By: Arif Zaman, Group Internal Audit Manager, ACCA, CIA, CPA, CISA, CFE, CCSA, CRMA, CRBA and CGA.



One would think that the most important step of the internal audit process is conducting the audit. Experience and research show otherwise, since there is a long and rigorous process to go through before the audit execution phase is reached. This brings me to the point of this article: the most important step in the process is the planning phase. The whole internal audit process is heavily reliant on proper planning taking place.

The Chief Audit Executive (CAE) must effectively manage the internal audit activity to ensure it adds value to the organization[1]. Value is added to the organization and its stakeholders when internal audit considers strategies, objectives and risks in order to enhance governance, risk management and control processes, and objectively provides relevant assurance on how effectively they are functioning. These aspects normally come up during the annual planning phase of the internal audit process.

[1] International Standards for the Professional Practice of Internal Auditing – 2000 – Managing the Internal Audit Activity

Annual planning

The CAE must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals[1]. The purpose of annual audit planning is to ensure that the audit work is relevant to the organization’s needs and adds value towards the achievement of its objectives. It also helps in making better use of limited audit resources.


There is a common belief that the annual audit planning process is time-consuming and costly, when in reality most internal auditors would agree that the benefits far exceed the cost and time spent on it. As the saying goes, “By failing to prepare, you are preparing to fail”. In the following points, I will share with you the steps that make up the annual internal audit planning process.

[1] International Standards for the Professional Practice of Internal Auditing – 2010 – Planning



Step 1. Audit Universe

Before embarking on the risk assessment, it is important to break the organization down into auditable areas. This should include all the businesses, regions and functions that make up the organization, in a systematic order. It can be done through any of the following approaches:

  • Geography: subsidiaries and sister companies can be categorized by geographic region.
  • Industry: if the organization operates in diverse industries and sectors, it can be classified by industry or sector.
  • Function, Process, Service or Product: the organization can be classified by function, process, service or product.


The audit universe is a collaborative effort between the key business stakeholders and the internal audit function. The Internal Audit Department (IAD) needs to update the audit universe for any structural changes that have taken place within the organization. Upon completion of the audit universe, the IAD is ready to proceed with the annual risk assessment phase, since it now has clarity on which areas or functions it needs to assess for risks and controls.

Step 2. Risk Assessment

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process[1].

The risk assessment is the most challenging stage in the annual planning process. The first element the auditor needs to assess is the organization’s risk maturity.

Risk Mature Organization: if the organization clearly operates a three lines of defense model, with functions in place for the management of risk, controls, compliance, fraud and quality, then input needs to be collected from all these functions as part of the risk assessment process.

In a risk mature organization these functions are operating as intended. Moreover, they have a defined risk appetite (the amount of risk an organization is willing to accept to achieve its objectives), risk registers (detailing business risks) and a robust ethical framework in place, to strengthen the overall control environment.

Risk Immature Organization: if none of the aforementioned lines of defense are in place, then a more detailed risk assessment needs to be conducted, since the IAD would not have those points of reference to rely on when collecting risk-related information.

In this situation, which applies to many organizations, it is recommended that the IAD collect risk input from each functional head. Several tools can be used in this process, such as surveys and questionnaires, meetings and interviews, and reviews of management reports.

The IAD needs to record all the key risks and map them against each auditable area in the audit universe.

Regardless of the organization’s risk maturity, the IAD is also expected to review other sources of information, such as:

  • Industry/sector risks
  • External factors (internal auditors can use techniques such as PEST and SWOT analysis)
  • Compliance/regulatory risks
  • Previous internal audit reports
  • Where available, management reports from second-line functions, such as the risk, compliance and fraud functions
  • Any other external input, e.g. subscription resources such as KnowledgeLeader or board-level executive briefings

In carrying out the risk assessment there are certain standard requirements that the IAD must take into consideration. The risk assessment must be documented, and internal auditors must have sufficient knowledge to evaluate the risk of fraud[2] and key information technology risks[3]. Moreover, the internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, the organization’s risk management processes[4].

Step 3. Alignment of Risks with the Strategic Goals and Objectives

The IAD must be alert to the significant risks that might affect objectives, operations, or resources[5].

Once the IAD has identified the business risks, these should be aligned with the organization’s strategic goals and objectives and assessed in terms of their probability of occurring (likelihood) and their consequences (impact), to arrive at an overall rating. Risks can be rated either qualitatively (High, Medium or Low) or quantitatively, by assigning each risk a score, typically likelihood multiplied by impact, net of the mitigating effect of existing controls (residual risk).

Step 4. Risk Prioritization

Based on the rating, most of the high-rated risks and some of the medium-rated risks are prioritized for audit. A few medium and low-rated risks are also included, because risk assessment involves a degree of subjectivity; the final selection is determined by the IAD based on professional judgement.



[1] International Standards for the Professional Practice of Internal Auditing 2010.A1 – Planning

[2] 1210.A2 – Proficiency

[3] 1210.A3 – Proficiency

[4] 2120 – Risk Management

[5] 1220.A3 – Due Professional Care

Step 5. Formalize Internal Audit Plan

Once the previous phases are complete, the IAD has a clear idea of the risk areas that matter to the organization and its management. Based on that, the process of formalizing the Annual Internal Audit Plan begins. The plan can sometimes span more than one year. It specifies which areas will be audited during the year and details the execution period(s), normally on a quarterly basis.

The formalized audit plan is presented to the Board Audit Committee for review and recommendations. Input from senior management and the Board must be considered in this process[1]. The IAD should also identify any pervasive audit needs requested by the Board or senior management and take them into account, subject to the available resources and the internal auditors’ professional judgement. The Chief Audit Executive must also communicate the impact of any resource limitations[2].

The annual audit plan will vary according to the organization’s needs and requirements. The IPPF specifies only certain criteria and guidelines for the annual planning process, which set the minimum requirements. Some organizations add audits based on criteria other than risk, such as areas subject to change, mandatory audits, or audits requested by management. The steps highlighted above can be used as a guide to facilitate the annual audit planning process.
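As an added worked example (this script is not part of the original article and is not a methodology prescribed by the IPPF), the following Python code carries Steps 1 to 5 through on constructed sample data: it maps risks to auditable areas in a small audit universe, scores each risk as likelihood multiplied by impact and nets off existing controls to get a residual score, bands the scores as High/Medium/Low, and then selects areas into a quarterly plan until an audit-day budget runs out, with mandatory audits placed first. The 5-point scales, the band thresholds, the mitigation percentage, the day budget and every area and risk named below are assumptions chosen for illustration. Areas in the universe that end up with no risk mapped to them are reported separately, since a risk assessment that silently skips part of the universe is a common planning defect.

```python
"""Added example: score risks mapped to an audit universe and build a
resource-constrained annual audit plan. Scales, thresholds and data are
assumptions for illustration only, not the author's or the IPPF's method."""
from dataclasses import dataclass

# Assumed 5-point scales; the IIA standards do not prescribe these.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
QUARTERS = 4


@dataclass(frozen=True)
class Risk:
    name: str
    area: str            # auditable area from the audit universe (Step 1)
    objective: str       # strategic objective the risk threatens (Step 3)
    likelihood: str
    impact: str
    mitigation_pct: int  # assumed: how much existing controls reduce the risk, 0..100

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        # Residual risk = inherent risk net of the effect of existing controls.
        return round(self.inherent_score() * (100 - self.mitigation_pct) / 100, 2)


def rate(score: float) -> str:
    """Qualitative band for a score on the 1..25 scale (assumed thresholds)."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def area_scores(universe, risks):
    """Map each auditable area to the highest residual score among its risks.
    Areas with no mapped risk keep None so that coverage gaps stay visible."""
    scores = {area: None for area in universe}
    for r in risks:
        if r.area not in universe:
            raise ValueError(f"risk {r.name!r} maps to unknown area {r.area!r}")
        current = scores[r.area]
        scores[r.area] = r.residual_score() if current is None else max(current, r.residual_score())
    return scores


def build_plan(universe, risks, budget_days, mandatory=()):
    """Select areas in priority order until the audit-day budget is exhausted.

    universe: {area: estimated audit days}. Mandatory areas (e.g. regulatory or
    Board-requested audits) are planned first regardless of rating.
    Returns (plan, unplanned_areas, areas_with_no_risk_mapped).
    """
    scores = area_scores(universe, risks)
    ranked = sorted(
        (a for a in universe if scores[a] is not None or a in mandatory),
        key=lambda a: (a not in mandatory, -(scores[a] or 0), a),
    )
    plan, unplanned, remaining = [], [], budget_days
    for area in ranked:
        days = universe[area]
        if days > remaining:
            unplanned.append(area)  # candidate for next year or for a resource request
            continue
        score = scores[area]
        plan.append({"area": area, "score": score,
                     "rating": rate(score) if score is not None else "Mandatory",
                     "days": days, "quarter": len(plan) % QUARTERS + 1})
        remaining -= days
    gaps = sorted(a for a in universe if scores[a] is None)
    return plan, unplanned, gaps


UNIVERSE = {  # constructed sample: auditable area -> estimated audit days
    "Finance - Payments": 20,
    "IT - Access Management": 15,
    "Procurement": 15,
    "HR - Payroll": 10,
    "Marketing": 8,
}

RISKS = [  # constructed sample risks, each mapped to an auditable area
    Risk("Privileged access not reviewed", "IT - Access Management",
         "Protect customer data", "likely", "major", 25),
    Risk("Phishing-led payment fraud", "Finance - Payments",
         "Safeguard assets", "likely", "severe", 40),
    Risk("Duplicate supplier payments", "Finance - Payments",
         "Safeguard assets", "possible", "moderate", 0),
    Risk("Vendor kickbacks", "Procurement", "Ethical sourcing", "unlikely", "severe", 50),
    Risk("Ghost employees on payroll", "HR - Payroll", "Safeguard assets", "possible", "major", 50),
]

if __name__ == "__main__":
    plan, unplanned, gaps = build_plan(UNIVERSE, RISKS, budget_days=50, mandatory={"HR - Payroll"})
    for e in plan:
        print(f"Q{e['quarter']}: {e['area']:<24} {e['rating']:<8} score={e['score']} days={e['days']}")
    print("Not planned within budget:", unplanned)
    print("Universe areas with no risk mapped:", gaps)
```

With the sample data, the payroll audit is placed first because it is mandatory, the two High-rated areas follow, Procurement does not fit in the remaining five days and is reported as unplanned (the input for the resource-limitation communication under Standard 2020), and Marketing is flagged as an area the risk assessment never reached.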

The IAD’s credibility and value are enhanced when it is proactive and its evaluations offer new insights and consider future impact. The purpose of audit planning is to make the IAD more effective in contributing to the improvement of the organization’s governance, risk management and control processes, through a systematic, disciplined and risk-based approach[3].

[1] 2010.A1- Planning

[2] 2020 – Communication and Approval

[3] 2100 – Nature of Work