Pulling together a well rounded Internal Audit Annual Plan.

At the start of the year, we released our Guidance document on the Annual Planning process along with accompanying templates. You can visit our Guidance Hub for all the details on the Annual Planning process. Our Guidance document provides an overview of the end to end Annual Planning process, of which the Internal Audit Annual Plan is one of the stages.


The Internal Audit Annual Plan is a central document. It outlines the plan for the current year, where audit activity is going to be performed, and how this contributes to the bigger picture. It will be referred to numerous times throughout the year by the audit committee, executive, and audit team alike. Given this, it’s important that the document is not only easy to understand, but also provides sufficient detail for a multitude of audiences.


In this post, we will step through some of the key elements which should be included in your Internal Audit Annual Plan to ensure it meets the needs of various users and reflects the high quality work of the internal audit team.


Firstly, how did we get here?

Internal Audit end to end Annual Planning process

The end to end Annual Planning process.


As mentioned earlier, we have been walking through the annual planning process. You can see the end to end process in our Guidance Hub. We are currently at point 7 on the Annual Planning process diagram. To get to this point, we have considered our Internal Audit Charter and Internal Audit Strategy, reviewed our Audit Universe, understood and challenged the organisational strategy and any other external information, and have held multiple discussions with various stakeholders. Now that we have done each of these various steps, we have a finalised Annual Plan which has been collectively agreed with the senior management of the business. Finally, the plan will be presented to the Audit Committee for their ultimate approval before becoming the go to document for the rest of the internal audit team.


So what information needs to go into our Internal Audit Plan?

Similar to the Internal Audit Strategic Plan, the opportunities are endless for what you may or may not want to include in the Internal Audit Plan. Above all, there are a number of key rules to remember:

  • Keep it simple – don’t bury the reader in too much detail
  • Tell the story – explain what the document is, what we did to get here, and the benefit to the organisation
  • Be engaging – make sure the plan captures the reader’s attention and tells them something new, not what they already know. Audit is to add value as well as provide assurance.


Specific items which should be included in the Annual Plan include:

  • Audit Purpose (details from the Audit Charter and Audit Strategy);
  • Overview of the planning process;
  • Details of the Audit Universe;
  • Overview of current resourcing;
  • Overview of the audit plan (with more details included in the appendix); and
  • Overview of audit activity across the organisation, such as type of audits performed across each business area and historical audit activity across the business.


Each of our templates has been developed to be consistent, meaning you can take your favourite parts from the Internal Audit Strategic Plan or other annual planning documents and simply paste them into the Annual Plan.


When presenting the annual plan, be creative! Pages of text can often all blur into one and lose the reader’s attention. A few suggestions to add some flair to your audit plan include:

  • Use of graphs to tell the story;
  • Colours! Don’t make your plan a rainbow, but the use of colours can help brighten up pages and call out key areas;
  • Use infographics. For instance, if you have a business which operates internationally (or even across multiple locations in a country), dot where audit activity is going to be performed on a map. Alternatively, if it’s all based in one building, use an image of an office tower and highlight it to show audit activity across each area of the business (e.g. 20% of the building shaded blue for HR, 40% of the building shaded green for IT, etc.).
  • Provide background detail. Spelling out why we’re doing the audits can help ease any concerns or resistance with management about why audit needs to come into their area; and
  • Include team photos. Use this as an opportunity to promote the team and help build relationships between audit and the business.

An overview of our Internal Audit Plan template is included below as a guide to how your plan can be laid out.

This is only an extract of some pages from the template. To download an editable version of the Internal Audit Plan, please CLICK HERE.


The template uses a combination of both text and graphics. This is to not only keep the reader engaged, but to also help explain the process in a simple way without providing large amounts of text.

In addition to the above, you may wish to include some of the following items in your plan. Some of these are already included in this template, with other topics included in other templates such as the Annual Strategic Plan.

  • Overview of the audit universe;
  • List of previous audit activity;
  • Details of possible future risk areas and their inclusion in the annual plan;
  • Overview of the audit team and current resourcing; and
  • Maturity map – showing where we are now and where we want the business to be with regards to governance and controls.

