How to use this template

The template structures the six foundational dimensions of risk-based annual internal audit planning, consistent with IIA Standards 2010 (Planning) and 2020 (Communication and Approval) and with the expectations of audit committees in listed entities. How each dimension is filled in depends on the organisation's size, complexity, and internal audit charter.

01

Audit universe construction

  • Define the complete audit universe: business processes, functions, entities, locations, systems within scope of internal audit's charter
  • Group audit universe items into logical audit units: processes that would form a coherent audit engagement
  • For each audit unit, document: scope, owner, applicable regulations, supporting systems, recent audit history (internal or external)
  • Identify audit universe items currently outside the rotation but that should be considered (greenfield activities, recent acquisitions, new compliance regimes)
  • Review audit universe completeness at least annually; substantive changes (acquisitions, divestitures, organisational restructures) trigger interim updates

02

Risk assessment

  • For each audit unit, assess inherent risk: nature and significance of the underlying activity, regulatory complexity, financial materiality, reputational exposure
  • Assess control environment maturity: prior audit findings, management self-assessment, recent control changes, indicators of control degradation
  • Combine inherent risk and control maturity into residual-risk assessment: typically rated high / medium / low or on a numerical scale
  • Consider qualitative factors that risk scoring alone may miss: audit committee priorities, regulatory focus areas, recent industry events, whistleblower or complaint signals
  • Document the risk assessment methodology: how scores are derived, how qualitative considerations are weighted, who is involved in the assessment
  • Refresh the risk assessment at least annually; substantial events affecting the risk profile trigger an interim reassessment

03

Audit selection and prioritisation

  • Define the planning horizon: typically annual plan with three-year strategic outlook
  • Apply risk-based selection: high-risk audit units audited annually or biennially; medium-risk units on three- to five-year cycles; low-risk units on longer cycles or specific-trigger basis
  • Include audits required by regulation or by audit committee mandate regardless of risk-based prioritisation
  • Reserve capacity for: unplanned audits in response to emerging issues; assurance over remediation of significant prior findings; advisory work the function provides
  • Document the basis for inclusion or exclusion of each audit; provide audit committee with visibility into what is and is not being audited and why
  • Balance the plan across coverage dimensions: business segments, geographic regions, risk categories, control types

04

Resource allocation

  • Estimate effort for each audit: scope it from the size and complexity of the audit unit and from prior audit history where available
  • Convert effort estimates into total planned hours; compare to available internal audit hours given staffing, skill mix, and non-audit obligations (training, administration, support work)
  • Identify resource gaps: audits the plan includes but resources cannot deliver in-house
  • Plan for filling gaps: external co-sourcing, audit-specific consulting engagements, internal cross-training, hiring
  • Document resource assumptions explicitly in the plan; identify what the plan depends on and what would change if assumptions do not hold
  • Plan capacity utilisation realistically: chargeable utilisation rates for audit functions typically range from 65% to 75%, depending on function structure

05

Audit committee approval

  • Prepare audit plan presentation for audit committee: audit universe summary, risk assessment methodology and outputs, proposed plan, resource allocation, dependencies and risks to plan
  • Provide audit committee with visibility into what is not being audited and why: the audit committee needs to confirm the omissions are acceptable as well as the inclusions
  • Address audit committee priorities explicitly: any topics the audit committee specifically wants addressed; how these are reflected in the plan
  • Obtain audit committee approval of the plan; document approval with the plan documentation
  • Establish a reporting cadence for plan execution: each scheduled audit committee meeting receives an update on audits in progress, completed, delayed, and added

06

In-year governance

  • Track plan execution against schedule monthly or quarterly: planned vs actual completion, hours spent vs budget, findings emerging from completed audits
  • Document plan deviations with rationale: audits delayed, audits added in response to emerging risk, audits removed where coverage no longer justified
  • Communicate material deviations to the audit committee at the next scheduled meeting; do not surprise the audit committee with a plan that bears little resemblance to what was approved
  • Conduct interim risk reassessment if material risk-environment changes arise: substantial regulatory developments, major operational changes, significant control failures
  • At year-end, document plan execution vs approved plan; analyse coverage gaps and prepare next-year plan recommendations informed by current-year execution
  • Provide audit committee with year-end summary including: plan execution percentage, key findings themes, control environment posture, recommendations for following year

For deeper treatment

See the related insight "Internal audit charter design for mid-sized listed companies" for the foundational charter design that supports substantive annual planning.