The audit planning process begins with the development of an enterprise-wide model of all possible auditable areas. The audit universe, as it's known, includes major organizational units, processes, systems and control structures of the organization. This model is never finished, but is critical to ensure all the major areas have been considered.
The audit bin is the collection of audits that could/should be done at some point. They are extracted from the audit universe based on risk, opportunity, common sense and management request.
Internal Audit routinely analyzes the following to develop the universe and audit bin:
- Comprehensive Annual Financial Report, budget and other important documents
- Table of Organization
- Engineering’s Project Dashboard and top 25 projects
- Strategic Plan, key initiatives and Lean value stream assessments
- IT roadmap and project tracker
Internal Audit also takes the following actions:
- Obtain director and senior leader input
- Reference major industry-recognized governance models, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and Control Objectives for Information and Related Technologies (COBIT).
- Interview Board of Water Commissioners
Key Risk Framework
In the development of Denver Water’s audit plan, Internal Audit used a Key Risk Framework developed by Denver Water's divisions. Each division, as part of the Enterprise Risk Management process, maintains an understanding of their top operational risks. Additionally, Internal Audit interviews each Board of Water Commissioner to understand their concerns and risks, and then incorporates them into the risk assessment. Having a key risk framework allows Internal Audit to evaluate risk on organization-specific terms.
Each of the items in the Audit Bin is risk-assessed based on six criteria. The criteria are:
- Financial exposure
- Business exposure
- Management request
- Reputational exposure
(Note: More complete definitions are available.)
Using the results of the risk assessment, the Audit Bin is sorted from highest risk to lowest risk. Then, the top 40 potential audit areas are extracted into a workable set. Audits are selected from the top 40 to fit the coverage targets.
An effective audit plan should cover a broad enough view of the organization’s control environment to support an enterprise-wide audit opinion. As such, it is important that an effective mix of audit areas be included in the plan. Ensuring broad coverage is done using organizational coverage targets. These coverage targets help Internal Audit avoid spending too much time in any one area of the organization.
Audits on Plan
Applying the coverage targets to the set of top 40 audit areas yields the set of audits on the audit plan. The plan represents the set of audits, including several alternates that the Internal Audit team intends to complete each year. The plan is reviewed by the CEO and approved by the Board of Water Commissioners in the fall of each year. The Chief Internal Auditor has broad discretion, however, to revise the plan and advise the Board of changes.
This plan does not include any investigative work that might be prompted by the Ethics Hotline or from other sources, but it does anticipate some staff time being used for these purposes.
The final step of the planning process is to agree to the timing of each engagement with the subject area and create a workable audit schedule. Determining the exact scope of each audit is an iterative and exploratory process that involves substantial discussion with the management of the subject area.