What can internal auditors do to prepare a more comprehensive scope for their internal audit projects? And where can internal auditors find the subject matter expertise needed to create an audit program “from scratch”?
AuditBoard’s “Planning an Audit From Scratch: A How-To Guide” details how to build an effective internal audit plan from the ground up through best practices, resources, and insights rather than relying on templated audit programs.
One of the guide’s highlights is a comprehensive checklist of audit steps and considerations to keep in mind as you plan any audit project. Use the checklist below to start planning an audit, and download our full Planning an Audit From Scratch: A How-To Guide for tips to help you create a flexible, risk-based audit program.
What Is an Internal Audit?
An internal audit is a fundamentally independent function that evaluates an organization’s operations, internal controls, and risk management processes to improve the organization’s effectiveness and efficiency. Internal auditors will conduct interviews, inspect evidence, test controls, and read policies to understand the environment and validate that controls and processes are working — and working well.
The Difference Between Internal and External Audits
The essential difference between internal audits and external audits (often compliance or certification audits) is who performs them and to whom they report. Internal audits, as the name indicates, are performed by internal auditors employed by the business, and their results go to management and the Audit Committee. External audits are conducted by independent, third-party auditors, often certified in the audit being performed, whose opinion is addressed to outside parties such as regulators, customers, or shareholders.
The Benefits of an Effective Internal Audit
Internal audits provide many benefits to an organization, giving management and leadership another lens through which to view the business. One common setting is a Quality Management System (QMS): a structured framework of policies, processes, and procedures used to plan and run an organization’s key business areas. Internal audit’s role in that context is to evaluate the effectiveness of the QMS, confirm adherence to standards such as ISO 9001, and identify areas for improvement in overall quality and efficiency.
While external regulatory compliance audits are essential, they usually have a narrow, predefined scope: PCI DSS, for example, zooms in on cardholder data and the systems that store, process, or transmit it. Internal audits have the benefit of a flexible scope, allowing an organization to focus on priority areas or on areas that a formal compliance audit would never examine.
Internal audits give advantages to organizations pursuing external audits and preparing stakeholders and process owners for future audits. Findings from internal audits can be addressed quickly; observations can give management greater insight into the business, people, technology, and processes. Impetus from internal audit reports can encourage optimization, saving the organization in costs and ultimately improving customer satisfaction.
So, how can an organization plan for a successful internal audit? Read on for our checklist!
Internal Audit Checklist: Planning an Audit From Scratch
The steps to preparing an audit program from scratch are: 1) initial audit planning, 2) involving risk and process subject matter experts, 3) selecting frameworks for internal audit processes, 4) preparing for a planning meeting with business stakeholders, 5) preparing the audit program, and 6) reviewing the audit program and plan.
1. Initial Audit Planning
All internal audit projects should begin with the team clearly understanding why a given project was put on the audit plan. The following questions should be answered and approved before fieldwork begins:
- What key enterprise risk or concern does the audit address?
- Why did the Audit Committee, executive, or other key manager go out of their way to enlist internal audit’s assistance?
- How does the process support the organization in achieving its goals and core business objectives?
- What is the overall audit schedule, and how does this project fit into the plan?
- Was this process audited in the past, and if so, what were the results of the previous audit(s)?
- Were audit findings or nonconformities investigated and remediated according to the action plan?
- Have significant changes occurred in the process recently or since the previous audit?
- What is the project’s scope, and what specific requirements need to be met for a successful outcome?
Before engaging, take the time to validate that the audit is still relevant. Check in with the business leader before kick-off to determine whether anything has changed, in the team or in the risk the audit addresses, that affects the urgency or necessity of the audit.
Additionally, participants in the project should review the previous audit report and results to refresh their understanding of the environment, scope, and project parameters. The team should also review any standards, frameworks, and regulatory requirements relevant to the project or program. Progress against internal audit objectives should be reported to top management periodically; quarterly or biannually is common depending on the size and complexity of the business.
2. Involve Risk and Process Subject Matter Experts
Internal company information is a useful basis for assessing the operating effectiveness of a process’s controls. Leverage experts within the company in addition to outside subject matter experts; this is especially helpful in large organizations, where resources in other divisions, countries, or departments may have the same expertise and can provide support or insight while remaining independent of the process under audit.
For internal audit to keep pace with the business’s changing landscape and to ensure key processes and controls are also designed correctly, seeking out external expertise is a best practice for forward-thinking and contemporary internal auditors. Internal auditors can find this subject matter expertise in many ways.
In addition to their risk advisory practices, many firms that serve internal audit also have consulting practices that help clients improve process performance. For instance, imagine you are auditing your customer service department. Engaging a director or partner from a consulting firm that specializes in customer service not only provides perspective on how leading companies perform that process, but can also cast light on emerging risks or industry trends you might have overlooked.
In terms of fostering talent, skills, and development, internal audit professionals should stay abreast of current trends, topics, and themes in their industry. Other great resources to learn about emerging risks and process best practices include:
- The Wall Street Journal, Harvard Business Review, or other leading business periodicals
- Newsletters and updates from The IIA, AICPA, ISACA, ISO, NIST, and other similar organizations
- Online resources like Deloitte’s Internal Audit Perspectives, EY’s Insights, KPMG’s Insights & Resources, The Protiviti View, and RSM Insights can highlight how their firm’s specialists address different business risks
Source: The IIA Competency Framework for Internal Audit Professionals
These resources can be leveraged to identify relevant risks, inform internal audit procedures, and encourage continuous improvement in your internal audit program. Having the right people and talent in place to perform the necessary audit activities is critical to your program’s success, and pulling in additional resources during an audit can be challenging. By lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.
3. Frameworks for Internal Audit: The International Professional Practices Framework (IPPF) and COSO ICIF
Collecting guidance from the Institute of Internal Auditors (IIA), the International Professional Practices Framework (IPPF) contains both mandatory elements and recommended practices. The IPPF supports the profession’s mission, “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” The core elements of the IPPF are: Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal Auditing. Note that the IIA’s 2024 revision of the IPPF consolidates these elements into the Global Internal Audit Standards, effective January 2025, so check which edition your audit charter references.
In addition to the IIA, organizations like ISACA can also provide guidance around internal audit processes.
Our industry will improve by leaps and bounds when more internal auditors create audit programs that test whether a process is controlled, rather than only testing its individual controls. Controls, or control activities, are only one of the five components of internal control. While used extensively for Sarbanes-Oxley (SOX) compliance, the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control: Integrated Framework can also be leveraged by internal auditors to create a more comprehensive audit program. In addition to identifying and testing control activities, internal audit should seek to identify and test the other four components of a well-controlled process: control environment, risk assessment, information and communication, and monitoring activities. Before applying a specific framework, the internal audit team and leadership should evaluate its suitability as they map it to the business.
COSO’s ICIF addresses internal control over three categories of objectives (operations, reporting, and compliance) and is organized around the five components above: control environment, risk assessment, control activities, information and communication, and monitoring activities. The framework predates SOX (it was first published in 1992 and revised in 2013), but because it is the framework most U.S. registrants use for their SOX 404 assessments, publicly traded companies based in the U.S. may benefit the most from employing it as part of their internal audit program.
- Review COSO’s 2013 Internal Control components, principles, and points of focus on COSO’s website.
4. Preparing for a Planning Meeting
Obtaining information and data about the process to be audited happens through a combination of research and interviews. How that data is acquired and prioritized is up to the internal audit team. Great internal auditors know that doing more work before meeting with process and control owners minimizes disruption to the audit customers and sets a positive tone for the audit.
The following steps should be performed to prepare for a planning meeting:
- Start by collecting and reviewing as much of the internal information (highlighted above) as possible.
- Meet with your subject matter experts to confirm the process’s biggest risks and best practices.
- With this information and your pre-planned, COSO-based questions, an initial questionnaire can be created to facilitate the planning meeting.
Preparing the questionnaire after performing the initial research sets a positive tone for the audit and shows that internal audit is informed and prepared. Instead of asking how the process works, the in-charge internal auditor can validate their high-level understanding by sharing their initial research and due diligence. It is easier for an audit customer to confirm internal audit’s understanding of the process and add color where necessary than to reiterate information that is already documented and available.
The objective of the planning meeting is to obtain a high-level understanding of the goals and objectives of the process or department and the key steps to the process. The planning meeting is usually held with the most senior manager of the process, the in-charge auditor of the project, and at least one more auditor to take detailed notes. If you really want to impress, consider inviting your subject matter expert to the planning meeting. Having the subject matter expert in the meeting can prove that the audit project is to be seen and leveraged as free benchmarking, and not just some compliance exercise the audit customer is required to participate in.
5. Preparing the Audit Program
Once internal audit has confirmed its understanding of the process and the risks within it, it is ready to create an audit program. The program should capture the significant activities of everyone involved in the process (employees and third parties), the flow of assets (tangible or intangible), and the activities and controls that prevent or detect errors.
An audit program should detail the following information:
Summary and Purpose of the Audit Program
Since internal audit reports are usually designed for the consumption of leadership and management, providing an executive summary of the audit program and outcomes gives the audience a snapshot of the audit and results.
Process Objectives and Owners
Documenting the process objectives and tying each process to owners when completing the audit program designates accountability.
Process Risks
Along with the process objectives and owners, the risks associated with the process should also be noted.
Controls Mitigating Process Risks
Once details about the process, including risks, are documented, the audit team should identify and map the mitigating controls to the risks they address. Compensating controls can also be noted here.
Control Attributes
Control attributes are the components and characteristics of the control activity that are critical to its effective execution. Asking the following questions and documenting the answers is a good starting point, though some controls may have unique or uncommon attributes as well. Likelihood and impact strictly describe the risk the control mitigates rather than the control itself, but they are usually recorded alongside it so that testing effort can be scaled to the inherent risk.
- Is the control preventive or detective? If the control is detective, are there corrective actions required as part of completing the control?
- How frequently does the control occur (e.g. many times a day, daily, weekly, monthly, quarterly, annually, etc.)?
- What type of risk does the control mitigate (fraud, operational, security, etc.)?
- Is the control manually performed, performed by an application, or a combination?
- How likely will the risk be realized (e.g. Highly Likely, Likely, Unlikely)?
- How impactful would the risk be if it were realized (e.g. High Impact, Medium Impact, Low Impact)?
- What evidence does the audit team need to complete audit testing procedures?
Testing Procedures, Methods, and Best Practices
There are four ways to test controls as part of an audit, and they must often be combined to test a control fully. The four methods are:
- Inquiry, or asking how the control is performed
- Observation, or watching the control being performed, typically in real time
- Inspection, or reviewing documentation evidencing that the control was performed
- Re-performance, or independently performing the control to validate its outcome
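The risks, mitigating controls, control attributes, and testing methods described above are normally captured together in a risk-control matrix, and the most common planning mistakes (a risk with no control, a control tested by inquiry only, a detective control with no corrective action) are easy to catch mechanically before the CAE review. The following script, added here as an example and not part of the original guide or AuditBoard’s software, models a small audit program for a constructed privileged-access provisioning process and checks it for those gaps; the risk and control records, the ordinal likelihood/impact scales, and the gap rules are all assumptions made for illustration.

```python
"""Risk-control matrix (RCM) checks for a from-scratch audit program.

Added example, not AuditBoard's code. The process, risks, controls and
scoring scales below are constructed for illustration.
"""
from dataclasses import dataclass

# Ordinal scales mirroring the likelihood/impact attributes in the checklist.
LIKELIHOOD = {"Unlikely": 1, "Likely": 2, "Highly Likely": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3}
# The four testing methods discussed in the article.
TEST_METHODS = {"inquiry", "observation", "inspection", "re-performance"}


@dataclass
class Risk:
    id: str
    description: str
    likelihood: str
    impact: str

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is considered."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class Control:
    id: str
    description: str
    owner: str
    kind: str                    # "preventive" or "detective"
    frequency: str
    automation: str              # "manual", "automated" or "hybrid"
    mitigates: list[str]         # risk ids this control addresses
    test_methods: set[str]       # subset of TEST_METHODS
    evidence: str = ""           # what the audit team will collect
    corrective_action: str = ""  # expected for detective controls


def validate_program(risks: list[Risk], controls: list[Control]) -> list[str]:
    """Return plain-language gaps found in a draft audit program."""
    gaps: list[str] = []
    known = {r.id for r in risks}
    covered: set[str] = set()
    for c in controls:
        unknown = set(c.mitigates) - known
        if unknown:
            gaps.append(f"{c.id}: maps to undefined risk(s) {sorted(unknown)}")
        covered |= set(c.mitigates) & known
        if not c.test_methods <= TEST_METHODS:
            gaps.append(f"{c.id}: unknown test method(s) {sorted(c.test_methods - TEST_METHODS)}")
        if c.test_methods == {"inquiry"}:
            gaps.append(f"{c.id}: inquiry alone is not sufficient evidence; "
                        "add inspection, observation or re-performance")
        if c.kind == "detective" and not c.corrective_action:
            gaps.append(f"{c.id}: detective control has no documented corrective action")
        if not c.evidence:
            gaps.append(f"{c.id}: no evidence requirement documented")
    # Every documented risk must be addressed by at least one control.
    for r in risks:
        if r.id not in covered:
            gaps.append(f"{r.id}: no mitigating control (inherent score {r.inherent_score()})")
    return gaps


def prioritize(risks: list[Risk]) -> list[str]:
    """Risk ids ordered by inherent score, highest first, ties broken by id."""
    return [r.id for r in sorted(risks, key=lambda r: (-r.inherent_score(), r.id))]


# Constructed sample: a privileged-access provisioning process.
RISKS = [
    Risk("R1", "Terminated staff retain privileged access", "Highly Likely", "High"),
    Risk("R2", "Privileged access granted without approval", "Likely", "High"),
    Risk("R3", "Shared service accounts have no named owner", "Likely", "Medium"),
]
CONTROLS = [
    Control("C1", "Quarterly privileged-access review", "IAM lead", "detective",
            "quarterly", "hybrid", ["R1"], {"inspection", "re-performance"},
            evidence="Signed review sheets and removal tickets for the last 4 quarters",
            corrective_action="Access removed within 5 business days of the review"),
    Control("C2", "Ticket approval before privileged access is granted",
            "Service desk manager", "preventive", "many times a day", "automated",
            ["R2"], {"inspection"},
            evidence="Sample of 25 provisioning tickets showing approver and timestamp"),
    Control("C3", "HR termination feed disables accounts nightly", "HRIS owner",
            "preventive", "daily", "automated", ["R1"], {"inquiry"}),
]

if __name__ == "__main__":
    for gap in validate_program(RISKS, CONTROLS):
        print("GAP:", gap)
    print("Test in this order:", prioritize(RISKS))
```

Running it reports that C3 is tested by inquiry only and has no evidence requirement, and that R3 has no mitigating control at all; the prioritized order R1, R2, R3 tells the in-charge auditor where to spend fieldwork hours first. The same structure scales to a spreadsheet export: load the RCM rows into `Risk` and `Control` records and run the checks before the program goes to the CAE.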
A comprehensive audit program may contain sensitive information about the business, such as known control weaknesses. Access to the full audit program(s) should be restricted to appropriate personnel and shared only when approved.
When planning an audit from scratch, keep these leading practices for testing in mind:
- For audits that can be replicated across divisions, regions, or countries, perform a pilot first. Pick a local store/process and run the audit program against it to get the bugs out and learn lessons that can be applied to the rest of the organization. Give the business a seat at the table during this pilot process so they can provide insight, identify gaps, and help you work out the kinks.
- All controls should be tested via inquiry, interviewing the control owner where possible, but inquiry alone is never sufficient evidence that a control operates effectively and must be corroborated by at least one other method. As a rule of thumb, control environment and risk assessment activities can be tested by observation, control activities and monitoring are best validated through inspection, and information and communication are best tested by re-performance.
- Schedule check-ins with your SMEs to fill in any gaps and get away from the “checklist audit” mentality.
- Adopt an agile mentality. The reality is that risks scale quickly and the business can change overnight. Therefore, you don’t want to miss an opportunity to present critical information to leadership as a new, high-urgency risk is developing. Be open to cutting and pivoting, and always seek to understand the big picture.
6. Audit Program Review
Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. Below are several best practices for reviewing your audit before it kicks off.
Chief Audit Executive Review
The Chief Audit Executive, no matter how large the internal audit department, should review prepared audit programs before fieldwork begins. The CAE can confirm the team’s process understanding by leveraging information obtained through other executives and stakeholders, and most importantly, verify if the scope and procedures of the audit project will specifically address why the audit was scheduled and requested. The last thing anyone wants — the internal auditor, audit customer, or CAE — is for fieldwork to be completed only to find out the work done does not address the key risks highlighted in the internal audit risk assessment.
Subject Matter Expert Review
If you leveraged a subject matter expert, they should also review the draft audit program. Common feedback from subject matter experts includes correcting or adding detail to testing procedures and validating whether a process appears to be designed correctly. Leveraging this expertise makes for a more informed internal auditor and positions the project to be viewed as external benchmarking rather than just an audit.
Process Leader Review
The draft audit program should be shared and reviewed with the process leader. This level of transparency should be positively received by the process leader, whether they want the work performed or not. Their feedback will confirm the team’s understanding of the process and can sometimes even shorten fieldwork, because the process leader will begin to indicate which controls are not performed or are not working as intended.
The Goal: Enabling Positive Change
Aggregating and analyzing internal organizational data, external subject matter expertise, and internal control-related data should give the internal audit team a solid understanding of how the process works, the key risks managed by the process, and how the team should spend its time and resources to carry out the audit.
Internal auditors who can create and document audit programs from scratch — and do not rely solely on template audit programs — will be more capable and equipped to perform audits over areas not routinely audited.
When internal audit can spend more of their time and resources aligned to their organization’s strategy and key objectives, internal auditor job satisfaction will increase because they will be taking on more interesting projects. The Audit Committee and C-suite may become more engaged with internal audit’s work in strategic areas. Perhaps most importantly, recommendations made by internal audit will have a more dramatic impact to enable positive change in their organizations.
Ready to build an effective audit program from the ground up? For a deeper dive into the subject with more best practices, resources, and insights, download the full ebook, Planning an Audit From Scratch: A How-To Guide.
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.