Throughout this entire process, it is important that audit remains open to challenges on what the risk areas and challenges are within the business. It is because of this that adopting a transparent approach can assist in ensuring both management and the audit committee are on board and have bought into the current annual plan.


To download an editable version of the Internal Audit Annual Plan, please CLICK HERE.


Annual Planning can be a lengthy process, but it is critical that we don’t take short cuts or downplay the importance of some of the key activities, and Stakeholder Discussions is no different.

Annual Planning Process - Internal Audit Charter, Audit Universe, Internal Audit Strategy, Organisational Strategy, Stakeholder Discussions, Strategic Plan, Annual Plan, Communicating to the Audit Committee

Overview of the Annual Planning Process

Discussions with key stakeholders both internally and externally to the organisation can be invaluable when developing the Strategic Plan and Annual Plan.


In this post, we explain how our Stakeholder Discussions template can assist you in your annual planning process and what tips and tricks you can take with you when having your discussions.


For further information and guidance on the end to end annual planning process, please refer to our Annual Planning Guidance in the Guidance Hub.


Before we commence our stakeholder discussions, it is important that we have completed our pre-work. By completing steps 1 to 4 of the above mentioned Annual Planning Process, we will be able to have better and more informed discussions with our stakeholders.


Of particular importance is the Audit Universe. The Audit Universe will provide a historical log of all previously audited activities, as well as an indicative list of what can be audited next, based on our audit cycles, risk rating and general understanding of the business. All this information will help to ensure we have meaningful and valuable discussions with our stakeholders.

Preparing for the stakeholder discussions

An example list of what stakeholders you may want to attend your annual planning discussions.


Stakeholder Discussions Summary Sheet


Before we begin meeting with key stakeholders, it’s good to determine who those stakeholders are. For smaller organisations, this may be an easy activity and something which can be done by one person. For larger entities, it may take more of a coordinated approach as one person simply won’t have the capacity to meet with every single stakeholder.


We have built a Stakeholder Discussions Checklist, aimed at ensuring we have an idea of which stakeholders we want to meet, when we will meet with them, who met them, and references to any meeting minutes. As always, it is critical that we document what we have done, and this is no different when undertaking the annual planning process.


Our checklist includes all the usual suspects, such as the Audit Committee Chair, CEO, CFO and other Heads of Departments. Depending on your business, it may be worthwhile meeting some people external to your organisation. These could include regulators, industry groups and even the external auditor. Each of these people will see your business from a different angle and could be invaluable in developing your risk based audit plan, which also provides value and benefit to the business. You can download an editable version of our template by clicking here.

Conducting the stakeholder discussions

Meeting Agenda and Meeting Minutes for the Stakeholder Discussions held as part of the Internal Audit Annual Planning Process

Stakeholder Discussions Meeting Agenda


Obtaining time with some of the key stakeholders can be challenging. These are often busy people that will have limited time available in their diary. Because of this, it is important that meetings are booked in early and that we (and the stakeholder) are both prepared for the meeting. It is best to work as though this is your one chance to get all the information you need, and therefore, we don’t want to waste this precious time. To help, we have developed an example Meeting Agenda covering some of the topics which should be included with your stakeholder discussions. A copy of the editable template can be downloaded here.


As always, remember to document the work which has been performed.


There are a number of golden rules which I take with me to any meeting, and the stakeholder discussions are no different. These golden rules are:


1. Set an agenda and purpose of the meeting

Nobody has time to waste and further, we want to make sure we are getting as much information and answers as possible. To ensure this, we need to set an agenda and meeting purpose. Clearly state what the meeting is for, why we are doing this, and how it fits into the bigger picture.


2. Be prepared

Both you and the stakeholder should have read and prepared before the meeting. Obviously, in most situations, it is likely that the stakeholder hasn’t had time to read the information. Send them across any background information which may help early on, but follow this up just prior to the meeting to remind them to have a look. This is not only great for bringing them up to speed and encouraging them to be an active participant, but it also ensures you are prepared. Know what you want to talk about, know your facts and be ready to challenge or answer questions when necessary.


