Step-by-Step Internal Audit Checklist

Vice Vicente

March 21, 2023

What can internal auditors do to prepare a more comprehensive scope for their internal audit projects? And where can internal auditors find the subject matter expertise needed to create an audit program “from scratch”? AuditBoard’s “Planning an Audit: A How-To Guide” details how to build an effective internal audit plan from the ground up through best practices, resources, and insights rather than relying on templated audit programs.

One of the guide’s highlights is a comprehensive checklist of audit steps and considerations to keep in mind as you plan any audit project. Use the checklist below to start planning an audit, and download our full “Planning an Audit: A How-To Guide” for tips to help you create a flexible, risk-based audit program.

What is an Internal Audit?

An internal audit is a fundamentally independent function that evaluates an organization’s operations, internal controls, and risk management processes to improve the organization’s effectiveness and efficiency. Internal auditors will conduct interviews, inspect evidence, test controls, and read policies to understand the environment and validate that controls and processes are working — and working well.

The Difference Between Internal and External Audits

The essential difference between internal audits and compliance audits, sometimes called external audits, is who performs the audit. Internal audits, as the name indicates, are performed by internal auditors who are employed by the business. Compliance audits are conducted by independent, third-party, or external auditors, often certified in the audit that is being performed.

The Benefits of an Effective Internal Audit

Internal audits provide many benefits to an organization, giving management and leadership another lens to look at the organization. A Quality Management System (QMS) is a structured framework of policies, processes, and procedures used to plan and implement an organization’s key business areas. The internal audit’s role in the context of a Quality Management System focuses on evaluating the effectiveness of the organization’s QMS, ensuring adherence with requirement standards like ISO 9001, and identifying areas for improvement to enhance overall quality and efficiency.

While external regulatory compliance audits are essential, they often have a specific scope and aim—PCI DSS, for example, zooms in on credit cardholder data. Internal audits have the benefit of a looser scope, allowing an organization to focus on priority areas or areas that may not be examined in a formal compliance audit.

Internal audits give advantages to organizations pursuing external audits and preparing stakeholders and process owners for future audits. Findings from internal audits can be addressed quickly; observations can give management greater insight into the business, people, technology, and processes. Impetus from internal audit reports can encourage optimization, saving the organization in costs and ultimately improving customer satisfaction.

So, how can an organization plan for a successful internal audit? Read on for our checklist!

Internal Audit Checklist

The steps to preparing for an internal audit are 1) initial audit planning, 2) involve risk and process subject matter experts, 3) frameworks for internal audit processes, 4) initial document request list, 5) preparing for a planning meeting with business stakeholders, 6) preparing the audit program, and 7) audit program and planning review.

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why a given project is part of the internal audit program. The following questions should be answered and approved before fieldwork begins:

  • Why was the audit project approved to be on the internal audit plan?
  • How does the process support the organization in achieving its goals and objectives?
  • What enterprise risk(s) does the audit address?
  • What is the overall audit schedule, and how does this project fit into the plan?
  • Was this process audited in the past, and if so, what were the results of the previous audit(s)?
  • Were audit findings or nonconformities investigated and remediated according to the action plan?
  • Have significant changes occurred in the process recently or since the previous audit?
  • What is the project’s scope, and what specific requirements need to be met for a successful outcome?

Additionally, participants in the project should review the audit report and audit results to refresh their understanding of the environment, scope, and project parameters. The team may also want to review any standards, frameworks, and regulatory requirements relevant to the project or program. Reporting on internal audit objectives should be delivered to top management periodically — quarterly or biannually is common depending on the size and complexity of the business.

2. Involve Risk and Process Subject Matter Experts

Performing an audit based on internal company information is helpful for assessing the operating effectiveness of the process’s controls. However, for internal audits to keep pace with the business’s changing landscape, and to ensure key processes and controls are also designed correctly, seeking out external expertise is increasingly becoming a best practice, even when a formal external audit is not required.

Organizations can employ Subject Matter Experts (SMEs) from the Big 4 (Deloitte, EY, PwC, and KPMG) and other consulting providers to supplement risk management and internal audit programs. These consultants can provide additional guidance, insight, and clarity on specific regulatory requirements, information security, and business processes. When contracting with consultants, be sure to disclose any other consulting relationships you may have with that firm or company, as there may be independence considerations that the consulting firm has to take into account.

In terms of fostering talent, skills, and development, internal audit professionals should stay abreast of current trends, topics, and themes in their industry. The following resources can help audit professionals understand the present landscape and augment their knowledge:

  • Recent articles from WSJ.com, HBR.org, or other leading business periodicals
  • Newsletters and updates from the AICPA, ISACA, ISO, NIST, and other similar organizations
  • Relevant blog posts from Deloitte Insights, EY Insights, The Protiviti View, RSM’s Blog, or The IIA’s blogs

Image: The Institute of Internal Audit (IIA) Competency Framework for Internal Audit Professionals

Source: The IIA Competency Framework for Internal Audit Professionals

These resources can be leveraged to identify relevant risks, inform internal audit procedures, and encourage continuous improvement in your internal audit program. Having the right people and talent in place to perform the necessary audit activities is critical to your program’s success, and pulling in additional resources during an audit can be challenging. By lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.

