On this episode of the Risk & Accounting Advisory podcast, Neal Beggan, Risk Advisory Leader, continues the Risk In Review series as we explore internal audit plans and a few common mistakes that often occur during the development of the annual internal audit plan. Lori Daniels and Christine Homack, both Senior Managers in Cherry Bekaert’s Risk Advisory practice specializing in internal audit and risk management, unpack the importance of establishing a sound audit plan and internal controls framework, which can ensure your organization is protecting against fraud and misuse, creating organizational efficiency, financial stability, and integrity, and meeting any regulatory compliance requirements. Our risk professionals examine all aspects of internal audit planning, including when to start planning, carry-over audits to be considered, incidents that require special projects or reporting, inclusion of senior management in the audit planning process, linking your audit plan to your organization’s strategic plan and goals, and, finally, utilizing a risk assessment.
Cherry Bekaert’s Risk Advisory practice is focused on helping our clients protect value, power performance, and build resilience with mature internal controls and risk management practices.
If you need assistance with your internal audit function, developing a comprehensive internal audit plan, or having a risk assessment conducted, please reach out to our risk advisors.
NEAL BEGGAN: Hello and welcome to the Risk and Accounting Advisory Podcast. My name is Neal Beggan, leader of the Risk Advisory practice here at Cherry Bekaert. Today on our Risk and Review Podcast, we will look at a few common mistakes, commonly known as pitfalls, in developing the annual internal audit plan.
NEAL BEGGAN: With me today are Lori Daniels and Christine Homack, leaders in Cherry Bekaert's Risk Advisory and Government and Public Sector practices, respectively. Lori and Christine, thanks for joining me.
LORI DANIELS: Great to be here.
CHRISTINE HOMACK: Thanks for having us, Neal.
NEAL BEGGAN: As always, we will begin with a series of five questions for the Risk and Review Podcast. We will cover the five most common pitfalls organizations encounter and provide some best practices to avoid these mistakes.
NEAL BEGGAN: Developing a sound audit plan and a healthy internal control environment helps ensure organizations are protecting against fraud and misuse, creating organizational efficiency, and providing financial stability and integrity. It also ensures they meet regulatory compliance requirements. With that said, let's get started.
NEAL BEGGAN: Lori, if it's all right, I'm going to begin with you. Can you set the stage with the first common pitfall, in your opinion?
LORI DANIELS: One of the most common issues I've seen with clients and in my own experience leading internal audit departments is not starting the planning process early enough in the calendar. Whether you follow a calendar year, fiscal year-end, or mid-year fiscal year, not starting early enough prevents you from having a full fiscal year to execute your plan.
NEAL BEGGAN: Once the focus on developing the next plan has begun, Christine, what is another misstep you've seen over your career?
CHRISTINE HOMACK: This occurs even for organizations that start months in advance: not considering the current year plan and its progress. Are there process audits we need to carry over? Were some audits not done, and why weren't they completed? Has an incident occurred that requires a special project with immediate attention?
CHRISTINE HOMACK: It's important to treat the audit plan as a plan and remain flexible and responsive to changing needs. Part of that process is educating your audit committee about responsiveness and the communication required of the chief audit executive or internal audit consultant, particularly under Red Book and Yellow Book standards, including Red Book standard 2010.
NEAL BEGGAN: Completely agree. We're already at question three of five, which may be the quickest we've ever done, but I like the rapid-fire format, so let's keep going. You mentioned management's role in this process. Lori, can you touch on the next pitfall: not involving senior management?
LORI DANIELS: Absolutely. Red Book standard 2010 speaks to proactive planning, which includes the management team and the executive level so you get their perspectives on what's important and the risks they see. That input doesn't mean they drive the internal audit plan, but they are on the front lines of operations and can provide timing and scheduling insights.
LORI DANIELS: Internal audit often oversees everything and may not see the operational details, so management input is important. For example, you do not want to audit a finance department during a busy period like when they're filing a 10-Q or a 10-K.
