Planning for Uncertainty: The Rise of the Flexible Audit Plan
The Mandela effect describes the shock we feel when deeply held common memories turn out to be false. Many believe “Mr. Monopoly” sports a monocle (he never did) or that Ingrid Bergman says “Play it again, Sam” in Casablanca (actually it’s “Play it, Sam. Play ‘As Time Goes By.'”)
Would it surprise you that the IPPF does not require an annual audit plan? Actually, the words “annual” or “annually” appear only twice in the Standards — once related to confirmation of independence (1110) and once regarding a documented risk assessment (2010). There are another 25 mentions in Implementation Guidance, but only two about audit plans that “typically are prepared annually” — but may also be multi-year — and “may be assessed annually.”
Letting go of this mistaken memory, what else should follow? That an annual plan is the best way to add value, that it’s what the client wants, that it’s the best way to keep auditors focused and fully deployed, that it provides a useful basis for measuring (our) success?
Truth is, a hard-baked annual plan tied neatly into quarterly bundles no longer serves our organizations particularly well, if indeed it ever did.
And so, as we wind down 2022 and think about the year ahead, let’s explode such myths and ask how we can do a better job of serving the needs of our clients in 2023 and beyond.
What Does the IPPF Say About Audit Plans?
According to the IPPF: “The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.” This means identifying organisational objectives, priorities, plans, and risks. The critical requirement is this: “The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.”
In other words, follow the risks as they and our understanding of them change, paying attention to those that are “off-screen.” Your plan is to help you get ready but it should not be seen as a binding contract — neither is its primary purpose to keep your team fully occupied.
I wonder how much longer we can say audit plans are “typically” prepared annually. I see such practices disappearing fairly quickly.
The Appeal of Old Habits
Why are we so wedded to an annual plan? Here are some common excuses:
- It’s what we’ve always done.
- We think the client benefits from it.
- The audit committee expects it.
- It helps organize our resources.
- We can measure and report progress against it.
- It’s reassuring like a security blanket.
This old habit is closely associated with other shortcomings of a traditional audit approach, such as the long-form and late-arriving report, measuring our success by inputs, and justifying the plan by the resources we have rather than vice versa. Richard Chambers tells this joke: Q. How many internal auditors does it take to change a light bulb? A. How many did it take last year?
It also contributes to disenchanted professionals who feel they are going through the motions with a grinding sense of deja vu.
Planning Is Essential
That’s not to say we can dispense with planning. It’s absolutely vital and in some cases required by regulators. I learned this phrase recently from a blog by Alan Laiken: “Planning is bringing the future into the present so that you can do something about it now.” But the further we reach into the future, the more uncertain things become — and uncertainty is the origin of risk (“Risk is the effect of uncertainty on objectives” — ISO 31000).
We have to continuously reassess risks to remain relevant. At SWAP we have moved to a six-month audit plan but I can see this becoming something even shorter. Aside from directly delivering greater value to the client, a more agile approach offers many benefits. It gets you in front of the top table more often, establishing an ongoing dialogue and underscoring your relevance. Auditors are re-energized as they recognize their importance. And resources previously expended on the onerous task of annual audit planning can be used much more directly in the service of enhancing and protecting value.
Planning Is a Process
We need to be brave and challenge convention. We may have to persuade our stakeholders — on the basis that it’s about a better outcome. Audits should be delivered when it’s time. We can learn to focus on and measure what’s important, namely being able to give assurance and advice when it’s timely to do so.
Planning is a continuous process, not a once and done. Paul Sobel talks about planning as a process of anticipation and waiting for the right time, keeping your conceived engagements in the hopper “audit ready” by a process of real-time prioritization. We must constantly revisit the objectives, strategies, internal and external conditions, threats, and opportunities, looking both backwards and forwards, reviewing the prior three months, planning the next three months, anticipating the three months beyond that.
To achieve this, technology helps considerably. Using digital tools and a dashboard, I think of our plan now as a “drag and drop” holding bay.
Sample Audit Planning Dashboard in AuditBoard
Adapting to the Moment
Among other things, being a trusted advisor means:
-
You’re not measuring your value in terms of engagements completed or reports delivered in accordance with the plan.
-
Your advice is timely. As Richard Chambers would say, don’t tell me there was a storm yesterday (hindsight) or even there’s a storm today (insight). Help me understand what to expect tomorrow and how to prepare (foresight).
-
You are continuously re-assessing risk and prioritizing your services in real time.
I was going to say we should create a “chameleon audit plan” — namely, one that adapts to suit its environment. But actually that’s another common misconception. Chameleons only change colour to match their mood and temperature. A better analogy is a cuttlefish, which is able to change according to its surroundings — not that we’re about blending in, we’re about standing out!
If you are ambitious, courageous, interested in increasing impact and adding value, and truly becoming a trusted advisor — be a cuttlefish.
David Hill is the former CEO of SWAP Internal Audit Services based in the UK. David has nearly 40 years of audit experience, and is a former member of the Global Guidance Committee. Connect with David on LinkedIn.