CIO.com

audit program (audit plan)

By Ben Lutkevich

What is an audit program?

An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.

The goal of an audit program is to create a framework detailed enough for any outside auditor to understand. It should contain the following information:

• the official examinations that have been completed;
• conclusions reached; and
• the reasoning behind each conclusion.

The framework explains the audit's objectives, scope and timeline. The audit program should also describe how working papers -- the documented audit evidence -- will be collected, reviewed and reported.

Objectives of audit programs

When developing an audit program, the internal auditor and the associated audit team members should first outline the audit's objectives, goals and obligations.

Audit program objectives help direct planning of the audit report and are based on the policies, procedures and guidelines unique to the company. These objectives may relate to how the audit committee will maintain efficiency, professionalism and a specific code of conduct during the audit procedure.

In addition to relevant regulatory compliance mandates, objectives for audit programs should consider and incorporate the following:

• management priorities
• business intentions
• system requirements
• business structure
• legal and contractual mandates
• customer and other interested parties' expectations
• risk management vulnerabilities
• corrective actions from previous audits

Preparing an audit program

Audit program details are based on an organization's unique needs. Plan preparation will consider the relevant regulatory deadlines, staff requirements, the reporting structure and overall goals.

Audit goals take into account how a company will maintain regulatory compliance using risk assessment and management procedures. The audit program also includes a timeline detailing when specific aspects of the program take place and how to prioritize them.

Audit program planning is usually a continual and iterative process. During planning and development, companies build on lessons learned from previous audits. They also implement new best practices that alleviate risk and maintain compliance.

Audit development guidelines and best practices vary by industry. Local and regional auditing certifications are available, as are internationally recognized ones, such as the following:

• the Certified Internal Auditor designation offered by the Institute of Internal Auditors;
• the Certified Information Systems Auditor designation offered by the Information Systems Audit and Control Association; and
• International Register of Certificated Auditors membership.

Types of audit programs

A number of different types of audit programs exist.

Standardized audit programs

These audit programs are available for many different industries and are used proactively to help organizations create their own internal compliance framework and internal audit program.

For example, the International Federation of Accountants publishes financial audit standards called the International Standards on Auditing. A standardized audit program is different from a fixed audit program, which is defined as an audit program that cannot be changed during the course of an audit.

Tailored audit programs

Tailored audit programs incorporate procedures designed to match the needs of the auditing entity. These programs are customized to reference specific areas, such as business procedures, financial statements, legal documents and assets. Tailored programs target specific requirements, letting companies more easily identify compliance lapses and develop internal controls to offset them.

Compliance audit programs

A compliance audit program outlines how an organization adheres to regulatory guidelines. The details of these programs vary, depending on whether an organization is public or private, what kind of data it handles, if it transmits or stores sensitive financial data and similar factors. Audit programs can be internal or external audits. Compliance audits are often carried out by an external auditor.

The following are examples of compliance audit programs:

• The Sarbanes-Oxley Act requires that electronic communication be backed up and secured with disaster recovery infrastructure.
• The Payment Card Industry Data Security Standard (PCI DSS) mandates financial services companies that transmit credit card data to comply with its requirement.
• Publicly traded U.S. companies must report results of internal control audits to the Securities and Exchange Commission.

Advantages of an audit program

Audit plans offer advantages related to the following aspects of an audit.

• Scope. A preestablished plan limits the scope of the audit work.
• Cost effectiveness. A plan also limits the overall costs of an audit.
• Communications. An established framework for carrying out an audit helps prevent misunderstandings between the client and auditor. Audit plans clearly communicate how the audit will be done, who the auditors are and when the audit will occur.
• Trust. Audit processes that are clearly stated and accounted for help the client trust the auditor will do the job correctly.
• Evidence. Audit plans help auditors obtain evidence for their findings.
• Efficiency. Plans help teams carry out work efficiently and mitigate potential problems.

Disadvantages of an audit program

Audit plans also have disadvantages and challenges.

• Generality. Some clients may have special needs that a preformatted audit strategy ignores or doesn't fully address. Revising the plan takes time and might undermine the client's trust in the auditor.
• Update. Strategies and standards that underlie an audit plan can go out of date and require the plan to be updated. For example, if the PCI Security Standards Council, or PCI SSC, changes PCI DSS compliance requirements, then audit plans surrounding the PCI DSS must be updated to encompass the changes.
• Rigidity. A plan sets goals and agreed-upon procedures for what the audit staff must accomplish. Audit staff may not be compelled to go beyond the requirements laid out in the plan or use procedures that don't apply to the plan's goals. They might also be discouraged from using creative or critical thinking when following the automated procedures in the plan.

IT general controls audits are a good place for organizations to start looking to take a broad survey of their IT capabilities. Explore this ITGC audit template and downloadable checklist to help assess various risks to IT operations and company infrastructure.