Step-by-Step Internal Audit Checklist

Step-by-Step Internal Audit Checklist

What can internal auditors do to prepare a more comprehensive scope for their internal audit projects? And where can internal auditors find the subject matter expertise needed to create an audit program “from scratch”? AuditBoard’s “Planning an Audit: A How-To Guide” details how to build an effective internal audit plan from the ground up through best practices, resources, and insights rather than relying on templated audit programs.

One of the guide’s highlights is a comprehensive checklist of audit steps and considerations to keep in mind as you plan any audit project. Use the checklist below to start planning an audit, and download our full “Planning an Audit: A How-To Guide” for tips to help you create a flexible, risk-based audit program.

What is an Internal Audit?

An internal audit is a fundamentally independent function that evaluates an organization’s operations, internal controls, and risk management processes to improve the organization’s effectiveness and efficiency. Internal auditors will conduct interviews, inspect evidence, test controls, and read policies to understand the environment and validate that controls and processes are working — and working well.

The Difference Between Internal and External Audits

The essential difference between internal audits and compliance audits, sometimes called external audits, is who performs the audit. Internal audits, as the name indicates, are performed by internal auditors who are employed by the business. Compliance audits are conducted by independent, third-party, or external auditors, often certified in the audit that is being performed.

The Benefits of an Effective Internal Audit

Internal audits provide many benefits to an organization, giving management and leadership another lens to look at the organization. A Quality Management System (QMS) is a structured framework of policies, processes, and procedures used to plan and implement an organization’s key business areas. The internal audit’s role in the context of a Quality Management System focuses on evaluating the effectiveness of the organization’s QMS, ensuring adherence with requirement standards like ISO 9001, and identifying areas for improvement to enhance overall quality and efficiency.

While external regulatory compliance audits are essential, they often have a specific scope and aim—PCI DSS, for example, zooms in on credit cardholder data. Internal audits have the benefit of a looser scope, allowing an organization to focus on priority areas or areas that may not be examined in a formal compliance audit.

Internal audits give advantages to organizations pursuing external audits and preparing stakeholders and process owners for future audits. Findings from internal audits can be addressed quickly; observations can give management greater insight into the business, people, technology, and processes. Impetus from internal audit reports can encourage optimization, saving the organization in costs and ultimately improving customer satisfaction.

So, how can an organization plan for a successful internal audit? Read on for our checklist!

Internal Audit Checklist

The steps to preparing for an internal audit are 1) initial audit planning, 2) involve risk and process subject matter experts, 3) frameworks for internal audit processes, 4) initial document request list, 5) preparing for a planning meeting with business stakeholders, 6) preparing the audit program, and 7) audit program and planning review.

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why a given project is part of the internal audit program. The following questions should be answered and approved before fieldwork begins:

  • Why was the audit project approved to be on the internal audit plan?
  • How does the process support the organization in achieving its goals and objectives?
  • What enterprise risk(s) does the audit address?
  • What is the overall audit schedule, and how does this project fit into the plan?
  • Was this process audited in the past, and if so, what were the results of the previous audit(s)?
  • Were audit findings or nonconformities investigated and remediated according to the action plan?
  • Have significant changes occurred in the process recently or since the previous audit?
  • What is the project’s scope, and what specific requirements need to be met for a successful outcome?

Additionally, participants in the project should review the audit report and audit results to refresh their understanding of the environment, scope, and project parameters. The team may also want to review any standards, frameworks, and regulatory requirements relevant to the project or program. Reporting on internal audit objectives should be delivered to top management periodically — quarterly or biannually is common depending on the size and complexity of the business.

2024 Focus on the Future Report

2. Involve Risk and Process Subject Matter Experts

Performing an audit based on internal company information is helpful for assessing the operating effectiveness of the process’s controls. However, for internal audits to keep pace with the business’s changing landscape, and to ensure key processes and controls are also designed correctly, seeking out external expertise is increasingly becoming a best practice, even when a formal external audit is not required.

Organizations can employ Subject Matter Experts (SMEs) from the Big 4 (Deloitte, EY, PwC, and KPMG) and other consulting providers to supplement risk management and internal audit programs. These consultants can provide additional guidance, insight, and clarity on specific regulatory requirements, information security, and business processes. When contracting with consultants, be sure to disclose any other consulting relationships you may have with that firm or company, as there may be independence considerations that the consulting firm has to take into account.

In terms of fostering talent, skills, and development, internal audit professionals should stay abreast of current trends, topics, and themes in their industry. The following resources can help audit professionals understand the present landscape and augment their knowledge:

Image: The Institute of Internal Audit (IIA) Competency Framework for Internal Audit Professionals

Source: The IIA Competency Framework for Internal Audit Professionals

These resources can be leveraged to identify relevant risks, inform internal audit procedures,  and encourage continuous improvement in your internal audit program. Having the right people and talent in place to perform the necessary audit activities is critical to your program’s success, and pulling in additional resources during an audit can be challenging. By lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.

3. Frameworks for Internal Audit: The International Professional Practices Framework (IPPF)

Collating guidance from the Institute of Internal Auditors (IIA), the International Professional Practices Framework (IPPF) contains both mandatory and best practice recommendations. The IPPF aims to support the overall mission, “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” The core elements of the IPPF are the: Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal Auditing.

In addition to the IIA, organizations like ISACA can also provide guidance around internal audit processes.

4. Frameworks for Internal Audit Processes: COSO ICIF

Although a risk-based approach to internal auditing can and should result in a bespoke internal audit program for each organization, taking advantage of existing frameworks like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control — Integrated Framework to inform your program can be a win for your internal audit team and avoid reinventing the wheel. Before applying a specific framework, the internal audit team and leadership should evaluate itssuitability as they map to the business.

