An audit program is a set of policies and procedures that dictate how an evaluation of a business is done. This generally involves specific instructions as to what, and how much, evidence must be collected and evaluated, as well as who will collect and analyze the data and when this should be done. These types of programs are used to check up on things like a business' performance, finances, economy, and efficiency, and are generally tailored to a specific business or purpose.
Audit programs are important because they standardize the data collection and evaluation process. By setting out a specific list of steps to be followed and data to be collected, the program ensures that auditors collect all the information they need in an efficient manner while under appropriate supervision. Keeping the process standardized also means that all the data collected can be used to make useful comparisons between businesses, departments, and previous years' inspections, since the same set of data is collected each time. Additionally, having a program like this in place makes sure that any problems are discovered promptly and reported to the correct person.
There are many different types of audits, which can be categorized according to frequency or purpose. The program for each one is slightly different, and is usually tailored to fit the purpose of the inspection. For example, an audit program for an annual business-wide audit would be a lot broader and more in-depth than one for a project evaluation. Likewise, the program for a business process review, which is focused specifically on the efficiency of administrative departments in an organization, would be different from an integrated internal control framework review, which is focused on business risks. Organizations sometimes use audit program templates, but many also create their own programs based on the findings from previous inspections.
Most audit programs include instructions for risk assessment, the frequency of inspections, evaluation planning, a reporting structure, and security measures. Risk assessment is used to identify and analyze potential dangers for specific areas of the business, like failure to comply with laws or regulations, threats to a business' reputation, or financial fraud. This is usually done on a consistent basis to keep pace with changes to internal control and work processes. The level of risk found in an assessment is also used in choosing the frequency of the audit cycle, which is how often evaluations are done. Other factors that affect the frequency of reviews include the time people in a business have to perform them, as well as the number of staff a business can spare or hire to do them.
Audit programs also commonly include a reporting structure. This includes information about who a reviewer reports to if he or she finds a problem, how the report is to be made, and how long reports are kept on file. This ensures that problems don't get swept under the rug or lost in filing. Security measures are another important part of a program, since much of the data collected during evaluations is sensitive. Computer software used in this process is usually limited to auditing departments, and is almost always password protected. Businesses also review their audit software regularly to determine its reliability and overall efficiency, and change to another one if needed.
Another essential component of an audit program is planning. Although strategies are generally devised with respect to individual organizations, a well-rounded plan generally covers scheduling, staff needs, reporting, and the overall goals of the audit. Many organizations find that this planning is most efficient when the results of risk assessment are combined with the resources needed to determine the timing and frequency of inspections. Planning is generally the final step that takes place before the audit actually occurs.
Regulations and Certification
There are no worldwide laws or certifications for audit programs, but there are guidelines and best practices, such as the International Standards on Auditing (ISA), which are standards for financial audits published by the International Federation of Accountants (IFAC). In the US, some types of audit findings about companies that are publicly traded also have to be reported to the Securities and Exchange Commission (SEC), such as the way they evaluate their internal controls and whether those controls are effective.
There are many local and regional bodies awarding auditing certifications, as well as several internationally recognized certifications. Common certifications include Certified Internal Auditor (CIA) and membership in the International Register of Certificated Auditors (IRCA).