Audit program (audit plan)

An audit program, also called an audit plan, is an action plan that documents what procedures an
auditor will follow to validate that an organization is in conformance with compliance regulations.

The goal of an audit program is to create a framework that is detailed enough for any outside auditor to
understand what official examinations have been completed, what conclusions have been reached and
what the reasoning is behind each conclusion. The framework should explain the audit's objectives, its
scope and its timeline. The audit program should also describe how working papers -- the documented
evidence of the audit -- will be collected, reviewed and reported.

Objectives of audit programs

When developing an audit program, the internal auditor and its associated audit team should start with
outlining the audit's objectives, goals and obligations.

Audit program objectives help direct planning of the audit report and are based on the policies,
procedures and guidelines unique to the company. These objectives may relate to and outline how the
auditors will maintain efficiency, professionalism and a specific code of conduct during audit procedure.

In addition to relevant regulatory compliance mandates, objectives for audit programs should consider
aspects such as management priorities, business intentions, system requirements, business structure,
legal and contractual mandates, the expectations of customers and other interested parties, potential
risk management vulnerabilities, and any corrective action taken based on previous audits.

Preparing an audit program

Audit program details are specific to individual organizations based on their unique needs, but audit plan
preparation will consider the audit's relevant regulatory deadlines, staff requirements and reporting
structure, and overall goals. In particular, these goals will consider how the company will maintain
regulatory compliance via risk assessment and management procedures. The audit program should also
include a timeline detailing when specific aspects of the audit program should take place and how they
should be prioritized.

Audit program planning is usually a continual and iterative process. During audit planning and
development, companies can build on lessons learned from previous audits by implementing newly
learned best practices that alleviate risk and maintain compliance. Audit development guidelines and
best practices vary by industry, but local and regional auditing certifications are available, as are
internationally recognized audit certifications. These certifications include Certified Internal Auditor and
Certified Information Systems Auditor, and membership in the International Register of Certificated
Auditors.

Types of audit programs

Different types of audit programs include standardized audit programs, tailored audit programs and
compliance audit programs. Standardized audit programs, which are available for many different
industries, can be used proactively to help an organization create its own internal compliance
framework and internal audit program. For example, the International Federation of Accountants
publishes financial audit standards called the International Standards on Auditing. A standardized audit
program is different than a fixed audit program, which is defined as an audit program that cannot be
changed during the course of an audit.

What are the essential characteristics of modern, digitized organizations' audit programs?

Tailored audit programs are different from standardized audit programs in that they cater audit
procedures to match specific needs of the auditing entity. These audit programs are "tailored" to
reference specific areas such as business procedures, legal documents and assets. By targeting these
specific requirements through tailored audit programs, the company can more quickly identify potential
compliance lapses and develop internal controls to offset these vulnerabilities.

A compliance audit program outlines how an organization will adhere to regulatory guidelines. The
details of compliance audit program will vary depending upon factors such as whether an organization is
a public or private company, what kind of data it handles and if it transmits or stores sensitive financial
data. For instance, Sarbanes-Oxley Act requirements state that electronic communication must be
backed up and secured with disaster recovery infrastructure, while financial services companies that
transmit credit card data are subject to Payment Card Industry Data Security Standard (PCI DSS)
requirements. In the Unites States, publicly traded companies must report results of internal control
audits to the Securities and Exchange Commission (SEC). In each case, an organization's audit program
outlines how the company will maintain compliance with regulatory compliance rules.

Difference Between Audit Plan and Audit Programme

Audit Plan refers to the scheme formulated by the auditor that comprises of strategy or approach, that
is followed for carrying out audit. On the other hand, audit programme implies a range of verification
procedures, which are applied to the final accounts, to acquire audit evidence, and thus helping auditor
in providing an informed opinion.

While conducting the audit, the auditor requires evidence, in support of his opinion. A collection of
evidence is the beginning of the auditing process. And to do so, an auditor, drafts a proper sketch of
work, along with the techniques. Audit Plan and Audit Programmes are the two major tools used by the
auditor for this purpose.

To a layperson, there is no difference between these two, but the fact is there is a fine line of
demarcation amidst audit plan and audit programme, which we’ve compiled in the given article. Have a
look.