Historically, audit plans have been based on a calendar or physical year. At the end of each year, internal audit (IA) conducts risk assessments and maps out the audits for the following year. The plan is presented to the audit committee for approval and followed throughout the year.
It is static and rigid, unable to address risks as they arise during the year, and IA is judged on completion of a plan rather than the identification and evaluation of risks that may impact business objectives.
A dynamic audit plan takes a longer-range view and adapts to changing business cycles, regulatory demands and economic environments. Migrating from a static to a dynamic plan requires three key steps.