Aligned with Standards 2200 through 2220
Planning is part of internal auditing’s systematic, disciplined, and risk-based approach and is mandated by the International Standards for the Professional Practice of Internal Auditing. Planning internal audit engagements involves considering the strategies and objectives of the area or process under review, prioritizing the risks relevant to the engagement, determining the engagement objectives and scope, and documenting the approach. This practice guide contains the engagement planning steps necessary to fulfill Standard 2200 – Engagement Planning through Standard 2220 – Engagement Scope and related assurance (.A) and consulting (.C) implementation standards.
Engagement planning generally includes the following steps:
- Understand the context and purpose of the engagement.
- Gather information to understand the area or process under review.
- Conduct a preliminary risk assessment of the area or process under review.
- Form engagement objectives.
- Establish engagement scope.
- Allocate resources.
- Document the plan.
This practice guide also explains how internal auditors can use a risk and control matrix and heat map to prioritize the risks, then use the results to form the engagement objectives and scope in conformance with the Standards. Established engagement objectives and scope enable internal auditors to focus efforts on the significant risks in the area or process under review, develop the engagement work program, and communicate clearly with management and the board.