The Chief Audit Executive (CAE) Briefing is now a FREE course for all CAEs. If you are the CAE in your organization, or you report to a CAE in a large organization, you may register for this course at:
https://jasonmefford.mykajabi.com/offers/ezsxLzjQ
If you are NOT a CAE, this course is not for you.
Sign up to receive the CAE Briefing directly to you in-box at: http://meffordassociates.com/caebriefing/
As promised, this week’s video discusses some of the questions I get about the annual audit planning process.
Since much of the questions come around developing a risk-based plan that aligns with the organization’s ERM risk assessment, you may find these upcoming free webinars I am doing helpful:
Establishing or Improving a Risk-Based Audit Approach
Wednesday, October 16, 2019 · 10:00 AM PDT
https://www.bigmarker.com/crisk-academy/Establishing-or-Improving-a-Risk-Based-Audit-Approach
Deeper Dive: Risk-Based Audit Approach with Questions and Answers (Q&A)
Thursday, October 31, 2019 · 9:00 AM PDT
https://www.bigmarker.com/crisk-academy/Deeper-Dive-Risk-Based-Audit-Approach-with-Questions-and-Answers-Q-A
Have a great rest of your week 🙂
Transcript
00:00
hey welcome everybody to another edition
00:02
of the chief out of the executive
00:04
briefing hey this week as promised I’m
00:08
going to talk a little bit about your
00:10
annual audit planning process because
00:13
this is one of the areas where I get a
00:15
lot of people reaching out to me and
00:17
asking questions so some of the most
00:20
common questions kind of relate to you
00:23
know doing a risk-based audit plan we’ve
00:26
got other groups in the organization
00:27
that are doing risk assessments do we
00:30
need to do one too should they be
00:32
combined how does that all work so let
00:35
me talk to you about how it probably
00:37
should go now in the standards there is
00:41
discussion that in order or while you
00:43
were developing our annual audit plan we
00:46
need to base it on a risk assessment now
00:50
a lot of auditors misinterpret that to
00:53
think they are the one who has to do the
00:57
risk assessment it just says that it
00:59
needs to be based on a risk assessment
01:02
and so here’s the reality you’re
01:04
probably going to be in one of two
01:06
buckets either you have a mature
01:09
enterprise risk management group and
01:12
they are doing their own risk assessment
01:15
or that may not exist and you are doing
01:19
the risk assessment for the organization
01:21
you usually find that auditors are
01:24
either in one of those two categories so
01:28
if you’re in the category where you’re
01:31
the one actually performing the risk
01:33
assessment great you’re doing the risk
01:35
assessment for your organization as part
01:38
of your audit plan and you share that
01:41
and work with others in management to be
01:44
able to do that so that’s perfect if you
01:48
have an enterprise resource or a risk
01:51
management group that is doing a risk
01:54
assessment you should be involved in
01:57
that if not if you’re not invited or
02:01
participating in that you still want to
02:04
get the results of those risk
02:06
assessments because you should be using
02:08
that as a primary basis for determining
02:11
your audit
02:12
plan for the year okay so you know again
02:15
it’s best if you can be involved in that
02:18
process if not use what they have
02:22
already done you don’t need to
02:23
necessarily go out and do a whole new
02:26
risk assessment yourself now I know some
02:29
people will look at that and say well
02:30
but but they’re kind of doing it for a
02:32
different reason they’re not really okay
02:35
so if we stop and take a step back
02:37
what’s on your annual audit plan should
02:40
represent projects that are helping your
02:44
organization to meet their key
02:47
objectives that’s the same thing
02:49
erm should be doing okay so again if if
02:54
you take a look at your audit plan what
02:56
is on there every one of those things
02:59
that are on there unless it happens to
03:01
be a requirement from your industry or
03:03
your regulators for certain things you
03:06
need to do or request from your audit
03:09
committee or management everything else
03:11
that’s on there should tie back directly
03:14
to a key objective that the organization
03:18
is trying to accomplish so a lot of
03:21
times people say well I’m doing a risk
03:23
based on a plan so I’ll take a look at
03:25
the plan and sure enough the things that
03:27
are in their 10k risk factors if they’re
03:30
publicly traded and the things that are
03:33
on there erm risk assessment are often
03:36
not covered on the audit plan and they
03:40
should be if we’re really trying to do
03:43
an annual audit plan that is based on
03:45
helping your organization achieve its
03:47
objectives then you need to be focusing
03:50
on those objectives so there should be
03:54
an alignment in what’s on your audit
03:56
plan with what your erm group is doing
04:00
as well now I know there’s a lot of
04:03
confusion sometimes around risk based
04:05
auditing I’ve been teaching this for
04:07
years written a book done certifications
04:10
on it and people still don’t seem to get
04:12
it so so one of the things that I want
04:15
to share with you is a risk based audit
04:18
plan does not mean risk ranking a list
04:22
non risks okay that is not what a
04:25
risk-based audit plan is about if you’re
04:29
interested in learning more I’m actually
04:30
doing a couple of free webinars about
04:33
risk based audit this month so I’ve
04:36
included that below there’s one on the
04:39
sixteenth and one on the 31st so if
04:42
you’re interested in learning more about
04:43
that sign up come to the webinars or
04:47
just email me and I’m happy to explain a
04:51
little bit more just don’t have enough
04:53
time in today’s video so with that again
04:56
try to make sure that your audit plan is
04:59
aligned with the real risks of your
05:03
organization and like I said if you’re a
05:06
RM Group is doing a risk assessment try
05:09
to leverage that and don’t do your own
05:11
complete risk assessment but use that as
05:14
the basis for determining your annual
05:18
audit plan so have a great week and I
05:20
will talk to you this next week