This blog is Part 1 of a four-part weekly series on building an effective audit calendar. Throughout this series, we will walk through the end-to-end journey of developing and executing an audit calendar — from planning to execution, reporting, and continuous improvement.
For any internal audit function, the audit calendar (or audit plan) is more than a schedule of engagements. It is a strategic tool that aligns audit activities with organizational priorities, risks, and resources. A well-planned audit calendar enables the Chief Audit Executive (CAE) to deliver assurance where it matters most, advise the board and management with valuable insights, and support management in monitoring compliance with regulatory expectations.
Planning the annual audit calendar is not just about choosing areas to review. It involves understanding the business landscape, identifying key risks, assessing audit coverage, and balancing resource requirements against expectations. Below, we explore the typical activities involved in developing an audit calendar and the areas a CAE should consider during the planning process, with practical examples along the way.

Step 1: Understanding Organizational Strategy and Objectives:
Audit planning begins with strategy. A CAE should review the company’s business plan, strategic priorities, and performance objectives for the coming year. This ensures that audit activities are aligned with business requirements and objectives.
- Strategic priorities: Is the organization expanding into new markets, launching products, or investing heavily in technology?
- Financial objectives: Are there revenue, cost-saving, or efficiency targets that present risk exposures?
- Transformation initiatives: Are there mergers, acquisitions, restructuring, or digital transformation programs underway?
Example: If the company is investing heavily in e-commerce, the CAE might schedule audits on website payment security, data privacy compliance, and digital customer experience controls.

Step 2: Conducting Risk Assessment:
The cornerstone of audit planning is risk assessment. The CAE must evaluate the risk universe—financial, operational, compliance, and emerging risks—affecting the organization.
- Take the lead from priorities set in the Enterprise Risk Management framework – e.g., the corporate risk register lists “cybersecurity” as a top risk.
- Engage with leadership – discussions with the CFO may highlight concerns about credit risk and liquidity.
- Analyze external factors – new data protection laws are coming into effect.
- Assess past audit results – recurring issues in procurement fraud.
Example: A manufacturer expanding its global supply chain might add supplier vetting and geopolitical trade risks to the audit calendar.
This concludes Part 1 of our four-part series. In Part 2, we’ll dive deeper into the subsequent steps of audit calendar planning — including execution strategies, stakeholder communication, and monitoring mechanisms. See you all next week!
Disclaimer: The views expressed are solely those of the author and do not represent those of the publishing organization.
About the author: Amit Sharma is the Vice President and Head of Audit – APAC at EXL, with over 24 years of experience in internal audits, risk management and compliance. As part of his commitment to giving back to the auditing profession, he also serves on the IIA India Delhi Branch Board of Governors and is the Chairperson of the Publications & Research committee of IIA India Delhi Branch.
