Introduction to audit planning.

An audit plan specifies on how you intend to conduct a particular audit. It describes the
activities you intend to carry out in order to achieve your audit objectives.

The objective of the auditor is to plan the audit so that the audit is conducted effectively.
Audit planning

Is the arrangement of audit work to be performed in respect to a particular audit

management

Benefits of audit plans

It helps the auditor obtain sufficient appropriate evidence for the circumstances
Helps keep audit costs at a reasonable level
It helps the auditor obtain sufficient appropriate evidence for the circumstances
It helps to keep audit costs at a reasonable level.
It helps to avoid misunderstandings with the client.
It helps to ensure that potential problems are promptly identified
It helps to know the scope of audit program by an Auditor.
Understating the client

FACTORS TO CONSIDER WHILE PLANNING AN AUDIT OF A FIRM

Consider the background of the clients business, and attempt to ascertain any problem for that
sector of industry or commerce, which may affect the audit work. This is more important in
case of a new client and is done during the initial visit.

Consider an outline of the plan of the audit including the extent to which he may wish to rely
upon internal controls and extent to which work can be allocated to interim of final audit
stages where appropriate.

Review matters raised in the audit of the previous years, by examining the audit files and
discussing points with staff previously involved in the audit to ascertain those facts which
may have relevance to the current year.

Assess the effect of any changes in legislation or accounting practice on the financial
statements of the client.
Review any management or interim accounts the client may have prepared as these may
indicate areas of concern in his audit.

Meet the senior management of the client to identify problem areas e.g. variances between
structure etc.

Discuss the management the extent to which the clients employees will assist in the audit
work.

The auditor will need to determine the number of audit staff required, their experience and
special skills they need to possess and the timing of their audit visits.

Process of Audit Planning

It includes following procedures

Knowledge of client's business

Development of audit strategies or overall plan (who, when and how)
Preparation of audit programme
Strategy of audit planning

The auditor should establish an overall audit strategy that sets the scope, timing, and direction
of the audit and guides the development of the audit plan.

In establishing the overall audit strategy, the auditor should take into account:

a. The reporting objectives of the engagement and the nature of the communications
required by standards.

b. The factors that are significant in directing the activities of the engagement team.

c. The results of preliminary engagement activities and the auditor's evaluation of the
important matters in accordance with paragraph 7 of this standard, and The nature,
timing, and extent of resources necessary to perform the engagement

Risk-based auditing
Auditors are required by ISA 315, Understanding the Entity and its Environment and
Assessing the Risks of Material Misstatement, or its local equivalents to assess and develop
responses to risks.

This process requires that auditors:

Gain an understanding of the company's business and the environment in which it

operates.

Use that understanding to identify the business risks facing their clients.

Assess the risks of material misstatement arising from the business risks.

Design suitable responses to the risks of material misstatement, ie decide what audit
work to do.

Business risks are risks that could affect an entity's ability to achieve its objectives and
execute its strategies.

Since the objective of the vast majority of businesses is to maximize profits, business risks
are essentially risks which if, if left unmanaged, could reduce the company's profits and
eventually could mean that the company is not a going concern.

In the current economic circumstances it seems clear that, for many companies, there are
more business risks and therefore increased risks of going concern problems which must be
addressed by auditors.

Business risks can increase the risk of material misstatement as follows:

There may be specific numbers in the financial statements which may be misstated as
a result of a business risk. For example, poor economic conditions in an industry
could increase the risk that customers will not be able to pay their debts. This means
that for the supplier there is a risk that receivables are overstated.
 There may be many numbers that could be affected. For example, the management of
a listed company facing scrutiny of its profits may be tempted to manage its earnings
by the use of creative accounting techniques.

If the company is facing going concern problems that require disclosure or

adjustments in the financial statements but the company fails to do so, this will result
in misstatements.

A thorough risk analysis is obviously a crucial part of the audit process in the current
economic circumstances, focusing parti

Audit Risk is the risk that an auditor expresses an inappropriate opinion on the financial
statements.

Audit risk may be considered as the product of the various risks which may be encountered in
the performance of the audit. In order to keep the overall audit risk of engagements below
acceptable limit, the auditor must assess the level of risk pertaining to each component of
audit risk.

Components audit risk

Inhertent risk ,Control risk, Deduction risk

Inherent Risk Inherent risk is generally considered to be higher where a high degree of
judgment and estimation is involved or where transactions of the entity are highly complex.
Or is the risk of a material misstatement in the financial statements arising due to error or
omission as a result of factors other than the failure of controls (factors that may cause a
misstatement due to absence or lapse of controls are considered separately in the assessment
of control risk).
Control Risk. is the risk of a material misstatement in the financial statements arising due to
absence or failure in the operation of relevant controls of the entity.

Organizations must have adequate internal controls in place to prevent and detect instances of
fraud and error. Control risk is considered to be high where the audit entity does not have
adequate internal controls to prevent and detect instances of fraud and error in the financial
statements.

Detection Risk .is the risk that the auditors fail to detect a material misstatement in the
financial statements.An auditor must apply audit procedures to detect material misstatements
in the financial statements whether due to fraud or error. Misapplication or omission of
critical audit procedures may result in a material misstatement remaining undetected by the
auditor. Some detection risk is always present due to the inherent limitations of the audit such
as the use of sampling for the selection of transactions.

Detection risk can be reduced by auditors by increasing the number of sampled transactions
for detailed testing.

Audit Risk = Inheren Risk x Control Risk x Detection Risk

How to Follow Risk Assessment Procedures in an Audit

When performing an audit, you use risk assessment procedures to assess the risk that material
misstatement exists. This step is very important because the whole point of a financial
statement audit is finding out if the financial statements are materially correct..

How exactly do you assess audit risk?

You follow various risk assessment procedures:

Recognizing the nature of the company and management,

Interviewing employees,

Performing analytical procedures,

Observing employees at work, and inspecting company records.

Business risks can increase the risk of material misstatement as follows:

There may be specific numbers in the financial statements which may be misstated as
a result of a business risk. For example, poor economic conditions in an industry
could increase the risk that customers will not be able to pay their debts. This means
that for the supplier there is a risk that receivables are overstated.

There may be many numbers that could be affected. For example, the management of
a listed company facing scrutiny of its profits may be tempted to manage its earnings
by the use of creative accounting techniques.

If the company is facing going concern problems that require disclosure or

adjustments in the financial statements but the company fails to do so, this will result
in misstatements.

A thorough risk analysis is obviously a crucial part of the audit process in the current
economic circumstances, focusing parti

After you run through all applicable risk-assessment procedures, you use the results to figure
out how high the chance is that your client has material financial-statement mistakes. Not
every mistake is important.

Recognizing the nature of the company: Here are some crucial questions to ask the client
during your risk assessment procedures:

Whats the companys market overview? For example, if the client is a bank, in
how many states does it operate?

Who (if anyone) regulates the client? Many businesses dont have an outside
regulatory agency, but any publicly traded company is required to file its financial
statements with the Securities and Exchange Commission (SEC).
 Whats the companys business strategy? Most business strategies are to maximize
shareholder value by increasing profitability and serving the community in which
theyre located. The answer may lead you to more probing follow-up questions.

Examining the quality of company management: Inept management thats lackadaisical

about following or enforcing company policies and procedures encourage that attitude
throughout the organization. You evaluate management attitude through interviews. Another
means is noticing high employee turnover, which can indicate employees are seeking other
employment because upper management fails to maintain a quality system of reporting.

If key personnel such as the president, chief financial officer, and chief executive officer have
been with the company for many years, thats usually an indication of quality management.
Another good sign is if prior audits have required few, if any, accounting adjustments and
there have been no financial statement restatements. Heres why:

Accounting adjustments are given to the client if a mistake or an aggregate of

mistakes is material.

Financial statement restatements are more serious.

Asking employees for information: When asking for information, you should talk to many
different employees in the organization besides management. To get a well-rounded idea of
the business, talk with individuals holding different levels of authority, from low-level clerks
all the way up to the board of directors.

You need to look at problems that can prevent a company from reaching its desired
objectives. Each of your clients functioning departments has different objectives and risks,
and understanding them can help you identify potential sources of inadvertent errors or fraud
that may affect the financial statements. Here are two real-life examples to consider:

A payroll department objective is the accurate and timely processing of employee

payroll payments. A risk associated with this objective is issuing inaccurate payroll
payments.
 A tax department objective is to meet all legal and regulatory tax return filing
obligations. Risks associated with this objective include filing returns that arent
materially correct and missing the filing deadline.

Analyzing processes and paperwork: Put simply, analytical procedures test to see if
relationships exist in both financial and nonfinancial data.

Here are three common analytical procedures you do while assessing audit risk:

Trend analysis: You compare current financial figures to the same figures in the prior
year.

Ratio analysis: Some common ratios are the current ratio, and inventory turnover.

