
How Leading Internal Audit Teams Handle Last-Minute Changes to the Audit Plan
How leading Internal Audit teams adapt fast when the audit plan changes unexpectedly.
You’ve finished your risk assessment and proposed your audit plan. The hard parts are done, right?
Nope. Sorry. Not anymore.
Nowadays, with risks emerging and changing so quickly and Internal Audit teams operating at historically high levels, audit committees and management are asking for more last-minute changes to the audit plan.
So, how are leading Internal Audit teams anticipating and responding to last-minute changes to their audit plans? A recent “Advancing Internal Audit” roundtable hosted by Internal Audit VP and Internal Audit Collective member Ashes Basnet focused on how teams are evolving planning processes to meet their organizations’ changing needs.
During the previous roundtable, our conversation homed in on audit planning, with many teams revealing that they were no longer completing 100% of their audit plans. Ashes shared, “It’s something my team has struggled with, but not necessarily because we don't have the resources. We have the resources. But there’s a more fluid nature to the risk. In some cases it’s resource constraints, or ad hoc requests from the business. In a recent case, we had a major activity that’s pending regulatory approval that’s going to take my staff and team away from doing the things we had on the plan.”
Whether these changes come during the audit committee’s formal signoff on your audit plan or months down the road, you need options. Here’s how Internal Audit leaders from a range of industries and organization sizes are handling last-minute changes to their audit plans.
1. Build In Greater Flexibility
Embedding more flexibility into planning typically happens through two avenues — people or processes.
People
The most common people-related approach to building in flexibility we heard was scheduling resources to preset utilization thresholds. Many teams develop their audit plans based on a blended utilization rate of 75–80%, factoring in ~20–25% for time off, administrative tasks, and other non-working time.
This approach bakes in a time cushion that offers some flexibility.
However, even when these benchmarks are proactively built into audit plans, they aren’t always enough. Newly added projects or existing projects that go over time/budget can quickly chip away at that 75–80%.
Process
To be clear, when we talk about using process to add flexibility, we’re not talking about risk-based audit planning. That’s table stakes.
For most Internal Audit teams, embedding more flexibility via process means a rolling audit plan, where you’re updating your audit plan on a more frequent basis.
These teams aren’t trying to plan their audits 365 days out. The idea is that more frequent updates can help reduce the impact to your schedule and resource plan. For example, different cadences can help Internal Audit:
- Improve alignment with the business. A Professional Practices Director (PPD) from a tech company explained that his team updates their audit plan twice a year and does “sanity checks” on off quarters. “Our Product and Engineering teams do their strategic planning twice a year. So we're trying to match their cadence, because a lot of the changes are being driven out of Product and Engineering.”
- Improve alignment with the audit committee. An Internal Audit leader at an insurance organization takes a quarterly approach that aligns with the frequency with which they present their audit plans to the audit committee. “Every quarter we go through the formal roll-forward of our risk assessment, taking time to consider the information gathered through different management meetings held throughout the quarter along with any internal/external events that could impact the risk assessment. Then we update the plan. Very rarely does something come off that was previously communicated to the audit committee as being on the plan… often we’re just highlighting what’s newly added.” Ultimately, he explained, “We want to show the audit committee that we’ve had a thoughtful step back on the plan once a quarter and are adapting the plan throughout the year accordingly.”
Many teams, however, stick with annual planning — but in most cases, they’re adapting as needed based on ERM cycles and quarterly meetings with management. For example:
- A CAE at a medical equipment manufacturer reported that his team’s plan changes around 30% over the course of the year. He clarified, “We’re not as mature as we’d like to be. I’m in an opportunity-rich environment… pretty much every area we pick to audit, we find things. So that’ll obviously evolve over time.”
- Ashes’ organization, operating in the insurance sector, prioritizes enterprise risks using a P1–P5 scale — based on risk ratings and importance to the business — that drives each quarter’s activities. He explained, “Oftentimes I get a seat at the table to hear from all the leaders on what's happening for that quarter. How are they continuing to manage that risk? Has anything changed? How has mitigating activity changed, if at all? If something comes up that’s truly disruptive, we would change the plan. But often the plan doesn't change, even though we’re involved in the quarterly process.”
2. Enhance Resource Management
Many larger Internal Audit teams dedicate a leader to proactive resource management.
Admittedly, not every team can afford to dedicate a resource. But for teams who can, it obviously makes a huge difference in their ability to flex their audit plans as needs evolve.
As a Director of Strategy and Operations at another insurance organization explained, “Anytime there's even a thought of a proposed change to our plan, that all comes through me to recalculate our workforce administration. I'm the one doing the analysis to make sure we have the people resources and capacity available where we need them. I'm the dedicated resource that’s calculating where the team is at from a productivity capacity and utilization standpoint.”
The role isn’t a small lift. Not in the least.
Every week, she’s asking leadership to forecast their engagements and reporting, and watching for any plan changes emerging from continuous monitoring and update meetings. She’s the one responsible for investigating and answering “yes we can” or “no we can’t” for her 19-person team.
