What Is an Audit Program?

An audit program is a set of policies and procedures that dictate how auditing is to be implemented. It usually involves audit software as well as internal work that is manually performed by an auditor. These measures are generally employed to determine what, and how much, evidence must be collected and evaluated, as well as who will collect and evaluate it, and when this should be done.

Organizations typically prepare audit programs based on the operational planning activities of the evidence collected and evaluated by an auditor. The audit program is prepared and, if need be, revised in accordance with this evidence. It is documented in the audit working papers, which are the official record that contains the planning and execution of the audit agreement. While the formality of an audit program largely depends on the size of the organization, all programs require certain elements in order to be effective.

Risk assessment is one of the most critical components of an audit program. Through this process, risks for specific areas of the business are identified and analyzed. Auditors are encouraged to conduct risk assessment on a consistent basis to keep pace with changes to internal control and various work processes. An organization's level of risk is considered a key aspect in determining how often audits should be performed.

An effective audit program also includes an audit cycle, which simply refers to the frequency of audits. As mentioned above, this frequency is normally determined by conducting risk assessment. Some factors can affect the audit cycle, mainly time and audit staff. Even so, it is advisable for organizations not to allow such factors to reduce how often audits are performed, especially for areas susceptible to great risk. Doing so could leave the organization vulnerable to substantial risks that have yet to be identified.

Another essential component of an audit program is audit planning. Although strategies are generally devised with respect to individual organizations, a well-rounded plan is often viewed as one that covers scheduling, audit staff needs, reporting, and the overall goals of the audit. Many organizations find that this planning is most efficient when the results of risk assessment are combined with the resources needed to determine the timing and frequency of audits.

Due to the nature of the process and the sensitive information involved, computer software used to facilitate audits should be strictly limited to auditing departments. Fortunately, many of the software applications on the market offer password security and other mechanisms for protection. In addition to security, it is recommended that audit software be continuously evaluated to determine its reliability and overall efficiency.

Written by Contel Bradford