3. Frameworks for Internal Audit: The International Professional Practices Framework (IPPF)

Collating guidance from the Institute of Internal Auditors (IIA), the International Professional Practices Framework (IPPF) contains both mandatory and best practice recommendations. The IPPF aims to support the overall mission, “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” The core elements of the IPPF are the Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal Auditing.

In addition to the IIA, organizations like ISACA can also provide guidance around internal audit processes.

4. Frameworks for Internal Audit Processes: COSO ICIF

Although a risk-based approach to internal auditing can and should result in a bespoke internal audit program for each organization, taking advantage of existing frameworks like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control — Integrated Framework to inform your program can be a win for your internal audit team and avoid reinventing the wheel. Before applying a specific framework, the internal audit team and leadership should evaluate its suitability as it maps to the business.

While used extensively for Sarbanes-Oxley (SOX) statutory compliance purposes, internal auditors can also leverage COSO’s 2013 Internal Control — Integrated Framework (ICIF) to create a more comprehensive audit program. COSO’s ICIF focuses on fraud, internal controls, and financial reporting, while covering subjects like the overall Control Environment of the organization, Information and Communication, and Risk Management. Since COSO’s ICIF was designed to address SOX, which is a U.S. statute, publicly traded companies based in the US may benefit the most from employing this framework as part of their internal audit program.

  • Review COSO’s 2013 Internal Control components, principles, and points of focus here.

5. Initial Document Request List

The Document Request List or Evidence Request List, often abbreviated to “Request List” or “RL,” is one of the central documents of any audit. The Request List is an evolving list of requests that may cover interview scheduling, evidence requests, policies and procedures, reports, supporting documentation, diagrams, and more. Its purpose is to provide auditors with the information and documents they need to complete the audit program for the designated projects or processes.

Requesting and obtaining documentation on how processes work is an obvious next step in preparing for an audit. These requests should be delivered to stakeholders as soon as possible in the audit planning process to give stakeholders (with day jobs!) time to provide the right evidence. As requests come in, the internal audit team should review documented information for any follow-ups, and periodically update the request list as items get closed out. The following requests should be made to gain an understanding of processes, relevant applications, and key reports:

  • All policies, procedure documents, workflow diagrams, and organization charts
  • Key reports used to manage the effectiveness, efficiency, and process success
  • Access to critical applications used in the process; read-only if possible
  • Description and listing of master data for the processes being audited, including all data fields and attributes

From the listings received of master data, auditors can then make detailed sampling selections to test that processes and controls are being performed effectively, as designed, every time.

6. Preparing for a Planning Meeting With Business Stakeholders

Before meeting with business stakeholders, the internal audit committee should hold a meeting to confirm a high-level understanding of the objectives of the audit plan and program(s), key processes and departments, and the fundamental roadmap for the audit.

Then, after aligning some ducks internally, the audit team should also schedule and conduct a planning meeting with business stakeholders for the scoped processes. This keeps everyone on the same page, and gives business personnel the time and opportunity to coordinate audit efforts with their business units. The following steps should be performed to prepare for a planning meeting with business stakeholders:

  • Outline key process steps by narrative, flowchart, or both, highlighting information inflows, outflows, and internal control components.
  • Validate draft narratives and flowcharts with subject matter experts and stakeholders (if possible).
  • Develop an agenda or questionnaire for all meetings internally or with business stakeholders.

Preparing the questionnaire after the initial research sets a positive tone for the audit, demonstrating that the internal audit is informed and prepared. Planning, preparedness, and cooperation are critical to achieving audit objectives and gaining deeper insights.

7. Preparing the Audit Program

Once the internal audit team has completed initial planning, consulted with SMEs, and researched the applicable frameworks, they will be prepared to create an audit program. Audit teams can leverage past audit programs to better design present and future procedures. An audit program should detail the following information:

Summary and Purpose of the Audit Program

Since internal audit reports are usually designed for the consumption of leadership and management, providing an executive summary of the audit program and outcomes gives the audience a snapshot of the audit and results.

Process Objectives and Owners

Documenting the process objectives and tying each process to owners when completing the audit program designates accountability.

Process Risks

Along with the process objectives and owners, the risks associated with the process should also be noted.

Controls Mitigating Process Risks

Once details about the process, including risks, are documented, the audit team should identify and map the mitigating controls to the risks they address. Compensating controls can also be noted here.

Control Attributes

Control attributes are the components and characteristics of the control activity that are critical to the effective execution of that control. Asking the following questions and documenting the results are a good starting point — though some controls may have unique or uncommon attributes as well.

  • Is the control preventive or detective? If the control is detective, are there corrective actions required as part of completing the control?
  • How frequently does the control occur (e.g. many times a day, daily, weekly, monthly, quarterly, annually, etc.)?
  • What type of risk does the control mitigate (fraud, operational, security, etc.)?
  • Is the control manually performed, performed by an application, or a combination?
  • How likely will the risk be realized (e.g. Highly Likely, Likely, Unlikely)?
  • How impactful would the risk be if it were realized (e.g. High Impact, Medium Impact, Low Impact)?
  • What evidence does the audit team need to complete audit testing procedures?

