What Most Audit Plans Look Like
A typical annual audit plan presented to an audit committee contains a list of planned engagements, often sorted by business unit or risk category, with some combination of planned hours, budget, and schedule. There may be a short narrative introduction and a summary of the risk assessment methodology used. The document is technically complete but strategically uninformative.
Board members reading this plan face an immediate challenge: they cannot tell why these particular audits were selected, what risks they are designed to address, what the audit committee is being asked to approve or challenge, or what would change if resources were different. They are being asked to endorse a document without the information they need to do so meaningfully.
What Board Members Actually Need to See
Effective audit plans communicate four things clearly:
The risk logic: For each planned engagement, a brief explanation of the risk rationale — why this area warrants audit attention this year. This does not need to be lengthy; two or three sentences that connect the engagement to the organisation's current risk profile are sufficient. But it must be present, and it must be meaningful rather than boilerplate.
The coverage trade-offs: No audit function has enough resources to cover everything. A good audit plan explicitly shows what is not being covered this year, and why. This gives the audit committee the information they need to challenge prioritisation decisions and to understand the residual risk they are accepting as a governance body.
The assurance provided: Different engagements provide different levels of assurance. A detailed operational audit provides a different level of comfort than a high-level advisory review. The audit plan should be transparent about this, so the audit committee understands what the function's coverage actually means in terms of governance assurance.
The resource picture: The relationship between the planned workload and available resources — and the implications of any gaps — should be visible. If the function is carrying a planned workload that requires sustained overtime, or is relying on co-sourcing for specialist skills, the audit committee should know this and understand its implications.
Structure for Impact
Consider structuring the audit plan document in three sections. The first section is an executive summary of no more than two pages — the key messages, the most significant risk areas being covered, and the most significant areas not being covered. The second section presents the full engagement list with risk rationale for each. The third section provides supporting detail: the risk assessment methodology, resource analysis, and schedule.
This structure means that board members who read only the first section understand the essential story. Those who want to engage with the detail can do so. Those who want to challenge a specific prioritisation decision can locate the relevant engagement in the second section and see the risk logic behind it.
An audit plan that board members do not read is not fulfilling its governance function, regardless of how technically sound the underlying analysis is. Communication is part of the professional obligation — not an optional extra.
Making the Plan Challengeable
One mark of a genuinely strong audit plan is that it invites challenge. When the audit committee can see the risk logic clearly, they can disagree with it — and that disagreement is valuable. It surfaces differences in risk perception between the audit function and the board, creates an opportunity for informed dialogue about organisational priorities, and ultimately produces a better plan.
CAEs who present unchallengeable plans — either because the logic is opaque or because the relationship with the audit committee does not support robust challenge — are missing one of the most valuable governance conversations available to them. Bring the plan to the audit committee as a starting point for discussion, not as a finished product awaiting approval. The plan that emerges from that conversation will be better, and the audit committee will be more genuinely engaged with the function's work throughout the year.