The IIA Releases New Practice Guide: Developing a Risk-based Internal Audit Plan
With the pace of change accelerating and risks shifting in nearly inconceivable ways, proactive chief audit executives are assessing risks continuously and responding nimbly by adjusting audit plans. This practice guide provides practical examples and a flexible yet systematic approach to developing internal audit’s risk assessment and plan of engagements. The guide offers information equally useful to CAEs and internal audit managers leading or assisting with the development of a new internal audit plan for the first time, as well as CAEs and other internal auditors assigned to support the refreshment of internal audit’s comprehensive risk assessment and audit plan.
To add value and improve an organization’s effectiveness, internal audit priorities should align with the organization’s objectives and should address the risks with the greatest potential to affect the organization’s ability to achieve those objectives. This is the essence of internal audit planning based on an assessment of risks, as described in Standards 2010 – Planning, 2010.A1, 2010.A2, and 2010.C1.
This practice guide will help CAEs and internal auditors create and maintain a risk-based internal audit plan. The guide describes a systematic approach to:
- Understand the organization.
- Identify, assess, and prioritize risks.
- Coordinate with other providers.
- Estimate resources.
- Propose the plan and solicit feedback.
- Finalize and communicate the plan.
- Assess risks continuously.
- Update the plan and communicate updates.
IIA members are invited to download this guidance and all guidance as a benefit of membership. Nonmembers may purchase Supplemental Guidance by visiting the IIA Bookstore.
