Internal Audit Planning: How Can We Do It Better?

by Michael Parkinson

Executive Summary

  • Internal auditing is widely promoted as a critical component in the governance of organizations. Yet many directors and top managers are concerned that they are not getting maximum value from this resource.

  • Although in many organizations internal audit is under-resourced or under-qualified, the most common problem is that it is poorly used by the organization.

  • Poor planning leads to application of internal audit activity in the wrong places and the delivery of irrelevant reports.


Internal audit is an information service. Internal auditors do not—indeed, must not—make decisions for the managers of organizations. They are a highly skilled and expensive resource that exists to serve the best interest of the organization and yet, on the surface, they do not directly contribute to organizational performance. They examine processes and produce reports; they attempt to capture good practice and identify poor; and they design controls to address identified risks. It is the information they convey to the managers of an organization that makes internal auditors valuable.

Information is valuable when it is reliable and relevant. To be reliable it must be objectively based on evidence and well argued. The internal auditing standards provide the basis for the production of reliable information, as they require the application of appropriate techniques by suitably qualified individuals. Reliability comes from discipline and competence.

Relevance means providing information that is needed, when it is needed. Relevance can only be achieved by sound planning—planning that identifies the needs of the organization and enables the delivery of internal audit results at a time when they can be acted on. Planning is a process that must involve not only the professional input of the internal auditor, but also the strategic input of the board and top management of the organization.

Internal auditing will be ineffective if it does not ask, or is not asked, the right questions.

Gaining Context: A Strategy for Internal Audit

The top level of planning for internal audit needs to consider the users of the information that internal audit is to provide. The users might include a wide range of interests: clearly, the direct managers of areas reviewed will use the reports, but users will also include top management, the audit committee, and, in many cases, a variety of stakeholders external to the organization.

Two levels of program planning are warranted:

  • a strategy for internal audit developed as part of a wider strategy for assurance;

  • an annual program of internal audits that considers both the requirements for strategic assurance and the need for more immediate advice.

Focus on Risk

Internal audit must address the risks the organization faces. These are of two basic kinds—risk to conformance and risk to performance—and neither type should be addressed to the exclusion of the other. Setting the balance is a crucial strategic decision that must be taken at board level.

The most useful information usually relates to the most significant risks that an organization faces. Some organizations still use rotational programs (programs that consider each part of the organization in turn), but these are of limited value because they assume that the risks are static. Planning of internal auditing must be based on a current assessment of the organization’s risks.

An internal audit might develop ways of better addressing a risk, might provide assurance that a significant risk is being well controlled, might advise that a significant risk is not being well controlled, or might advise that risks have been misrepresented. During the internal auditor’s strategic planning process, the issue to consider is whether a particular risk is important to the organization. Whether organizational management believes the risk to be well controlled is a lesser issue. False belief—that a significant risk is well controlled—can be a dangerous assumption.

It is not the role of internal audit to second-guess management, but it can be its role to hold a mirror to management representations. Internal audit has a role to challenge assumptions and to test processes. In this context it can be healthy for disagreements about risk exposures or appropriate levels of control to be fully explored.

The chief audit executive (CAE), in consultation with the audit committee and top management, should design an assurance strategy that meets the assurance requirements of the organization and its stakeholders. This strategy should consider: mechanisms for delivery of assurance across the full set of organizational risks; the structure of the organization; reasonable restrictions on available resources; and the contribution of the full range of possible assurance providers.

While an unacceptable risk might be the responsibility of management, internal audit might have skills that can assist in addressing it. Such a risk cannot wait for attention from a routine assurance program (there may be little assurance to provide), and internal audit may have the skills and experience to contribute to the design and implementation of improved controls. The assurance strategy should, therefore, allow for the application of internal audit resources to such issues. This type of activity needs careful handling within the organization—the internal auditing standards warn against allowing the approved assurance program to be compromised by diversion of resources into management activity.

Coordinating with Other Review Bodies

The internal auditing standards require the CAE to coordinate internal audit review activities with other assurance providers. This is responsible use of resources and involves confirming the quality of other internal review activities and then appropriately relying on their results. It also involves considering the extent to which internal auditing can, without compromising the integrity of its work, support the activity of external review bodies. It must be remembered here that the scope of activity of the internal auditor is much wider than the area of interest of the financial statement auditor or any regulator.

Internal reviews that should be considered include regulatory compliance activities, control self-assessments, and quality assurance activities such as ISO 9000 processes. In a well-coordinated assurance environment the work of the internal auditor can contribute to the maintenance of an organization’s formal quality certifications. On the other hand, internal audit should not become the quality assurance program. This wastes the skills of the function and allows line managers to abrogate their supervision and management responsibilities.

A coordinated set of review programs ensures that overlap of review activity is deliberate and contributes to improved assurance rather than wasting resources. Ideally, this coordination is achieved as part of strategic planning, but some will inevitably be a response to particular circumstances.

Getting it right requires awareness and flexibility within a well-structured framework. The organization must be sure that the assurance provided by internal audit is sufficient in the context of other assurance providers and the needs of the organization, and must ensure that resources are sufficient to provide all necessary coverage.


Further reading


  • Picket, K. H. Spencer. Audit Planning: A Risk-Based Approach. Hoboken, NJ: Wiley, 2006.


  • Parkinson, Michael. “A strategy for providing assurance: Audit committees can gain assurance from many places.” Internal Auditor (December 2004).


  • Australian National Audit Office. Public sector internal audit: An investment in assurance and business improvement. Better Practice Guide. Canberra, Australia: Australian National Audit Office, 2007. Online at:
  • Institute of Internal Auditors (IIA). “International standards for the professional practice of internal auditing.” Orlando, FL: IIA. Available from:
  • Professional Accountants in Business (PAIB) Committee. “Enterprise governance: Getting the balance right.” New York: International Federation of Accountants, 2004. Available from the IFAC website:
  • Standards Australia. “HB 158–2006: Delivering assurance based on AS/NZS 4360:2004 risk management.” Sydney, Australia: Standards Australia, 2006. Available from:
