Chapter 07. Internal Audit Planning and Strategy

07.02. Defining Objectives and Scope of Audits

Credit: Photo by fauxels from Pexels, used under the Pexels License.

Key Questions

Briefly reflect on the following before we begin:

  • How do internal auditors establish clear and measurable audit objectives?
  • What factors influence the scope of an internal audit, and how is this scope determined?
  • How can preliminary assessments aid in defining the objectives and scope of audits?
  • Why is it essential to communicate audit objectives and scope to stakeholders?

In internal audit planning and strategy, defining clear and measurable audit objectives is foundational to conducting effective audits. This section delves into the intricacies of setting audit objectives and delineating the scope of audits, both of which are essential steps that lay the groundwork for a successful audit engagement. Establishing clear and measurable audit objectives guides the audit process and ensures that efforts are directed toward achieving specific outcomes. These objectives are benchmarks against which audit findings and recommendations are evaluated, providing clarity and focus throughout the audit engagement.

Determining the scope of audits involves defining the depth and breadth of areas to be examined within the audit engagement. It entails identifying the key processes, functions, or activities to be reviewed, as well as defining any boundaries or limitations that may impact the scope of the audit. Discussions around scope limitation and audit focus help optimize audit resources and ensure that audit efforts are directed toward areas of highest risk and significance. Preliminary assessments define the scope by providing insights into potential focus areas and helping auditors prioritize their efforts. Communicating audit objectives and scope to stakeholders ensures transparency and alignment, confirming that all relevant parties understand the goals of the audit and the areas that will be examined. Moreover, aligning audit objectives with risk and control frameworks ensures that audit efforts are targeted toward addressing critical risks and evaluating the effectiveness of internal controls. This alignment enhances the relevance and value of audit findings, enabling organizations to mitigate risks and strengthen their control environment.

Internal Audit in Action

Background

RetailGiant Canada, a national retail company, plans to significantly expand its operations by opening new stores in previously untapped markets. The internal audit function recognized the need to conduct an audit focusing on the expansion strategy’s viability, risk management practices, and operational readiness.

Challenge

The challenge was to define precise audit objectives that would provide valuable insights into the strategic and operational aspects of the expansion while setting a scope that was comprehensive yet manageable within resource constraints.

Action Taken

  • Establishing Clear Objectives: The audit team, led by the CAE, identified key objectives for the audit, including assessing the effectiveness of market analysis processes, the robustness of supply chain expansion plans, and the adequacy of risk management practices related to expansion.
  • Determining the Scope: The scope was carefully designed to include reviews of strategic planning documentation, interviews with key stakeholders involved in the expansion, and analyses of risk assessment and mitigation strategies. It was decided to focus on selecting pilot locations for a more in-depth examination.
  • Preliminary Assessments: Before finalizing the scope, the audit team conducted preliminary assessments to identify critical areas that required immediate attention or could significantly impact the expansion’s success.
  • Communicating with Stakeholders: The objectives and scope of the audit were communicated to relevant stakeholders, including senior management and the board, to ensure alignment and gather additional inputs.
  • Alignment with Risk Frameworks: The audit objectives were closely aligned with the company’s overall risk and control frameworks, ensuring that the audit would provide insights relevant to strategic decision-making and risk management.

Outcome

The audit provided RetailGiant Canada with critical insights into the strengths and weaknesses of its expansion strategy, identifying areas where risk management practices could be enhanced and operational plans needed adjustments. The focused scope allowed the audit team to delve deeply into the most significant areas, providing valuable recommendations that helped RetailGiant Canada refine its approach to future expansions.

Reflection

This scenario illustrates the importance of clearly defining audit objectives and scope to ensure internal audits are both practical and efficient. By aligning the audit with organizational strategies and risk priorities, RetailGiant Canada’s internal audit function delivered actionable insights that supported strategic objectives and improved risk management practices.

Establishing Clear and Measurable Audit Objectives

Establishing clear and measurable audit objectives is fundamental to the success of any audit engagement because they serve as the guiding principles that direct the audit process, ensuring that auditors focus on areas of most importance to the organization. Clear objectives provide a framework for auditors to assess the effectiveness of controls, identify improvement areas, and ultimately provide valuable insights to stakeholders.

