The internal Audit Department has to prepare its Annual Internal Audit planning for the upcoming years and then getting approval from its audit committee or Board of Directors before starting audit works.

Annual Internal Audit Planning is developing by the Chief of Internal Audit and it is normally taken into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization.

Those risks are included operational risk, business risk, program, system, and control.

Based on International Standards for the professional practice of internal audit, Annual Internal Audit Planning has to develop based on 3 points

  • Annual Internal Audit Planning activities have to be build based on the documented risk assessment which is undertaking annually. The risk assessment could be input by senior management and the Board of Directors. This is probably the first stage of how risks that probably happen in the organization are included in the audit planning and is probably the best reason and answer to the question of why Internal Audit is important for risk management. One of the risks that identify by management is identified, then management will have a discussion with the internal audit by asking them for help and pay more attention to them. However, the audit has to pay more attention to the requestor risks that input by management. The reason is that management might want to turn audit attention into other areas where the problems have been done or conduct by management themself. This is the very importance of Annual Internal Audit Planning for the success of the company as a whole added by internal audit.
  • Planning must be developed as the result of measurement of identification and consider the expectations of senior management, the board of directors, and other stakeholders for an internal audit opinion. The standard requires the internal audit department to design internal audit activities that are designed to add value to its company or client. In order to do so, internal audits must have proper risk assessment procedures, programs, and documentation. Data are the factors that drive internal audit planning activities, not an assumption. This is to make sure that all the activities that set for the whole years are internal audit departments have to complete to ensure that the risks are minimized to the lowest as acceptable and detected at the right time.
  • The chief audit executive should consider accepting proposed consulting engagement based on the engagement’s potential to improve the management of risks, and value and improve the organization’s operation. There are many technical areas depending on the different types of the business and it is obvious that internal audit does not know every single of those areas. For the areas that internal audit does not have any expertise in, internal audit should consider seeking for assistant or consultant from the expert. Such the consultant should have been clearly put in the annual internal audit planning.