Definition

audit program (audit plan)

By

Ben Lutkevich, Site Editor
Ben Cole, Executive Editor
Aislyn Fredsall

Published: Feb 03, 2023

What is an audit program?

An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate that an organization is in conformance with compliance regulations.

The goal of an audit program is to create a framework detailed enough for any outside auditor to understand. It should contain the following information:

the official examinations that have been completed;
conclusions reached; and
the reasoning behind each conclusion.

The framework explains the audit's objectives, scope and timeline. The audit program should also describe how working papers -- the documented audit evidence -- will be collected, reviewed and reported.

Objectives of audit programs

When developing an audit program, the internal auditor and the associated audit team members should first outline the audit's objectives, goals and obligations.

Audit program objectives help direct planning of the audit report and are based on the policies, procedures and guidelines unique to the company. These objectives may relate to how the audit committee will maintain efficiency, professionalism and a specific code of conduct during the audit procedure.

In addition to relevant regulatory compliance mandates, objectives for audit programs should consider and incorporate the following:

management priorities
business intentions
system requirements
business structure
legal and contractual mandates
customer and other interested parties' expectations
risk management vulnerabilities
corrective actions from previous audits

Graphic of ITGC controls. — IT general controls, or ITGC, audits incorporate objectives that span a variety of IT departments.

Preparing an audit program

Audit program details are based on an organization's unique needs. Plan preparation will consider the relevant regulatory deadlines, staff requirements, the reporting structure and overall goals.

Audit goals take into account how a company will maintain regulatory compliance using risk assessment and management procedures. The audit program also includes a timeline detailing when specific aspects of the program take place and how to prioritize them.

Audit program planning is usually a continual and iterative process. During planning and development, companies build on lessons learned from previous audits. They also implement new best practices that alleviate risk and maintain compliance.

Audit development guidelines and best practices vary by industry. Local and regional auditing certifications are available, as are internationally recognized ones, such as the following:

the Certified Internal Auditor designation offered by the Institute of Internal Auditors;
the Certified Information Systems Auditor designation offered by the Information Systems Audit and Control Association; and
International Register of Certificated Auditors membership.

Types of audit programs

A number of different types of audit programs exist.

Standardized audit programs

These audit programs are available for many different industries and are used proactively to help organizations create their own internal compliance framework and internal audit program.

For example, the International Federation of Accountants publishes financial audit standards called the International Standards on Auditing. A standardized audit program is different from a fixed audit program, which is defined as an audit program that cannot be changed during the course of an audit.

Tailored audit programs

Tailored audit programs incorporate procedures designed to match the needs of the auditing entity. These programs are customized to reference specific areas, such as business procedures, financial statements, legal documents and assets. Tailored programs target specific requirements, letting companies more easily identify compliance lapses and develop internal controls to offset them.

Compliance audit programs

A compliance audit program outlines how an organization adheres to regulatory guidelines. The details of these programs vary, depending on whether an organization is public or private, what kind of data it handles, if it transmits or stores sensitive financial data and similar factors. Audit programs can be internal or external audits. Compliance audits are often carried out by an external auditor.

The following are examples of compliance audit programs:

Graphic comparing external and internal audits. — Outside auditors often conduct compliance audits to see if an organization is complying with industry standards or government regulations.

The Sarbanes-Oxley Act requires that electronic communication be backed up and secured with disaster recovery infrastructure.
The Payment Card Industry Data Security Standard (PCI DSS) mandates financial services companies that transmit credit card data to comply with its requirement.
Publicly traded U.S. companies must report results of internal control audits to the Securities and Exchange Commission.

Advantages of an audit program

Audit plans offer advantages related to the following aspects of an audit.

Scope. A preestablished plan limits the scope of the audit work.
Cost effectiveness. A plan also limits the overall costs of an audit.
Communications. An established framework for carrying out an audit helps prevent misunderstandings between the client and auditor. Audit plans clearly communicate how the audit will be done, who the auditors are and when the audit will occur.
Trust. Audit processes that are clearly stated and accounted for help the client trust the auditor will do the job correctly.
Evidence. Audit plans help auditors obtain evidence for their findings.
Efficiency. Plans help teams carry out work efficiently and mitigate potential problems.

Disadvantages of an audit program

Audit plans also have disadvantages and challenges.

Generality. Some clients may have special needs that a preformatted audit strategy ignores or doesn't fully address. Revising the plan takes time and might undermine the client's trust in the auditor.
Update. Strategies and standards that underlie an audit plan can go out of date and require the plan to be updated. For example, if the PCI Security Standards Council, or PCI SSC, changes PCI DSS compliance requirements, then audit plans surrounding the PCI DSS must be updated to encompass the changes.
Rigidity. A plan sets goals and agreed-upon procedures for what the audit staff must accomplish. Audit staff may not be compelled to go beyond the requirements laid out in the plan or use procedures that don't apply to the plan's goals. They might also be discouraged from using creative or critical thinking when following the automated procedures in the plan.

IT general controls audits are a good place for organizations to start looking to take a broad survey of their IT capabilities. Explore this ITGC audit template and downloadable checklist to help assess various risks to IT operations and company infrastructure.

Continue Reading About audit program (audit plan)

How to conduct a cybersecurity audit based on zero trust

How to conduct an IoT audit for compliance

What does your backup and recovery audit checklist need?

Tips to prepare for a network disaster recover audit

What is BCDR? Business continuity and disaster recovery guide

Dig Deeper on Risk management and governance

Search Cloud Computing

Beyond replacement: How AI is enhancing PaaS offerings
AI is transforming PaaS with automation and cost-efficient features, but will it eventually replace cloud platforms? Industry ...
The cloud's role in PQC migration
Even though Q-Day might be several years away, enterprises should develop a strategic plan to prepare for the future. Experts ...
Prioritize security from the edge to the cloud
Businesses can find security vulnerabilities when they push their workloads to the edge. Discover the pitfalls of cloud edge ...

Search Mobile Computing

How to detect and fix a jailbroken iPhone
Jailbroken devices can give rise to security threats for users and organizations alike. Learn how to prevent, detect and remove ...
How to choose and set up a mobile VPN for an Android phone
A tailored approach to network security is crucial when managing smartphones in the enterprise. IT teams should consider Android ...
How to choose and set up a mobile VPN for an iPhone
Many users perform work tasks on their iPhones, relying on mobile VPNs to securely access corporate resources. Learn about VPN ...

Search Data Center

Data center migration: A best practices guide
Data center migrations can be complex. Follow this best practices guide to better understand the migration process and tools to ...
Meta, Google unveil massive AI data center investment plans
Meta and Google tout aggressive AI infrastructure investments focused on data center builds and power.
10 top AI hardware and chip-making companies in 2025
Due to rapid AI hardware advancement, companies release advanced products yearly to keep up with the competition. The new ...

Sustainability
and ESG

CO2 vs. CO2e: What is the difference and why does it matter?
Understanding the differences between CO2 and CO2e can help businesses more accurately understand the emissions they generate.
How to reduce corporate e-waste and why it matters
As companies have ramped up their use of tech, the amount of e-waste has grown. Find out how to address this important problem.
17 sustainability KPIs businesses track and what they measure
Key performance indicators are … well, key to making sure a company is hitting its objectives. And, in the area of ESG, there's ...

Close