3. Choose your audience

Don’t make the meeting room heavy with auditors, but also don’t be overpowered. Capturing the right balance when setting meetings can be tricky. Too many auditors can result in limited discussion as the other person may feel threatened or intimidated. Too many of the stakeholders can almost overpower the auditor. Furthermore, ensure the right stakeholders are present. Larger / bolder / stronger stakeholders may talk over more timid participants and inherently control the meeting. It’s important that everyone gets an equal opportunity to speak, otherwise what’s the point of even having them in the meeting? A good rule of thumb I follow for smaller meetings is that there should always be at least one more of them in the meeting.


4. Be engaging

Nobody likes a person with a boring personality. Bring a bit of life to the table and encourage discussion. Simple things, such as not talking in monotone, not sitting with your arms crossed, and not looking bored, are easy ways to kick start the meeting off in the right direction. To take it a level further though, make the meeting interactive. Use drawings, whiteboards or mind maps to help with discussion. Use open questions. Ask questions about niche areas of the business (even if you know the answer), simply to show you are invested in their business area. Meetings don’t have to be boring – so don’t let them be!


5. Follow up

Even once the meeting is done and there are no further opportunities to meet, you can still reach out to them. Fire off an email summarising the key takeaways, share photos of the planning session, and detail what the next steps are. This also provides them with one last opportunity to provide anything which may be of interest to you.

Whilst not always successful, sometimes a brief survey in your follow up email can also encourage a good response. Point out what you took from the meeting, then ask them: was the meeting valuable, have we captured the main points and concerns to them, what can be done better next time, etc. These questions could provide useful answers, both for the current year annual plan and for future year annual planning activities.


The Annual Planning process is a critical activity, and the stakeholder discussions are just as critical. Do your pre-work, have a plan, have good discussions, and follow up, to ensure you can build a well rounded and value adding risk based plan.


To gain a copy of the Annual Planning templates, simply CLICK HERE to download.


The Chartered Institute of Internal Auditors released the Internal Audit Code of Practice in January this year. The Internal Audit Code of Practice (which can be downloaded here) aims to strengthen corporate governance. Since its release, a number of organisations have begun to demonstrate their uptake of the code; one of the most obvious examples is the publishing of an audit function’s Internal Audit Charter.


The Code contains a total of 38 recommendations; however, as the code is voluntary, organisations are not required to implement it or uphold its principles. Nevertheless, audit functions should review the Code and perform a self assessment to determine where they may already be compliant or identify other areas which they may want to improve on or focus more attention. Ultimately, it’s up to the business and audit functions to decide how compliant they wish to be with the Code. Additionally, audit teams should consider the size and complexity of their organisation when undertaking their self assessment.


To assist audit teams and their self assessment, we have developed a tool which can help in determining the level of compliance against each of the 38 recommendations. Furthermore, we have included a dashboard with a couple of graphs, meaning you can copy and paste these into your audit committee update papers and show how great your audit function already is.


Of course, this is just one way which you can perform a self assessment. Any self assessment is subjective and care should always be taken to ensure your assessment against the Code is appropriate for your organisation and their risk tolerance levels.


To gain a copy of the free Code of Practice Self Assessment tool, simply CLICK HERE to download. Alternatively, you can buy and download the editable version of the tool by CLICKING HERE.


As we continue through our annual planning process, we reach the part where we need to consider the organisational strategy and external information. The reason for this is simply to understand where risks may exist in the business that need to be considered.


In our planning process, risk is identified at multiple stages; however in this step we are purely focusing on the organisational strategy and background / external information.

Organisational strategy

The organisational strategy lays out the company’s goals and objectives for the future. Additionally, it will spell out what actions the business is going to take in order for it to meet these goals. It’s a critical document, and as such, it’s important that Internal Audit fully understands it.

Through reviewing the strategy, we should be able to understand what some of the key activities are for the year. From our review, we should also be able to understand what activities carry the most risk. When reviewing the strategy, consider the following risk categories:

  • Strategic Risk
  • Compliance Risk
  • Operational Risk
  • Financial Risk
  • Reputational Risk


Through assessing the risk attached to each activity we can have more informed discussions with key stakeholders. We should be able to develop a ‘shortlist’ of key activities as per the strategy which we may want to include on our annual plan, or at a minimum, use to discuss with key stakeholders such as heads of departments and key executives.


