If you're like most auditors out there, creating an audit work program from scratch is a daunting task, even under the best of circumstances. Striking the balance between summary and detail while at the same time trying to satisfy the idiosyncratic likes and dislikes of your boss can be truly challenging, to say the least. Rest assured, however: you're not alone. Creating an effective audit work program takes years of practice and experience. Fortunately, there are many auditors out there who have traveled down this path before and can lend you the benefit of their expertise, saving you valuable time and needless frustration. Having said this, there is one thing that most senior auditor-types will agree on: having an effective framework and some sound advice at your fingertips can go a long way towards consistently generating high-quality risk-based internal audit work programs.

Let's start with a general discussion about the purpose and objective of an audit work program in order to clarify the goals that you are hoping to achieve. An internal audit work program is used to guide you or your staff through the audit process and ensure thorough and complete coverage and documentation of the audit itself. In general, it should illustrate the overall work performed, the work paper references for any applicable support papers, the person who performed the work, the person who approved the work, and any applicable summarization notes needed to clarify points and/or results along the way. As a general guide, the individual steps or actions of your audit will be laid out down the left-hand column of your program, and the work paper references, auditor initials, approvals, and any summary notes will be represented by subsequent columns, creating a matrix or table-like effect for your program. For this reason, many work programs are often created in table or spreadsheet formats like Microsoft Word or Excel.

Next, let's address the general framework and methodology of the generic audit program. Your audit work program should broadly follow the flow and methodology of a typical risk-based internal audit engagement. In terms of methodology, most internal audits generally follow an iterative series of steps that approximate the following:

1. Understand and document the processes and procedures of the function or area being audited.
2. Define the objectives of the area or function being audited.
3. Define the risks or threats to the achievement of those objectives.
4. Understand the controls in place to mitigate the risks to an acceptable level or the control weaknesses that exist in support of the risk.
5. Test the controls for adequate design and operating effectiveness and/or quantify the impact of control weaknesses or gaps.
6. Report your findings and offer recommendations for control and/or operating efficiency improvements.
7. Monitor and report managerial mitigation efforts for control weaknesses identified that were outside of management's risk tolerance level.

These processes or steps generally fall into one of four buckets or stages typically associated with the internal auditing process: Planning, Fieldwork, Reporting, and Follow-Up. Aligning the activities within your audit program with these categories and steps will help to ensure thorough and diligent completion of the entire audit cycle.

Remember, too, that the audit work program is only a guide and is not intended to be a static document. The activities and tests that you perform throughout the audit cycle are bound to deviate from the original plan based on the results of your audit work. Don't be afraid to stray off the path as long as you evaluate your activities in light of your overall objectives, maintain perspective on your resource limitations, and communicate the nature of your activities to your supervisor or manager.