By: Ayman Abdelrahim, MQM, CIA, CCSA, CFE

Ayman Article

Since I joined the profession of internal auditing nearly two decades ago, I read books about the preparation of a risk based  internal audit plan, the advantages of this approach, its importance and practical applications, but I was always asking is this the right way to build the plan? … Is there a better way. Also, I always asking myself the following question While the internal audit definition determines the objective of the internal audit is to add value to the organization and improve its operations, why the internal audit plan is based on risk?!!, So the plan must being prepared based on adding value rather than being built on risk ??!

In June 1999, internal auditing definition was changed, where the term “add value” was introduced for the first time and the internal audit objective was set to “add value and improve an organization’s operations.” Since then, the definition has not changed and we have not seen any books or articles talking about preparing of an audit plan based on value addition. In this article, I will introduce my thoughts on the importance of preparing an audit plan based on adding value and moving away from the traditional method of preparing the plan or as it is said “think outside the box”.

Added-Value Concept

Internal auditing standards defined “add value” as the following “The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes”. The concept of adding value is not limited to internal auditing, the basis of successful business management models are built on companies need to achieve added value to their products and services in order to ensure that it will achieving customer satisfaction and achieving greater returns.

The term “adding value” may differ from one person to another; some may see it as a business development, while others have limited traditional view as see it only limited to providing the results of the examination and verification carried out. On the other hand, the changes in the definition of internal auditing which happened in 1999 replaced the objective from “examination and verification” to “add value and improving the operations”. That means moving from a limited view to a wider view and looking from the company’s lens when selecting area for audit. This will ensure that internal audit speaks the same common language within the company and become part of it.

Delivering on the Promise

In 2015, the Institute of Internal Auditors issued a CBOK report under the name of “Delivering on the Promise – Measuring Internal Audit Value and Performance”. The report addressed the concept of adding value. The results of the report shows that (9) activities were adding value to the organization. The most value to the organization came from “assuring on the adequacy and effectiveness of the internal control system”. The second most value was “Recommending business improvement” which is unusual for internal audit because internal audit consideration usually limited to a control perspective only.

Evolution of internal audit maturity

Over the decades, the internal audit profession and the process of preparing the plan have evolved. The maturity of the audit plan process has been directly linked to the audit methodology and approach followed. The following is a simple analysis of these phases:

  • Initial Audit Phase – Inspection: Auditing practices at this phase are characterize by direct reliance on simple auditing practices aimed to ensure compliance with the criteria set without looking further. The audit plan at this phase very simple, depend on the size of the company’s activities and covered all organization’s activities. At this phase, the internal audit ability to influence the company is very limited.
  • Mature Audit Phase – Process based Audit: Audit practices at this phase are characterize by direct audit of process design; and ensure the adequacy and effectiveness of controls. The audit plan at this phase is simple, depends on the volume of operations and includes comprehensive operational coverage. The internal audit ability to influence the company is limited to operations only.
  • Developed Audit Phase – Risk Based Audit: The audit practices at this phase provide assurance about the effectiveness of risk management. The plan is characterize by risk factors that influence the choice and prioritization of audit engagements. At this phase, the internal audit ability to influence the company is much greater than the previous phase, but only limited to internal audit perspective.
  • Advanced Audit Phase – Added-value based audit: Audit practices at this phase are characterize by future-focused and insight, as required by the new internal audit principles, and preparation of the plan is based on the success factors of the company, taking into consideration the risk assessment and not relying solely on it. At this phase, the internal audit ability is very influential in the company so that will become as a trusted advisor.

With this simple analysis, you can know which phase your internal auditing practices have reached, also you can set a goal for the development and progress to new phase to make a greater impact on your organization.


Risk based audit plan

If you asked any professional internal auditor about the best ways to prepare an internal audit plan, the first thing that comes to mind to answer your question is a risk-based plan. Although there is no uniform way to build the plan, different practices are similar only to the name, there are no correct approach and wrong approach, but each method depends on the judgment and meet the requirements of internal audit and stakeholders in some cases.

Perhaps the most effective approach to risk-based planning is the internal audit standards as it clearly stated in the standard No. 2010 (Planning) that a risk-based audit plan must be develop. I believe that standard 2010 may not be consistent with the previous standard No. 2000, related to managing the internal audit activity, which stated the importance of internal audit effectiveness to ensure the addition of value. How can a value be added if the audit plan is based on risks without taking into account the internal audit objective of adding value? !!

An audit plan based on adding value

The internal audit plan is the cornerstone that determines whether internal audit is effective or not, selecting influential auditing engagements that serve the company and achieve the required from the internal audit is one of the most difficult decisions to be made by the CAE.

A value-added plan must take into account value-creation activities that encourage positive outcomes as well as value-protection activities that deter the negative events. Production, sales and after-sales activities are some of the activities that add value to the company’s products. However, Inspection, quality control, risk management and compliance are examples of value-protecting activities. In order to achieve a comprehensive plan, the activities that add value to the company and the activities that protect it must be balanced within the audit plan, it is not necessary that the higher risk activities are the most important to the company. Here are the basic steps to setting up an audit plan based on adding value:

  • Review value-adding strategy of the company and considered it as one of the inputs to during the preparation of the plan.
  • Take the stakeholder opinion regarding the identification of activities that add value to the company and the activities that protect the value.
  • Identify the audit universe and classify it into activities that value-creation and value-protecting activities.
  • Divide the audit universe by type of evaluation (risk management, control, governance).
  • Identify the factors on which the audit priorities will be assessed (factors must consider the importance to the company and the importance to the audit).
  • Determine the evaluation criteria for the factors that will rely upon in priority setting.
  • Take the stakeholder opinion regarding the method of preparing the plan and the factors to be relied upon.
  • Evaluate the audit universe, prioritize auditing universe, select audit engagements and get the approval of the plan.

Finally, I am convinced that a risk-based plan is necessary to prioritize the audit, but it is time to changing the traditional way of preparing the internal audit plan that extend for two decades and walk a step forward towards achieving the main objective of internal audit which is ” add value and improve an organization’s operations”. In addition, move to a new level of maturity may open the door for internal audit to be more effective.