LORI DANIELS: Also leave space for management to request consultative services—areas where they want internal audit to "kick the tires" on policy or process changes. Giving them a seat at the table helps build a trusted-advisor partnership and reduces adversarial relationships.
NEAL BEGGAN: Absolutely. The busiest-time comment could not be more appropriate. COVID disrupted predictable busy periods, so timing matters more than ever. Christine, I didn't mean to cut you off.
CHRISTINE HOMACK: To build on Lori's point, periodic check-ins as part of education and coaching with audit committees are important. Standards require communication, but regular engagement beyond scheduled meetings gives committees the opportunity to think strategically and reach out when things change.
CHRISTINE HOMACK: If something drastic occurs and a special committee meeting is needed, keep them in the loop and share your perspective about what to watch for. That ongoing communication helps keep the plan flexible and aligned with strategic goals.
NEAL BEGGAN: One of our goals, whether we're an outsourced or co-sourced function, is to be a trusted advisor year-round, not just when an audit arises. We want to be proactive about changes in standards or environment. Christine, for number four, can you talk about another pitfall you've encountered?
CHRISTINE HOMACK: A major pitfall is failing to link the internal audit plan to the organization's strategic plan and goals. Not making that connection puts internal audit and the organization at risk for irrelevance.
CHRISTINE HOMACK: This requires education with the audit committee about fiduciary responsibilities and stakeholder expectations for where internal audit fits on the continuum. With more co-sourcing and outsourcing and ongoing staffing capacity challenges, treat co-sourcing or outsourcing as a strategic partnership that is continuous throughout the year.
CHRISTINE HOMACK: Risks need to be reviewed and the plan augmented as changes occur rather than taking a rear-view approach. Conduct a risk assessment and tie it into strategic planning to ensure alignment and maintain a useful, versatile audit plan rather than one that just sits on the shelf.
NEAL BEGGAN: Spot on. All four pitfalls we've discussed so far are relevant and important. We keep this series to five questions so listeners can digest the pitfalls. As we wrap up, I'll come back to Lori to start. Christine, you can add if you'd like. Lori, what else are you seeing as a pitfall to call out?
LORI DANIELS: Oddly enough, Christine alluded to this: the risk assessment. Not basing your internal audit plan on a risk assessment is huge, and you'd be surprised how many shops still do not perform a risk assessment.
LORI DANIELS: Some form their plan on gut feel or the "same as last year" mentality and repeat familiar audits because of expectation rather than risk. Failing to have a risk assessment process violates Red Book standards, which require it as the foundation of your internal audit plan.
LORI DANIELS: Risk assessments come in many shapes and sizes; there's no one-size-fits-all template. The methodology can be consistent at a high level, but scales, risk factors, and likelihood versus impact criteria vary by organization. Decide whether to do a comprehensive risk assessment or separate IT and fraud risk assessments, and determine how to incorporate them into a single comprehensive risk assessment to drive your audit plan.
NEAL BEGGAN: Agreed. Christine, feel free to add anything.
CHRISTINE HOMACK: To build on Lori's point, consider your organization's maturity in risk assessment. Have you never done them, have they not been updated, or have you done some assessments but not others like fraud or IT? IT environments change rapidly, and mature organizations may need more frequent updates.
CHRISTINE HOMACK: Risk assessment should be a living, iterative process you continually update to mitigate risk as much as possible.
NEAL BEGGAN: Thank you both, Lori and Christine, for your insights. There will be more on future podcasts in this area and others.
NEAL BEGGAN: Listeners, stay connected to the Risk and Accounting Advisory Podcast for additional topics related to internal audit and risk management. If you have questions about your internal audit plan, please reach out to our advisors.
NEAL BEGGAN: For more information on internal audit strategy, plan development, or internal controls, visit cbh.com/risk. Please like, share, and subscribe to Cherry Bekaert's Risk and Accounting Advisory Podcast. Thank you for listening.