She’s also, however, responsible for her team’s methodology, leading practices, standards and updates, QA, customer service, analytics, skills assessments, AuditBoard forms, templates, dashboards, and overall functionality, and basically everything else that falls outside the confines of a risk-based engagement.
In other words, dedicating a leader to resource management certainly will be a game-changer for anticipating and responding to last-minute audit plan changes. But CAEs should stay mindful that such roles can themselves be a spectacularly heavy lift.
Plus, as Ashes pointed out, audit planning and capacity planning must go hand in hand. “If you don’t know your audit plan, you’re not going to be able to accurately do your capacity planning.”
3. Leverage Your Assurance Map
Many teams are using connected risk — in which Internal Audit, Risk, and Compliance teams communicate, coordinate, and collaborate to improve risk management across the enterprise — to help them flex their audit plans.
If you have an assurance map, you can use it to determine whether assurance work from other risk management teams can help provide the coverage needed.
If you don’t have an assurance map, here’s a solid reason to create one. After all, as the tech company PPD called out, “You always end up with more audit projects than you have the bandwidth for.”
Accordingly, his team starts by clearly conveying to the audit committee what Internal Audit wants to do and why, what they have capacity for, and what projects will be sidelined as a result.
Of course, the audit committee can ask to change that plan, moving other projects up the list.
That leaves his team with several options: Working harder, deferring planned projects, staff augmentation or outsourcing, or… connected risk. Lately, his team is pursuing the last option more often, reaching out to the company’s other risk management teams to find out if they have similar projects planned or in progress. If yes, “Maybe they expand scope and we pull back on scope, because the project needs to get done but we don’t have the bandwidth. We can still contribute, but perhaps the assurance coverage can be supported more heavily by other risk teams,” he explained. “Depending on the topic and the level of effort, we can coordinate on areas of focus. There are usually options available.”
It’s worth noting: This connected risk approach is a direct response to audit committee requests.
The tech company’s audit committee has been asking for more visibility and clarity on:
- How audit plans incorporate the enterprise and business risk assessments
- How assurance maps are used to define the audit universe, identify auditable entities, and group them in terms of risk coverage
- How risk and assurance coverage is coordinated with second-line teams
As business leaders across industries look to strengthen risk management, your team is likely to face similar requests. Why not get ahead of the game while sourcing new options for responding to last-minute audit plan changes?
4. Use Technology to Vet, Validate, and Refine Audits
Technology offers another way to respond to unexpected audit plan changes.
Before agreeing to assign the resources for a full audit, work with your data team to pull together more information about the risk. Then, provide this information — as well as Internal Audit’s recommendation to proceed with the audit or not — to the audit committee.
This approach can also be used to refine the audit scope, making sure you’re looking at the right areas to help you assess the risk more effectively.
Diego Calderon, Senior Director of Audit & Risk Management at a manufacturing company, regularly leverages data analytics to help the organization monitor key risks and plan risk-based audits. “We have around 60 different data points across financial and operational elements that we review annually and quarterly,” he explained. The team regularly refreshes and analyzes these data points, often in real time while executing an audit project. “But we don’t just want to include things that are informative. We want to include things that are truly risk indicators. That’s why, in most cases, we collaborate with the second line to define the data points and thresholds,” explained Diego.
This year, the audit committee gave Diego’s team a fresh mandate: To be more proactive in fraud detection.
Rather than start with a 500- or 1,000-hour audit, however, they’re starting by getting the information they need to target their audits more effectively.
While the team had made fraud a focus in past audits, Diego said, “There wasn’t a trigger to really identify it. So we thought that — by having a better basis from an information perspective — it will give us more clarity on where we can target fraud.” Accordingly, ahead of annual planning, the team is developing a comprehensive but focused fraud risk assessment and framework for getting the input they need to prioritize specific fraud scenarios. That will enable them to design specific analytics and tools that will help them detect fraud on a more proactive basis.
If the audit committee says something is important, that’s reason enough to investigate.
However, some thoughtful due diligence and pressure-testing before jumping in can be valid — especially when it helps Internal Audit come back with more well-informed recommendations on how to do an audit that will provide genuine value.
Data analytics can also help Internal Audit identify and prioritize audit areas by providing a line of sight into what’s going on in various parts of the organization. As the medical equipment manufacturer CAE shared, “There’s the old adage of ‘where there’s change, there’s risk.’ So we’re very simply looking for change as a proxy for risk in those conversations, to help seed where we would focus some of our efforts and resources.”
Driving Internal Audit Forward — Together
Whatever their industry, risk profile, or team size, every Internal Audit team faces similar challenges when audit committees make last-minute changes to the audit plan.
Providing a platform for airing these types of challenges — and more importantly, for sharing ideas for solving them — is one of the most crucial ways the Internal Audit Collective provides value. When I participate in roundtables like this one, I remember exactly why we’re all here.
Are you looking for ways to advance your Internal Audit function? Join the Internal Audit Collective, start participating in roundtables, and help us understand how we can help you move forward. If you’re specifically focused on improving audit planning, check out Linh Truong’s August 12th webinar, open to the general public.