When JPMorgan Chase received a $250 million civil money penalty from the Office of the Comptroller of the Currency, the enforcement action did not cite a failure of audit technology or a shortage of auditors.

It cited the bank’s failure to maintain adequate internal controls and internal audit oversight over its fiduciary business.

The root cause was an internal audit work program that did not cover the right risks with the right procedures at the right depth—exactly the kind of gap that standardized internal audit work program templates are designed to prevent.

Key Takeaways
An internal audit work program template converts the annual audit plan into step-by-step fieldwork instructions that auditors can execute consistently across engagements.
The 2024 Global Internal Audit Standards (effective January 2025) require work programs to document the nature, timing, and extent of audit procedures for every engagement.
Cybersecurity appears on 71% of 2026 audit plans, making a cyber-specific internal audit work program template essential for most organizations.
Each of the 12 industry-specific templates in this article maps audit objectives to specific controls, testing procedures, sample sizes, and IIA Standards references.
Internal audit functions aligned with organizational strategy report funding sufficiency rates 30 percentage points higher than those only somewhat aligned.
AI-assisted audit procedures are moving from experimentation to production, with 41% of audit functions planning AI implementation by end of 2026.
A well-structured internal audit work program template reduces fieldwork time by 20–30% while improving finding consistency and workpaper quality.

An internal audit work program template is the operational blueprint that translates your annual audit plan into executable fieldwork. It specifies what to test, how to test it, how much to sample, and what evidence to collect for every audit engagement.

The 2024 Global Internal Audit Standards (GIAS), effective January 9, 2025, formalize this requirement under Domain V: Performing Internal Audit Services, mandating that work programs document the nature, timing, and extent of procedures — a requirement that every internal audit work program template must now satisfy.

Yet according to the 2026 IIA Pulse of Internal Audit report, internal audit functions are being asked to do more with less: budget cuts rose from 11% to 19% between 2024 and 2025, while those reporting increases dropped from 34% to 23% — making efficient internal audit work program templates more critical than ever.

This article provides 12 industry-specific internal audit work program templates spanning financial services, healthcare, manufacturing, technology, retail, energy, government, higher education, insurance, construction, nonprofit, and cybersecurity.

Each of these internal audit work program templates includes audit objectives, key controls to test, specific procedures, sample sizes, and cross-references to IIA Standards and relevant regulatory frameworks.

Whether you are building your first internal audit work program template or modernizing an existing library, these practitioner-ready examples will accelerate your fieldwork planning and improve engagement quality.

What Is an Internal Audit Work Program and Why Does It Matter?

An internal audit work program template is a detailed document that specifies the procedures an auditor will perform during a specific engagement. It serves as the bridge between the risk-based audit plan (which identifies what to audit) and the workpapers (which document what was done).

The IIA’s Global Internal Audit Standards organize requirements across five domains, and Domain V (Performing Internal Audit Services) is where the internal audit work program template lives.

A properly constructed internal audit work program template contains seven core elements: audit objective, scope boundaries, risk and control matrix, detailed procedures, sample selection methodology, evidence requirements, and reporting criteria.

The internal audit work program template standardizes these elements so that different auditors executing the same program produce consistent results. This consistency is critical because the IPPF framework requires that the Chief Audit Executive establish policies and procedures to guide the internal audit activity, and the work program template is the primary vehicle for that standardization.

The distinction between an audit plan and an internal audit work program template matters. The audit plan is strategic: it answers “what audits will we conduct this year and why?”

The internal audit work program template is tactical: it answers “how will we execute this specific audit, step by step?” Your enterprise risk management framework informs the audit plan, and the work program translates that plan into fieldwork.

Seven Core Components of an Internal Audit Work Program Template

| Component | Description & Purpose |
| --- | --- |
| 1. Audit Objective | Defines what the engagement will evaluate and the criteria for success. Linked to the annual audit plan and organizational risk assessment. |
| 2. Scope & Boundaries | Specifies the period under review, business units, processes, systems, and geographic locations included (and excluded). |
| 3. Risk & Control Matrix (RACM) | Maps key risks to controls, control owners, and control types (preventive, detective, corrective). The RACM drives procedure design. |
| 4. Detailed Procedures | Step-by-step instructions for each test: inquiry, observation, inspection, re-performance, or analytical procedures. Includes specific attributes to evaluate. |
| 5. Sample Selection | Defines population, sample size methodology (statistical or judgmental), sampling interval, and selection method for each test. |
| 6. Evidence Requirements | Specifies what constitutes sufficient, reliable evidence for each procedure: screenshots, confirmations, reconciliations, system reports, etc. |
| 7. Reporting Criteria | Defines the rating scale (e.g., Satisfactory/Needs Improvement/Unsatisfactory), finding classification, and root cause analysis requirements. |

Each of the 12 internal audit work program templates that follow incorporates all seven components.

The consistency across internal audit work program templates means your audit team can move between engagements without relearning a new format, and your risk register integrates seamlessly with the RACM in each work program.

Top Areas on 2026 Internal Audit Work Programs

Internal Audit Work Program Templates: 12 Industry-Specific Examples

Figure 1: Cybersecurity dominates 2026 internal audit work program templates at 71%, followed by financial reporting controls (65%), third-party risk (58%), and business continuity audits which have risen sharply post-CrowdStrike.

Gen AI governance audits appear on 42% of plans, reflecting the rapid emergence of AI-specific audit requirements.

Anatomy of an Effective Internal Audit Work Program Template

The difference between an internal audit work program template that drives quality findings and one that produces superficial results lies in the specificity of procedures. A weak procedure reads: “Review access controls.”

A strong procedure reads: “Obtain the Active Directory user listing as of [date]. Compare against the HR termination report for the same period. Identify any terminated employees with active accounts. For each exception, determine the last login date and document whether access was used post-termination.”

The internal audit work program template must enforce this level of specificity.
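The strong procedure above can be run as a repeatable test over the two exports. The following is an added example, not part of the original article; the CSV column names, the sample rows, and the function names are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports (not real data). Column names are assumptions;
# map them to the fields your directory and HR system actually export.
AD_EXPORT = """sam_account_name,employee_id,enabled,last_logon
jdoe,1001,True,2025-03-02T08:15:00
ASMITH,1002,True,2025-01-10T17:40:00
bnguyen,1003,False,2025-02-01T09:00:00
cpatel,1004,True,
mlee,1005,True,2025-03-20T12:00:00
svc_backup,,True,2025-03-30T02:00:00
"""

HR_TERMINATIONS = """employee_id,name,termination_date
1001,J. Doe,2025-02-14
1002,A. Smith,2025-01-31
1003,B. Nguyen,2025-01-15
1004,C. Patel,2025-03-01
"""


def load_terminations(hr_csv):
    """Map employee_id -> termination date from the HR termination report."""
    return {
        row["employee_id"].strip(): date.fromisoformat(row["termination_date"].strip())
        for row in csv.DictReader(io.StringIO(hr_csv))
    }


def reconcile(ad_csv, hr_csv, as_of):
    """Return (exceptions, unmatched) for the listing date `as_of`.

    exceptions: enabled accounts whose owner was terminated on or before as_of.
    unmatched:  enabled accounts with no employee_id (service or shared
                accounts) that cannot be tested here and need separate review.
    """
    terminated = load_terminations(hr_csv)
    exceptions, unmatched = [], []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        account = row["sam_account_name"].strip().lower()
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts are not "active accounts"
        emp_id = row["employee_id"].strip()
        if not emp_id:
            unmatched.append(account)
            continue
        term_date = terminated.get(emp_id)
        if term_date is None or term_date > as_of:
            continue  # still employed as of the listing date
        raw = row["last_logon"].strip()
        last_logon = datetime.fromisoformat(raw) if raw else None
        exceptions.append({
            "account": account,
            "employee_id": emp_id,
            "termination_date": term_date,
            "last_logon": last_logon,
            # None means no logon was recorded, which is inconclusive rather
            # than evidence of non-use. A logon on the termination day itself
            # is not counted as post-termination.
            "used_after_termination": (
                None if last_logon is None else last_logon.date() > term_date
            ),
            "days_enabled_after_termination": (as_of - term_date).days,
        })
    return exceptions, unmatched


if __name__ == "__main__":
    found, review = reconcile(AD_EXPORT, HR_TERMINATIONS, date(2025, 3, 31))
    for exc in found:
        print(exc)
    print("accounts without an employee_id:", review)
```

If the listing is built from the replicated lastLogonTimestamp attribute, the recorded value can trail the real logon by up to about 14 days, so a "not used" result close to the termination date should be corroborated with authentication logs.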

The COSO Internal Control Framework provides the control taxonomy most internal audit work program templates reference. Its five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities) organize the controls you will test.

For each control, the internal audit work program template specifies the testing approach: design effectiveness testing (does the control address the risk?) and operating effectiveness testing (did the control operate consistently during the period?).

Audit Procedure Types and When to Use Each

| Procedure Type | Description | Best Used For | Evidence Strength |
| --- | --- | --- | --- |
| Inquiry | Interview control owners to understand how processes and controls operate | All engagements; always paired with corroborating procedures | Moderate — alone it is the weakest form of evidence |
| Observation | Watch a process or control being performed in real-time | Warehouse operations, cash handling, physical security, IT operations | Moderate to High — confirms process operation at a point in time |
| Inspection | Examine documents, records, or tangible assets | Financial reconciliations, contract reviews, system configurations | High — provides direct evidence of control operation |
| Re-performance | Independently execute a control or calculation to verify accuracy | Automated controls, complex calculations, reconciliation procedures | Highest — directly tests whether the control produces correct results |
| Analytical Procedures | Compare data relationships to identify anomalies or unexpected patterns | Revenue trends, expense ratios, transaction volume analysis, fraud detection | Moderate to High — effective for identifying areas requiring further testing |

When designing procedures in your internal audit work program template, follow the evidence hierarchy: always start with re-performance or inspection for key controls, use observation for physical processes, and supplement with inquiry.

Never rely on inquiry alone in any internal audit work program template. The 2024 Global Internal Audit Standards explicitly require that evidence be sufficient (enough to support findings), reliable (from credible sources), relevant (connected to the objective), and useful (contributes to achieving engagement goals).

Figure 2: Budget cuts rose from 11% to 19% between 2024 and 2025, while budget increases dropped from 34% to 23%.

These pressures make standardized internal audit work program templates essential for maintaining quality with fewer resources.

12 Industry-Specific Internal Audit Work Program Templates

The following internal audit work program templates are structured for immediate adaptation. Each template provides audit objectives, key controls, specific procedures, sample guidance, and standards references.

Customize the scope, sample sizes, and thresholds to your organization’s risk profile and risk appetite.

Template 1: Financial Services — Credit Risk Audit

| Component | Financial Services — Credit Risk Audit Work Program |
| --- | --- |
| Audit Objective | Evaluate the design and operating effectiveness of credit risk controls across loan origination, underwriting, and portfolio monitoring. |
| Key Controls to Test | Credit policy compliance, loan approval authority limits, credit scoring model validation, concentration limit monitoring, loan loss provisioning, past-due reporting. |
| Procedure Examples | 1) Select 25 new loan originations from the period; verify credit score, DTI ratio, collateral valuation, and approval authority against policy. 2) Re-perform the allowance for loan losses calculation for the quarter. 3) Test concentration limits by comparing portfolio composition to board-approved thresholds. |
| Sample Guidance | Originations: 25 per quarter (statistical, stratified by loan type). Provisioning: 100% re-performance. Concentration: analytical review of full portfolio. |
| Standards References | GIAS Domain V, Standard 11.1–11.4. OCC Comptroller’s Handbook: Loan Portfolio Management. Basel Committee: Principles for the Management of Credit Risk. |
| Regulatory Context | OCC, FDIC, Federal Reserve examination procedures. SOX Section 404 for listed institutions. CECL (ASC 326) for loss provisioning. |

This financial services internal audit work program template addresses the most scrutinized area in banking.

The OCC’s Semiannual Risk Perspective consistently cites credit risk management as a supervisory priority, making robust audit coverage essential for regulatory readiness.

Template 2: Healthcare — HIPAA Compliance Audit

| Component | Healthcare — HIPAA Compliance Audit Work Program |
| --- | --- |
| Audit Objective | Assess the design and operating effectiveness of controls protecting patient health information (PHI) under HIPAA Privacy and Security Rules. |
| Key Controls to Test | PHI access controls, minimum necessary standard enforcement, Business Associate Agreements (BAAs), breach notification procedures, HIPAA training completion, physical safeguards for PHI. |
| Procedure Examples | 1) Obtain user access listings for all systems containing ePHI; verify role-based access aligns with job responsibilities for a sample of 30 users. 2) Select 15 patient records; verify minimum necessary standard compliance for each access event. 3) Test BAA completeness: confirm 100% of vendors with PHI access have current, signed BAAs. |
| Sample Guidance | User access: 30 users (stratified by department). Patient records: 15 (judgmental, high-risk departments). BAAs: 100% coverage for Tier 1 vendors; sample of 20 for Tier 2. |
| Standards References | GIAS Domain V. HIPAA Privacy Rule (45 CFR Part 160 and 164, Subparts A and E). HIPAA Security Rule (45 CFR Part 164, Subparts A and C). HITECH Act. |
| Regulatory Context | HHS Office for Civil Rights (OCR) enforcement. State-specific healthcare privacy laws. CMS Conditions of Participation. |

Healthcare internal audit work program templates must account for both federal HIPAA requirements and state-specific privacy regulations.

The risk assessment process should inform which departments and systems receive the most intensive testing based on PHI volume and sensitivity.

Template 3: Technology — SDLC and Change Management Audit

| Component | Technology — SDLC/Change Management Audit Work Program |
| --- | --- |
| Audit Objective | Evaluate the effectiveness of controls over the software development lifecycle (SDLC) and change management process for production systems. |
| Key Controls to Test | Change approval workflows, segregation of duties between development and production, code review requirements, testing and QA gates, emergency change procedures, rollback procedures. |
| Procedure Examples | 1) Select 30 production changes from the period; verify each has documented approval, testing evidence, and post-implementation review. 2) Test SoD: confirm no developer has production deployment access. 3) Review 10 emergency changes for proper after-the-fact authorization and root cause documentation. |
| Sample Guidance | Production changes: 30 (statistical, stratified by application criticality). SoD: 100% of developer accounts tested against production access. Emergency changes: all from the period, or 10 if population exceeds 25. |
| Standards References | GIAS Domain V. COBIT 2019: BAI06 (Manage Changes). NIST SP 800-53: CM family controls. SOX ITGC requirements. |
| Regulatory Context | SOX Section 404 for listed companies. PCI-DSS Requirement 6 (for payment systems). FDA 21 CFR Part 11 (for regulated software). |

Template 4: Retail — Inventory and Shrinkage Audit

| Component | Retail — Inventory/Shrinkage Audit Work Program |
| --- | --- |
| Audit Objective | Evaluate inventory controls across the supply chain from receipt through point-of-sale, with focus on shrinkage prevention, accuracy, and valuation. |
| Key Controls to Test | Receiving inspection and count procedures, inventory valuation methodology, cycle count program, shrinkage monitoring and investigation, write-off authorization, physical security. |
| Procedure Examples | 1) Observe 5 receiving events; verify count, inspection, and system entry accuracy. 2) Select 50 SKUs; perform independent count and compare to system quantity. 3) Analyze shrinkage rates by location and department; identify locations exceeding the 1.5% threshold for deep-dive testing. |
| Sample Guidance | Receiving observations: 5 events across high-volume locations. SKU counts: 50 (stratified by value tier). Shrinkage analysis: all locations with analytical review. |
| Standards References | GIAS Domain V. ASC 330: Inventory. COSO Monitoring Activities component. |
| Regulatory Context | SEC reporting requirements for inventory valuation (listed retailers). Industry benchmarks from National Retail Federation for shrinkage rates. |

This retail internal audit work program template focuses on the highest-risk area for retail operations.

Your risk monitoring approach should incorporate continuous data analytics for shrinkage patterns alongside periodic fieldwork.

Template 5: Manufacturing — Quality and Safety Compliance Audit

| Component | Manufacturing — Quality/Safety Audit Work Program |
| --- | --- |
| Audit Objective | Assess controls over product quality assurance, workplace safety compliance, and environmental regulatory adherence across manufacturing facilities. |
| Key Controls to Test | Incoming material inspection, in-process quality checks, final product testing, non-conformance handling (CAPA), OSHA compliance, environmental permit adherence. |
| Procedure Examples | 1) Select 20 production batches; verify QC inspection records, acceptance criteria, and traceability documentation. 2) Review all CAPAs opened in the period; verify root cause analysis, corrective action, and effectiveness verification. 3) Inspect 3 facilities for OSHA compliance: PPE usage, machine guarding, LOTO procedures. |
| Sample Guidance | Production batches: 20 (stratified by product line). CAPAs: 100% review. Facility inspections: 3 locations (judgmental, risk-based). |
| Standards References | GIAS Domain V. ISO 9001:2015 Quality Management. ISO 45001:2018 Occupational Health & Safety. ISO 14001:2015 Environmental Management. |
| Regulatory Context | OSHA standards and inspection priorities. EPA permits and reporting. FDA cGMP for regulated products. |

Template 6: Government — Grants Management Audit

| Component | Government — Grants Management Audit Work Program |
| --- | --- |
| Audit Objective | Evaluate controls over federal grant administration including eligibility determination, cost allowability, reporting accuracy, and subrecipient monitoring. |
| Key Controls to Test | Grant eligibility verification, cost allocation methodology, matching/cost-sharing compliance, time and effort reporting, subrecipient monitoring, single audit compliance. |
| Procedure Examples | 1) Select 40 grant expenditures; test allowability, allocability, and reasonableness per 2 CFR 200. 2) Verify time and effort certifications for 20 employees charging to federal grants. 3) Confirm subrecipient single audit reports received and reviewed for all subrecipients expending >$750K. |
| Sample Guidance | Expenditures: 40 (statistical, stratified by grant program). Time and effort: 20 employees. Subrecipient audits: 100% above $750K threshold. |
| Standards References | GIAS Domain V. 2 CFR Part 200 (Uniform Guidance). GAO Government Auditing Standards (Yellow Book). OMB Circular A-123. |
| Regulatory Context | Single Audit Act. Federal awarding agency terms and conditions. Inspector General oversight. |

Internal Audit Work Program Maturity by Component

Figure 3: Risk assessment and control testing show the highest maturity in internal audit work programs, while AI-assisted audit procedures and agile methods remain predominantly basic or developing, indicating significant room for modernization.

Template 7: Energy — Health, Safety, and Environment (HSE) Audit

The energy sector HSE audit work program focuses on permit-to-work systems, process safety management (PSM), environmental compliance monitoring, emergency response readiness, and contractor safety oversight.

Key procedures include: verifying 30 permit-to-work records for completeness and authorization, inspecting 5 facilities for PSM compliance (Management of Change, Pre-Startup Safety Review), testing environmental monitoring data against permit limits, and evaluating emergency drill effectiveness through observation and documentation review.

This template aligns with OSHA PSM (29 CFR 1910.119), EPA SPCC requirements, and ISO 31000 risk management principles.

Template 8: Insurance — Claims Processing Audit

The insurance claims audit work program tests claims adjudication accuracy, reserve adequacy, settlement authority compliance, fraud detection controls, and subrogation recovery.

Core procedures include: selecting 40 claims (stratified by line of business and value) to verify coverage determination, reserve calculation, and settlement authorization; testing fraud screening indicators for 100% of large-loss claims; and analyzing claims cycle times against service level targets.

References include state insurance department examination procedures and insurance KRI frameworks.

Template 9: Higher Education — Financial Aid Compliance Audit

The higher education financial aid audit work program evaluates Title IV compliance, Pell Grant eligibility verification, student loan disbursement controls, satisfactory academic progress (SAP) monitoring, and Return of Title IV Funds (R2T4) calculations.

Key tests include: selecting 35 student files to verify FAFSA verification completion, enrollment status, and disbursement timing; re-performing 10 R2T4 calculations; and testing the SAP evaluation process for a sample of 25 students on academic probation.

This template references the Federal Student Aid Handbook, compliance KRI best practices, and the 2024 IIA Standards.

Template 10: Construction — Project Cost and Progress Audit

The construction project audit work program covers cost control, change order management, progress billing accuracy, subcontractor compliance, and project schedule adherence.

Procedures include: selecting 25 invoices to verify against contract terms and approved change orders; testing percentage-of-completion calculations for 10 projects; reviewing all change orders exceeding $100K for proper authorization; and performing 3 site visits to compare reported progress against physical completion.

This template supports the risk identification tools needed for complex project environments.

Template 11: Nonprofit — Donor Restrictions and Program Audit

The nonprofit audit work program evaluates donor restriction compliance, program expenditure controls, fundraising cost ratios, grant reporting accuracy, and conflict of interest procedures.

Key tests: trace 30 restricted donations from receipt through expenditure to verify restriction compliance; verify program expense allocation methodology for 3 major programs; test fundraising cost ratio calculations against publicly reported figures; and review all grant reports submitted during the period for accuracy against accounting records.

References include IRS Form 990 requirements and the compliance KRI framework.

Template 12: Cybersecurity — IT General Controls and Security Audit

The cybersecurity audit work program addresses access management, vulnerability management, incident response, data protection, and network security.

Procedures include: testing user access reviews for all critical systems (verify quarterly reviews completed and exceptions remediated); selecting 20 critical vulnerabilities to verify remediation within SLA; testing the incident response plan through tabletop exercise observation; verifying encryption at rest and in transit for all systems containing PII/PHI; and testing firewall rule reviews and change management.

This template aligns with NIST CSF 2.0 KRI methodology, COBIT 2019, and SOC 2 Type II trust service criteria.

Sample Size Methodology for Internal Audit Work Programs

One of the most critical decisions in any internal audit work program template is the sample size. Too small, and you cannot support your conclusions. Too large, and you waste resources. The appropriate sample depends on the control type, testing objective, and population characteristics.

For controls operating on a transaction basis (e.g., invoice approvals), internal audit work program templates should specify statistical sampling when the population is large and you need defensible results.

The most common approach is attribute sampling: define the expected error rate (typically 0–2% for key controls), the confidence level (90–95%), and the tolerable deviation rate (5–10%).

These parameters produce sample sizes of 25–60 per control, depending on the combination. For automated controls that operate identically every time, a sample of one re-performance test per period (plus confirmation that the control has not been modified) is typically sufficient.
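The way those three parameters turn into a sample size can be worked through directly. The following is an added example, not part of the original article: it uses a binomial model (which assumes the population is large relative to the sample), so results can differ slightly from published sampling tables, and it goes one step beyond the passage by also evaluating the result after testing. All function names are assumptions.

```python
import math


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence, tolerable_rate, expected_rate=0.0, max_n=5000):
    """Smallest sample size n, with the number of deviations it can absorb.

    n is the first size at which, if the true deviation rate were as high as
    the tolerable rate, finding no more than the planned number of deviations
    would have probability <= 1 - confidence.
    """
    risk = 1.0 - confidence
    for n in range(1, max_n + 1):
        # Deviations planned for at this n, given the expected error rate.
        allowed = math.ceil(round(expected_rate * n, 9))
        if binom_cdf(allowed, n, tolerable_rate) <= risk:
            return n, allowed
    raise ValueError("no sample size found within max_n")


def upper_deviation_limit(n, deviations, confidence):
    """One-sided upper bound on the true deviation rate after testing.

    Solves binom_cdf(deviations, n, p) = 1 - confidence for p by bisection.
    """
    if deviations >= n:
        return 1.0
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid  # bound is still too low to reach the confidence level
        else:
            hi = mid
    return hi


def evaluate(n, deviations, confidence, tolerable_rate):
    """Compare the achieved upper limit with the tolerable deviation rate."""
    limit = upper_deviation_limit(n, deviations, confidence)
    return {"upper_limit": round(limit, 4), "within_tolerable": limit <= tolerable_rate}


if __name__ == "__main__":
    for conf, tol, exp in [(0.95, 0.05, 0.0), (0.95, 0.10, 0.0),
                           (0.90, 0.05, 0.0), (0.95, 0.10, 0.01)]:
        n, allowed = sample_size(conf, tol, exp)
        print(f"confidence={conf:.0%} tolerable={tol:.0%} expected={exp:.0%}"
              f" -> n={n}, deviations allowed={allowed}")
    print(evaluate(59, 0, 0.95, 0.05))
    print(evaluate(59, 1, 0.95, 0.05))
```

A single deviation in a sample planned for zero pushes the upper limit above the tolerable rate, which is why the expected error rate has to be set honestly at planning time.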

Your key risk indicators can also inform sampling decisions. If a KRI is trending adverse (e.g., increasing exception rates), increase the sample size for the related control to understand the root cause.

Conversely, if a control has produced zero exceptions across multiple audit cycles and the operating environment is stable, consider reducing the sample size and reallocating audit hours to higher-risk areas.

| Control Type | Sampling Approach | Typical Sample Size | Examples |
| --- | --- | --- | --- |
| Manual Preventive (high volume) | Statistical attribute sampling | 25–60 | Invoice approvals, purchase orders, expense reimbursements |
| Manual Preventive (low volume) | Census or large sample | 100% if <50; 25–30 if >50 | Board approvals, executive authorizations |
| Manual Detective | Judgmental or stratified | 15–30 | Reconciliations, exception reviews, supervisory reviews |
| Automated (IT-dependent) | Re-performance + change verification | 1 re-performance + 100% change log review | System-calculated limits, automated three-way match |
| Continuous Monitoring | Full population via data analytics | 100% with exception focus | Transaction monitoring, access logging, duplicate detection |

Integrating Internal Audit Work Programs with the Three Lines Model

No internal audit work program template operates in isolation. The Three Lines Model (published by The IIA in 2020) defines how internal audit relates to management’s controls and the organization’s governance.

Understanding this relationship is essential for designing internal audit work program templates that test the right things at the right level.

First-line roles (business operations and management) own and manage risks and controls. Second-line roles (risk management, compliance, quality) provide expertise, monitoring, and challenge to the first line.

Third-line roles (internal audit) provide independent, objective assurance to the governing body. Your internal audit work program template should test both first-line control execution and second-line monitoring effectiveness.

For example, when auditing third-party risk management, the work program should test whether business units (first line) completed vendor risk assessments, and whether the risk management function (second line) reviewed and challenged those assessments.

The risk culture of the organization also influences internal audit work program template design. In organizations with weak risk culture, work programs need more extensive substantive testing because reliance on management’s assertions is less justified.

In mature risk organizations, the work program can leverage second-line monitoring data and focus audit procedures on the effectiveness of that monitoring.

AI Adoption in Internal Audit Functions

Figure 4: AI adoption in internal audit is accelerating rapidly. Active use grew from 8% in 2022 to 25% in 2025, with projections reaching 65% by 2027.

Internal audit work program templates must evolve to incorporate AI-assisted procedures alongside traditional testing methods.

Frequently Asked Questions About Internal Audit Work Programs

What is the difference between an audit plan and an audit work program?

An audit plan is the strategic document that identifies which audits the function will conduct during the year, based on the risk assessment and available resources.

An internal audit work program is the tactical document that specifies how a specific audit will be executed: the procedures, sample sizes, evidence requirements, and reporting criteria.

The plan answers “what and why” while the work program answers “how.” The 2024 Global Internal Audit Standards require both: Domain IV covers audit planning, and Domain V covers performing services, which is where the work program lives.

How often should internal audit work program templates be updated?

Update your internal audit work program templates whenever the underlying risk landscape, regulatory requirements, or organizational processes change materially.

At minimum, perform an annual review of all templates to confirm they reflect current standards, regulations, and organizational structure. The 2024 GIAS require that work programs be tailored to each engagement, so a template is a starting point, not a static document.

Monitor key risk indicators to identify when environmental changes should trigger template updates mid-cycle.

What sample size should I use in an internal audit work program?

The sample size in any internal audit work program template depends on the control type, population size, expected error rate, and required confidence level. For manual transaction controls, typical samples range from 25 to 60 items using statistical attribute sampling.

For automated controls, one re-performance test plus change management verification is generally sufficient. For low-volume, high-impact controls (like board approvals), test the entire population.

The IIA’s guidance recommends that the sampling methodology be documented in the work program and that the rationale for the chosen approach be clear to reviewers.

How do AI tools integrate with internal audit work program templates?

AI tools are being integrated into internal audit work program templates in three primary ways. First, data analytics and AI can analyze 100% of a transaction population to identify anomalies, replacing sampling for certain tests.

Second, AI-assisted work program generation uses large language models to draft procedures based on the RACM and prior-year workpapers, which auditors then review and customize.

Third, natural language processing automates evidence gathering from contracts, policies, and correspondence. According to PwC’s 2026 research on digital transformation in audit, 41% of audit functions plan to implement AI by the end of 2026.

Do the 2024 Global Internal Audit Standards change work program requirements?

Yes. The 2024 GIAS, effective January 9, 2025, reorganize requirements into five domains and introduce more explicit requirements for work program documentation.

Domain V (Performing Internal Audit Services) requires auditors to design and document internal audit work program templates that include the nature, timing, and extent of procedures necessary to achieve engagement objectives.

The standards also emphasize the need for sufficient, reliable, relevant, and useful evidence. Internal audit work program templates should be updated to cross-reference the new standard numbers and incorporate the expanded documentation requirements.

How should the work program handle findings that fall outside the original scope?

When auditors discover significant issues outside the work program scope, the IIA Standards require communication with the Chief Audit Executive to determine the appropriate response.

Options include: expanding the current engagement’s scope (with documented approval), opening a separate advisory or assurance engagement, or escalating to management and the audit committee for awareness.

The work program should include a protocol for scope changes that documents who approves expansions, the rationale, and any resource implications.

What role does the risk and control matrix play in the work program?

The risk and control matrix (RACM) is the analytical backbone of the internal audit work program. It maps each key risk to the specific controls designed to mitigate it, identifies control owners, and classifies controls by type (preventive, detective, corrective) and nature (manual, automated).

The work program’s procedures are then designed to test each control identified in the RACM. Without a well-constructed RACM, the work program risks testing controls that do not address the most significant risks. Your risk assessment methodology should feed directly into the RACM construction.

How do you ensure quality across multiple auditors using the same template?

Consistency requires four mechanisms:

(1) the internal audit work program template itself, which standardizes procedures and documentation requirements;

(2) a workpaper review process where a senior auditor or manager reviews every completed procedure for sufficiency;

(3) a Quality Assurance and Improvement Program (QAIP) as required by the 2024 GIAS, which includes both ongoing and periodic assessments; and

(4) periodic template calibration sessions where the audit team discusses procedure interpretations to ensure uniform application.

The IPPF framework provides guidance on QAIP design and implementation.

Common Pitfalls in Internal Audit Work Program Development

| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Copy-paste from prior year without updating | Time pressure and assumption that risks haven’t changed | Require a documented risk reassessment before reusing any prior-year work program. Update procedures to reflect process changes, personnel turnover, and new regulatory requirements. |
| Procedures too vague to execute consistently | Template author lacks fieldwork experience or over-summarizes | Write procedures at the “new staff auditor” level of specificity. If someone unfamiliar with the process cannot execute the step, it’s too vague. |
| Over-reliance on inquiry as sole evidence | Auditor comfort with interviewing over testing | Enforce the evidence hierarchy in the template: re-performance and inspection first, observation second, inquiry only as supplementary. |
| Sample sizes not justified or documented | Lack of statistical sampling knowledge; default to “25 items” regardless of population | Include sampling methodology guidance in every template. Document population size, sampling method, confidence level, and expected error rate. |
| No connection between RACM and procedures | RACM and work program developed separately | Build the work program directly from the RACM. Each control in the RACM should have at least one corresponding procedure in the work program. |
| Ignoring automated/IT-dependent controls | Audit team lacks IT audit skills | Include IT control testing in every work program where processes are system-dependent. Partner with IT audit specialists or upskill the team. |
| Findings not linked to root causes | Work program procedures focus on “what happened” but not “why” | Add root cause analysis requirements to the reporting criteria section of every template. |
| Audit committee receives raw templates instead of risk-based summaries | CAE presents work programs rather than risk coverage and results | Create an executive-level mapping that shows how work programs cover the organization’s top risks. Present risk coverage, not procedure lists. |
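
Three of the remedies above (RACM-to-procedure linkage, the evidence hierarchy, and documented sampling) can be checked mechanically before fieldwork starts. The Python sketch below is an added example, not part of the original article or of any audit tool; the record fields, finding names, and control and procedure IDs are assumptions constructed for illustration.

```python
from collections import defaultdict

# Evidence types that may stand alone; inquiry is supplementary only.
PRIMARY_EVIDENCE = {"re-performance", "inspection", "observation"}
SAMPLING_FIELDS = ("population_size", "sampling_method",
                   "confidence_level", "expected_error_rate")

def lint_work_program(racm, procedures):
    """Return sorted (issue, id) findings for a work program checked against its RACM."""
    findings = []
    by_control = defaultdict(list)
    for proc in procedures:
        by_control[proc["control_id"]].append(proc)
    for control in racm:
        cid = control["control_id"]
        evidence = {p["evidence_type"] for p in by_control.get(cid, [])}
        if not evidence:
            findings.append(("control_without_procedure", cid))
        elif not evidence & PRIMARY_EVIDENCE:
            findings.append(("inquiry_only_evidence", cid))
    racm_ids = {c["control_id"] for c in racm}
    for proc in procedures:
        if proc["control_id"] not in racm_ids:
            findings.append(("procedure_without_racm_control", proc["procedure_id"]))
        # A stated sample size must carry its documented justification.
        sampling = proc.get("sampling") or {}
        if proc.get("sample_size") and any(sampling.get(f) is None for f in SAMPLING_FIELDS):
            findings.append(("sampling_not_documented", proc["procedure_id"]))
    return sorted(findings)

# Constructed sample data (hypothetical control and procedure IDs).
RACM = [
    {"control_id": "C-01", "type": "preventive", "nature": "automated"},
    {"control_id": "C-02", "type": "detective", "nature": "manual"},
    {"control_id": "C-03", "type": "corrective", "nature": "manual"},
]
PROCEDURES = [
    {"procedure_id": "P-01", "control_id": "C-01", "evidence_type": "inspection",
     "sample_size": 40,
     "sampling": {"population_size": 1200, "sampling_method": "random",
                  "confidence_level": 0.95, "expected_error_rate": 0.02}},
    {"procedure_id": "P-02", "control_id": "C-02", "evidence_type": "inquiry"},
    {"procedure_id": "P-03", "control_id": "C-09", "evidence_type": "re-performance",
     "sample_size": 25},
]

if __name__ == "__main__":
    for issue, ident in lint_work_program(RACM, PROCEDURES):
        print(f"{issue}: {ident}")
```

On the constructed data, the check flags C-03 (no procedure), C-02 (inquiry only), and P-03 (tests a control absent from the RACM and states a sample of 25 with no sampling documentation).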

Internal audit work program templates are undergoing their most significant transformation in decades, driven by three converging forces.

First, the 2024 Global Internal Audit Standards are raising the bar for work program documentation, evidence quality, and quality assurance.

As organizations complete their transition to the new standards (effective January 2025), work program templates will need to demonstrate compliance with Domain V’s explicit requirements for the nature, timing, and extent of procedures.

Expect peer review and external quality assessment findings to increasingly focus on work program rigor.

Second, AI and automation are fundamentally changing what internal audit work program templates can accomplish.

According to Deloitte’s Internal Audit Hot Topics 2026, agentic AI systems can now automate labor-intensive processes including developing risk and control matrices, generating testing strategies, and drafting observations.

The internal audit work program template of 2028 will likely include “AI-executed” procedures alongside traditional manual procedures, with human auditors focusing on judgment-intensive steps: evaluating root causes, assessing management’s remediation plans, and providing strategic recommendations.

The 42% of audit plans already including Gen AI governance reviews signals that audit functions are not just adopting AI, they are auditing it.

Third, continuous auditing is replacing periodic engagement-based internal audit work program templates for certain risk areas. With 100% population testing via data analytics, the traditional model of selecting a sample and extrapolating findings is becoming less relevant for transaction-level controls.

The work program of the future will integrate real-time monitoring dashboards, exception-based testing triggered by automated alerts, and periodic deep-dive engagements for areas requiring professional judgment.

The ERM software market, projected to reach $11.97 billion by 2030, is increasingly offering integrated audit management modules that embed work program templates, automate workpaper generation, and provide real-time KRI dashboards for audit planning.

For Chief Audit Executives building their 2027 audit plans, the imperative is clear: invest in standardized, risk-based internal audit work program templates today, then layer AI and analytics capabilities on top of that foundation.

Organizations that skip the standardization step and jump straight to technology will find themselves automating inconsistency. Build the template library first, then transform it.

