Table of Contents

AUDIT PLANNING MEMO: SAMPLE 1......................................................................................................................................... 3

AUDIT PLANNING MEMO: SAMPLE 2......................................................................................................................................... 9
AUDIT PLANNING MEMO: SAMPLE 3....................................................................................................................................... 14

2 Source: www.knowledgeleader.com
 AUDIT PLANNING MEMO: SAMPLE 1

From: (Insert Name)

Date: (Insert Date)

Subject: Audit Planning Memorandum

The purpose of this audit plan is, first, to contribute to the effectiveness of the audit and, second, to contribute to
the audit efficiency. This memorandum should be completed and approved as part of initial audit planning. When
completing this document, there may be occasions when matters already documented in other work papers are
relevant. There is no need to rewrite such material if a specific reference can be made.

This memorandum is structured so that planning documentation common to all projects is presented. All items
should be read and considered on every project. When a section is not applicable, indicate "N/A" with a brief
explanation of why it is not applicable.

The planning memorandum is divided into three sections:

• Administration and Job Setup
• Risk Assessment
• Approach

The project profile should be used as the starting point for project planning.

ADMINISTRATION AND SETUP

INITIAL AUDITEE CONTACT

Company Management
List the names and titles of the company's management with whom the audit year will have substantial contact in
the course of the audit and the project sponsor.

Name Title

(Insert Text)

Planning Conference with Management

A meeting with company management should be held to discuss objectives, etc. A typical agenda for the initial
meeting may include the following:
• High-risk areas are identified.
• Auditee’s concerns (e.g., recurring problems, unreasonable policies, and procedures) are discussed.
• The auditee’s expectations of the project outcome are determined to ensure that specific concerns they have
are built into the project.
• Changes since the last audit (e.g., system, operations, personnel) are identified.

3 Source: www.knowledgeleader.com
• Functions and related management control objectives to be tested are agreed upon.
• The auditee's participation is discussed.
• The audit approach is explained.
• Possible efficiencies and cost savings are identified.
• The project sponsor’s role is defined.
• Protocols for obtaining management comments are in place.
• Timing of the review (including submission of the draft report and the anticipated date of the closing meeting) is
determined.

Management in Attendance

(Insert Text)

Internal Audit Personnel in Attendance

(Insert Text)

Manager

AUDIT TEAM AND EXTERNAL ASSISTANCE

Ensure that the audit team is appropriately leveraged in terms of experience given the relative complexity of the
project. Also, consider the need for systems personnel or other specialist assistance.

Any work requiring systems specialty knowledge or other specialist assistance should be coordinated with the
appropriate auditors in the planning phase of the engagement to ensure that such work is done timely and
efficiently, avoiding effort duplication.

IT Auditor Assistance
List below the planned IT auditor applications that should be used on the engagement. All application requests
should be cleared through the appropriate manager.

(Insert Text)

Signoff (Administration and Setup)

Engagement Manager Other

4 Source: www.knowledgeleader.com
 RISK ASSESSMENT

RISK INDICATORS
The project profile and the opening meeting held with management should provide a basis for the risk assessment
process. When evaluating the risk level of the project, the following items should also be considered:

Regulatory Requirements
Statutory and regulatory requirements impacting the project should be considered and assessed in terms of their
relevance to the project. Consideration should also be given to the potential consequences of noncompliance with
statutory and/or regulatory requirements and our role in detecting such noncompliance. Our work should be
planned to address this risk.

Documentation

(Insert Text)

Prior Audits
Previous Audit History

Prior Audit Date:

Key Issues Raised

(Insert Text)

Follow Up on Previous Audit Concerns

Review previous reports, management responses, exceptions noted last audit period, pre-audit file comments,
etc. List items that require follow-up or special attention during the current audit (e.g., recommendations not
implemented).

Matters for Follow-Up Working Paper Reference

(Insert Text)

Extent of Change
Document any significant current events, issues and considerations and how such conditions will impact the
overall audit approach (restructuring, new products, changes in operations, management, changes in compliance
requirements and other regulations, environment, etc.). Consider management's position on operational change
as well as other prior events and issues, which has a carry-over impact on the current audit project.

5 Source: www.knowledgeleader.com
 (Insert Text)

Political Sensitivity and Technical Difficulty of Projects

Projects that require a high level of technical competence and/or considered politically sensitive (e.g., involving
sensitive contracts and the tendering process or allocation of funds) should be treated as high risk. Document any
issues assessed as “high risk” below.

