If you haven’t had a course or training session about writing an internal audit plan, the idea of creating one could seem extremely daunting. Even if you took a class or had training in the past, perhaps that training was so long ago that you can’t recall the best way to proceed.
Internal Audit Planning Process
An internal audit plan is a list of all the audit engagements that need to be conducted over a period of time. The most common form is the annual internal audit plan. How best to develop your internal audit plan depends on the size of your organization, industry-specific requirements and other applicable regulations.
In large companies, there are often positions such as chief audit executive. A person in this role is charged with interviewing managers and key employees and delegating tasks to the management staff and members of the audit committee. The number and rankings of staff interviewed may be different for every company.
Interviewing Staff Members
The purpose of interviewing and speaking with staff members is to find pain points. In addition, members of the audit team must focus on any risks that their interviewees foresee for the company.
For instance, an upcoming change in regulations that managers are aware of is important to surface at the organizational level, since employees must be trained for it or the company risks being penalized for noncompliance by a regulatory body. These penalties could require that a formal remediation plan be instituted to bring the company up to standard or could entail heavy fines.
Another example of something staff members might raise is a planned change of software systems that could introduce a cybersecurity problem. High-level management might not be aware of issues that those dealing with these systems on a daily basis observe.
Submitting an Audit Report
Once the interviews have been completed, the board of directors (or the person in charge of operations) should receive a report from the audit team. To create this report, the audit leadership team must analyze all of the results of the various interviews they conducted.
During the assessment, the team should be looking for any common themes or concerns that were mentioned repeatedly. In addition, they must consider the source of each complaint and that individual’s level of expertise. For instance, some companies only have one IT employee, so her complaint about cybersecurity could be the only one. Due to her level of expertise, however, the audit team would know that this is a serious problem that needs to be addressed.
Internal Audit Plan Completion
Once all major interviews have been completed, the audit team should do a check of industry regulations for compliance. Depending on the size and scope of a business, this process alone could be a full-time position. Interfacing with regulatory bodies is crucial for continued licensing, funding and business operations.
Each of these concerns needs to be accounted for in your audit. This remains true even if your company does not need to make any changes to its processes. Many regulations do not change from year to year, but they still need to be acknowledged in the plan to demonstrate continued compliance.
How to Write an Audit Plan for Business
With your interviews completed, you can begin to develop your audit plan. The more complex the business, the more complex your plan needs to be. Internal audit program examples or internal audit plan examples may vary based on your company's needs. For the following explanations, high-level topics are considered, but note that most companies will need to break these down on a deeper level specific to their industry.
- Existing Regulations: These are easily found on a regulatory body’s website, in mailings and in other information accessible by upper-level management. If any changes have been made to these regulations, each regulatory body should notify you about the changes and provide you with a deadline for full compliance.
- Employee Concerns: Staffing, wages, errors in production or service and anything else that relates to your workforce should be measured. Many companies do not do a full audit of employee satisfaction or even check to ensure that they are paying competitively. When these areas are not given the attention that they deserve, you risk unhappy employees who do not do their best work. A lack of attention to detail due to staff being overworked and underpaid can be a considerable risk to your company.
- Customer Concerns: Customer satisfaction surveys, complaint or compliment rates and client engagement are all ways to measure your customer satisfaction. Asking your customers what they need and providing for those needs is critical in any business.
- New Regulations: Some industries, such as health care or education, can go through many changes when it comes to what is and isn’t required. Keeping up to date with new regulations and ensuring that your company has a proper pathway to compliance is critical.
Compiling Major Audit Sections
Once you have each major section of your audit sorted, you or whomever the board of directors or upper-level management has delegated to conduct the audit will break those sections down further. Each pain point will then be graded on its risk to the company. For example, providing new uniforms for your technicians is a low risk to your company. By contrast, not keeping up with the personal protective equipment is a high risk to your company.
Types of Risk
In general, there are three types of risk that your company can encounter. These are low risk, medium risk and high risk.
- Low Risk: Items such as office comfort, office equipment or checking up on unchanged regulations are all examples of low risk. While your company doesn't need to focus on these, doing so could make your employees happier or safer.
- Medium Risk: Known regulation changes are an excellent example of medium risks. Perhaps you know that your employees need to complete a chemical safety course annually along with other basic warehouse training. While you don’t have to change anything to remain compliant, you still need to focus on maintaining your compliance. Falling behind could end up costing your organization certifications or could result in fines in the long run.
- High Risk: New regulations, possible catastrophic failures and customer data security are all high risk. These issues are imperative and will need immediate action. While most regulatory bodies offer you a time frame before they begin to uphold their new regulations, cybersecurity issues may need to be treated as an emergency that is handled as soon as possible. Failure to comply with these regulations could get your business shut down.
Evaluating Risk Levels
Some issues can be rated as high, medium or low risk depending on their severity. For example, employee retention can be a serious problem that you need to address immediately, or it may be a growing problem that should simply be monitored. Perhaps you have overly restrictive policies that your competitors do not. One hospital in Ohio, for instance, lost much of its emergency staff when it enacted a tattoo ban for employees; that area had a large number of health networks within a relatively small region, so employees left for less restrictive hospitals.
Employee retention problems may also be caused by larger issues such as benefits and pay. Ensuring a competitive wage while maintaining business growth can be difficult in lean times, so you have to weigh the costs and benefits of these changes. If a change is feasible and will net you larger profits, then it behooves you to change your processes.
Finally, you should be able to write down problems, solutions and changes that your company needs to make. In many organizations, the results of these audits may be placed online with an easily scanned index. Sharing your audit results should be an impartial and open process that weighs the good against the bad and suggests a course of action.