Clear audit objectives are specific, outlining the intended outcomes and deliverables of the audit. They should precisely define what the audit aims to achieve, such as evaluating compliance with regulatory requirements, assessing the effectiveness of internal controls, or identifying opportunities for process improvement. By clearly defining the objectives, auditors can align their efforts with the organization’s strategic goals and priorities. Measurable audit objectives are essential for assessing the success and impact of the audit. Measurability enables auditors to quantify the expected results and outcomes of the audit, allowing for meaningful evaluation and comparison. Measurable objectives may include criteria such as the percentage of compliance achieved, the number of control deficiencies identified, or the cost savings realized through process improvements. By establishing measurable objectives, auditors can demonstrate the value of their work and track progress toward achieving audit goals.

Moreover, clear and measurable audit objectives facilitate stakeholder buy-in and support. When stakeholders understand the purpose and expected outcomes of the audit, they are more likely to actively engage with the audit process and provide necessary resources and cooperation. Effective communication of audit objectives helps build trust and confidence among stakeholders, enhancing the overall effectiveness and impact of the audit. Furthermore, clear and measurable audit objectives provide a basis for planning and executing the audit. They inform the development of audit programs, procedures, and testing methodologies, ensuring that audit activities are aligned with the intended goals and objectives. By adhering to clear objectives throughout the audit process, auditors can maintain focus, optimize resource utilization, and achieve meaningful results.

Determining the Scope: Depth and Breadth of Audits

Determining the scope of an audit involves defining the extent and range of audit activities, which directly influence the effectiveness and comprehensiveness of the audit. The scope encompasses the depth and breadth of audits, ensuring that auditors cover the necessary areas comprehensively to meet the established audit objectives. Here’s a closer look at how to determine the scope of audits, focusing on their depth and breadth.

The depth of an audit refers to how thoroughly individual areas, processes, or controls are examined. It involves deciding on the level of detail and rigour with which these elements will be assessed. Depth is influenced by several factors, including the risk associated with the audit area, previous audit findings, changes in operations or systems, and the significance of the process to the organization’s objectives. A deeper audit might involve detailed testing of transactions, in-depth analysis of processes, and extensive examination of controls to ensure their effectiveness. On the other hand, the breadth of an audit determines the range of areas, functions, or systems that will be covered. It encompasses the variety and number of aspects to be audited within the organization. The audit’s objectives typically guide the breadth of the organization’s risk landscape and the need for a holistic understanding of governance, risk management, and control processes. A broader audit scope may cover multiple departments, processes, or geographic locations to provide a comprehensive view of the organization’s operations and risks. Balancing the depth and breadth of audits is crucial for ensuring that the audit is efficient and effective. Auditors must allocate resources to thoroughly examine high-risk areas (depth) while guaranteeing the audit covers all relevant aspects of the organization’s operations (breadth). This balance is achieved through careful planning, risk assessment, and prioritization of audit areas.

Several factors influence the determination of audit scope, including:

  • Organizational Objectives and Strategy: Understanding the organization’s goals and strategic priorities helps align the audit scope with what is most significant to the organization.
  • Risk Assessment: A comprehensive risk assessment identifies areas of high risk that may require more in-depth or broader coverage.
  • Regulatory Requirements and Compliance Needs: Certain laws, regulations, or standards may dictate the need for specific areas to be audited.
  • Stakeholder Expectations: Expectations from the board, management, and other stakeholders can influence the audit’s depth and breadth.
  • Resource Availability: The availability of resources, including time, personnel, and technology, impacts the depth and breadth of an audit.

While we aim to cover as much ground as possible when planning an audit, there are practical limitations to what can be achieved within a single audit. Recognizing and addressing scope limitations and effectively focusing the audit efforts are essential for ensuring the audit remains valuable and impactful. Here are vital considerations for managing scope limitation and audit focus:

Resource Constraints

One of the most common limitations to the scope of an audit is the availability of resources. This includes the number of skilled auditors available and their time and budget constraints. Resource constraints require auditors to prioritize areas of the audit to focus on high-risk or high-impact areas, ensuring the most efficient use of available resources.

