An Internal audit program typically includes:
- A program of audits for the next 1 or 3 years.
- Definition when exactly will each internal audit be conducted.
- For each internal audit, define responsibilities, frequency, audit methods, and audit criteria.

An Internal audit program is a different document from an Internal audit plan, these two should not be confused.

Examples:
The Internal audit program includes the following elements:
- Frequency and timing: you will perform one internal audit during the year, by the end of November.
- Responsibilities: you nominate John Smith as the internal auditor, and require him to send all reports directly to the CEO.
- Audit methods: documentation review, personal observation, and interviews with employees.
- Audit criteria: ISO 27001, internal security policies and procedures, and security requirements from interested parties.