Definition

audit program (audit plan)

By

Ben Lutkevich, Site Editor
Ben Cole, Executive Editor
Aislyn Fredsall

What is an audit program?

An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.

The goal of an audit program is to create a framework detailed enough for any outside auditor to understand. It should contain the following information:

the official examinations that have been completed;
conclusions reached; and
the reasoning behind each conclusion.

The framework explains the audit's objectives, scope and timeline. The audit program should also describe how working papers -- the documented audit evidence -- will be collected, reviewed and reported.

Objectives of audit programs

When developing an audit program, the internal auditor and the associated audit team members should first outline the audit's objectives, goals and obligations.

Audit program objectives help direct planning of the audit report and are based on the policies, procedures and guidelines unique to the company. These objectives may relate to how the audit committee will maintain efficiency, professionalism and a specific code of conduct during the audit procedure.

In addition to relevant regulatory compliance mandates, objectives for audit programs should consider and incorporate the following:

management priorities
business intentions
system requirements
business structure
legal and contractual mandates
customer and other interested parties' expectations
risk management vulnerabilities
corrective actions from previous audits

Graphic of ITGC controls. — IT general controls, or ITGC, audits incorporate objectives that span a variety of IT departments.

Preparing an audit program

Audit program details are based on an organization's unique needs. Plan preparation will consider the relevant regulatory deadlines, staff requirements, the reporting structure and overall goals.

Audit goals take into account how a company will maintain regulatory compliance using risk assessment and management procedures. The audit program also includes a timeline detailing when specific aspects of the program take place and how to prioritize them.

Audit program planning is usually a continual and iterative process. During planning and development, companies build on lessons learned from previous audits. They also implement new best practices that alleviate risk and maintain compliance.

Audit development guidelines and best practices vary by industry. Local and regional auditing certifications are available, as are internationally recognized ones, such as the following:

the Certified Internal Auditor designation offered by the Institute of Internal Auditors;
the Certified Information Systems Auditor designation offered by the Information Systems Audit and Control Association; and
International Register of Certificated Auditors membership.

Types of audit programs

A number of different types of audit programs exist.

Standardized audit programs

These audit programs are available for many different industries and are used proactively to help organizations create their own internal compliance framework and internal audit program.

For example, the International Federation of Accountants publishes financial audit standards called the International Standards on Auditing. A standardized audit program is different from a fixed audit program, which is defined as an audit program that cannot be changed during the course of an audit.

Tailored audit programs

Tailored audit programs incorporate procedures designed to match the needs of the auditing entity. These programs are customized to reference specific areas, such as business procedures, financial statements, legal documents and assets. Tailored programs target specific requirements, letting companies more easily identify compliance lapses and develop internal controls to offset them.

Compliance audit programs

A compliance audit program outlines how an organization adheres to regulatory guidelines. The details of these programs vary, depending on whether an organization is public or private, what kind of data it handles, if it transmits or stores sensitive financial data and similar factors. Audit programs can be internal or external audits. Compliance audits are often carried out by an external auditor.

The following are examples of compliance audit programs:

Graphic comparing external and internal audits. — Outside auditors often conduct compliance audits to see if an organization is complying with industry standards or government regulations.

The Sarbanes-Oxley Act requires that electronic communication be backed up and secured with disaster recovery infrastructure.
The Payment Card Industry Data Security Standard (PCI DSS) mandates financial services companies that transmit credit card data to comply with its requirement.
Publicly traded U.S. companies must report results of internal control audits to the Securities and Exchange Commission.

Advantages of an audit program

Audit plans offer advantages related to the following aspects of an audit.

Scope. A preestablished plan limits the scope of the audit work.
Cost effectiveness. A plan also limits the overall costs of an audit.
Communications. An established framework for carrying out an audit helps prevent misunderstandings between the client and auditor. Audit plans clearly communicate how the audit will be done, who the auditors are and when the audit will occur.
Trust. Audit processes that are clearly stated and accounted for help the client trust the auditor will do the job correctly.
Evidence. Audit plans help auditors obtain evidence for their findings.
Efficiency. Plans help teams carry out work efficiently and mitigate potential problems.

Disadvantages of an audit program

Audit plans also have disadvantages and challenges.

Generality. Some clients may have special needs that a preformatted audit strategy ignores or doesn't fully address. Revising the plan takes time and might undermine the client's trust in the auditor.
Update. Strategies and standards that underlie an audit plan can go out of date and require the plan to be updated. For example, if the PCI Security Standards Council, or PCI SSC, changes PCI DSS compliance requirements, then audit plans surrounding the PCI DSS must be updated to encompass the changes.
Rigidity. A plan sets goals and agreed-upon procedures for what the audit staff must accomplish. Audit staff may not be compelled to go beyond the requirements laid out in the plan or use procedures that don't apply to the plan's goals. They might also be discouraged from using creative or critical thinking when following the automated procedures in the plan.

IT general controls audits are a good place for organizations to start looking to take a broad survey of their IT capabilities. Explore this ITGC audit template and downloadable checklist to help assess various risks to IT operations and company infrastructure.

This was last updated in February 2023

Continue Reading About audit program (audit plan)

How to conduct a cybersecurity audit based on zero trust

How to conduct an IoT audit for compliance

What does your backup and recovery audit checklist need?

Tips to prepare for a network disaster recover audit

What is BCDR? Business continuity and disaster recovery guide

Dig Deeper on Risk management and governance

Cloud Computing

Explore CASB use cases before you decide to buy
CASB tools help secure cloud applications so only authorized users have access. Discover more about this rapidly evolving ...
10 cloud vulnerabilities that can cripple your environment
Enterprises can be devastated by security-related weaknesses or flaws in their cloud environments. Find out where you are most ...
Learn the basics of industry cloud platforms
Healthcare, finance and other specialized industries can ask a lot of cloud services. Find out more about industry cloud ...

Mobile Computing

Simplify mobile app development for the enterprise
Without the right resources, mobile app development can be challenging. Find out how to start the process and the best tools to ...
4 types of mobile security models and how they work
Learn about the different mobile security models that organizations can choose from and how vendors combine cloud-based threat ...
The ultimate guide to mobile device security in the workplace
Mobile devices provide connectivity for employees to access business data and communicate with colleagues, but these unique ...

Lenovo, AMD broaden AI options for customers
Lenovo is expanding its partnership with AMD to bring more options for servers and HCI devices aimed at AI. It also launched an ...
Infrastructure for machine learning, AI requirements, examples
Infrastructure for machine learning, deep learning and AI has component and configuration requirements. Compare hardware and how ...
Dell partners with Intel, releases file storage for Azure
With the recent Intel and Azure partnerships, Dell continues to expand its on-premises options for AI while expanding its Apex ...

Sustainability
and ESG

Green IT audit: What it is and how to prepare
A green IT audit uses standards to help companies understand the ways an organization's tech practices affect the environment. ...
Businesses need to prepare for SEC climate rules, EU's CSRD
While the SEC's new climate rules and the EU's CSRD are both facing delays, businesses still need to identify methods for ...
A green IT assessment: Why it's important, what to include
A company's technology systems and devices can have a profound effect on sustainability efforts. Learn how a green IT assessment ...

Close