The Institute of Chartered Accountants of India (ICAI) Standard on Internal Audit (SIA) 220 provides guidance on internal audit planning, focusing on a risk-based, systematic, and stakeholder-oriented approach. Internal audit planning ensures that audit activities align with organizational objectives, governance priorities, and risk profiles. Planning is conducted at two levels: an entity-wide plan, usually approved by the Board or Audit Committee, and specific plans for individual assignments aligned with the overall audit plan. For companies under the Companies Act, 2013, the Audit Committee or Board, in consultation with the internal auditor, must formulate the audit plan, covering scope, methodology, periodicity, and functioning. Key features of planning include understanding the business model, regulatory environment, and compliance obligations; identifying risks; defining the audit universe; prioritizing audits based on risk; and preparing an audit program outlining controls and audit procedures.
SIA 220 also highlights the planning process, requiring knowledge of the business and its environment, discussions with management and stakeholders, and independent risk assessment. The audit universe lists all auditable units to ensure comprehensive coverage, while resource allocation matches audit needs with available competencies and identifies skill gaps. Technology deployment and data analytics are integral to planning efficiency. Documentation of all planning steps—including risk assessment, stakeholder inputs, and the final approved audit plan—is essential to comply with the standard. Updates to the plan may be required due to regulatory or organizational changes, ensuring audits remain aligned with organizational objectives and high-risk areas.
The Institute of Chartered Accountants of India
Standard on Internal Audit
(SIA) 220
Internal Audit Planning
1. Introduction
1.1 Effective internal audit planning ensures that audit activities are strategically aligned with the organization’s objectives, risk profile, and governance priorities. In an increasingly complex and dynamic business environment, internal audit planning must evolve beyond a traditional checklist approach to become a continuous, risk-based, and stakeholder-focused exercise.
1.2 Internal audit planning is conducted at two levels:
a. An internal audit plan for the entire entity is prepared for a given period of time (usually a year) and presented for approval to the highest governing body responsible for internal audits, normally, the Board of Directors, or the Audit Committee.
b. A number of specific internal audit plans may be prepared for individual assignments to be undertaken covering some part of the entity and presented to the Chief Internal Auditor. Such plans should be prepared in line with the internal audit plan for the entity as a whole.
1.3 In the case of Companies under Companies Act, 2013, it is a legal requirement for the Audit Committee or its Board of Directors to formulate the internal audit plan of the company. Companies (Accounts) Rule 13(2) of Companies Act, 2013 provides as under:
“The Audit Committee of the company or the Board shall, in consultation with the Internal Auditor, formulate the scope, functioning, periodicity, and methodology for conducting the internal audit.”
The Audit Committee or the Board takes the active support of the Chief Internal Auditor/External Service Provider, to develop the Audit Plan, in consultation with the Executive Management.
1.4 Internal audit planning has the following features:
a. It understands the business model, organisational structure, regulatory environment and compliance obligations.
b. It aligns the audit goals with the organisation’s risk appetite.
c. It identifies potential risks from internal and external sources.
d. It is undertaken prior to the beginning of the plan period (generally, the financial year).
e. It is directional in nature and considers all the Auditable Units (i.e., locations, functions, business units and legal entities including third parties, where relevant), along with the periodicity of the assignments to be undertaken during the plan period.
f. It is normally prepared by the Chief Internal Auditor (or the Engagement Partner, where an external service provider is appointed to conduct internal audits).
g. The outcome of this exercise is an “Internal Audit Plan” (or the “Audit Engagement Plan,” if outsourced).
h. The audit programme shall be developed as an integral component of the internal audit planning process. The audit programme shall include documentation identifying potential risk scenarios (‘what could go wrong’) along with the corresponding controls required to mitigate or prevent such risks. It shall also outline the audit procedures and activities to be performed.
1.5 Scope: This Standard deals with the internal auditor’s responsibility to prepare the Internal Audit Plan.
2. Effective Date
2.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
3. Objectives
3.1 The objectives of an Internal Audit (Engagement) Plan are to:
a. Ensure that the Internal Audit plan is in line with the objectives of the internal audit function, as per the internal audit charter of the entity (and terms of engagement, where it is an outsourced engagement) and also in line with the overall objectives of the organisation.
b. Align the organisation’s risk assessment with the effectiveness of the risk mitigation steps implemented through internal controls.
c. Confirm and agree with those charged with governance the broad scope, methodology and depth of coverage of the internal audit work to be undertaken in the defined time-period.
d. Ensure that overall resources are adequate, skilled and deployed with focus in areas of importance, complexity and sensitivity.
e. Ensure compliance with laws and regulations.
f. Ensure timely detection of irregularities.
g. Ensure that the audits undertaken conform at all times with the applicable pronouncements of the Institute of Chartered Accountants of India.
h. Ensure that the audit is conducted systematically in accordance with the internal audit plan.
4. Requirements
4.1 There needs to be a formal audit charter approved by the Board and Audit Committee which clearly defines the scope, authority and responsibility.
4.2 The Planning Process (Refer Para. A1, A7-A8)
The planning exercise shall follow a laid down process, the outcome of which shall be a written document containing all the essential elements required to help achieve the objectives of the plan as outlined under Paragraph 3 above. Technology deployment shall form an essential element of the internal audit plan.
The internal audit plan shall be reviewed and approved by the highest governing body responsible for internal audits, normally, the Board of Directors, or the Audit Committee. Internal audit plans shall be updated due to regulatory changes or organizational developments.
4.3 Knowledge of the Business and its Environment (Refer Para. A2)
Knowledge of the entity, its business and operating environment shall be obtained to determine the types of internal audit assignments which could be conducted.
