The audit plan should cover or reference the following:
a) the audit objectives;
b) the audit scope, including identification of the organizational and functional units, as well as processes to be audited;
c) the audit criteria and any reference documents;
d) the locations, dates, expected time and duration of audit activities to be conducted, including meetings with the auditee’s management;
e) the audit methods to be used, including the extent to which audit sampling is needed to obtain sufficient audit evidence and the design of the sampling plan, if applicable;
f) the roles and responsibilities of the audit team members, as well as guides and observers;
g) the allocation of appropriate resources to critical areas of the audit.
The audit plan may also cover the following, as appropriate:
- identification of the auditee’s representative for the audit;
- the working and reporting language of the audit where this is different from the language of the auditor or the auditee or both;
- the audit report topics;
- logistics and communications arrangements, including specific arrangements for the locations to be audited;
- any specific measures to be taken to address the effect of uncertainty on achieving the audit objectives;
- matters related to confidentiality and information security;
- any follow-up actions from a previous audit;
- any follow-up activities to the planned audit;
- coordination with other audit activities, in case of a joint audit.
The audit plan may be reviewed and accepted by the audit client, and should be presented to the auditee. Any objections by the auditee to the audit plan should be resolved between the audit team leader, the auditee and the audit client.