Documentation

(Insert Text)

Other Factors
Consider the impact of other factors, including:
• What materiality of the area is under review?
• Will the audit results be certified to any external body?
• Will there be external audit reliance?
• Is there a high risk of fraud?
• Has management expressed any concerns about the area under review?

Documentation

(Insert Text)

RISK ASSESSMENT (HIGH, MEDIUM OR LOW): OVERALL CONCLUSION

Documentation

(Insert Text)

Signoff (Risk Assessment)

If the risk level, assessed as a result of the planning phase, differs from the risk indicated on the project profile,
the reasons for the change should be documented. The director’s signoff on the revised risk assessment is
required below.

Insert Position Title Insert Position Title

6 Source: www.knowledgeleader.com
Documentation

Internal Audit Director/Chief Audit Executive

APPROACH

Once determined, the detailed work to be performed should be documented in the standard work program format.
When determining the approach to the project, the following issues should be considered:

SCOPE OF THE WORK TO BE PERFORMED

• Determine what specific functions to review. For business process review projects, it may not be necessary to
flow chart and process map all functions in the audit area. Select functions that are critical to the business unit
achieving its objectives. Where processes are cross-functional, define the extent of work to be performed in
other business units.
• For business units with more than one geographic location, determine (and justify) where the audit work should
be performed and what arrangements need to be made to complete testing outside (Main Location).
• Where the project involves detailed transaction testing, a statistically based sampling approach should
generally be used. The justification for the sampling method and parameters selected should be documented
in the appropriate sampling approach memo.

Documentation

(Insert Text)

AUDITEE ASSISTANCE
Describe below the nature of any significant assistance that may be provided by the auditee's staff and the effect
on the audit work to be performed. Attach the request list if applicable.

Assistance from Auditee Effect on Audit Work

INTERNAL CONTROL EVALUATION

Prepare an internal controls questionnaire to assist in risk evaluation and/or prepare an outline of desirable
control techniques compared to those in place to reduce risk of error or other inaccuracies related to the
accomplishment of management control objectives under audit.

The degree of testing of such controls and techniques is based on the auditor’s judgment depending on the risk.

Summarize the internal control evaluation approach to be used for this audit area below:

(Insert Text)

7 Source: www.knowledgeleader.com
OPERATIONAL AND FUNCTIONAL STRUCTURE
Generally, process maps or flow charts should be used for each audit area. Indicate which method should be
utilized:
• Process Maps
• Flow Charts
• Other (Describe)

(Insert Text)

SAMPLING
The primary sampling applications employed in the audit will be:

Application Technique*

*(E.G., MUS [Attribute, judgmental/mathematical or judgmental/nonmathematical])

Justification for the sampling approach should be documented in the appropriate sampling memo filed at (Insert
Location).

Signoff (Approach)

Insert Position Title Insert Position Title

8 Source: www.knowledgeleader.com
 AUDIT PLANNING MEMO: SAMPLE 2

To:

From:

Date:

Subject:

AUDIT OBJECTIVES

The objective of this review is to evaluate the adequacy of the design of the new controls implemented or planned
to be implemented in (Insert Department Name) and evaluate the effectiveness of any existing controls that,
based on sample testing, have consistently been in operation during the audit sample period. These procedures
will be performed for all processes determined as in-scope (see below). This review should be performed for
operations of (Company). Compliance with federal and state (Company) regulations should not be included in the
review (covered by a separate party) nor will comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX)
(tested under separate arrangement).

CHANGES SINCE PRIOR-YEAR AUDIT

Internal audit last performed an operational review of (Insert Location) (Insert Department) on (Insert Date).
Internal audit conducted a fraud investigation in the area of (Insert Department) on (Insert Date) and performed
follow-up testing for the action plans that resulted from that investigation on (Insert Date). Procedures were
performed for (Insert Department) about the testing of internal controls over financial reporting (i.e., Section 404)
for the controls deemed in-scope, as determined by the Section 404 scoping exercise.

Since (Insert Date), (Company) has been aggressively implementing the strategic growth plan (the plan). The
goals of the plan are to regain and exceed the company's historical growth rate, diversify its business and acquire
new, middle-market clients.

As of (Insert Date), the company hired a total of XX new managing directors as part of the plan, the majority of
which are based in (Insert Location). As of that same date, there were XX full-time equivalent (FTE) employees,
an XX% increase since (Insert Date) and XX% increase since (Insert Date). Total (Insert Product) has increased
XX% from $XX at (Insert Date) to $XX at (Insert Date).