Reasonableness: Does what youre seeing make sense based on other facts? For
example, does the depreciation expense appear accurate when you consider the book
value of all fixed assets on the balance sheet?

Observing the client at work: One common type of observation is to watch the staff take a
count of physical inventory. Visiting the companys business locations is another. Doing so
gives you the opportunity to view the companys operations beyond whats in the books and
records and to find out about the companys internal controls.

Examples of inappropriate audit opinions include the following:

Issuing an unqualified audit report where a qualification is reasonably justified;

Issuing a qualified audit opinion where no qualification is necessary;
Failing to emphasize a significant matter in the audit report;
Providing an opinion on financial statements where no such opinion may be
reasonably given due to a significant limitation of scope in the performance of the
audit.
Application

Audit risk model is used by the auditors to manage the overall risk of an audit
engagement.
Auditors proceed by examining the inherent and control risks pertaining to an audit
engagement while gaining an understanding of the entity and its environment.

Detection risk forms the residual risk after taking into consideration the inherent and
control risks pertaining to the audit engagement and the overall audit risk that the auditor
is willing to accept.

Other assurance service

To help clients succeed by managing risk

Every organization has a unique way of defining success that can be stated in a mix of
common business objectives such as acquiring customers,

safeguarding assets, increasing operating profits,

retaining customers,

providing accurate financial reports,

Complying with laws and regulations.

Risks are stumbling blocks along the path to achieving those objectives.

A control is any action taken by management, the board, and other parties to manage risk
and increase the likelihood that established objectives and goals will be achieved.
Management plans, organizes, and directs the performance of sufficient actions to provide
reasonable assurance that objectives and goals will be achieved.

Importance of Materiality and Risk

Materiality and risk underlie the application of all generally accepted auditing standards,
Must consider materiality and risk in:

1. Planning
 2. Evaluation of F/S

3. Thus handbook requires the auditor to consider

4. Circumstances of the company

5. The users of the F/S

6. The auditor makes a preliminary judgment about materiality levels in planning

the audit

7. May ultimately differ from materiality levels used in evaluating audit findings

AUDIT PROGRAM

Definition

An audit program is a set of policies and procedures that dictate how an evaluation of a
business is done.. These types of programs are used to check up on things like a business'
performance, finances, economy, and efficiency, and are generally tailored to a specific
business or purpose.

The auditor can handle audit of many concerns at the same time. Every aspect of financial
activities require audit program. The combination of all such programs is considered as
master audit programme. The auditor can make changes from time to time in order to meet
the requirements of nature and size of business.

Purpose

Audit programs are important because they standardize the data collection and evaluation
process. By setting out a specific list of steps to be followed and data to be collected, the
program ensures that auditors collect all the information they need in an efficient manner
while under appropriate supervision.

Keeping the process standardized also means that all the data collected can be used to make
useful comparisons between businesses, departments, and previous years' inspections, since
the same set of data is collected each time. Additionally, having a program like this in place
makes sure that any problems are discovered promptly and reported to the correct person.

Kinds of Audit Programmes

1. Standard Audit Programme

This type of audit programme is preprinted and suitable for all purposes. It saves time and
gives added assurance that no important procedure will be overlooked while in the opinion of
some others, this type of audit programme is too much mechanical. Due to complexities in
the business conditions system of accounting and internal control system, it is not possible to
follow a standard audit programme.
2.Modified Standard Audit Programme
These type of audit programme contain the usual audit procedures, common to most business
and provide space for other specific procedures applicable to the business under examination.
This modification of the audit steps and the insertion of the steps that are peculiar to the audit
in questions, make the audit programme a modified standard audit programme.
3. Tailor-Made Audit Programme
This is individually written programme prepared specially for each audit. It is known as tailor
made because a tailor cuts the cloth according to the body of every person. The auditor
should take care of such a programme so that no important steps is overlooked or missed. It
lists the procedures to be followed on any specific engagement indication any departure from
normal practices and specifying the extent of the test of transaction

