How to Create an Audit Plan

by Gae-Lynn Woods ; Updated September 26, 2017

Audit plan creation can begin as early as six months before the business's audit year starts and can require considerable staff and management resources. Audit plans should consider all areas of the business and focus resources on those with the highest risk. Once you have assessed these risks, you can determine how often you perform audits and evaluate whether your staffing levels need adjustment.

Define the Audit Targets

Review the business’s organization charts to identify all business areas and support units.

Review the business’s income statement to identify all sources of revenue. Make sure they are accounted for in the organization chart.

Meet with business managers to discuss any plans to open new business or support units, or to close, consolidate or sell existing units. Follow up on any anomalies between the income statement and the organization chart.

Decide how to split your audit universe (the areas you will audit). Once you establish an audit universe, you will audit each unit or department on a risk-based cycle, usually three years. You may choose to audit business units in their entirety, from manufacturing or sales to shipping and collections, including all supporting functions such as human resources, accounting, tax, strategy and information technology. Or, you can perform smaller audits of discreet business activities such as sales or collections, or support activities such as human resources.

Risk Assessment

Establish a numeric approach to rating the risk of each unit so you can allocate scarce audit resources to the riskiest areas of the business. Factors to consider include: income and/or expense contribution; transaction volume, which might include number of items manufactured, number of employees hired or number of transactions processed through a computer system; time since the last audit and the results; and the degree of strategic significance the unit has to the overall business.

Determine a numeric cut-off for high-, medium- and low-risk units. For example, units scoring between 80 and 100 (high risk) might be audited annually; those scoring between 50 and 80 may be audited every two years; and those scoring below 50 (low risk) would be audited every three years.

Rate each unit based on its risk and assign an audit frequency. If possible, include business managers in the process to gain their perspective on each unit’s risk.

Establish how much time you will allocate to each audit, considering the manual and automated procedures you will need to perform.

Determine how many hours of audit time your staff has available and compare it to the audit time required. If the numbers do not match, request additional staff or reduce the hours per audit or the number of audits you perform each year.

Discuss the draft audit plan with the business's managers and get their approval for it and related resources.

Cite this Article A tool to create a citation to reference this article Cite this Article