How to Write an Audit Plan for an Internal Audit (With Template)

An audit plan for an internal audit is the document that turns your audit programme into action. It tells auditors where to go, what to look at, who to speak with, and how long they have. Without one, internal audits tend to wander. With a well built plan, even a first time auditor can walk into a process area with confidence and come out with meaningful findings.

This article walks you through every element of a practical audit plan, explains the decisions behind each section, and gives you a template structure you can adapt immediately. Whether you are planning a single process audit or a full system audit across multiple departments, the same logic applies.

What Is an Audit Plan and Why Does It Matter?

An audit plan is a specific document prepared for an individual audit event. It is different from your audit programme, which is the annual schedule of all planned audits across the year. The plan zooms in on one audit and gives everyone involved the information they need to prepare and participate.

ISO 19011 describes the audit plan as something that should be communicated to the auditee in advance. That communication requirement exists for a good reason. When auditees know what is being audited and when, they can have the right people available, locate relevant records, and engage properly with the process. Surprise audits might feel more authentic, but they usually produce worse outcomes because key personnel are unavailable and records cannot be retrieved quickly.

A good audit plan also protects the auditor. It sets the scope and objectives clearly so that the audit does not expand uncontrollably on the day. Scope creep is one of the most common problems in internal audits, particularly when auditees start raising issues that fall outside the planned areas. Having a written plan gives you a professional way to acknowledge those issues and redirect the conversation.

For more on how the audit plan fits within your broader planning structure, see our article on how to plan an internal audit programme.

The Core Elements of an Internal Audit Plan

Every audit plan should contain the same foundational elements, regardless of which ISO standard you are auditing against. The level of detail may vary depending on the size of the audit, but these sections should always be present.

Audit Objectives

This section answers the question: what is this audit trying to achieve? Objectives should be specific and meaningful, not generic statements that could apply to any audit. Common objectives for an internal audit include determining whether the management system conforms to the requirements of the standard, evaluating whether the system is being effectively implemented, and identifying opportunities for improvement.

You can have more than one objective. If your organisation recently implemented a new procedure, one objective might be to verify that the procedure is being followed in practice. If a previous audit raised a corrective action, another objective might be to verify that the corrective action has been implemented and is effective.

Vague objectives like to check the system give auditors no real direction. Specific objectives like to determine whether purchasing controls under Clause 8.4 are being applied to critical suppliers tell the auditor exactly what matters.

Audit Scope

The scope defines the boundaries of the audit. It should specify which processes, departments, sites, or clauses are included. It should also be explicit about what is excluded, particularly if only part of the management system is being audited.

For example, a scope statement might read: This audit covers the design and development process (Clause 8.3) and the control of externally provided services (Clause 8.4) at the Brisbane facility. It does not include production or service delivery processes.

Being precise about scope prevents misunderstandings on the day. It also means your audit conclusions are properly bounded. You cannot draw conclusions about the whole system if you only audited two processes.

Audit Criteria

Audit criteria are the requirements against which conformity is assessed. For an ISO 9001 internal audit, the criteria typically include the relevant clauses of ISO 9001:2015, the organisation's own documented procedures and policies, and any applicable legal or regulatory requirements.

List the specific clauses or documents being used as criteria. This makes it clear to the auditee what standard they are being measured against and helps auditors prepare their questions and checklists appropriately.

Audit Date, Time and Duration

Include the date of the audit, the expected start and finish times, and where the audit will be conducted. If the audit spans multiple days or locations, map this out clearly. Auditors often underestimate how long interviews and document reviews take. Build in buffer time, particularly for opening and closing meetings, which can run longer than expected when auditees have questions.

A common mistake is allocating all available time to interviews and observations, leaving no time for the auditor to review notes, draft findings, and prepare for the closing meeting. Reserve at least thirty to forty five minutes at the end of each audit day for this.

Audit Team Members and Roles

Name the auditors involved and their roles. In a small internal audit, this might be one person. In a larger audit, you might have a lead auditor and one or more team members, each responsible for different process areas. If an observer or technical expert is attending, note that here as well.

The independence requirement is worth flagging in this section. Auditors must not audit their own work. If the person conducting the audit also manages the process being audited, that is a conflict of interest. The plan should reflect that assignments have been made with independence in mind.

Auditee Contacts

List the names and roles of the people who will be interviewed or who are responsible for the areas being audited. This helps with logistics and ensures the right people are available. It also signals to the auditee that the audit is organised and professional.

Audit Schedule or Timetable

This is the most detailed section of the plan. It breaks the audit day into time slots and assigns each slot to a specific activity, process area, or interview. A typical internal audit timetable might look like this:

• 08:30 to 09:00 Opening meeting with management representative and process owners
• 09:00 to 10:30 Document review: quality manual, procedures, and recent records
• 10:30 to 12:00 Interview with production supervisor and observation of production process
• 12:00 to 12:30 Lunch break
• 12:30 to 14:00 Interview with purchasing officer, review of supplier evaluation records
• 14:00 to 15:00 Auditor review of notes and preparation of findings
• 15:00 to 15:30 Closing meeting

The timetable does not need to be rigid. Experienced auditors adjust on the fly as conversations reveal areas worth exploring further. But having a plan means you have something to return to when the audit starts drifting.

Resources and Logistics

Note any practical requirements for the audit. This might include access to specific systems, the need for a meeting room, safety inductions required before entering a work area, or any personal protective equipment needed for site visits. Sorting these details in advance prevents wasted time on the day.

Confidentiality Statement

A brief statement confirming that information gathered during the audit will be handled confidentially and used only for audit purposes is good practice. This reassures auditees and sets the right professional tone from the start.

Audit Plan Template Structure

Below is a practical template structure you can adapt for your organisation. Copy the headings and populate each section before your next internal audit.

