining a related system.

• Whether budgets are still appropriate and will ensure the delivery of an efficient IA service.

2|Page
 OUR LADY OF THE PILLAR COLLEGE CAUAYAN
COLLEGE OF ACCOUNTANCY
OPERATIONS AUDITING

Dealing with additional requests for audits during the year

No plan is perfect. Changes are inevitable and may arise for many reasons:

• The organization may be reorganized;

• New senior managers may have different views on the priority to be given to particular activities;

• A major fraud may be detected identifying higher levels of risk in a particular area;

• The Minister may request an earlier review of subjects planned for later in the strategy.

The IA also need to maintain a balance between responding positively to such requests and the need for the overall
programme of work to provide an adequate level of assurance in relation to the main risks identified. For each
request for ad hoc work there should be a discussion with senior managers of the benefits of responding to the
request and the impact this will have on the annual work plan. The results of this discussion should be documented.

Where the IA agrees to undertake an assignment not included in the annual work plan the remainder of the work
should be reprogrammed and a revised work plan submitted to managers. As a general rule the annual plan should
not be updated more than once a quarter.

Many IA units reserve a proportion of their resources for handing unplanned or ad hoc work.

3|Page