Audit Charter vs. Audit Plan: CISA Exam Comparison
An audit charter is a high-level document establishing the internal audit function's authority, mandate, and overall scope. In contrast, an audit plan is a tactical, time-bound document detailing specific audits, resources, and schedules. The charter provides the permanent "right to audit," while the plan outlines "what" is being audited and "when."
What Exactly is an Audit Charter?
Think of the audit charter as the 'constitution' of the audit function. It is a high-level document that defines the purpose, authority, and responsibility of the internal audit activity. For the CISA exam, the most critical takeaway is that the charter grants the auditor the formal mandate to operate. It ensures you have the legal and organizational right to access records, personnel, and physical assets without being blocked by middle management.
Without a signed charter, an auditor is essentially a guest in the organization. With it, you have a documented mandate from the top. When you're reviewing scenarios on the exam, look for the charter as the foundational document that establishes independence and objectivity. It doesn't change often, as it focuses on the 'why' and 'who' of the audit function rather than the 'how'.
How Does the Audit Plan Differ from the Charter?
If the charter is the 'why' and 'who,' the audit plan is the 'what' and 'when.' While the charter is permanent and broad, the audit plan is tactical and time-bound—usually covering a single year. The plan is a living document that lists specific audit engagements, the resources required to execute them, and the projected timeline for completion.
In a CISA context, the audit plan is driven by a risk assessment. You don't just pick systems to audit at random; you prioritize them based on the risk profile of the organization. If you see keywords like 'resource allocation,' 'risk-based approach,' or 'annual schedule' in a multiple-choice question, you are almost certainly dealing with the audit plan, not the charter.
Who Needs to Approve These Documents?
This is a classic CISA trap that trips up many candidates. The approval workflows for these two documents are entirely different because they serve different purposes. The audit charter requires high-level approval—typically from the Board of Directors or the Audit Committee. This is because the charter establishes the function's independence from the management it audits.
On the other hand, the audit plan is typically developed by the Chief Audit Executive (CAE) and then presented to the board or audit committee for concurrence or final approval. While the board still has a say, the plan is a management tool used for execution. If a question asks who grants the overarching authority to audit, the answer is the board via the charter.
When Should You Update a Charter Versus a Plan?
You should rarely need to touch the audit charter. It is only updated during major organizational shifts, such as a change in the company's governance structure or a fundamental shift in the audit function's mandate. If the company merges with another entity or changes its reporting line to the board, that's when the charter gets a revision.
The audit plan, however, is updated frequently—often quarterly. If a new, critical cybersecurity threat emerges or a new regulation is passed, you don't rewrite your charter; you update your plan to include a targeted review of that specific risk. This agility allows the audit function to remain relevant in a fast-changing IT environment.
How Do These Documents Impact Your CISA Exam Score?
ISACA loves to test your ability to distinguish between governance (charter) and management (plan). Misidentifying these in a scenario can cost you points in Domain 1 (Information Systems Auditing Process). To master this, you need to move beyond definitions and start applying these concepts to complex, real-world scenarios where the lines feel blurred.
This is exactly why we developed Cert Sensei. We offer 1,000 expert-curated ISACA CISA practice questions that mirror the actual exam's complexity. Instead of just giving you a correct letter, we provide detailed expert reasoning for every answer and domain-level analytics. This allows you to see if you're consistently missing 'governance' questions so you can pivot your study time effectively.
What Happens if the Audit Charter is Missing?
In a real-world audit—and on the CISA exam—a missing or outdated charter is a critical finding. It means the audit function lacks formal authority, which fundamentally compromises its independence and objectivity. Without a charter, auditors may face 'scope creep' or, worse, be denied access to critical systems by a defensive system administrator.
When you encounter a question about the 'first step' in establishing an audit function, remember that the charter comes first. You cannot effectively plan audits (the plan) if you haven't first established the authority to perform them (the charter). Prioritizing the charter is the only way to ensure the audit function has the teeth it needs to drive organizational improvement.
❓ Frequently Asked Questions
Can an audit plan be changed mid-year?
Yes. The audit plan is a dynamic document. Changes are frequently made based on updated risk assessments, requests from senior management, or the emergence of new regulatory requirements. These changes are typically documented and approved by the CAE.
Does the audit charter list specific systems to be audited?
No. The charter defines the overall scope and authority of the audit function. Listing specific systems would make the document too granular and require constant updates. Specific systems are listed in the audit plan or individual engagement letters.
Is the audit charter the same as an audit engagement letter?
No. The charter is a permanent document for the entire audit function. An engagement letter is a temporary document created for a specific audit project, outlining the objectives and scope for that particular engagement only.