Skip to main content
Image coming soon

The Global Internal Audit Plan for a Big 4 Network

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Global Internal Audit Plan for a Big 4 Network

Build the annual internal audit plan that covers member-firm independence, network risk, partner conduct, and ISQM 1 response in one defensible document.

The Global Board and the Network Risk Committee read one document a year from internal audit. It has to cover member-firm independence testing, network-level risk, ISQM 1 root-cause response, partner conduct cases, and third-party assurance, and it has to defend itself to a chair who will ask why one territory got two reviews and another got none.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A Global Chief Internal Auditor at a Big 4 network is not auditing a single legal entity. The function answers to the Global Board, reports to the Network Risk Committee and the Network Leadership Team, and has to deliver assurance across member firms in 150-plus territories, each with its own local regulator (PCAOB, FRC, AFM, ACPR, JFSA, ASIC) and its own quality monitoring regime. The annual plan that ties all of that together has to do five things in one document. First, map the network risk taxonomy to the new IIA Global Internal Audit Standards so the QAIP self-assessment holds up. Second, scope independence and engagement-quality testing across member firms with conflicting local independence rules. Third, integrate with the firm's ISQM 1 root-cause response so internal audit is not duplicating engagement quality review work but is testing the system of quality management itself. Fourth, hold a defensible position on partner conduct case handling, whistleblower intake, and the firm's response to high-profile audit failures. Fifth, cover third-party and outsourced-services assurance (offshore delivery centres, audit tooling vendors, AI-assisted work paper review) at a level the Risk Committee chair can defend to external regulators if asked. The plan that does all five in one defensible coverage map is what the year hinges on.

What you walk away with

  • A network internal audit plan that covers member-firm independence, ISQM 1 response, partner conduct, and third-party assurance in one coverage map.
  • A risk taxonomy mapped to the IIA Global Internal Audit Standards that the QAIP self-assessment can rest on.
  • A defensible resourcing model that explains why each territory got the hours it got, written for a Risk Committee chair.
  • An integration model with ISQM 1 root-cause response that prevents duplication with engagement quality review.
  • A year-two pivot template for when a member firm has a public quality event and the plan has to flex.
  • A board-ready presentation pack for the Global Board and the Network Risk Committee.

The 12 modules

Module 1. The Network Risk Taxonomy
Build the network risk taxonomy that sits underneath the annual plan. Strategic, financial, regulatory, conduct, quality, technology, third-party, people, and reputation risks at the network level, mapped down to member-firm risk registers. The taxonomy is the spine the IIA Global Internal Audit Standards QAIP self-assessment leans on, and the language the Risk Committee chair uses when challenging coverage. Worked example from a Big 4 network risk register.
Module 2. IIA Global Internal Audit Standards Mapping
Walk the new IIA Global Internal Audit Standards (effective from the current cycle) and map each Domain to your function's operating model. Governance of the function, methodology, resourcing, technology, quality assurance and improvement programme. The mapping is the document an external quality assessor reads first. Templates for the Domain-by-Domain self-assessment and the gap remediation plan.
Module 3. Member-Firm Independence and Engagement Quality Testing
Scope independence and engagement-quality testing across member firms where local independence rules diverge (SEC and PCAOB independence in the US, FRC in the UK, AFM in the Netherlands, JFSA in Japan, ASIC in Australia). The module covers sample selection across territories, partner-rotation testing, non-audit services pre-approval testing, and the reporting line into the Network Independence function. A worked plan for a five-territory independence sweep.
Module 4. ISQM 1 Root-Cause Response and Internal Audit Coverage
ISQM 1 puts root-cause analysis on the firm. Internal audit's job is not to duplicate engagement quality review but to test that the system of quality management actually responds to the root causes the firm finds. The module covers the boundary between EQR, monitoring, and internal audit, the testing approach for root-cause response, and how the plan reports on it without stepping on the Network Quality Leader's role.
Module 5. Partner Conduct, Whistleblower, and Case Handling Assurance
After the high-profile audit failures of the past cycle, partner conduct case handling, whistleblower intake, and disciplinary closure are the most scrutinised processes in any audit network. The module walks the assurance scope across intake, triage, investigation, partner disciplinary panels, and reporting to the Risk Committee. Includes a sample testing plan and a redacted case-file walk-through structure.
Module 6. Third-Party and Outsourced Services Assurance
Offshore delivery centres, audit tooling vendors (the firm's own engagement platform, the data-analytics vendor, the AI-assisted work paper review tool), and shared services. Each is a third party from the perspective of network risk. The module builds the third-party assurance scope, the SOC report reliance approach, and the in-territory inspection model when a vendor cannot produce an independent assurance report.
Module 7. Technology and AI in the Audit Practice
Internal audit's coverage of the firm's own use of AI in audit delivery. Model governance for AI-assisted work paper review, prompt and output testing, documentation for regulators who want to see how AI changed an audit conclusion, and the IT general controls over the engagement platform. Aligned to the IAASB ISA 540 (revised) and ISA 315 (revised) expectations the firm has to meet.
Module 8. Network Cyber and Information Security Assurance
Cyber assurance at the network level: how to scope it across territories with different local data protection regulators (GDPR, UK DPA, APPI, CPS 234, Singapore PDPA) without duplicating local internal audit work. The module covers identity and access on the global engagement platform, client data segregation, breach notification readiness, and the reporting line into the Network CISO.
Module 9. Plan Resourcing, Skills, and Co-Source Model
The resourcing model that explains why each territory got the hours it got. Skills inventory across the global IA team, co-source partner selection where specialist capability is needed (forensic, IT, regulatory), secondment programmes with member-firm internal audit, and the budgeting case to the Network CFO. Includes a defensible resourcing memo template for the Risk Committee.
Module 10. The Board and Risk Committee Reporting Pack
What goes to the Global Board, what goes to the Network Risk Committee, and what stays inside the function. The module builds the reporting pack: the one-page coverage map, the heat map, the in-flight reviews, the closed findings, the management action tracker, and the executive summary that the Risk Committee chair will read aloud. Includes the question-anticipation script.
Module 11. The QAIP Self-Assessment and External Quality Assessment
The Quality Assurance and Improvement Programme that the IIA Standards require, including the periodic external quality assessment. The module walks the self-assessment, the documentation pack the external assessor reads, the typical findings (independence of the function, methodology rigour, technology, resourcing), and the remediation plan that closes them before they appear in the EQA report.
Module 12. The Year-Two Pivot When a Member Firm Has a Quality Event
A plan that cannot flex is not a plan. The module covers the playbook for when a member firm has a public quality event (regulator inspection finding, public censure, partner disciplinary case, client loss), the immediate re-scoping of in-flight reviews, the Risk Committee communication, and the next-cycle plan adjustment. Includes a worked pivot from a real network quality event timeline.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1-2 give you the taxonomy and the IIA Standards alignment underneath the plan.
Modules 3-5 cover the three regulator-facing pillars: member-firm independence, ISQM 1 response, partner conduct.
Modules 6-8 cover third-party, technology, AI, and cyber assurance at network level.
Modules 9-12 build the operating model: resourcing, board reporting, QAIP, and the year-two pivot.