Access to Information

Access to necessary information can limit the scope of an audit. Restrictions might be due to confidentiality concerns, legal limits, or operational barriers. Auditors need to plan for these limitations by identifying alternative sources of information or adjusting the audit scope to cover areas where data is accessible.

Expertise

The complexity of certain areas may require specialized knowledge or expertise that the audit team needs to gain. This limitation might narrow the audit’s scope to areas where the team has the requisite knowledge or prompt the inclusion of external experts in the audit plan.

Time Constraints

The time available to complete an audit can significantly impact its scope. Tight deadlines necessitate focusing on key risk areas and processes rather than a comprehensive evaluation of all aspects of the organization. This requires strategic planning to maximize the audit’s impact within the available timeframe.

Risk Assessment

The risk assessment process can lead to scope limitation by identifying and prioritizing areas of highest risk for detailed examination. While this ensures that the audit focuses on the most critical areas, it may also mean that lower-risk areas receive less attention or are excluded from the current audit cycle.

Stakeholder Expectations

Stakeholder expectations can both broaden and limit the audit scope. Understanding what stakeholders expect from the audit helps align the audit focus with their concerns. However, it might limit the scope if expectations are too narrowly defined or focus on specific areas.

The Role of Preliminary Assessments in Defining Scope

Preliminary assessments serve as the foundational step in the audit planning process and involve gathering initial information and insights about the audit subject to guide the development of the audit plan. These assessments are typically conducted at the outset of the audit planning phase and involve various activities such as reviewing documentation, conducting interviews with key stakeholders, and analyzing relevant data.

One of the primary purposes of preliminary assessments is to identify critical risks associated with the audit subject. By conducting a thorough evaluation, auditors can gain insights into potential risks that may impact the organization’s objectives, operations, or financial health. This risk identification process ensures that audits are targeted toward areas of highest-risk exposure, where the most significant value can be added. Additionally, preliminary assessments help auditors understand the control environment within the audit subject. This involves assessing the effectiveness of existing controls in mitigating identified risks. By evaluating control strengths and weaknesses, auditors can determine areas where additional audit focus may be required to assure management.

Another critical aspect of preliminary assessments is identifying areas for further examination. Based on the assessment findings, auditors can pinpoint specific areas or processes that warrant deeper scrutiny during the audit. This ensures that audits are targeted toward areas of significance to the organization, with the highest potential for detecting errors, inefficiencies, or fraud. Furthermore, preliminary assessments inform the development of the audit scope. The insights gathered during the assessment phase help auditors define the boundaries of the audit, determining which areas or processes will be included and excluded from the audit scope. This ensures that audits address the most significant risks and objectives while considering practical constraints such as time and resource limitations.

Communicating Objectives and Scope to Stakeholders

Effective communication of audit objectives and scope to stakeholders is vital in the audit planning process and is a crucial skill for students to master as future internal auditors. It involves clear, targeted, and strategic communication to ensure all stakeholders understand an audit’s purpose, focus, and limitations, which sets the foundation for cooperation and facilitates a smooth audit execution.

Firstly, auditors need to identify the key stakeholders. These often include senior management, the board of directors, department heads, and sometimes external regulators. Each stakeholder’s interests and concerns regarding the audit must be understood to tailor communications effectively. This approach helps address specific needs and alleviate apprehensions about the audit process.

Once stakeholders are identified, developing a structured communication plan is essential. This plan should detail the timing and methods of communication, such as meetings, emails, or formal reports, and ensure that all communications are scheduled at appropriate times throughout the audit process. Clear articulation of the audit objectives is crucial; stakeholders must understand what the audit aims to achieve, how these objectives align with the organization’s broader goals, and the expected benefits of the audit. This clarity not only manages expectations but also demonstrates the strategic value of the audit.