Contents of Audit Programme

1. Name
The audit programme contains the name of client. The auditor can write the name of business.
There is a need of complete address of the concern in case of public limited company.
2. Objects
The audit programme contains the objects of the business enterprise. There are various
objects of any business unit. A small business has few objects while large companies have
many objects.
3. Date
The audit programme contains the date of start of an audit. The auditor can consult the client
before fixing the audit date. It must be convenient to the management. The audit programme
can show the details of audit work date wise.
4. Duration
The audit programme contains the time limit of starting and completing the work. The
duration of audit period may be one month. The size of audit work becomes the basis of
duration.
5. Accounting System
The audit programme contains information about accounting system. The auditor can
examine the accounting system and procedure in operation. The understanding of accounting
system helps to develop the audit programme.
6. Internal Check
The audit programme contains the effectiveness of internal check system. The effective
internal check is helpful for auditors. He can apply test checking due to proper internal check
system. If the system is not good it increases the duties of audit staff.
7. Old Reports
The audit programme keeps the contents of old audit report. The auditor can pay attention to
old reports. The weakness reported in previous reports must not be repeated in present
accounting records. It is the duty of the audit staff to note the performance of management.
8. Checking Books
The audit programme contains the details of checking accounting books. The number of
books kept is stated in the programme. The books are distributed among audit clerks so that
whole data may be examined.

Advantages of Audit Programme

1. Supervision of Work
The editor can judge the efficiency of his audit team with the held of an audit program. He is
in a position to know the progress of the work. He can see at any time that what part of the
work has been completed and what remains to be done.
2. Division / Distribution of Audit Work
The division of audit works is very useful for the audit staff for maintaining the difference of
works among senior or junior clerks according to their ability and skill so that the work is
divided to get better results.
3. Systematic and Uniformity of Work
Audit program helps in setting all the things in advance. So the systematic and uniformity of
work is necessary to achieved the desire.
4. Basic Instrument of Training
Audit program is infact a training instruments for the audit staff and also very useful for the
new auditors. It provides training and guidance to him. So, it is rightly called the basic
instrument for training for the staff at the right time of need.
5. Fixation of Responsibility
Audit programmes fixed the responsibilities of the staff. If any error or fraud remains
undetected the responsibility of negligence will fall on that particular assistant who has
performed that job and no one can blame on each other.

6. Several Audit May be Controlled

The auditor controls the audit of various companies at the same time. In the absence of audit
program he cannot supervise them effectively.

7. Easy Transfer
The principle auditor can transfer to any other person easily. If one assistant is unable to
continue the work given to him it can be given to another person. Audit program guides him
that what is done and what is remaining.
8. Final Review
Before signing the report, Final Review is made and for this purpose also auditing program is
very useful and any deficiency or missing in steps can be identified and completed.
9. Useful For Future
The audit programme is very useful in the future. On completion of an audit. It serves the
purpose of audit record that may be useful for future reference. In case of auditor is appointed
for the same concern in any future time the auditor can use the same audit programmes with
some changes.
10. Progress of Audit Work
Audit programme is useful to note the progress of work. Audit programme is a timetable,
which can show the work done on any particular date. The pace of work is going on with the
passage of time. The adjustment can be made if there is more work and less time and vice
versa. In this way work can be completed in time.
11. Supervision of Audit Staff
Audit programme is beneficial for auditor. He can supervise the activities of audit staff. He
can use the audit programme as basic of supervision. Every part of audit work can be
complete as per schedule. He can control the activities of audit staff through observation and
direction when the audit work can be complete in time.

12. Audit Staff Needed

Audit programme is helpful to determine the number of persons needed to do the work. The
staff requirement is essential for every auditor. The shortage of staff means slow progress.
The exact number of senior and junior audit clerk can be determined. In this way an auditor is
able to handle the audit work properly.
13. Same Work
The benefit of audit programme is that new instructions are not issued due to change in staff.
The nature of work remains the same. The audit clerks can know their job just by reading the
written programme. The time is saved due to written instructions.
14. Time Table
The benefit of audit programme is that work is complete with in stated time period, the
saving of time means saving of labour. The saving of time means saving can control the cost
of audit due to fixed time. He can arrange audit work of other business concerns.
15. Responsibility for Poor Work
The benefit of audit programme is that auditor can fix responsibility for negligence. Audit
programme is a timetable of whole audit work to be done by auditors. Every staff member is
given some sort of duty to do the audit work. The staff is responsible for completing of work.
The performance is noted and responsibility if fixed poor work.
16. Guide To Audit Assistants
The merit of audit programme is that it serves as a guide to audit assistants. The junior audit
staff can start and complete the audit work with the help of audit programme. There is no
need to repeat the instructions every time. Moreover it serves as a guide for future. The new
audit programme can be developed can be developed on the basis of old work.
17. Dealing with New Clients
The merit of audit programme is that it helps to deal with client. The spare time of audit staff
can be used for doing with new clients. The whole year time can be divided. The auditor can
audit the accounts if various concerns under audit programme.
18. Proof for Audit Work Done
The merit of audit programme is that auditor can use it as proof for work done. In court of
law the auditor can avoid liability for negligence. Audit programme is a permanent record of
an audit process. The audit programme shows the work performed date-wise. In this way he
cannot be held responsible for carelessness.