While used extensively for Sarbanes-Oxley (SOX) statutory compliance purposes, internal auditors can also leverage COSO’s 2013 Internal Control — Integrated Framework (ICIF) to create a more comprehensive audit program. COSO’s ICIF focuses on fraud, internal controls, and financial reporting, while covering subjects like the overall Control Environment of the organization, Information, and Communication, and Risk Management. Since COSO’s ICIF was designed to address SOX, which is a U.S. statute, publicly traded companies based in the US may benefit the most from employing this framework as part of their internal audit program.

  • Review COSO’s 2013 Internal Control components, principles, and points of focus here.

5. Initial Document Request List

The Document Request List or Evidence Request List, often abbreviated to “Request List” or “RL” is one of the central documents of any audit. The Request List is an evolving list of requests which may cover everything from interview scheduling, evidence requests, policy and procedures, reports, supporting documentation, diagrams, and more with the purpose of providing auditors with the information and documents they need to complete the audit program for the designated projects or processes.

Requesting and obtaining documentation on how processes work is an obvious next step in preparing for an audit. These requests should be delivered to stakeholders as soon as possible in the audit planning process to give stakeholders (with day jobs!) time to provide the right evidence. As requests come in, the internal audit team should review documented information for any follow-ups, and periodically update the request list as items get closed out. The following requests should be made to gain an understanding of processes, relevant applications, and key reports:

  • All policies, procedure documents, workflow diagrams, and organization charts
  • Key reports used to manage the effectiveness, efficiency, and process success
  • Access to critical applications used in the process; read-only if possible
  • Description and listing of master data for the processes being audited, including all data fields and attributes

From the listings received of master data, auditors can then make detailed sampling selections to test that processes and controls are being performed effectively, as designed, every time.

6. Preparing for a Planning Meeting With Business Stakeholders

Before meeting with business stakeholders, the internal audit committee should hold a meeting to confirm a high-level understanding of the objectives of the audit plan and program(s), key processes and departments, and the fundamental roadmap for the audit.

Then, after aligning some ducks internally, the audit team should also schedule and conduct a planning meeting with business stakeholders for the scoped processes. This keeps everyone on the same page, and gives business personnel the time and opportunity to coordinate audit efforts with their business units. The following steps should be performed to prepare for a planning meeting with business stakeholders:

  • Outline key process steps by narrative, flowchart, or both, highlighting information inflows, outflows, and internal control components.
  • Validate draft narratives and flowcharts with subject matter experts and stakeholders (if possible).
  • Develop an agenda or questionnaire for all meetings internally or with business stakeholders.

Preparing the questionnaire after the initial research sets a positive tone for the audit, demonstrating that the internal audit is informed and prepared. Planning, preparedness, and cooperation are critical to achieving audit objectives and gaining deeper insights.

7. Preparing the Audit Program

Once the internal audit team has completed initial planning, consulted with SMEs, and researched the applicable frameworks, they will be prepared to create an audit program. Audit teams can leverage past audit programs to better design present and future procedures. An audit program should detail the following information:

Summary and Purpose of the Audit Program

Since internal audit reports are usually designed for the consumption of leadership and management, providing an executive summary of the audit program and outcomes gives the audience a snapshot of the audit and results.

Process Objectives and Owners

Documenting the process objectives and tying each process to owners when completing the audit program designates accountability.

Process Risks

Along with the process objectives and owners, the risks associated with the process should also be noted.

Controls Mitigating Process Risks

Once details about the process, including risks, are documented, the audit team should identify and map the mitigating controls to the risks they address. Compensating controls can also be noted here.

Control Attributes

Control attributes are the components and characteristics of the control activity that are critical to the effective execution of that control. Asking the following questions and documenting the results are a good starting point — though some controls may have unique or uncommon attributes as well.

  • Is the control preventive or detective? If the control is detective, are there corrective actions required as part of completing the control?
  • How frequently does the control occur (e.g. many times a day, daily, weekly, monthly, quarterly, annually, etc.)?
  • What type of risk does the control mitigate (fraud, operational, security, etc.)?
  • Is the control manually performed, performed by an application, or a combination?
  • How likely will the risk be realized (e.g. Highly Likely, Likely, Unlikely)?
  • How impactful would the risk be if it were realized (e.g. High Impact, Medium Impact, Low Impact)?
  • What evidence does the audit team need to complete audit testing procedures?

Testing Procedures and Methods for Controls to be Tested During the Audit

There are four ways to test controls as part of an audit. These methods must often be combined to fully and completely test a control. These four methods are as follows:

  • Inquiry, or asking how the control is performed
  • Observation, or viewing the control be performed, typically in real-time
  • Inspection, or reviewing documentation evidencing the control was performed
  • Re-performance, or independently performing the control to validate outcomes

A comprehensive audit program contains sensitive information about the business. Access to the full audit program(s) should be restricted to appropriate personnel and shared only when approved.

8. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:

  • Internal Audit Manager or Senior Manager
  • Chief Audit Executive
  • Subject Matter Expert(s)
  • Management’s Main Point of Contact for the Audit (i.e. Audit Customer)

Internal auditors who take a risk-based approach, create and document audit programs from scratch — and do not rely on template audit programs — will be more capable and equipped to perform audits over areas not routinely audited. When internal audit teams can spend more of their time and resources aligned to their organization’s key objectives, internal auditor job satisfaction increases as they take on more interesting projects and have an effect on the organization. The Audit Committee and C-suite may become more engaged with internal audit‘s work in strategic areas. Perhaps most importantly, recommendations made by internal audit will have a more dramatic impact to enable positive change in their organizations.

Complete the form to get your free copy of Planning an Audit From Scratch: A How-To Guide.

Planning an Audit From Scratch: A How-To Guide

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.