The scope of the audit should be outlined comprehensively, detailing the areas that will be examined, the depth and breadth of the examination, and any limitations that might impact the audit. Discussing the scope openly helps stakeholders understand the focus areas and the rationale behind scope decisions, including any resource constraints or regions excluded from the audit. Transparent discussions about scope limitations are essential to manage expectations and mitigate potential misunderstandings about the audit outcomes.

Communication should not be one-way; fostering a two-way dialogue where stakeholders can express their thoughts, concerns, and suggestions is essential for a participative approach. Providing opportunities for feedback allows the audit process to be more inclusive and can uncover additional insights or risks that may require attention. Moreover, reinforcing the confidentiality and independence of the audit process builds trust, ensuring stakeholders feel secure in sharing sensitive information. Finally, regular updates and follow-up communications throughout the audit process are necessary to keep stakeholders informed about progress, preliminary findings, and any adjustments to the audit scope. Celebrating successes and recognizing milestones can also help reinforce the benefits and positive outcomes of the audit process.

Aligning Audit Objectives with Risk and Control Frameworks

Aligning audit objectives with an organization’s risk and control frameworks helps ensure that internal audits effectively manage risks and strengthen controls. This alignment enables the audit function to focus on critical areas for the organization’s risk management strategies and control environment, thereby adding significant value.

Exhibit 7.1 shows the steps by which such an alignment is typically accomplished. The steps are explained further in the discussion that follows the exhibit.

Flowchart showing steps to align audit objectives with risk and control frameworks.
Exhibit 7.1: Aligning audit objectives with an organization’s risk and control frameworks
  1. Understanding the Organization’s Risk Management Framework: The first step in aligning audit objectives with risk and control frameworks involves understanding the organization’s risk management framework. This includes familiarity with the processes for identifying, assessing, managing, and monitoring risks. By understanding how risks are managed, auditors can tailor their objectives to evaluate the effectiveness of these processes and the adequacy of risk responses.
  2. Identifying Key Controls: Essential controls are those mechanisms put in place to mitigate significant risks and ensure the achievement of business objectives. Auditors should identify these controls within the organization’s control framework to ensure that audit objectives include assessing whether these controls are designed effectively and operating as intended.
  3. Risk Assessment Process: Internal auditors should participate in or have access to the organization’s risk assessment results. This participation enables auditors to align audit objectives with the organization’s risk priorities, focusing on the areas of highest risk and significance. Audit objectives can then be formulated to assess the effectiveness of risk management practices and control activities related to these priority areas.
  4. Engagement with Stakeholders: Engaging with key stakeholders, such as risk management and compliance functions, can provide valuable insights into the risks considered most critical and the controls deemed most crucial for the organization. This engagement helps refine audit objectives to ensure they are focused on assessing the management of these vital risks and the effectiveness of associated controls.
  5. Integration with the Internal Control Framework: Audit objectives should be directly linked to the organization’s internal control framework, such as the COSO (Committee of Sponsoring Organizations) framework. This linkage ensures that audits assess aspects of the control environment, risk assessment, control activities, information and communication, and monitoring activities. By aligning audit objectives with the framework’s components, auditors can systematically evaluate the organization’s control environment and provide insights into areas of improvement.
  6. Prioritization of Audit Efforts: Given the limited resources available to the internal audit function, it is essential to prioritize audit efforts based on aligning audit objectives with critical risks and controls. This prioritization ensures that the audit function focuses on areas that could impact the organization’s ability to achieve its goals and manage its risks.
  7. Continuous Alignment: The risk landscape and control environments are dynamic, with new risks emerging and control changes occurring. Therefore, it is crucial for internal auditors to continuously align their audit objectives with the organization’s risk and control frameworks. This may involve adjusting audit plans and goals in response to risk profile changes or findings from ongoing monitoring activities.

Internal Audit in Action

Background

FinTech Innovations, a leading financial technology company, has recently developed a revolutionary mobile payment solution. Given the critical importance of data security and customer trust, the internal audit department conducted a focused audit on the cybersecurity measures surrounding the new product.