4.4 Discussion with Management and Stakeholders (Refer Para. A3)
As part of the planning process, a discussion with management and other stakeholders shall be undertaken to understand the intricacies of each auditable unit subject to internal audit. In instances where management expectations conflict with the professional judgment of the internal auditor, such matters shall be resolved through dialogue, and where necessary, escalated to the Audit Committee or the appropriate governance body for resolution in accordance with the internal audit charter.
4.5 Risk Assessment (Refer Para. A4)
A risk-based planning exercise shall form the basis of the internal audit plan. The internal auditor shall undertake an independent risk assessment exercise to prioritise and focus the internal audit work on high-risk areas, with due attention to matters of importance, complexity and sensitivity.
4.6 Audit Universe and Scope of Coverage (Refer Para. A5)
An audit universe shall be prepared prior to establishing the scope of the internal audit plan. The scope shall be consistent with the goals and objectives of the internal audit function (and terms of engagement, where it is an outsourced engagement) as listed in the internal audit charter. The scope shall also be in line with the nature and extent of the assurance to be provided.
The Audit Universe and the Internal Audit Plan shall be continuously monitored during the execution phase for achievement of the objective and to identify any deviations. Certain deviations may need to be notified to the stakeholders or may even require a formal modification to the plan. However, any significant modification to the plan shall be done only after consultation with those who approved the original plan. Such changes shall be formally documented, including the reasons for the change, and communicated to all impacted stakeholders.
4.7 Resource Allocation (Refer Para. A6)
The available internal audit team shall be evaluated for strength and capabilities, and skill gaps, if identified, shall be filled through the required training or co-sourcing. The requirements for specialised audits, such as IT, forensic and cybersecurity audits, shall be identified and addressed in a proper manner.
******
Application and Other Explanatory Material
A1. The Planning Process (Refer Para. 4.2): The internal auditor formulating the internal audit plan shall use professional judgement for the process to be followed in completing all essential planning activities. A documented planning process shall be in place which stipulates the essential inputs, steps to complete the planning and the nature of output required to conduct a comprehensive planning exercise.
A2. Knowledge of the Business and its Environment (Refer Para. 4.3):
The internal auditor shall gather all the information required to fully understand the entity’s business environment, the risks it faces and its operational challenges.
The extent of information required shall be sufficient to enable the internal auditor to identify matters which have a significant effect on the organisation’s financials. Hence, there is a need to connect the financial aspects of the business with other business elements, such as industry dynamics, company’s business model, operational intricacies, legal and regulatory environment, and the system and processes in place to run its operations.
A3. Discussion with Management and Stakeholders (Refer Para. 4.4): A key element of planning involves extensive discussion and deliberation with all stakeholders, including executive management, risk owners, process owners, statutory auditors etc. Their inputs are critical in understanding the intricacies of each assignment under consideration, in identification of important matters of relevance and to align stakeholder expectations with audit objectives.
A4. Risk Assessment (Refer Para. 4.5): The internal auditor shall undertake an independent risk assessment of all the Auditable Units identified in the Audit Universe and align this with the risk assessment conducted by the management and the statutory auditor. This is required to prioritise and focus internal audit work on high-risk areas, with due attention to matters of importance, complexity and sensitivity.
The internal auditor may also plan to undertake a dedicated audit of the company’s Risk Management Framework and processes, as a separate review or assignment.
A5. Audit Universe and Scope of Coverage (Refer Para. 4.6): Prior to defining the scope of internal audit, a complete identification of all the Auditable Units (locations, functions, business units, legal entities, including third parties where relevant, etc.) of the organisation shall be made. This list of all the Auditable Units is, generally, referred to as the “Audit Universe”. It covers every conceivable audit assignment which could be taken up for review during the plan period. The audit universe helps to ensure that the audit scope does not overlook any auditable unit. It forms the basis from which the internal audit plan is derived by consciously excluding certain units or areas from the scope, for justifiable reasons, such as low risk.
The internal audit objectives and the nature of assurance to be provided will also help to establish the scope of internal audit. On certain occasions, especially in the case of outsourced engagements, the management may define or mandate the scope and may even restrict the coverage of certain areas or transactions. When finalising the scope, it is important to clearly highlight any scope limitations included in the internal audit plan as part of the communication to the approving body, such as the Audit Committee.
A6. Resource Allocation (Refer Para. 4.7): The Internal Auditor shall prepare a detailed work schedule to estimate the time required for each audit assignment depending on the audit attention it deserves (on the basis of risk assessment) and map this with the competencies (knowledge, experience, expertise etc.) of the resources available. The requirements are then matched with the limited resources available to:
a. finalise the scope and depth of coverage of internal audit assignments;
b. identify any critical skills/expertise gaps in the internal audit team; and/or
c. seek other means of acquiring the additional resources required (internal or external sourcing).
A7. Technology Deployment (Refer Para. 4.2): A key element of the internal audit planning exercise involves understanding the extent to which:
a. the entity has deployed information technology (IT) in its business, operations and transaction processing, and
b. the internal auditor needs to deploy IT tools, data mining and analytic procedures, and the expertise required for its audit activities and testing purposes.
This helps to design and plan the internal audit more efficiently and effectively.
A8. Documentation (Refer Para. 4.2): To confirm compliance of internal audit procedures with the SIA, all key steps undertaken in the planning process shall be adequately documented to confirm their proper completion.
Essential documentation shall be as follows:
a. Information gathered about the business and its operations, systems and processes and past or known issues.
b. Audit universe and summary of auditable units.
c. Summary of meetings and communication with key stakeholders, with a summary of their inputs.
d. Risk assessment documentation.
e. Summary of available resources, their competencies and the proper matching of their skills with the audit requirements.
f. Final internal audit plan, duly approved by the competent authorities.

