Bottoms-Up Audit Planning: Risk-Based Auditing From Planning to Scoping

Not all risk-based approaches are created equal: does your bottom-up planning start with risks in mind? The traditional audit planning process starts with understanding the risk profile of your audit universe, all auditable entities, then building a plan based on risk ratings for the predetermined entities. As an alternative, a bottom-up approach starts with the risks and asks which entities are impacted by those risks, leading to a more accurate scoping for the audit plan.

This article will delve into several benefits and challenges you should consider when moving to or employing a bottom-up approach and explain how technology can help you achieve your goal of more accurate audit planning.

Committing More Time to Planning

A bottom-up approach generally takes more time during the assessment, but that time is recaptured during the audit. In traditional planning, the risk assessment is used to determine high-risk entities. The auditors are left to figure out the specific risks during their walkthroughs to start the audit. By committing the time to understand the risks during the assessment, auditors kick off their project knowing which risks are in scope, and they dive directly into determining which controls to test. Spending the time upfront leads to fine-tuned scoping for the audit team.

Compiling a Risk Library

Internal audit teams need to maintain a risk library for an effective bottom-up assessment. Conducting a bottom-up risk assessment requires a granular view of risks, not the high-level, categorical risks often used in the traditional approach. One key consideration is to compile and maintain an ongoing risk library based on the risks the team has considered in the past and emerging risks that may impact the organization in the near future. Keeping the library updated is critical to future planning efforts and will likely reduce the time it takes to complete the assessment as more is known about each risk.

Updating the Assessment Methodology

With the changes in approach, internal audit management should also consider changes to the overall assessment methodology – especially assessment frequency. Since the risks are more granular and the audits are more focused, the scope of each audit will be very specific. The audit teams will spend less time in discovery at the beginning of the audit, and they will not spend unnecessary time auditing low areas, as is often the case when auditing end-to-end processes. Now, the team can focus on emerging and other highly rated risks. Updating the methodology to conduct more frequent assessments, or even moving to continuous risk assessments, enables an audit plan that includes the most critical risks to the organization at all times. For those organizations that have to show risk overage for lower-rated risks, these can be put on rotation while always prioritizing more impactful risks.

Relying on Technology

Technology is the key to achieving a successful, effective bottom-up approach to audit planning and scoping. To reach your goal, you will need a system of record for your risk library, a way to enforce your assessment methodology, and a systemic process for mapping risks to the impacted entities. By having these pieces in place, your team will easily be able to capture current risks, rate the risks while considering the impacted entities, and then formulate an audit plan based on the intersection of high-rated risks and auditable entities that seamlessly flow into audit project planning. Technology creates efficiencies that enable more granularity, increased accuracy in scoping, and more efficient auditing.

Audit the Right Risks at the Right Time

Instead of only focusing on doing more, we can focus on doing better. Bottom-up audit planning leads to projects stakeholders find more valuable and opens the opportunity to do more interesting projects that may not have come up in the past. With this update to the planning methodology, you will have a better view of the risks across your auditable entities without needing additional time and resources. You can conduct more meaningful and successful audits that dive deeper into the most critical risk and deliver better insights to the organization.