Disadvantages of Audit Programme

1. Not Comprehensive
Auditors may have covered the whole fie but I cannot be said with certainty that all the
necessary work has been done.
2. Rigidness
Audit program looses its flexibility. While each business have a separate problems. So audit
program cannot be laid down for each type of business.

3. No Initiative
It kills the initiative of capable persons. The assistant cannot suggest any improvement in the
plan.
4. Too Mechanical
Such audit program is too mechanical that it ignores many other aspects like internal control.
5. Large Concerns / Not Suitable for Small Concerns
Audit programme is helpful in large business concerns. It has been proved that audit program
is not suitable for small business concerns.
#6. New Problems Over Looked
In the audit programme there is no chances to accept the changes with the passage of time
new problems arise that may be over looked.
7. Changes
The drawback of audit programme is that changes in it are not acceptable. The nature of
activities of concern may change. There is a need to adjust the changes in the programme. A
master programme cannot be drafted.
8. Revision
The demerit of audit programme is that there is no revision in it. The business changes from
year to year. The working may expand or contract. The audit programme requires adjusting
itself to the changing circumstances.

9. Types
The demerit of audit programme is that is not suitable for all types of business concerns. A
small business may have few books of accounts. It is not necessary to prepare audit
programming for small concerns.
10. Staff
The accounting staff can know the working of audit. The auditor applies various methods for
checking the accounting books. Having knowledge of auditing the accounting staff can devise
means to record the transaction. In this way they can avoid their responsibility.

11. Negligence
The demerit of audit programme is that it provides protection to inefficient audit assistant.
The junior auditors can protect themselves due to weakness of audit programme. The clerks
feel responsibility for the duties stated in the programme.

12. Errors
The drawback of audit programme is that it may fail to located error. The errors of principles
cannot be detected, as the double entry is complete in such case. No doubt the location of
errors and fraud is the responsibility of management. But owner depends upon auditors to
protect their rights.

Management challenges in internal audit

These are the management consequences/problems faced by the internal audit and iam going
to discuss some of them in the following:

Complex Business Models: The board and management are responsible for ensuring the
integrity of the business, while the internal auditor is responsible for validating, directly or
indirectly, whether the company's business model is sound. Internal audits confront issues
like: Will the company be able to survive, or compete in the market? Does it adhere to
sound business practices?

Risk Quantification: Risk is an integral part of any endeavor. The risk management unit and
the risk management committee are responsible for risk management, but it is the internal
auditor's task to ensure the risk management program works

Complex Financial Disclosures: The board shoulders the ultimate responsibility for the
integrity of the corporation's financial disclosure. The challenge for internal auditors is to
identify if there are discrepancies in companys financial statements, confirm whether they
are abiding by the financial reporting standards, verify whether sufficient controls are in
place, and affirm whether shareholders or potential investors or lenders have sufficient
information to make informed decisions

Monitoring and Oversight: Most organizations expect internal audits department to provide
additional input to management, the board of directors, and the audit committee in form of
monitoring and oversight; ensuring compliance monitoring and enforcement of essential
requirements

Growing Regulatory Guidelines and Compliance Demands: The global regulatory

environment is in an arena of constant change. Stipulations and guidelines are regularly
reviewed and refined to retain their effectiveness.

Overcoming Challenges
To address the rising expectations of chief stakeholders, internal audit needs to find new ways
to deploy its risk and control-based skills to help the organization achieve its strategic
objectives and enable value creation. That effort extends to activities such as:

Board of Directors and Senior Management Oversight: Internal Auditors assessment of

the role of the top management in overseeing a companys efforts should address objective
considerations, such as whether the necessary resources and tools have been dedicated to the
compliance and risk management effort, whether the tone-at-the-top is inclined towards
having tighter internal controls, and whether the board of directors and senior management,
through their words and actions, are communicating the importance of risk awareness across
the company.

Risk Identification and Assessment: The audit should examine whether the risk assessment
process synchronizes with latest changes in the organization, addresses all activities
conducted by the company, includes all applicable regulatory requirements, and documents
the methodology used to conduct the risk assessment.

