ABSTRACT
As I have discussed in past articles, internal audit efforts must be risk-based and contribute to the long-term assurance needs of the organization and its board. A formal risk-assessment audit must be completed at least annually and the results of that assessment should direct audit priorities. Periodic updates throughout the year are also highly recommended. Over time, a focus on short-term results (quarterly financial results, meeting current regulatory requirements, etc.) has driven the priorities of management and consequently the organization toward a short-term perspective. Similarly, internal auditing’s efforts has commonly moved toward this short-term focus, boiling down priorities to whichever audits the company needs to complete in the immediate quarter or two. During the challenging business environment period some would say it is not a good time to refocus sights on the long-term horizon. I disagree. For example, knowing what the organization want to achieve in the next two to five years, and what does it need to do to get there, is critical to success! Certainly, each organization will have different goals, objectives, issues, and challenges, and no single “standard” long-term internal audit plan will work; but I took a shot at it anyway, and present the results in this article.
Disclosure statement
No potential conflict of interest was reported by the author.
Further Readings
Practice Guide: Developing the Internal Audit Strategic Plan. Retrieved from
20 Questions Directors Should Ask About Internal Audit. Retrieved from
SWANSON on Internal Auditing—Raising the Bar. Retrieved from
https://www.itgovernanceusa.com/shop/product/swanson-on-internal-auditing-raising-the-bar
Federal Financial Institutions Examination Council. Retrieved from
Effectively Implementing the Government Performance and Results Act. Retrieved from
http://www.gao.gov/archive/1996/gg96118.pdf
Improving Mission Performance Through Strategic Information Management and Technology. Retrieved from http://archive.gao.gov/t2pbat3/151707.pdf
Additional information
Notes on contributors
Dan Swanson
Dan Swanson is a 40-year internal audit and information security veteran, who was formerly the director of professional practices at the global office of the Institute of Internal Auditors. Swanson has completed audit and security projects for more than 35 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors. He has completed more than 100 IT audits and a dozen comprehensive audits of the information technology function. He is the author of more than 150 articles on internal auditing and other management practices. In 2010 Dan published his first book, Swanson on Internal Audit: Raising the Bar. Over the past five years Dan has also been series editor for Auerbach’s IT Audit and Internal Audit book initiative with 24 books having been published to date, and with 8 more currently in development. https://www.crcpress.com/Internal-Audit-and-IT-Audit/book-series/CRCINTAUDITA. He can be reached at [email protected].