top of page

The Multi-Year IT Audit Plan, Minus the Guesswork: A Playbook for Local Government Internal Audit

  • Jul 7
  • 4 min read


Your audit committee is going to ask three questions about your IT audit plan: Is it risk-based? Can you defend it? Does it cover what matters? Here's how to answer all three.


Local government internal audit shops hear a consistent question from their audit committees, elected officials, and the public: How do we know this IT audit plan covers what matters?


That question carries weight given local government’s mix of legacy systems, lean IT staff, and high-value personal data. The answer isn’t chasing every new technology or rewriting the plan after each vendor update. It’s anchoring the plan in a documented, defensible risk assessment from the start, with a clear rationale for what’s on it and what isn’t.


Here’s the playbook we use to build a multi-year IT audit plan for a county, city, school district, or special district.


Step 1: Start with risk, not with audits

The most common mistake we see is a plan organized around audit topics (“access-controls audit in FY27, backup audit in FY28, vendor-management audit in FY29”) without a risk assessment that justifies why those topics, or that order.


A defensible plan starts with a documented IT risk assessment, not a list of topics. In our methodology, every technology and process is scored across 10 risk categories, covering factors such as financial exposure, security threat, customer impact, and how recently the system changed. Each category has a consistent, defined meaning — the assessment does what NIST, COBIT, and ISO expect a risk assessment to do — so you can compare a 911 dispatch platform against a payroll system on the same terms. The scores come from interviews with multiple stakeholders, not one person’s opinion, and where ratings diverge significantly, we follow up before finalizing the score. That reconciliation is what makes the number defensible.


The result is a risk register with three tiers: High (35 and above), Medium (30 to 34), and Low (29 and below), and a clear line from each score to which audit covers it and when. In a recent mid-size-city engagement, that process scored 53 technologies and processes; the top three — patch management, disaster recovery planning, and the Accela enterprise platform — became the year 1 audit sequence, straight out of the assessment. Two IT processes outscored every application in the environment. That's the kind of result a topic-driven plan never surfaces.


Step 2: Show your work, including what you left out

Most multi-year plans only document what’s in scope. The best ones document what was considered and left out, along with the reasoning behind those decisions


A legacy permitting system slated for replacement next year might not need a full audit now, but the plan should say so and note it will be revisited once the new system is live. A payroll platform run entirely by a third-party vendor might fall outside your audit authority this cycle; flagging it shows the committee you considered it rather than missed it.


Audit committees notice this. It signals that the plan is the product of judgment, not a template and arbitrary decisions.


Step 3: Sequence around capacity, not ambition

Another common mistake is ambition — a three-year plan with 12 audits in it when the shop has bandwidth for six. By month nine, the plan is off schedule and the committee notices.


Sequence around the audit hours you have, and factor in co-sourced support if it’s available. Account for the periods when key staff are tied up with the financial audit, the single audit, or the budget process. Those aren’t weeks to schedule a major IT audit.


Step 4: Build the audit-committee one-pager

A 30-page multi-year plan is for you. A one-pager is for your committee chair. The one-pager should show, on a single sheet: the top risks, the audits scheduled against each, the year of execution, and a brief justification. Nothing else.


If you can’t fit it on one page, the plan isn’t focused enough yet.


Step 5: Design it to adapt, not just to last

A multi-year plan isn't meant to be rewritten every year, but it isn't meant to be ignored for years either.


Treat a major system migration, a new regulatory requirement, a security incident, or a finding from a recent audit as the signal to revisit sequencing. The budget cycle is a convenient time to check in, since resourcing conversations are happening anyway, but it shouldn’t be the sole trigger for a change. Maintain the plan unless a significant change in the environment warrants an adjustment.


What to do this quarter

If your current plan wasn’t built from a documented, scored risk assessment, or hasn’t been checked against one recently, this is a good time to take a fresh look. For most local governments, the FY27 planning window opens in September, making now a practical point to fold a current risk assessment into next year’s budget submission.


If you’d like to see what a fully documented, risk-aligned multi-year IT audit plan looks like, request our sample below. It’s a redacted version of a real plan we built for a midsize western U.S. city, complete with the methodology, the 10-category risk register, the three-year audit sequence, and the audit-committee one-pager intact.


Download the sample multi-year IT audit plan → www.securanceconsulting.com/services/scgrc

 
 
 

Comments


bottom of page