The Institute of Internal Auditors requires that the chief audit executive establish risk-based plans that drive internal audit activity. Audit planning is a process that identifies all business areas; assesses the risk of each using a standard methodology; and uses available audit and financial resources to determine which audits will be performed during a year.
Once planning is complete, a written internal audit plan should be developed and communicated to management. The plan should include background information; a summary of the risk rating methodology and staffing allocations; and audit plan details.
Include a summary of the document's purpose to explain to readers what an internal audit plan is and what makes it useful. The St. Louis Federal Reserve Bank indicates that the audit plan can be used by executive management to oversee both the business's and the audit department's performance during the year.
Include the internal audit department's mission statement and objectives.
Explain how the audit plan was developed. It is usually based on a standardised risk assessment; discussions with management; evaluations of prior audit results; inclusion of audits mandated by regulatory bodies or parent companies; and management requests.
Provide a summary of the company's background, regulatory environment and current operations as an aid to readers unfamiliar with the business.
Describe the methodology used by the audit department to assign risk to individual audit areas or businesses. Risk rating will usually involve assessments of quantitative risk areas such as credit or financial risk, along with evaluations of less tangible risk areas such as staffing, strategic importance and legal risk.
Describe the structure of the internal audit department, providing organisation charts as needed. Include explanations of available time, documenting hours available for audit work during the year and explaining the difference between available hours and working hours (most audit departments exclude vacation, holiday and administrative time from available-hour calculations).
Document significant changes in the internal audit department's structure or personnel since the last audit plan, or changes that are planned for the coming year.
Provide a summary of the backgrounds of key audit personnel, if appropriate.
Provide a brief description of each audit planned for the year, including scheduled audit hours and general audit scope.
Include a list of all auditable areas and document the department or business's risk rating, date of the last audit, audit result, hours used during the audit, and planned dates and audit hours for future audits. This list demonstrates how risk ratings and prior audit history influence the future audit schedule.
Compare the previous year's audit resource allocation for each auditable area with the coming year's allocation, using a pie chart or bar graph, to demonstrate how audit focus will change. Provide an explanation for significant deviations.