The strategy of the business is often communicated to external shareholders and can contain a significant amount of risk, particularly if the strategy is not achieving results. It’s Internal Audit’s role to ensure that not only is the business achieving its objectives as per the strategy, but it is also maintaining any regulatory compliance and controls are still in place. Furthermore, there is an opportunity here for Internal Audit to ‘add value’, providing insight on where the strategy may not be meeting targets, or identifying new opportunities which could enhance the strategy.

External Information

There is a range of publicly available information which can help you when thinking about what risks may be applicable to your organisation. It’s important to not only consider what risks are relevant now, but also any emerging risks or future risks.


We have previously written about the risks identified by groups such as the Chartered Institute of Internal Auditors, the Big 4 and knowledge leadership groups such as Gartner (you can read the whole article here). Guides like these are a huge help when thinking what risks may be applicable to your organisation. Again, these takeaways can be used in discussions with key stakeholders and execs as we progress through the planning process.


Overall, it’s important to understand the organisational strategy and consider what external information is available which may identify any current or future risks, as all of this information will help ensure you have more meaningful discussions with key stakeholders. This will also go a long way to ensure we have satisfactorily developed a risk based plan which also has the opportunity to provide value for the business.


The purpose of this template is to help guide team members in understanding applicable risks. It should be known that this template is only a guide. There are many different sources of information and many ways to document the work performed. The audit team should do what is best and most applicable to their organisation.


It’s a document which I think isn’t given the importance it deserves, but given the Internal Audit Charter is both a requirement of the International Standards for the Professional Practice of Internal Auditing (Standards) and the recently released Code of Practice, it’s something which evidently holds a lot of value.


So what is the Internal Audit Charter?


As defined by the Institute of Internal Auditors: “The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.”


Sounds pretty straightforward, right? The Standards reiterate all of this with section 1000 – Purpose, Authority, and Responsibility, specifically calling out what must be included in the Charter: “The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.”


A full copy of the Standards can be downloaded here.


Recently, the Chartered Institute of Internal Auditors released a Code of Practice. The Code also requires audit functions to have an Internal Audit Charter, but goes one step further in stating that it be published and made available to the public. The Code, which can be downloaded here, says: “The primary role of internal audit should be to help the board and executive management to protect the assets, reputation and sustainability of the organisation. It does this by assessing whether all significant risks are identified and appropriately reported by management to the board and executive management; assessing whether they are adequately controlled; and by challenging executive management to improve the effectiveness of governance, risk management and internal controls. The role of internal audit should be articulated in an internal audit charter, which should be publicly available.”

Given that both the Standards and Code reference the need for an Internal Audit Charter, there must be a reason for it. A great example is the recent issues relating to financial statement audits in the UK. It’s become evident through the Brydon Review that there was an expectation gap between what audit firms provide and what companies expect. Documents such as the Internal Audit Charter can help avoid these expectation gaps within a business, but also set the standard when it comes to audit’s role, responsibilities and ways of working.

There are many ways to build your Internal Audit Charter, and it’s important to make sure it is fit and appropriate for your organisation. To provide a quick run down of what you can include in your Internal Audit Charter, again, look no further than the Chartered IIA. The team have pulled together a very simple list of what should be included in your Charter:

  • Mission – the purpose and function of the internal audit activity
  • Objectives – the provision and nature of assurance activities and (possibly) consulting activities
  • Role and scope of work
  • Independence – how is independence established and maintained
  • Access – unrestricted to records, personnel and physical property
  • Reporting – reporting lines to show independence
  • Responsibilities – don’t forget other roles such as responsibility for fraud investigations
  • Planning – approach to planning, resources and budgets
  • Quality – arrangements for quality assurance and improvement programme


A copy of the full Chartered IIA article on why the Internal Audit Charter is important can be read here.


Our template is a bit of a hybrid. We have looked at a range of publicly available Internal Audit Charters, various templates and the requirements of both the Standards and the Code of Practice to pull together a template which attempts to pull in each of these various sources. At the end of the day though, this template is only a guide and should be adjusted to suit your business.