The goal of an audit program is to create a framework that is detailed enough for any outside auditor to understand what official examinations have been completed, what conclusions have been reached and what the reasoning is behind each conclusion. The framework should explain the audit's objectives, its scope and its timeline. The audit program should also describe how working papers -- the documented evidence of the audit -- will be collected, reviewed and reported.
Objectives of audit programs
When developing an audit program, the internal auditor and its associated audit team should start with outlining the audit's objectives, goals and obligations.
Audit program objectives help direct planning of the audit report and are based on the policies, procedures and guidelines unique to the company. These objectives may relate to and outline how the auditors will maintain efficiency, professionalism and a specific code of conduct during audit procedure.
In addition to relevant regulatory compliance mandates, objectives for audit programs should consider aspects such as management priorities, business intentions, system requirements, business structure, legal and contractual mandates, the expectations of customers and other interested parties, potential risk management vulnerabilities, and any corrective action taken based on previous audits.
Preparing an audit program
Audit program details are specific to individual organizations based on their unique needs, but audit plan preparation will consider the audit's relevant regulatory deadlines, staff requirements and reporting structure, and overall goals. In particular, these goals will consider how the company will maintain regulatory compliance via risk assessment and management procedures. The audit program should also include a timeline detailing when specific aspects of the audit program should take place and how they should be prioritized.
Audit program planning is usually a continual and iterative process. During audit planning and development, companies can build on lessons learned from previous audits by implementing newly learned best practices that alleviate risk and maintain compliance. Audit development guidelines and best practices vary by industry, but local and regional auditing certifications are available, as are internationally recognized audit certifications. These certifications include Certified Internal Auditor and Certified Information Systems Auditor, and membership in the International Register of Certificated Auditors.
Types of audit programs
Different types of audit programs include standardized audit programs, tailored audit programs and compliance audit programs. Standardized audit programs, which are available for many different industries, can be used proactively to help an organization create its own internal compliance framework and internal audit program. For example, the International Federation of Accountants publishes financial audit standards called the International Standards on Auditing. A standardized audit program is different than a fixed audit program, which is defined as an audit program that cannot be changed during the course of an audit.
Tailored audit programs are different from standardized audit programs in that they cater audit procedures to match specific needs of the auditing entity. These audit programs are "tailored" to reference specific areas such as business procedures, legal documents and assets. By targeting these specific requirements through tailored audit programs, the company can more quickly identify potential compliance lapses and develop internal controls to offset these vulnerabilities.
A compliance audit program outlines how an organization will adhere to regulatory guidelines. The details of compliance audit program will vary depending upon factors such as whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, Sarbanes-Oxley Act requirements state that electronic communication must be backed up and secured with disaster recovery infrastructure, while financial services companies that transmit credit card data are subject to Payment Card Industry Data Security Standard (PCI DSS) requirements. In the Unites States, publicly traded companies must report results of internal control audits to the Securities and Exchange Commission (SEC). In each case, an organization's audit program outlines how the company will maintain compliance with regulatory compliance rules.