What you get with this course

  • Twelve written modules in the Art of Service learning environment.
  • Downloadable templates for the network risk taxonomy, the IIA Standards Domain mapping, the independence testing plan, the ISQM 1 coverage memo, the partner conduct assurance scope, the third-party reliance log, the QAIP self-assessment, and the Risk Committee reporting pack.
  • Worked examples drawn from publicly disclosed Big 4 network quality reports and regulator inspection findings.
  • A hand-built implementation playbook tailored to your network's territory map, current regulator inspection posture, and existing IA operating model.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours of purchase, your account in the Art of Service learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Weeks 1-2: build the network risk taxonomy and the IIA Standards Domain mapping (modules 1-2).

Weeks 3-5: scope the three regulator-facing pillars (modules 3-5).

Weeks 6-8: cover third-party, technology, AI, and cyber assurance (modules 6-8).

Weeks 9-12: build the operating model, the Risk Committee pack, the QAIP self-assessment, and the year-two pivot (modules 9-12).

End of cycle: the annual plan and the QAIP self-assessment are ready to take to the Network Risk Committee.

Before and after

Before

The annual plan is a list of reviews. The Risk Committee chair asks why a territory got two reviews and the answer is built backwards from the schedule. ISQM 1 response and engagement quality review overlap. Partner conduct assurance is a paragraph. Third-party assurance is a footnote.

After

The plan is a coverage map. Every hour is defended against a risk in the network taxonomy and a Domain in the IIA Standards. ISQM 1, EQR, and IA each have a clear lane. Partner conduct and third-party assurance each have a defined scope and a finding pattern. The Risk Committee chair reads it and leads with thanks.

What happens if you do not address this

An internal audit plan that the Risk Committee chair cannot defend back to a regulator is the document a public quality event finds first. The function loses the room. The next external quality assessment finds the gap. The remediation runs through the cycle after that, and the plan that was supposed to anticipate the network risk becomes the evidence the network missed it.

Who it is for

Built for the Global Chief Internal Auditor, the Network Chief Auditor, or the Head of Internal Audit at a Big 4, mid-tier audit network, or large multi-territory professional services partnership. Useful for the deputy who is being prepared to take the role, and for the Network Risk Committee chair who needs to read the plan the same way the CIA wrote it.

Who this is NOT for. Not for engagement-quality reviewers who only run external audit file reviews. Not for member-firm internal auditors whose remit ends at a single territory. Not for SOX or financial-controls internal auditors at a non-audit-firm corporate, where the regulatory map and the partner-conduct dimension do not apply.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly 35 to 45 hours of focused work across a quarter for the Chief Internal Auditor and the senior leads. The plan, the QAIP self-assessment, and the Risk Committee pack are real artefacts you take to the next meeting, not academic exercises.

Why $199 is the right number

The IIA's own training is general practice across all sectors and does not address the partnership network, the ISQM 1 interaction, or the partner conduct dimension. Big 4 internal training is firm-specific and treats the role as inheritable rather than buildable. A consulting engagement on internal audit plan design costs many multiples of this and still hands back a plan that has to be defended to the Risk Committee by you. This course gives you the artefacts and the worked examples to do that defence yourself.

FAQ

Is the course tied to one network's methodology?
No. It is built around the IIA Global Internal Audit Standards and the public ISQM 1, ISA, and member-firm regulator requirements. The implementation playbook is then tailored to your network's territory map and methodology.
How does this sit with the firm's Network Quality Leader and the engagement quality review function?
Module 4 is built around exactly that boundary. The point is that internal audit does not duplicate EQR or quality monitoring but tests that the system of quality management responds to the root causes the firm finds.
Does the course cover the new IIA Global Internal Audit Standards?
Yes. Module 2 walks the Domains and the QAIP self-assessment in full, and Module 11 walks the external quality assessment readiness.
Who delivers fulfilment?
The course is text-based in the Art of Service learning environment. The implementation playbook is hand-built for your network and delivered alongside course access within 24 hours.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!