The (Insert Location) (Insert Department) staff has increased over XX% since the implementation of the
company’s strategic growth plan (from XX employees to XX employees as of [Insert Date]). Before the
implementation of the plan, (Insert Department) was organized under one (Insert Position Title), (Name). Now
(Insert Department) is divided into three groups, each led by a manager:
• (Insert Group Name)
− (Insert Group Description)

(Insert Name) will be on-site in (Insert Location) for XX days in (Insert Date) to conduct training for the (Insert
Department). The director of (Insert Department) expects the managers to have their controls documented in
management’s control repository (i.e., “portal”) by the end of the (Insert Date) quarter.

(Insert Department) has added XX employees as part of the plan, bringing total (Insert Product) operations
employees to XX. (Insert Product) volume has increased by approximately XX% as of (Insert Date). (Insert
Department) has begun “straight-through” processing for (Company) clients.

9 Source: www.knowledgeleader.com
 SCOPE OF WORK

The following areas will be covered as part of this review:

• (Insert Description of Areas)

In (Insert Date), internal audit conducted an (Insert Department) review across all (Company) locations that
included the following areas:
• (Insert Areas)

As such, those areas will not be covered as part of the (Insert Location) operations review.

Areas covered by the scope of this engagement are based on the (Insert Date) risk assessment and the
(Company) risk model developed as part of the (Company) enterprise risk management (ERM) program. Internal
audit’s risk assessment methodology is risk-based. As such, the scope of internal audit’s work may rotate to
achieve coverage of the significant risk areas within the company. Factors that may affect the areas covered may
include prior-year findings by internal audit, regulator findings and expectations, industry developments and
trends, quality of internal controls (as determined by SOX testing), and strategic business changes contemplated
or being executed by (Company).

ERM CONSIDERATION

In (Insert Date), (Company) initiated an ERM implementation to identify, source and prioritize the key business
risks facing the organization. Where applicable, information collected via the execution of applicable ERM
processes will be leveraged and integrated for this review.

OBJECTIVES OR RISKS TO BE ADDRESSED

Below are the risks from the customized (Company) risk model, developed as part of ERM, that will be addressed
as part of this review. The expected scope, as part of this review, is detailed below:

FRAUD
Certain fraud prevention controls within (Insert Department), specifically those implemented in response to the
(Insert Date) fraud, will be evaluated and tested.

COMPLIANCE (NON-REGULATORY)
Compliance with relevant operational policies and procedures should be tested as part of this review. As noted
above, compliance with federal and state (Company) regulations and Section 404 of the Sarbanes-Oxley Act of
2002 will not be included in this review.

EFFICIENCY AND CAPACITY RISK

(Company)’s recent changes in strategy have resulted in additional hires, significant increases in (Insert Product)
workflow and changes in the types of (Insert Product) administered by the (Company). These changes may have
a significant impact on the efficiency and capacity of (Company)’s operations. Through observation and inquiry,
internal audit will gauge the impact of these changes on the efficiency and capacity of operations in the (Location)
(Insert Department). Also, to validate that they are still operating effectively despite the process and workflow
changes, internal audit will conduct a design review around new controls associated with the strategic
organizational changes and will conduct sample testing of controls that were not changed by the strategic growth
plan.

10 Source: www.knowledgeleader.com
BUSINESS MODEL AND CULTURE
(Company)’s recent changes in strategy had significant impact on the business model and culture throughout the
entire organization. Through observation and inquiry, internal audit will evaluate the impact of these changes on
the culture and operations in the (Location) (Insert Department).

RETENTION OF HUMAN CAPITAL

Due to the recent strategic and organizational changes throughout (Company), there is a heightened risk that
some individuals may not identify with the changes in the business model and culture and may, therefore, choose
to leave (Company). As part of the review, internal audit will specifically analyze the efforts to cross-train and
develop adequate succession or backup personnel planning where retention of human capital is of concern.

CLIENT SATISFACTION
As a result of the strategic growth plan, (Company) has developed new client relationships as part of an enhanced
focus on the (Insert Product) portfolios. These clients may expect/require a different degree of service or
efficiency than the historical client base. Additionally, new management and new procedures may increase the
likelihood of errors within (Insert Department), which could directly affect client satisfaction. Internal audit will
conduct a design review around new controls and will conduct sample testing of select existing controls where the
design and implementation of said controls have been completed and elicits a sufficient population.

