Internal Audit

Audit Planning and Execution: A Practical Guide for Internal Auditors

Effective audit execution begins long before the fieldwork starts. A well-planned audit produces better findings, more defensible conclusions, and more impactful recommendations than an improvised one. This guide covers the complete planning and execution cycle for individual audit engagements, aligned to IIA Standards.

"A poorly planned audit is like building a house without blueprints — you might end up with something, but it probably will not be what was needed."
Individual audit engagement planning and execution is the operational core of internal audit work. For each engagement, auditors must define clear objectives, scope the work appropriately, design risk-responsive procedures, gather and document sufficient evidence, and communicate findings that are accurate, objective, and actionable. This guide covers each stage of the engagement lifecycle.

Stage 1 — Engagement Planning

Preliminary Survey

Before designing audit procedures, conduct a preliminary survey to understand the auditable entity: its objectives, processes, risks, controls, personnel, and recent performance history. Sources include:

  • Process walkthroughs with operational management
  • Review of policies, procedures, and organizational charts
  • Prior audit reports and management letter points
  • Regulatory reports and external audit findings
  • Key performance indicators and management information reports

Defining Audit Objectives and Scope

Audit objectives define what the engagement will assess — they must be specific, measurable, and directly tied to the identified risks. Audit scope defines what is included and excluded — time period, locations, systems, and activities covered.

Designing the Audit Program

The audit program is the detailed instruction set for the fieldwork — a procedure-by-procedure specification of what will be tested, how it will be tested, the sample size, and what will constitute a satisfactory result.

Procedure ElementDescription
Procedure referenceUnique identifier linking to working paper
Objective addressedWhich audit objective this procedure tests
Risk addressedWhich specific risk this procedure mitigates
Test descriptionSpecific steps to be performed
Sample sizeNumber of items to be tested and selection method
Expected resultWhat a passing result looks like
Auditor assignedWho performs this procedure

Stage 2 — Fieldwork Execution

Types of Audit Procedures

  • Inquiry: Obtaining information from knowledgeable persons within or outside the entity — never the sole procedure for any significant assertion
  • Observation: Witnessing a process or activity as it occurs — provides evidence for the period of observation only
  • Inspection: Examining records, documents, or physical assets — provides direct evidence of what exists in written form
  • Recalculation: Independently verifying the mathematical accuracy of financial records or calculations
  • Reperformance: Independently executing a control procedure that was supposedly performed by the organization
  • Analytical procedures: Evaluating financial or non-financial information through analysis of plausible relationships — identifying anomalies that require investigation

Working Papers — Standards and Structure

Working papers are the documented evidence of audit work performed. They must be:

  • Sufficiently complete that another qualified auditor could understand what was done without speaking to the preparer
  • Indexed and cross-referenced to the audit program and the audit report
  • Reviewed and signed by the audit manager before findings are communicated
  • Retained per the organization's document retention policy — typically 7 years minimum

Stage 3 — Communicating Findings

Audit findings must be discussed with management before the report is issued — this is both a professional requirement and a practical quality control. Management may have information that explains an apparent finding, or may accept the finding and commit to remediation. Either way, the conversation must happen before the report is finalized.

The Elements of a Well-Constructed Finding

  • Condition: What the auditor found (the fact)
  • Criteria: What should exist (the standard, policy, or control objective)
  • Cause: Why the gap exists between condition and criteria
  • Consequence: The risk or impact of the condition — why it matters
  • Recommendation: What management should do to close the gap

Key Takeaway

Audit planning and execution discipline is what separates internal audit functions that find meaningful issues from those that produce predictable, low-impact reports year after year. Invest in the planning phase — a strong audit program, risk-specific procedures, and clear objectives produce findings that management cannot dismiss and boards cannot ignore.

Read: Audit Reporting →