Various professionals take the issue of risk control seriously, advising companies on ways to run efficient operations. Internal auditors and external reviewers help firms establish sound policies. Audit plans are blueprints that auditors-in-charge draw up to make sure testers complete tasks in accordance with regulations. These include Institute of Internal Auditors guidelines and Public Company Accounting Oversight Board rules.
An audit plan is a step-by-step, methodical approach that enables reviewers to focus on important areas under review. Planning steps run the gamut, from engagement preparation and staff appointment to testing financial accounts and internal processes. An audit supervisor, or lead auditor, writes up the plan, working under the supervision of a corporate audit director.
The engagement preparation phase of an audit plan attracts the attention of various individuals. Besides auditors, segment chiefs in an area under review pitch in with auditing activities. An audit supervisor reviews engagement goals and discusses resource allocation with corporate leaders. Audit resources include personnel, testing worksheets and technological equipment, such as software and mainframe computers.
Auditors participating in an engagement generally have the knowledge necessary to perform tasks satisfactorily. Adequate expertise helps reviewers sift through corporate processes and pay attention to major risk areas. For example, a lead auditor preparing a review of an insurance operation may ensure that the audit team includes actuaries, risk managers and professionals with regulatory acumen.
Communicating with corporate leadership ahead of time ensures management approval of fieldwork tests, a nod that improves collaboration from rank-and-file personnel. During preliminary meetings, auditors-in-charge discuss various issues with senior executives. These include the auditing time frame, resource allocation, reporting guidelines and risk mitigation.
Control tests enable auditors to figure out how a company conducts business, with a focus on processes that the firm uses in its daily operations. A control is a set of rules and procedures that a department head puts into place to prevent losses. These losses may result from technological malfunctions, error and fraud. Operating losses also may result from adverse regulatory actions, such as fines and temporary suspensions.
Evaluating exposures allows auditors to set risky processes apart from low-risk areas. Risk appraisal draws on financial management and regulatory compliance, indicating to top leadership which business segments have the greatest exposures. After reviewing and testing corporate processes, auditors rank them as “tier 1,” “tier 2” and “tier 3,” depending on the loss expectation. An alternative ranking pattern is “high,” “medium” and “low.” Corporate reviewers generally discuss “high” and “medium” exposures with department heads, leaving the mitigation of “low” risks to segment chiefs.
Communicating test results to management is an important element in an audit plan. Lead auditors summarize these results in a report and share it with corporate leadership, investors and regulators.