By Gary Drake and Michael Kerrigan

Many large and successful companies have recently suffered accounting scandals that, in some cases, threatened their very existence. Surprisingly, these firms' fraudulent practices occurred under the watchful eye of leading public accounting firms.

The loss of billions of dollars in shareholder wealth has led to sweeping legal changes. New regulations, such as the USA Patriot Act (2001) and the Sarbanes-Oxley Act of 2002, redefine proper accounting, financial controls, and reporting requirements. When fraud occurs, these laws now hold a company's senior managers and board of directors personally liable.

If you are an audit firm in this new environment, the new laws hold you more accountable, too. You can face severe penalties for failure. As a result, you might need to take another look at how your firm conducts audits.

Analyze the company and the industry

When planning an audit, you need to begin by looking at your client's business and its industry. You can prevent inaccurate or fraudulent accounting practices only after you truly understand your clients' business risks.

It's important to use multiple sources to stay abreast of political and economic events that can affect your clients. You can monitor industry-specific trends through industry conferences and trade publications.

When major events occur, you need to quickly assess the potential effects on your client's business and on the audit process, and then you need to review your findings with your client's management team.

You also need to collect information about the client company's internal practices. Arrange to meet with your client's management team to review any process or system changes that might affect the audit. Determine the potential impact of major corporate events such as:

• Restructurings
• Management changes
• Product shifts
• Large increases in sales
• Significant employee turnover
• New business initiatives

Consider using technology to help you identify areas of risk. For example, you might use database tools to identify specific events that need closer monitoring, such as a sharp increase in customer returns or small transactions.

Analyze the business unit

When targeting a specific business unit, your audit team needs to gather various levels of data about the business. Good sources of information include:

• Organizational charts
• System and process flow charts
• Employee profiles
• Customer profiles
• Supplier profiles
• Vendor profiles
• Supporting documentation for current initiatives

You can also use questionnaires to gather company data from the management team and company employees. Questionnaires help you initiate discussions with company personnel and can help you identify risks so that you can further tailor the auditing process.

Identify the deliverables

Recent regulatory changes have had a huge impact on reporting requirements. Because of these changes, you must now identify, in advance, exactly what your completed audit will deliver.

For example, if your audit focuses on compliance reviews, it needs to include the filing of regulatory documentation. But if you are performing a more traditional audit, you need to focus more on policies, financial controls, and GAAP compliance. Knowing the expected deliverables for your audit can help you determine its focus, timing, level of detail, and expected duration.

Identify the audit scope

After you have assessed the organization and defined the audit's deliverables, you can start creating the scope document. This document clearly defines:

• Roles and responsibilities
• Personnel requirements
• System requirements
• Audit procedures
• Milestone dates

The scope document also helps define how much the client will be involved in the audit.

To avoid confusion during the audit, summarize the scope document for your client's management team.

Identifying the exact scope of the audit keeps you from being distracted with issues that do not immediately relate to the current audit. In the course of the audit process, make note of issues that fall outside the current scope so that you can address them later.

Develop a project plan

A successful audit requires a thorough project plan. Developing a plan forces you to analyze the audit's scope and deliverables. This analysis, in turn, helps you define detailed task lists, potential project phases, time frames, and resulting resource needs.

• Establish milestones  

  Project milestones can help you monitor the audit process. Setting up milestones is especially important for large-scale audits that might depend on multiple constituents.

• Include project and schedule details  

  Your plan should include detailed tasks, roles and responsibilities, and critical dependencies. It should also highlight checkpoint meetings and critical target dates.

• Identify documentation standards  

  Defining standards for how your team will document the audit is another important part of the project plan. You need to plan a central location for housing sample templates, completed testing scripts, and other documents.

  In addition, you can ensure a smoother review and approval process by using a project management tool that helps you manage workflow and define your approval hierarchy.

• Change the plan as needed  

  Distribute the audit project plan to the key people involved for review and potential revision. After the audit begins, this document becomes dynamic. As issues arise during the audit, you need to update the project plan to keep it current.

For an example of an audit project plan, click "Audit preparation process" in the More information section of this article.

Conduct ongoing planning and analysis

At the end of an audit, it's wise to conduct reviews of the audit team's performance. You can use such reviews to re-evaluate the approach and scope of the audit and to identify areas for improvement. It's also wise to take time to archive your completed project plans and supporting documentation so that you can use this information in subsequent audits.

Successful audit planning does not end when the audit does. As regulations change, you must continually adjust your auditing methods.

About the authors   Gary Drake is a managing associate and Michael Kerrigan is a principal with Beacon Consulting Group, Inc., in Boston, Massachusetts. Beacon specializes in providing operational and strategic consulting services to the investment management industry.