It’s Time to Ditch the Annual Audit Plan

So says Hal Garyn in his latest article for Internal Audit 360°.

I agree.

Both Richard Chambers and I have been preaching that we should “audit at the speed of risk”, as well as at the speed of the business, for a long time. In fact, my last internal audit book was Auditing at the Speed of Risk with an Agile, Continuous Audit Plan (rated 4.4/5 on Amazon) and Richard wrote The Speed of Risk: Lessons Learned on the Audit Trail.

Hal explains it very well and if you haven’t already seen his piece, rush to read it!

He clearly agrees with what I said in the description of my book:

We need to stop auditing the past and turn towards auditing what matters today and will matter in the future.

This new book by Norman Marks, globally recognized as one of the most influential thought leaders in internal auditing, builds on his previous publication, Auditing that Matters (rated 5 stars on Amazon). It explains the value and practice of updating the audit plan continuously.

Risks and business conditions change all the time, so an annual plan, or even one that is updated quarterly, won’t lead to auditing what matters today. You audit what used to matter.
We need to audit at the speed of risk and the business.

That requires making sure you understand changes in risk and the business as they happen, anticipate the risks the business and its leaders will face in the coming period, and update the audit plan accordingly.

Rather than an audit plan that is annual, semi-annual, or even quarterly, it needs to be updated on a far more continuous basis – at the speed of risk. A rolling audit plan that reflects what should be audited now and soon helps an internal audit activity remain both relevant and valuable.

Norman Marks dives into practical guidance on risk assessment, what should be in the audit plan, how to communicate it, and more.

He shares detailed examples of audit plans from three of his companies, as well as many stories about specific situations and how the continuous approach led to audits that delivered huge value to executives and the board.

Norman was privileged to have a review board of distinguished practitioners and leaders of the profession, who made sure this book will lead internal auditors towards the goal of world-class performance.

Hal has some solid suggestions on how to move to a continuously updated plan:

  1. Establish the annual audit plan, knowing it will undoubtedly change, on leveraging the resources available to the internal audit department (both on-staff resources and co-sourcing dollars) based on the risk assessment.
  2. Present the first three to six months of your plan to the audit committee with some level of certainty on these planned projects.
  3. Update the audit committee on what could or is changing as time goes on, with the rationale for what internal audit wants to add and what could be deferred.
  4. Start to prepare the audit committee to expect changes in the audit plan to more of a rolling quarterly plan as time goes on.

In my experience (I had a rolling three-month audit plan at my several companies during my 20-year tenure as a CAE), both management and the board recognize the value and need of an audit plan that adapts as risks and value change.

So I join Hal (and Richard) in advising everybody to ditch the annual plan. Be agile. Adapt and make sure you are addressing the enterprise risks of today and tomorrow.

I welcome your thoughts.

  1. May 2, 2024 at 10:31 AM

    Thanks for the shout out Norman!

  2. Anonymous
    May 4, 2024 at 2:19 PM

    The standards unfortunately prescribe an annual audit plan and risk assessment. Yes, there are ways to manage past that to ensure you comply. Thing is, the business environment has changed and technology advanced, impacting business models and delivery means for products or services. Should adapt depending on the needs of the organization you are within. I have also run into audit committee members who are still stuck on annual planning. Think the real purpose of why you have an audit plan should not be lost.

    • Anonymous
      May 4, 2024 at 2:23 PM

      The Standards (new) do not require an annual plan, but a risk assessment at least annually and an audit plan.

    • Norman Marks
      May 4, 2024 at 4:47 PM

      Conform only where it makes sense in your business.
