3 Key Steps to Migrating to a Dynamic Audit Plan

It is static and rigid, unable to address risks as they arise during the year, and IA is judged on completion of a plan rather than the identification and evaluation of risks that may impact business objectives.

A dynamic audit plan takes a longer-range view and adapts to changing business cycles, regulatory demands and economic environments. Migrating from a static to a dynamic plan requires three key steps.

1. Adjust the risk assessment process. For a static plan, risk assessments are generally conducted once a year at the end of the plan year. For a dynamic plan, risk assessments are conducted throughout the year when and audit is completed or an economic or regulatory event has occurred.
   
   Each of these cases could impact the risk rating of the auditable entity. The impact could be positive, lowering the risk rating, or negative, raising the risk rating. Either way, IA can evaluate how events are impacting the audit universe in near real time. The audit team will become more efficient. And, the chief auditor can include other events such as a change in strategic objectives, sale/acquisition of a business unit, or other situations that may be appropriate for the size and complexity of the organization.
   
   At the end of the year, a risk assessment process will still be required, as all auditable entities need to be evaluated at least annually. But only on those auditable entities that have not been assessed during the year, which leaves more time to focus on completing the audit plan for the current year.
2. Audit plan construction and management. Migrate the audit plan from an annual plan to one that evolves over time. In order to maintain flexibility, use a three-year rolling plan in which high-risk auditable entities are audited every 12 months, medium-risk entities every 24 months and low-risk entities every 36 months.
   
   A three-year plan shows complete audit coverage for every auditable entity in the audit universe. It also supports the staffing analysis and plan to show how resource requirements ebb and flow over time. Finally, a three-year plan provides flexibility to adjust to changes in the risk ratings of the auditable entities. When risk ratings change, the impact on the plan can be visualized and the chief auditor can demonstrate how those changes are managed.
   
   The rolling three year audit plan is always a work in progress. It’s a living, breathing document that enables a proactive audit approach and the flexibility to adjust to the business environment.
3. Audit committee reporting. A dynamic audit plan requires more attention from the audit committee. Changes will need to be presented and explained each quarter, as opposed to approving the plan at the beginning of each year and tracking its progress. But the committee has more opportunities to ask questions, providing a higher level of transparency and continuously demonstrating that IA is meeting its mission and fulfilling its charter.
   
   As the IA profession and audit methodologies continue to mature, dynamic audit plans will become more prevalent within a risk-based process. They allow auditors to adjust to changing environments, drive efficiency in resource management, focus on evolving risks, and provide a higher level of transparency and oversight for the audit committee. As IA strives to become more risk focused it will be imperative to build audit plans that can ensure auditable entities are properly risk assessed and audited within an appropriate schedule. This will requires migrating from static audit plans to ones that are more flexible.