Internal audit planning Sri Lanka, like in many other countries, is a crucial part of ensuring the effectiveness, efficiency, and compliance of public and private sector organizations. The planning phase of internal audits is fundamental to identifying risks, ensuring proper resource allocation, and focusing on areas that could impact the organization’s performance.
Join Internal Audit Planning one day training program by PRAG INSTITUTE
View Training Programs
Internal Audit Planning Sri Lanka
1. Regulatory Framework
Internal auditing in Sri Lanka is governed by various standards, regulations, and guidelines. Key frameworks include:
- Sri Lanka Auditing Standards (SLAuS): Adapted from the International Standards on Auditing (ISA) by the Institute of Chartered Accountants of Sri Lanka (CA Sri Lanka).
- Institute of Internal Auditors (IIA) Standards: These include the International Standards for the Professional Practice of Internal Auditing (ISPPIA).
- Public Sector Auditing: For government institutions, internal audits follow regulations set by the Department of Public Finance under the Ministry of Finance, adhering to guidelines in Financial Regulations (FR) and the National Audit Act, No. 19 of 2018.
2. Key Objectives of Internal Audit Planning
The primary objectives of internal audit planning are:
- Risk Identification and Mitigation: To identify areas with high risks and implement audit processes to mitigate those risks.
- Efficiency and Effectiveness: To ensure that organizational processes are conducted efficiently and effectively.
- Compliance: To verify that the organization is complying with applicable laws, regulations, policies, and procedures.
- Fraud Detection: To identify any signs of fraud or irregularities.
- Internal Controls: To assess the effectiveness of the internal controls in place.
3. Steps in the Internal Audit Planning Process
a. Understanding the Organization
- Mission and Objectives: The auditor must understand the mission, vision, and objectives of the organization to align the audit objectives with business goals.
- Review of Policies and Procedures: This includes a review of the organizational structure, financial systems, internal controls, and existing procedures.
- Stakeholder Engagement: Key stakeholders such as senior management, the audit committee, and heads of departments are consulted to understand their concerns and focus areas for the audit.
b. Risk Assessment
- Risk Identification: Identify potential risks in different areas such as financial, operational, compliance, and information technology.
- Risk Prioritization: Based on the likelihood and impact, risks are prioritized. High-risk areas are given priority in the audit plan.
- Previous Audit Findings: The internal audit team reviews findings from previous audits to determine whether past issues have been resolved or if they still pose a risk.
c. Setting Audit Objectives
- Define the scope and objectives of the audit. The scope may include:
- Operational Efficiency: Whether processes are functioning optimally.
- Financial Accuracy: Whether financial reports are accurate.
- Compliance: Whether operations are compliant with legal and regulatory frameworks.
- Information Security: How well the organization’s data is protected.
d. Development of the Audit Plan
- Audit Scope: Clearly define the scope of the audit based on the risk assessment and stakeholder priorities.
- Timeframe: Develop a timeline for completing the audit activities, including deadlines for each stage (planning, fieldwork, reporting, etc.).
- Resource Allocation: Determine the resources (human, technological, and financial) required for conducting the audit. Assign tasks to internal auditors based on their skills and expertise.
- Audit Methodology: Specify the methodology to be used in the audit (e.g., sampling techniques, data analysis, interviews).
- Frequency of Audits: Define how frequently audits will be conducted (annually, quarterly, etc.) for specific areas.
e. Approval of the Audit Plan
- The internal audit plan must be reviewed and approved by the organization’s Audit Committee or senior management. This ensures alignment with organizational priorities and that all necessary resources are allocated.
4. Key Components of an Internal Audit Plan
The internal audit plan document should include the following components:
- Introduction: An overview of the audit plan, its purpose, and key objectives.
- Audit Universe: A list of all areas or processes that could be audited (e.g., finance, operations, IT, HR, procurement).
- Risk-Based Prioritization: A ranking of areas by risk level and impact on the organization.
- Audit Schedule: A detailed calendar of audit activities for the year, showing which areas will be audited and when.
- Resource Plan: Allocation of personnel, budget, and tools required for the audit.
- Key Performance Indicators (KPIs): Measures for monitoring the progress of audits (e.g., number of audits completed on time, findings per audit, etc.).
- Reporting Mechanisms: Procedures for communicating audit findings to the audit committee, management, and other relevant stakeholders.
5. Types of Audits in Internal Audit Planning
- Operational Audits: Assess the efficiency and effectiveness of operational processes.
- Financial Audits: Focus on the accuracy and reliability of financial information.
- Compliance Audits: Ensure adherence to relevant laws, regulations, and policies.
- IT Audits: Evaluate the security and functionality of information technology systems.
- Follow-Up Audits: Ensure that issues identified in previous audits have been resolved.
6. Challenges in Internal Audit Planning in Sri Lanka
- Resource Constraints: Lack of sufficient personnel and financial resources can hinder the execution of the audit plan.
- Capacity Building: There is a need for continuous training of internal auditors to keep up with evolving standards and technologies.
- Management Cooperation: Ensuring full cooperation from the auditees and other departments can sometimes be a challenge.
- Timely Implementation of Audit Recommendations: Delays in implementing corrective actions based on audit findings are common.
7. Reporting and Follow-Up
- Audit Reports: Once the audit is completed, a report is prepared detailing the findings, risks identified, and recommendations for improvement.
- Management Response: Management provides a formal response to the audit findings, including an action plan to address the risks and weaknesses identified.
- Follow-Up Audits: These are scheduled to ensure that corrective actions have been implemented.
8. Tools and Technology
- Sri Lanka’s organizations, particularly in the public sector, are increasingly adopting technology in internal audits, such as Audit Management Software to improve efficiency, streamline documentation, and provide real-time reporting.