Why is it so hard for Internal Auditors to plan an audit from scratch? 

‍

This is a common pain point for Internal Audit leaders. Their teams often struggle to plan new or non-routine audit projects. They treat it like SOX, or suffice with basic audit plans and generic test steps pulled from the internet or Chat GPT. The audit plans aren’t tailored to the company, and they don’t reflect how the area being audited connects with enterprise risk. 

‍

When this pain point came up again during a recent Internal Audit Collective roundtable, we realized the root cause may actually be pretty simple. 

‍

It may be less about what staff, seniors, or supervisors ARE doing, and more about what Internal Audit leaders are NOT doing.

‍

Specifically, Internal Audit leaders may not be providing sufficient context, information, instruction, or feedback to make sure audit planning effectively addresses several key questions:

‍

• Why was the audit scheduled? 
• What does the audit customer want from the audit? 
• What does “good” look like for the process being audited? 
• What other risk, assurance, and controls work is being performed in the area, and how does that impact scope? 

‍

Critical thinking is vital for effective audit planning and scoping. Creating targeted audit programs that support your organization’s success requires Internal Audit teams to move beyond rigid approaches focused solely on documenting processes, identifying risks, and testing controls. 

‍

There’s so much more to the story. 

‍

Fortunately, it’s not hard to course-correct. Following these four practices can help your team be more effective in planning audits from scratch. 

1. Understand the Audit Rationale and Scope

Internal Auditors are usually good at documenting low-level risks. Where they can struggle is in associating those risks with enterprise risks. How can they audit what matters if they don’t know why the process being audited matters to the organization?   

‍

They can’t. 

‍

That’s why Internal Audit leaders need to help their teams understand critical aspects of pre-planning such as: 

‍

• Audit rationale. Why is it part of the audit plan (e.g., management request, need related to a significant business change)? How does the audit focus tie back to enterprise risk? What outcome does the CAE want? 
• Business objectives. What is the audit customer hoping to get from the audit? While their objectives won’t necessarily dictate scope, they should inform it. In my experience, the number one reason audits tend to go long is because auditors didn’t validate what the audit customer was hoping to achieve. So, before getting started, make sure you validate your understanding of the underlying business problem the audit customer is trying to solve.
• Basic audit scope. Internal Audit leaders should provide teams with clear initial direction on scope, offering a basic map that they’ll go out and fill in with more detail. 

2. Engage the Enterprise

Risk knowledge is spread across the business. Getting a better understanding of risk requires bringing that information together. This is a core concept behind connected risk. 

‍

That’s why planning an audit from scratch includes engaging the enterprise, with research involving both internal and external stakeholders. Internal Audit leaders should direct the team toward stakeholders who can provide relevant information to help shape and scope the audit project. 

‍

The overall goals are to (1) get as complete an understanding as you can of the process or area being audited, and (2) start understanding what “good” and “great” look like.

‍

That means casting a wide net to get all the right fish — I mean, all the right information. You should:

‍

• Look at your assurance map. Who are all the stakeholders involved in the area being audited? What have they already done, if anything, that may impact the scope of your audit? Other teams may already be performing risk assessments or providing assurance. Instead of performing control testing, can you validate work already done to see if you can rely on it? 
• Talk with internal subject matter experts, including people upstream and downstream from the process being audited. As long as they’re independent, they can provide valuable perspectives on the process, including what controls are acceptable to manage the same or similar processes in other parts of the business. In particular, make sure you’re talking with Risk Management, Compliance, Information Security, and Data Governance. 
• Bring in external subject matter experts. When I was a CAE, leveraging external expertise proved to be the single most important factor in our audit projects’ success. It helped my teams increase our impact and strengthen our reputation.

‍

In today’s risk environment, consistently dedicating time to structured conversations with a broader group of stakeholders can give Internal Audit a critical advantage. These simple conversations can yield invaluable insights. 

‍

3. Don’t Just Test Controls — Test FOR Control

As I mentioned, many Internal Auditors creating risk-based audit programs start with the core goals of documenting processes, identifying risks, and testing controls. 

But there’s a big difference between testing controls and testing FOR control. The difference lies in COSO’s Internal Control — Integrated Framework, which outlines five components essential to effective internal controls.

Control testing is only one component. If teams stop there, they’re missing a huge part of the big picture. Using all five to scope an audit project allows Internal Audit to test for control — assessing how well-controlled the process is — instead of just testing control activities. 

In overview, COSO’s five internal controls components are:

• Control environment. Do they have standards, processes, and structures in place (e.g., a good tone at the top) that create a foundation for ethical action, integrity, and effective governance?
• Risk assessment. Do they have a dynamic process in place to periodically assess their own risks? Do they use that process to organize and prioritize their own risk activities?  
• Control activities. What control activities (established through policies and procedures) are in place to ensure that management’s risk mitigation directives are being carried out effectively? This is where Internal Auditors typically focus. 
• Information and communication. Do they have a process in place to ensure that processes’ data inputs and outputs are reliable, information is flowing where it’s supposed to (i.e., internal and external reporting lines), and the process is doing what it’s supposed to do?
• Monitoring activities. Do process managers and owners have ongoing self-monitoring processes that enable them to pre-audit internal controls and remediate self-identified issues?

Testing for control isn’t all or nothing. It’s just about understanding how well-controlled a process is, helping you better target and shape your audit program. 

Make sure your team embeds assessment procedures over all five areas.

4. Iterate the Audit Program

Effective audit planning isn’t a linear checklist. It’s a cyclical, iterative process. If it looks like you’re running in circles, that may actually be a good thing. 

‍

Once Internal Audit teams have all of the above inputs, they’re ready to put pen to paper. But they’re still not doing the work all on their own. This part of the process should also be collaborative. 

‍

Sure, the team can crank out v.1 of an audit program and a risk and control matrix. But v.2 requires brainstorming with the audit manager and other team members, and v.3 comes from validating the more detailed scope with the audit customer. 

‍

Then it’s imperative for teams to meet again with the CAE to validate the scope. CAEs can be a fickle bunch, and things can change. So, before kicking off fieldwork, make time for one last check to ensure everyone is on the same page. 

‍

At this point, you’re at v.4 — at minimum. 

‍

Anyway, iteration and feedback cycles don't end when fieldwork begins. Agile auditing embraces ongoing iteration and feedback to stay in lockstep with leadership’s expectations and the organization’s strategy and priorities.  

Plan for Improved Relevance, Alignment, and Value

Next time your team is planning an audit from scratch, make sure you’re setting them up for success. 

‍

Following these four simple practices can help Internal Audit teams ensure that new and non-routine audits focus on what matters, harness risk information from across the business, and stay aligned with business goals and expectations. 

‍

You’ll also reduce the delays that often take place between the end of fieldwork and issuance of the final audit report. 

‍

Plus, following these four practices achieves another hugely valuable outcome. A more efficient Internal Audit team that’s better aligned to the business will get pulled in to more special projects, have a higher number of management requests, and be much more likely to enable positive change in their organization.

‍

Did this article resonate with you? Consider asking your Internal Audit leader to send it to the entire team to review and take action on. If you'd like to discuss and benchmark your planning processes in more detail, join the Internal Audit Collective! We host regular roundtables and a dedicated community space with ongoing discussions on audit methodology topics.