IIA Delhi Branch

Building an Effective Audit Calendar: Key Considerations for the Year Ahead – Part II

September 5, 2025 ldmiiadb

This blog is Part 2 of our four-part weekly series on building an effective audit calendar. Last week, in Part 1, we discussed the importance of understanding the company’s strategy and conducting a comprehensive risk assessment as the foundation for audit planning.

This week, in Part 2, we will build on that foundation and explore the subsequent activities involved in developing an audit calendar — from defining the audit universe to prioritizing and selecting audits that provide the most value to the organization.

Step 3: Defining the Audit Universe:

Before finalizing the audit schedule, the Chief Audit Executive (CAE) should clearly define the audit universe – a comprehensive inventory of all potential auditable areas / entities within the organization. This ensures no critical area is overlooked and provides a structured way to assess coverage.

Typical components of an audit universe include:

  • Business units and subsidiaries
  • Core processes (procurement, sales, payroll, treasury etc.)
  • IT systems and applications (ERP, HR systems, financial reporting apps etc.)
  • Compliance areas (tax, data privacy, health & safety etc.)
  • Strategic projects and initiatives (new factory setup, ERP migration, sustainability initiatives etc.)

Practical Example: For a bank, the audit universe might include:

  • Credit risk management
  • Branch operations
  • AML/KYC compliance
  • IT security controls
  • Digital banking platforms

By building this inventory, the CAE creates a master list of possible audits from which annual plans can be selected, ensuring transparency and completeness.

Step 4: Prioritizing and Selecting Audits:

Given the limitations of time, budget, and staffing, not all areas can be included in the annual audit plan. The CAE must therefore prioritize audits using objective criteria.

Common prioritization factors include:

  • Risk rating (likelihood and impact of risk)
  • Regulatory requirements (mandatory reviews or certifications)
  • Time since last audit (long gaps may require fresh reviews)
  • Financial or reputational significance (impact on revenue, brand, or compliance)
  • Management or board requests (strategic importance to stakeholders)

Practical Example: In a healthcare company, audits of patient data privacy (to ensure compliance with HIPAA or GDPR) and billing accuracy (to prevent fraud and regulatory penalties) may take precedence over a routine review of HR policy compliance. These areas carry far greater regulatory and reputational risks and therefore demand priority.

Wrapping Up Part 2:

By systematically defining the audit universe and applying robust prioritization, the CAE ensures that the internal audit function channelises its limited resources towards the areas of greatest importance to the organization’s success and resilience.

This concludes Part 2 of our four-part series. In Part 3, we’ll dive deeper into the next steps of audit calendar planning — including resource planning, coordinating with other assurance providers, and communicating a practical audit plan with stakeholders. See you all next week!

Disclaimer: The views expressed are solely those of the author and do not represent those of the publishing organization.

About the author:

– Amit Sharma is the Vice President and Head of Audit – APAC at EXL, with over 24 years of experience in internal audits, risk management and compliance. As part of his commitment to giving back to the auditing profession, he also serves on the IIA India Delhi Branch Board of Governors and is the Chairperson of the Publications & Research committee of IIA India Delhi Branch.