INTERNAL CONTROL RISK

With many new controls being implemented, it will be important that the control design effectiveness is assessed
and that controls are appropriately documented in the portal. As part of the design review, internal audit will note
the current state of control documentation.

NATURE OF WORK

Refer to the audit work program for a list of procedures to be performed.

ESTIMATED TIMING OF WORK

Stages Dates

Planning (Insert Date)

Fieldwork (Insert Date)

Internal Status Meeting (Insert Date)

Client Status Meeting (Insert Date)

Wrap-Up/Report Writing (Insert Date)

Close Meetings/Report Delivery (Insert Date)

Management Comments Due (Insert Date)

Final Report Issued (Insert Date)

At the client status meeting, we anticipate reviewing and validating all detailed findings with client personnel so
management can begin to formulate their responses to our report recommendations.

11 Source: www.knowledgeleader.com
 SAMPLE SIZES

Sample sizes, unless otherwise noted, will comply with internal audit and SOX sample sizes for control frequency.

BUDGET FOR WORK

Name Level Project Role Budgeted Hours

(Insert Name) (Insert Level) (Insert Role) X

(Insert Name) (Insert Level) (Insert Role) X

Total Hours XX

CONSIDERATION OF IT GENERAL CONTROLS

The focus of the review concerning IT controls will be limited, focusing on understanding key processes rather
than independent validation, such as key reports used by management. Reviews of the system controls are
included in the scope of internal audit’s SOX testing.

SPECIALISTS INVOLVED

Members of the audit team have banking experience. Other specialists should be consulted as needed.

EXPECTED DELIVERABLES

The expected deliverable for this project should be a review report. Sarbanes-Oxley testing results will be
documented separately in the (Company) portal as part of the (Insert Date) (Company) Sarbanes-Oxley testing.

The final report should be sent to the auditee and included in the audit committee mailing (which includes several
members of senior management of [Company]). As part of the audit committee, we will discuss the final report,
specifically focusing on overall themes and findings rated a one (1) and two (2).

AUDITEE CONCERNS

The auditee did not identify any specific concerns related to this audit. All auditee personnel should be available
on-site or via phone during the duration of testing. Special instructions were not identified.

(Company)’s internal audit director, (Insert Name), will participate in initial scoping discussions and should provide
oversight for audit execution. Internal audit should draft and finalize the audit report. The internal audit director
should participate in client opening and closing meetings. After fieldwork, the internal audit director and audited
department should be provided a copy of the final report.

12 Source: www.knowledgeleader.com
REVIEWED AND APPROVED

By:

(Insert Name) and (Insert Position Title)

By:

(Insert Name) and (Insert Position Title)

By:

(Insert Name) and (Insert Position Title)

13 Source: www.knowledgeleader.com
 AUDIT PLANNING MEMO: SAMPLE 3

Date:

To:

Company:

Prepared By:

GENERAL INFORMATION

The internal audit team, with roles and responsibilities, includes the following people:
• (Insert Internal Audit Names and Team Roles)

DURATION OF INTERNAL AUDIT

The duration of this internal audit will be for (Insert Time Period), commencing on (Insert Date).

It is anticipated that the fieldwork, working papers and deliverable drafts will be completed by (Insert Person/Team
Completing This Work).

LOCATION OF INTERNAL AUDIT

The internal audit will be performed at (Insert Location).

It is predicted that a site visit to (Insert Location) will be conducted during this review.

BUSINESS HOURS
(Insert Hours of Operation)

KEY CONTACTS

Contact Position Company Email Phone Number

INTERNAL AUDIT OBJECTIVE AND SCOPE

INTERNAL AUDIT OBJECTIVE

The objective of this review is to (Insert Internal Audit Objective).

14 Source: www.knowledgeleader.com
INTERNAL AUDIT SCOPE AND APPROACH
The scope of this review includes an assessment of (Insert Text Here). Specifically, this review will include:
• (Insert Text Here)

DELIVERABLES
Project deliverables will consist of the following:
• (Insert List of Deliverables)

It is planned that the above deliverables will be delivered to you by (Insert Date) for your review and subsequent
discussion.

HIGH-LEVEL WORK PROGRAM

(Insert Details of Areas Being Reviewed and Items You Will Be Seeking From the Auditee).

HIGH-LEVEL WORK PROGRAM

Date Task Contact

15 Source: www.knowledgeleader.com