Testing Procedures and Methods for Controls to be Tested During the Audit

There are four ways to test controls as part of an audit. These methods must often be combined to fully and completely test a control. These four methods are as follows:

  • Inquiry, or asking how the control is performed
  • Observation, or viewing the control being performed, typically in real-time
  • Inspection, or reviewing documentation evidencing the control was performed
  • Re-performance, or independently performing the control to validate outcomes

A comprehensive audit program contains sensitive information about the business. Access to the full audit program(s) should be restricted to appropriate personnel and shared only when approved.

8. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:

  • Internal Audit Manager or Senior Manager
  • Chief Audit Executive
  • Subject Matter Expert(s)
  • Management’s Main Point of Contact for the Audit (i.e. Audit Customer)

Internal auditors who take a risk-based approach, create and document audit programs from scratch — and do not rely on template audit programs — will be more capable and equipped to perform audits over areas not routinely audited. When internal audit teams can spend more of their time and resources aligned to their organization’s key objectives, internal auditor job satisfaction increases as they take on more interesting projects and have an effect on the organization. The Audit Committee and C-suite may become more engaged with internal audit’s work in strategic areas. Perhaps most importantly, recommendations made by internal audit will have a more dramatic impact to enable positive change in their organizations.

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.

A brief guide to assignment planning

It takes careful planning to ensure all the key controls are in place and operating effectively for an audit to provide reasonable assurance.

Key controls reviewed as part of an internal audit must be operating effectively to provide reasonable assurance over the management of risk. It takes careful planning to ensure a thorough enough understanding of the risk environment to identify those key controls that need to be in place.

Effective assignment planning considers everything from the assessment of risk, work required, resources available and deadlines, to effective team and stakeholder engagement.

The key output of the planning stage is a terms of reference document clearly stating the scope, audit objectives/risks, resources, timing and ideally any prior information needs which will assist in the smooth delivery of the audit.

The advance warning of information needs also assists in reducing the pressure upon management when handling the impact of an internal audit while continuing with their day-to-day job, and alleviates some of the concerns occasionally raised by management when notified of an audit.

Your assessment of risk may include a review of:

  • organisation / department / system objectives
  • policy and procedural documentation
  • risks, related risk appetite, exposure, acceptance and key controls as reported on risk registers / board assurance framework
  • key risk indicators and key performance indicators
  • organisation information from the intranet, material incidents reported, and self-assessment reports
  • reports from risk oversight functions, external auditors, and regulators, etc
  • previous audit reports, known weaknesses and progress on resulting actions
  • management concerns and those of the audit team with their knowledge of that risk / area / process / system / legislation and regulation
  • recent and planned changes such as key staff / systems / process / legislation and regulation / risk, etc

Your assessment of work required may include consideration of:

  • volumes and values of transactions / budgets to determine sample size
  • work locations and the number of business areas / senior managers involved
  • the time it will take to create or update existing audit process / risk documentation
  • whether reliance can be placed upon assurance provided and planned by other assurance providers
  • testing methodology to be used - for example, whether it will be highly manual or employ computer-assisted audit techniques (CAATs)
  • timing to achieve optimal assurance and internal reporting deadlines

Your assessment of resources may include:

  • availability, experience, skills, specialist technical knowledge required and base location
  • need for co-sourcing, availability, cost and budget available
  • selection of a suitable person to lead the audit

Effective stakeholder engagement may include:

  • an assessment of all likely stakeholders, including regulators
  • face-to-face meetings with key stakeholders to understand their roles, recent and planned changes, their key drivers, their views and key concerns and for you to explain how the audit will be undertaken, by whom, when and to ‘sell’ the value of the assurance that’s being provided
  • agreement over who in the business will ‘own’ the audit report
  • agreement over how they wish to be updated on the progress and findings

Your assessment of limitations may include:

  • limitation of any sampling methodology vs testing entire populations
  • any limitations which may be placed upon your ability to fulfil your role, for example the absence of right to audit clauses in third party provider contracts
  • exclusion of specific areas of scope, for example the technical IT security surrounding systems may be subject to another specialist IT audit
  • statement re the limitations of audit and the provision of reasonable assurance
  • statement re the approved budget for the assignment, especially if this is less than the internal audit team originally proposed to management and audit committee
  • extent to which the validity of supporting documentation may be verified back to source
  • statement re the responsibility for the operation of the system of internal control residing with management

The resulting terms of reference document should be circulated to key stakeholders and discussed, and the approach agreed with the auditee and ideally the senior management team member responsible for the area under review.

A clear terms of reference should provide guidance to the audit team in respect of delivery, help ensure stakeholders have a common understanding of the assignment and assist in managing any expectation gaps.

IIA IPPF Standard 2200 – engagement planning

IIA IPPF Standard 2300 – performing the engagement