• Audit Reference Number: A unique identifier for tracking purposes
• Audit Title: For example, ISO 9001 Internal Audit, Clause 8.3 Design and Development
• Standard and Version: For example, ISO 9001:2015
• Audit Objectives: List two to four specific objectives
• Audit Scope: Processes, departments, sites, and clauses included and excluded
• Audit Criteria: Clauses, procedures, and other requirements being audited against
• Audit Date(s): Date and duration
• Audit Location: Physical location or remote platform if conducted remotely
• Lead Auditor: Name and contact details
• Audit Team Members: Names and assigned areas
• Auditee Contacts: Names, roles, and availability
• Audit Timetable: Time slots mapped to activities and interviews
• Documents to Review: List of procedures, records, and other documents to be requested in advance
• Resources Required: Room bookings, system access, PPE, inductions
• Confidentiality Note: Brief statement on information handling
• Distribution List: Who receives a copy of the plan before the audit

Common Mistakes When Writing an Audit Plan

Most audit plan problems fall into a small number of categories. Knowing them in advance helps you avoid them.

Making the Scope Too Broad

Trying to audit the entire management system in one day is a recipe for a superficial audit. You end up touching everything briefly and examining nothing properly. A focused audit of two or three processes done thoroughly is far more valuable than a rushed pass through the whole system. Use your risk based audit programme to spread coverage across the year rather than cramming it into one event.

Setting Generic Objectives

Objectives like to verify conformance are technically correct but practically useless. They give the auditor no real focus. Think about what specifically you want to know coming out of this audit. Has the corrective action from last time actually worked? Is the new subcontractor management procedure being followed? Is the calibration programme keeping up with equipment additions? These are the questions that produce useful findings.

Not Sharing the Plan in Advance

Some auditors treat the plan as an internal document and only share it on the day. This defeats much of its purpose. Auditees need time to prepare. Managers need to arrange for the right people to be available. Sharing the plan at least five to seven working days before the audit is a basic professional courtesy and produces better audit outcomes.

Leaving No Time for Auditor Review

Auditors who schedule interviews back to back with no gap for note review and finding preparation often arrive at the closing meeting with incomplete or poorly worded findings. This creates unnecessary tension. Build review time into the plan as a non negotiable block.

Ignoring Logistics

Forgetting to arrange system access, not booking a meeting room, or failing to complete a site induction before the audit date are all avoidable problems that waste time and create a poor impression. The audit plan is the right place to capture and confirm these requirements.

Tailoring the Plan to Different ISO Standards

The structure of an audit plan is the same whether you are auditing against ISO 9001, ISO 14001, or ISO 45001. What changes is the criteria and the focus areas.

For an ISO 14001 environmental audit, the criteria will include environmental aspects and impacts, legal compliance obligations, and the organisation's environmental objectives. The timetable might include a site walk to observe waste management, stormwater controls, or chemical storage areas in addition to document and interview sessions.

For an ISO 45001 safety audit, the plan might prioritise hazard identification processes, worker consultation records, incident investigation files, and observations of high risk work activities. A visit to the shop floor or construction site is often essential because so much of the evidence for ISO 45001 conformance exists in practice rather than in documents.

If you are conducting a combined audit across two or three standards simultaneously, the timetable becomes more complex. You need to map each time slot to both the process being examined and the specific clauses from each standard being assessed. This requires more preparation but is efficient when done well.

How the Audit Plan Connects to the Checklist

The audit plan and the audit checklist are complementary tools, not the same thing. The plan tells you where to go and when. The checklist tells you what questions to ask and what evidence to look for when you get there.

Once your plan is finalised, use it to build or select the right checklist for each process area on the timetable. If you are auditing the purchasing process under Clause 8.4, your checklist should contain questions about supplier evaluation, approved supplier lists, purchase order controls, and verification of received goods or services. The plan defines the scope. The checklist operationalises it.

Avoid the trap of letting the checklist drive the audit at the expense of genuine inquiry. The checklist is a memory aid, not a script. If an interviewee mentions something unexpected that warrants further investigation, follow it. You can note the deviation from the planned timetable and manage it professionally.

For practical guidance on building checklists that support rather than constrain good auditing, our article on how to build an internal audit checklist covers the key principles in detail.

After the Audit Plan: What Comes Next

The plan is a preparation document. Once the audit is complete, the outputs move to the audit report. The report should reference the plan, confirming what was audited against the stated scope and objectives, and documenting findings, nonconformities, observations, and opportunities for improvement.

Any nonconformities raised during the audit will need corrective action responses from the auditee. The audit plan helps here too, because it establishes the agreed scope. If an auditee disputes a finding on the basis that the process was outside the audit scope, you can refer back to the plan to clarify what was included.

For guidance on what happens after findings are raised, our article on managing corrective actions after an ISO audit covers the follow through process in practical terms.

Building Audit Planning Skills Through Training

Writing a good audit plan is a skill that develops with practice and proper instruction. New internal auditors often struggle with scope definition, objective setting, and timetable construction because these are judgement calls that require understanding both the standard and the organisation's processes.

At Audit Workshop, the internal auditor courses for ISO 9001, ISO 14001, and ISO 45001 include practical exercises in audit planning as part of the core curriculum. Participants work through realistic scenarios, draft audit plans, and receive feedback on scope, objectives, and timetable construction. The lead auditor courses go further, covering multi site planning, combined audits, and the management of audit teams across complex programmes.

If you are building your internal audit capability from the ground up, structured training gives you a framework that saves significant trial and error in the early stages. You can explore the available courses at auditworkshop.com.

For those who want to understand the full scope of what an internal audit actually covers before diving into planning, the article on what does an internal audit actually cover is a useful starting point.