In our last post, we discussed the December audit work crunch. We suggested that starting this year’s plan on 1/1 and completing it on 12/31 is not optimal for the customers of that process (the board and management), nor for the producers of the deliverable (audit departments). The notion of an annual audit plan is fully etched in stone for most auditors and audit departments. Boards have come to expect this – not because it’s optimal from their perspective, but because it’s what has always been done. Similarly, most audit departments consistently plan to a 12-month calendar year. What else could they do?
The shortest, easiest answer is: Think Outside the Calendar!
It is incumbent upon auditors to provide assurance coverage across their organizations. Most departments use a modified risk-based approach. They typically use a multi-year coverage framework to ensure that they are covering the highest risk areas most frequently, while providing some minimal (adequate) level of coverage to areas of lower risk. There are a variety of approaches employed to accomplish this: entity-based, process-based, cross-functional, risk-focused, etc. None of these approaches require a January-December mindset.
Auditors do need a plan, and they do need to convey to the board (and management) what will be covered when, so that they can accommodate the effort. Most departments also leave some flexibility in their plan to address new concerns that arise (20-30% of total hours is common). But what if the planning occurred on a rolling basis instead of annually?
To implement such a change, the Chief Audit Executive would need to establish principles for coverage with the audit committee. Something like “cover all high risk areas once every 12 months; medium risk once every 18 months; and low risk every 24 months.” Then the team plans Q1 and Q2 of the upcoming year to address half of the highest risk areas, one third of the medium risk areas, and one fourth of the lowest risk areas. The department begins to execute the plan.
By the end of Q1, the audit department can establish a plan for Q3 (since Q2 was already planned at the beginning of the year). This plan would include another quarter of the highest risk areas, one sixth of the medium areas, and one eighth of the low risk areas. The process then repeats with the end of each quarter representing a “mini” planning session to address just the plan for a quarter 3-6 months out. Note that a “rolling plan?” could be implemented on a six-month instead of three-month basis instead, so long as the plan keeps on rolling and doesn’t stop at year end to recommence on 1/1.
There are obvious benefits to such an approach in terms of audit flexibility. If an area appears to be higher risk than anticipated, its frequency can be increased immediately, rather than waiting for year-end. Additional reviews could also be added to drill down on entities that are more complex than anticipated – with a shorter ramp-up time required.
From a board perspective, since approximately 1/4 of jobs would end in each quarter, the CAE would be discussing significant results consistently every quarter. In a standard model, audit findings are also discussed as they arise, but with so many jobs ending in Q4 (typically >50% of a company’s plan), the board is overwhelmed and issues may not be given the priority they deserve.
We’ve been able to help clients implement rolling audit planning systems and the bottom line is that there can be growing pains. While the practices are more effective for the board, management, and auditors, the requirement to think about risk prioritization on a more frequent basis may not be “natural” for any of them. A comprehensive roll-out should include personal meetings with senior leaders, and broader training/communications for board, auditors, and management.
Please reach out to me: email@example.com if you’d like to have a conversation about how your company could move to a smoother audit deliverable model. You will reap the benefits and may actually get your Christmas shopping done on time next year!