
Building a risk-based 3-year internal audit plan.

Mapping the audit universe, scoring risk and sequencing engagements for a regulated mid-cap.

Author: Internal Audit Lead · Published: May 2026 · Read time: 6 min · Format: Playbook
Tags: Internal Audit, Playbook, Audit, Regulatory

This playbook captures the sequence MAST Consulting Group uses on Internal Audit engagements when a programme owner has roughly the next two quarters to show measurable progress. It is opinionated, written to be lifted into your own plan, and assumes you already have a control framework in place — the question is how to move from documented to demonstrably operating.

Definition

A risk-based 3-year internal audit plan maps the full audit universe — all processes, systems, entities, and risk domains — against a composite risk score, then sequences engagements to provide Audit Committee assurance on the highest risks each year while ensuring the universe is covered within three years. It incorporates regulatory expectations from IIA Standard 2010 (Planning) under the 2017 IPPF (carried into Standard 9.4, Internal Audit Plan, of the Global Internal Audit Standards effective January 2025), SAMA CSF 3.3 audit plan requirements, and aligns coverage to enterprise risk register updates at least annually.

Why it matters

The pressure on Internal Audit programmes is shifting in specific, observable ways:

  • IIA Standard 2010 and SAMA periodic assessment criteria require a documented, risk-ranked audit plan approved by the Audit Committee; absence triggers regulatory observations and EQA deficiencies.
  • A 3-year horizon enables coverage of slow-burn risks (e.g. third-party concentration, legacy IT decommission) that annual plans routinely defer, reducing blind spots for DIFC/SAMA regulators.
  • Boards and regulators in KSA and UAE increasingly request assurance maps showing coverage of emerging risks (AI governance, ESG reporting, CBDC) — a 3-year plan provides the structure to incorporate them systematically.
  • Risk-based plans deliver 25–40% higher audit committee satisfaction scores than activity-based plans (IIA North America CAE survey 2023) by aligning audit output to strategic priorities.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Enterprise risk register — risk ID, inherent/residual rating, risk owner, and last-reviewed date for each entity/process in the audit universe.
  • Prior audit coverage log — last audit date, opinion, and open findings count per audit universe entry.
  • Regulatory change tracker — new or amended regulations (e.g. NCA CSCC 2024, PDPL amendments) requiring new or expanded audit coverage.
  • Business strategy document — new business lines, geographies, or technologies planned in the 3-year window requiring pre-launch audit.
  • Audit resource model — available audit days per year by skill set (cyber, finance, operations) to validate plan feasibility.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0-30: CAE facilitates audit universe workshop with ERM, CISO, CFO, and Compliance to list all auditable entities and assign preliminary risk scores (1–5 scale, likelihood × impact).
  • Day 31-60: Score each universe entry on four dimensions: inherent risk, regulatory sensitivity, change velocity, and time since last audit; calculate composite score; rank and allocate to Year 1/2/3.
  • Day 61-90: Draft 3-year plan with Year 1 engagements fully resourced and Years 2–3 provisionally scheduled; map each engagement to IIA Standard domains and SAMA CSF sections.
  • Day 90+: Present plan to Audit Committee for approval; obtain sign-off and document in board minutes.
  • Ongoing: Review and update plan semi-annually against risk register changes; formally re-present to Audit Committee if >20% of planned engagements are deferred or substituted.
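The Day 31–60 step is the mechanical core of the plan: four scores per universe entry, one composite, a ranking, and an allocation to Year 1/2/3 that has to respect the audit resource model captured above. The following Python is an added worked example, not MAST's own tooling or any client data. The four dimensions, the 1–5 scale and the "≥80% of high-risk entries in Year 1" target come from the playbook; the weights (0.40/0.25/0.20/0.15), the banding of time-since-audit onto 1–5, the 4.0 high-risk cut-off, the capacity figures and the eight-entry sample universe are illustrative assumptions. It also shows the failure mode practitioners hit in practice: a high-risk entry that does not fit Year 1 capacity and must be deferred, which the coverage metric flags rather than hides.

```python
"""Composite risk scoring and 3-year sequencing of an audit universe.

Added worked example. Dimensions, scale and the Year 1 >=80% target follow
the playbook; weights, banding, threshold, capacity and sample data are
illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed weights over the playbook's four dimensions (sum to 1.0).
WEIGHTS = {
    "inherent_risk": 0.40,
    "regulatory_sensitivity": 0.25,
    "change_velocity": 0.20,
    "time_since_audit": 0.15,
}
HIGH_RISK_THRESHOLD = 4.0   # assumed cut-off on the 1-5 composite scale
YEARS = (1, 2, 3)


@dataclass(frozen=True)
class UniverseEntry:
    entry_id: str
    name: str
    inherent_risk: int                  # 1-5 (likelihood x impact, bucketed)
    regulatory_sensitivity: int         # 1-5
    change_velocity: int                # 1-5
    years_since_audit: Optional[float]  # None = never audited
    effort_days: int                    # audit days required
    skill: str                          # "cyber" | "finance" | "operations"


def time_since_audit_score(years: Optional[float]) -> int:
    """Band elapsed time since the last audit onto 1-5 (assumed banding)."""
    if years is None or years >= 3:
        return 5            # never audited, or outside the 3-year cycle
    if years >= 2:
        return 4
    if years >= 1:
        return 3
    return 2


def composite_score(entry: UniverseEntry) -> float:
    """Weighted sum of the four dimensions, rounded to 2 dp (range 1-5)."""
    total = (
        WEIGHTS["inherent_risk"] * entry.inherent_risk
        + WEIGHTS["regulatory_sensitivity"] * entry.regulatory_sensitivity
        + WEIGHTS["change_velocity"] * entry.change_velocity
        + WEIGHTS["time_since_audit"] * time_since_audit_score(entry.years_since_audit)
    )
    return round(total, 2)


def sequence_plan(entries, capacity):
    """Greedy allocation: highest composite first, into the earliest year
    with enough audit days of the required skill. capacity[year][skill]
    is days; it is copied so the caller's resource model is not mutated."""
    remaining = {y: dict(capacity[y]) for y in YEARS}
    plan = {y: [] for y in YEARS}
    unscheduled = []
    ranked = sorted(entries, key=lambda e: (-composite_score(e), e.entry_id))
    for e in ranked:
        for y in YEARS:
            if remaining[y].get(e.skill, 0) >= e.effort_days:
                remaining[y][e.skill] -= e.effort_days
                plan[y].append(e.entry_id)
                break
        else:
            unscheduled.append(e.entry_id)   # exceeds capacity in all 3 years
    return plan, unscheduled


def coverage_metrics(entries, plan, threshold=HIGH_RISK_THRESHOLD):
    """Two of the playbook's metrics: 3-year universe coverage and the share
    of high-risk entries landing in Year 1 (target >= 80%), plus the list
    of high-risk entries that were deferred and need Audit Committee visibility."""
    scheduled = {eid for ids in plan.values() for eid in ids}
    high_risk = [e.entry_id for e in entries if composite_score(e) >= threshold]
    in_year1 = [eid for eid in high_risk if eid in plan[1]]
    year1_rate = len(in_year1) / len(high_risk) if high_risk else 1.0
    return {
        "universe_coverage": len(scheduled) / len(entries),
        "high_risk_year1_rate": year1_rate,
        "high_risk_year1_target_met": year1_rate >= 0.80,
        "deferred_high_risk": [eid for eid in high_risk if eid not in plan[1]],
    }


# Constructed sample universe (illustrative, not client data).
SAMPLE_UNIVERSE = [
    UniverseEntry("U-01", "Privileged access management", 5, 5, 4, None, 25, "cyber"),
    UniverseEntry("U-02", "Payments switch",               5, 5, 3, 1.5,  30, "cyber"),
    UniverseEntry("U-03", "Third-party concentration",     4, 4, 3, 3.5,  20, "operations"),
    UniverseEntry("U-04", "Financial close",               3, 4, 2, 0.5,  30, "finance"),
    UniverseEntry("U-05", "Legacy core decommission",      4, 3, 5, None, 40, "cyber"),
    UniverseEntry("U-06", "AI model governance",           4, 3, 5, None, 20, "operations"),
    UniverseEntry("U-07", "Expense management",            2, 2, 1, 2.2,  15, "finance"),
    UniverseEntry("U-08", "Branch operations",             3, 3, 2, 2.5,  25, "operations"),
]

# Constructed resource model: available audit days per year by skill set.
SAMPLE_CAPACITY = {y: {"cyber": 60, "finance": 30, "operations": 40} for y in YEARS}


if __name__ == "__main__":
    plan, unscheduled = sequence_plan(SAMPLE_UNIVERSE, SAMPLE_CAPACITY)
    for y in YEARS:
        print(f"Year {y}: {plan[y]}")
    print("Unscheduled:", unscheduled)
    print(coverage_metrics(SAMPLE_UNIVERSE, plan))
```

On the sample data the greedy pass fills Year 1 with the top two cyber engagements and leaves only 5 cyber days, so the 40-day legacy decommission review (composite 4.1, high risk) slips to Year 2. `coverage_metrics` then reports 3 of 4 high-risk entries in Year 1 (75%), below the 80% target, and names the deferred entry. That is the output to take into the Audit Committee paper: either buy or borrow cyber days for Year 1, or document the acceptance of the deferral.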

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Audit universe coverage: 100% of universe entities audited within the 3-year rolling cycle.
  • High-risk universe entries audited in Year 1 ≥80%.
  • Plan-to-actual execution rate (engagements completed as planned) ≥85% per year.
  • Audit plan approved by Audit Committee before financial year start — target 100% of cycles.
  • Universe refresh incorporating new risks within 60 days of enterprise risk register update.

A two-quarter working plan

MAST Consulting Group runs this Internal Audit work in four moves. Each move is short, evidence-producing, and signed off by a Lead Practitioner before the next begins.

  • Frame (week 1). Confirm scope, regulators in play, and the decisions the work has to enable — referenced against the audit universe. Without that framing, the rest becomes a documentation exercise the audit committee will not read.
  • Diagnose (weeks 2–4). Walk through audit universe and three-year audit plan as they exist today. Capture not just gaps but the design decisions behind every existing control — those are usually where audit findings hide.
  • Design (weeks 5–8). Make the contested choices early and check them against the IIA International Professional Practices Framework before the plan is drafted. Document the rationale; Internal Audit reviewers care more about reasoned decisions than perfect ones.
  • Operate (weeks 9–12). Move evidence collection into the audit analytics layer (Power BI) and into the issue trackers the auditees already use. A control that depends on a separate GRC tool nobody opens will fail within two cycles.

Pitfalls we keep seeing

Across MAST Consulting Group's Internal Audit portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: follow-up that loses momentum after 90 days. What good looks like: every finding carries an owner and a due date in the issue tracker the auditees already use, with ageing reported to the Audit Committee each cycle until closure is evidenced.
  • Pattern: a universe that lists processes but not the underlying risks. What good looks like: each universe entry is linked to the risk-register IDs it covers, so the composite score is driven by rated risks rather than by the mere existence of a process.
  • Pattern: plan utilisation skewed to easier engagements. What good looks like: plan-to-actual execution reported per risk tier, and any deferral of a Year 1 high-risk engagement re-presented to the Audit Committee rather than quietly substituted.
  • Pattern: quality-assurance and improvement programme that is paper-only. What good looks like: annual internal assessments that sample completed engagements against the IIA Standards, and an external quality assessment at least every five years, both reported to the Audit Committee with actions tracked to closure.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Internal Audit engagements because the integrations are cheap and the evidence is defensible:

  • Power BI for audit analytics: the risk-scoring and coverage dashboards it produces give the reviewer an audit trail they accept on the first ask.
  • Issue trackers the auditees already use, rather than a separate audit-only tool, for findings and follow-up, so closure evidence is generated inside the workflow it governs.
  • TeamMate+ / Workiva / Galvanize for the audit lifecycle (universe, plan, workpapers, reporting), where the engagement record has to be defensible to an external quality assessor.

How MAST Consulting Group can help

MAST Consulting Group runs Internal Audit programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this playbook is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Internal Audit programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.

Talk to a practice lead

Turn this briefing into a working plan for your team.

Tell us where you are today and we'll come back within one business day with a scoped, fixed-fee proposal — or an honest opinion if you should run the work in-house.

  • 30-minute working session with a Lead Auditor
  • Specific to your regulators, scope and timeline
  • No-obligation written next-step plan

Prefer email? info@mastcgroup.com
