Practice Guide: Developing a Risk-based Internal Audit Plan
The IIA Standards require the chief audit executive (CAE) to develop an internal audit plan based on a documented risk assessment undertaken at least annually. Yet the Standards also require adjusting the plan in response to changes affecting the organization. With the pace of change accelerating more than ever, proactive CAEs are assessing risks continuously and quickly adjusting audit plans in response. This practice guide provides practical examples and a flexible yet systematic step-by-step approach to updating internal audit’s risk assessment and plan of engagements.
This Practice Guide is provided as a service to members of The IIA.
In today’s unprecedented environment, effective internal auditing requires thorough planning coupled with nimble responsiveness to quickly changing risks. To add value and improve an organization’s effectiveness, internal audit priorities should align with the organization’s objectives and should address the risks with the greatest potential to affect the organization’s ability to achieve those objectives.
Ensuring alignment between internal audit priorities and the organization’s objectives is the essence of Standards 2010 – Planning, 2010.A1, 2010.A2, and 2010.C1, which task the chief audit executive (CAE) with the responsibility of developing a plan of internal audit engagements based on a risk assessment.
This practice guide will help the CAE and internal auditors create and maintain a risk-based internal audit plan. The guide describes a systematic approach to:
- Understand the organization.
- Identify, assess, and prioritize risks.
- Coordinate with other providers.
- Estimate resources.
- Propose plan and solicit feedback.
- Finalize and communicate plan.
- Assess risks continuously.
- Update plan and communicate updates.
Item Number: 10.1327.dl