Role Accountability and Responsibility: During this part of the evaluation, it is important
to consider the credibility, qualifications, and experience of key personnel who have been
assigned the critical tasks. Internal auditors are charged with the responsibility of assuring the
board of directors that management, financial systems, and processes are working effectively.

Policies and Procedures: Internal Auditors assessment should focus on the companys
process for ensuring that policies and procedures are comprehensive, reviewed and updated
on a periodic and reasonably frequent basis as well as accessible and understandable. This
should also verify that the company has a process in place for communicating important
changes between periodic updates.

Internal Controls: Consideration of whether or not there is a system of adequate internal

controls should be second nature to any internal auditor. The considerations are much the
same as they would be in any other auditable area: separation of duties, access limitations,
second review processes and proper documentation of review and approval

Self-Monitoring and Remediation: Internal auditors evaluation of a companys self-

monitoring and remediation activities should begin with verifying that the monitoring
program incorporates requirements specifically mandated by laws or regulations, and that it is
appropriately aligned with Compliances risk assessment.

Reporting and Record Keeping: how the company manages the myriad of reporting and
record keeping requirements faced by financial services companies. This requires validating
that all such applicable requirements have been identified, responsibilities are assigned, and
controls are put into place to ensure required information is retained and retrievable for
prescribed periods.

Need of the hour is an internal audits framework that provides a strategic model, for internal
auditors and stakeholders, to understand the elements necessary to achieve a high quality and
effective internal audit function.

Internal Audits Framework

Ever growing complex regulations have had significant implications on Internal Audits
function changing the environment within which the rules for security, reliability, and
permissible margin of inaccuracy were formed. Internal auditors, today, need to adopt an
integrated auditing approach while evaluating the internal controls, processes and procedures
of an organization.

Structure and Resources: Before embarking upon the auditing process, internal auditors
establish the structure of the internal audit function and assess the key internal audit
personnel to be audited, and their respective roles and responsibilities. Where the function is
outsourced, the focus includes the terms of the outsourced arrangement and how this is
monitored.

Independence: The board should ensure that the independence of the internal audit function
is maintained. The internal auditor should maintain dual reporting relationship to
management and the organization's most senior oversight group. The internal auditor should
report to executive management for assistance in establishing support, and administrative
interface; and typically to the audit committee for strategic direction, reinforcement, and
accountability.

Approach: The approach taken by internal audit should be clear and may be one, or a
combination of risk-based focus on the high-risk areas of the institution; and review-based
focus on reviews of various parts of the institution. The board should endorse the approach
and it should be scalable to future change, such that it adapts agilely to issues requiring
internal audit involvement.

Segregation of Duties: Segregation of Duties ensures that no one person is solely

responsible for the entire process end-to-end, without effective checks and balances. For
example, key authorization processes should have appropriate checks and balances. The
person, who documents the transaction, should not be the same person who conducts the
transaction. These simple checks and balances ensure effective controls and reduce
organizational error rates.

Policies and Procedures: Written policies and procedures codify management's criteria for
executing an organization's operations. They document business processes, personnel
responsibilities, departmental operations, and promote uniformity in executing and recording
transactions. Thorough policies and procedures serve as effective training tools for
employees. Having a documented repository of your standard operating procedures at the
operational, financial, manufacturing unit levels, ensures consistency of processes and
reduces audit failures.

Internal Audit Plan: The internal audit plan, which usually details the proposed internal
audit work for the next 12 months, should be documented and endorsed by the board.
Importantly, the plan should be consistent with the type of approach to be taken and should
be adequate for the scale and complexity of the institutions operations.

Audit Data: The internal audit should capture audit-related data on a single database for the
entire enterprise, so that all data mining, benchmarking, and trend analysis processes are
significantly improved.

Reviews and Approvals: When a process is performed within a department, there should
always be another level of review and approval performed by a knowledgeable individual
independent of the process. The approval should be documented to verify that a review was
done. Review and approval are controls that help management gauge whether operational and
personnel goals and objectives are being met..

Reporting: Internal auditor should report findings to the Audit Committee (or board)
regularly. Serious issues should be elevated to senior management and the Audit Committee
(or board) without delay. The reporting infrastructure is not just a way to create visibility into
the status of key processes and activities, it also enables the management and the auditors a
way to get possibly real-time visibility into the key indicators of your organization. Reporting
of key Corrective Actions and Preventive Actions, Process KPI's, employee training status to
key processes, supplier and partner scorecards, quality maintenance reports on critical
equipments and plants is a simple example of a well-designed management reporting system.