Challenge

The challenge was to define audit objectives that would assess cybersecurity risks and controls specific to the new mobile payment platform. As such, the scope of the audit had to encompass technical, operational, and regulatory compliance without overextending the audit team’s capabilities.

Action Taken

  • Establishing Audit Objectives: The objectives were set to evaluate the effectiveness of cybersecurity controls, compliance with relevant data protection regulations, and the platform’s resilience against emerging cyber threats.
  • Determining the Scope: The audit scope included an assessment of encryption protocols, authentication mechanisms, incident response plans, and compliance with PCI DSS standards. Special attention was given to areas identified as high risk through preliminary risk assessments.
  • Preliminary Assessments: A series of preliminary assessments using automated scanning tools and interviews with the IT security team helped refine the focus areas and scope of the audit.
  • Stakeholder Communication: The audit plan, including objectives and scope, was shared with key stakeholders, such as the product development team and senior management, to ensure understanding and gather input.
  • Alignment with Risk Frameworks: The audit was designed to align with FinTech Innovations’ broader risk management framework, ensuring that findings would directly contribute to strengthening the company’s overall risk posture.

Outcome

The cybersecurity audit provided FinTech Innovations with a detailed understanding of the strengths and potential vulnerabilities of the new mobile payment solution’s security measures. The audit’s focused scope allowed for a deep dive into critical areas, leading to recommendations that significantly strengthened the platform’s cybersecurity posture and ensured regulatory compliance, enhancing customer trust and product viability.

Reflection

This scenario emphasizes the significance of defining targeted audit objectives and a precise scope, especially in areas as critical and complex as cybersecurity. For FinTech Innovations, this approach ensured that the audit effectively supported the organization’s strategic goals of innovation and customer trust by providing detailed insights and recommendations for enhancing cybersecurity measures around a critical new product.

Key Takeaways

Let’s recap the concepts discussed in this section by reviewing these key takeaways:

  • Establishing clear, measurable audit objectives is crucial; they provide a roadmap, focus efforts, and align with the organization’s strategic priorities.
  • Defining the scope of an audit involves determining the depth and breadth of areas examined, considering resources, subject complexity, and the organization’s risk appetite.
  • Auditors must recognize scope limitations due to factors like time, resources, and audit subject nature, balancing thoroughness with practicality to focus on high-risk areas.
  • Effective communication with stakeholders about audit objectives and scope builds trust, aligns expectations, and ensures the audit targets areas of most significant risk exposure.

Knowledge Check

Review Questions

  1. Why is establishing clear and measurable audit objectives important, and how do they impact the audit process?
  2. Describe how determining the depth and breadth of audits can influence the effectiveness of the internal audit function.
  3. What are some critical considerations for managing scope limitation and audit focus?
  4. How does conducting preliminary assessments aid in defining the scope of an audit?
  5. Why is it essential to communicate the objectives and scope of an audit to stakeholders, and what should this communication achieve?

Essay Questions

  1. Describe the importance of aligning audit objectives with the organization’s risk and control frameworks. Include in your answer how this alignment influences the planning, execution, and outcome of the audit.
  2. Explain the role of preliminary assessments in defining the scope of an audit, including how these assessments can identify areas requiring in-depth examination and how they contribute to the overall efficiency and effectiveness of the audit process.

Mini Case Study

Imagine you are the lead internal auditor for a large manufacturing company. As part of your annual audit planning process, you are tasked with developing a risk-based audit plan for the upcoming fiscal year. The company operates in a highly competitive industry, and management is keen on ensuring that internal audit activities are aligned with the organization’s strategic objectives and risk management framework. In this scenario, you need to apply the principles of risk-based auditing to develop an effective audit plan that addresses the organization’s key risks and priorities.

Required: Based on the principles of risk-based auditing, outline the key steps you would take to develop a risk-based audit plan for the manufacturing company. Include specific considerations for identifying and assessing risks, prioritizing audits, integrating risk-based planning with the overall audit cycle, and updating the plan based on emerging risks.

License

Icon for the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

Internal Auditing: A Practical Approach Copyright © 2024 by Amit M. Mehta is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.

Share This Book