
April 1, 2026 • 28 min read
Step-by-step internal audit checklist

Vice Vicente
Key Takeaway: A defensible internal audit checklist maps each test step to a specific risk, control owner, control attribute, and testing method. Build it from the COSO 2013 five components and the 2024 IIA Global Internal Audit Standards rather than copying a template. Pilot the checklist on one process before scaling across the organization.
The 2024 IIA Global Internal Audit Standards (effective January 9, 2025) replaced the prior IPPF structure and introduced mandatory Topical Requirements for AI, cybersecurity, and third-party risk that must now be reflected in audit programs. Internal auditors who build checklists from scratch — anchored to risk, process, and the COSO 2013 framework — produce more defensible work than those who rely on templates that test controls without testing for control.
Optro's "Planning an audit from scratch: A how-to guide" details how to build an effective internal audit plan from the ground up through best practices, resources, and insights rather than relying on templated audit programs. Use the checklist below to start planning an audit, and download the full guide for help creating a flexible, risk-based audit program.
What an internal audit covers
An internal audit is an independent review of an organization's operations, governance, internal controls, and risk management processes to improve effectiveness and efficiency. Internal auditors conduct interviews, inspect evidence, test controls, and read policies to understand the environment and validate whether controls and processes are working as designed.
How internal audits differ from external compliance audits
The essential difference between internal audits and compliance audits, sometimes called external audits, is who performs the audit. Internal audits are typically performed by auditors employed by the business. Compliance audits are conducted by independent, third-party, or external auditors, often certified in the framework being audited.
External regulatory compliance audits have a specific scope and aim — PCI DSS, for example, zooms in on credit cardholder data. Internal audits have the benefit of a looser scope, allowing an organization to focus on priority areas or areas that may not be examined in a formal compliance audit.
The benefits of an effective internal audit
Internal audits provide many benefits to an organization, giving management and leadership another lens to improve operations.
A quality management system (QMS) is a structured framework of policies, processes, and procedures used to plan and implement an organization's key business areas. The internal audit's role within a QMS is to evaluate effectiveness, verify adherence to standards like ISO 9001:2015, and identify areas for improvement. A QMS internal audit checklist typically covers ISO 9001 clauses four through ten: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement.
Internal audits also give advantages to organizations pursuing external audits by preparing stakeholders and process owners ahead of fieldwork. Findings from internal audits can be addressed quickly, and observations give management greater insight into the business, people, technology, and processes. Impetus from internal audit reports can encourage optimization, saving the organization in costs and ultimately improving customer satisfaction.
Internal audit checklist: planning an audit from scratch
The six steps to preparing an audit program from scratch are:
- Initial audit planning
- Involving risk and process subject matter experts
- Applying frameworks for internal audit processes
- Preparing for a planning meeting with business stakeholders
- Preparing the audit program
- Audit program and planning review
1. Initial audit planning
All internal audit projects should begin with the team clearly understanding why a given project was put on the audit plan. The following questions should be answered and approved before fieldwork begins:
- What key enterprise risk or concern does the audit address?
- Why did the audit committee, executive, or other key manager go out of their way to enlist internal audit's assistance?
- How does the process support the organization in achieving its goals and core business objectives?
- What is the overall audit schedule, and how does this project fit into the plan?
- Was this process audited in the past, and if so, what were the results of the previous audit(s)?
- Were audit findings or nonconformities investigated and remediated according to the action plan?
- Have significant changes occurred in the process recently or since the previous audit?
- What is the project's scope, and what specific requirements need to be met for a successful outcome?
Prior to engaging from an audit standpoint, validate that the audit is still relevant. Check in with the business leader before the audit kick-off to determine whether there have been changes — in the team or the risk the audit addresses — that affect the urgency or necessity of the audit.
Participants in the project should review the prior audit report and results to refresh their understanding of the environment, scope, and project parameters. The team may also want to review any standards, frameworks, and regulatory requirements relevant to the project or program. Reporting on internal audit objectives should be delivered to top management periodically — quarterly or biannually is common depending on the size and complexity of the business.
2. Involve risk and process subject matter experts
Performing an audit based on internal company information is helpful for assessing the operating effectiveness of the process's controls. Use experts within the company in addition to outside subject matter experts; this can be especially helpful in large organizations where resources in different divisions, countries, or departments share the same expertise and can provide support or insight while maintaining their independence.
For internal audit to keep pace with the business's changing landscape and to ensure key processes and controls are designed correctly, seeking out external expertise is a best practice for forward-thinking internal auditors. Internal auditors can find this subject matter expertise in many ways.
In addition to risk advisory practices, many internal audit consulting firms offer consulting practices that help customers improve their process performance. For instance, if you're auditing your customer service department, engaging with a director or partner from a consulting firm specializing in customer service provides perspective on how leading companies perform that process and surfaces emerging risks or industry trends that you might have overlooked.
To foster talent, skills, and development, internal audit professionals should stay current on trends, topics, and themes in their industry. Other useful resources to learn about emerging risks and process best practices include:
- The Wall Street Journal, Harvard Business Review, or other leading business periodicals
- Newsletters and updates from The IIA, AICPA, ISACA, ISO, NIST, and similar organizations
- Online resources like Deloitte's Internal Audit Perspectives, EY's Insights, KPMG's Insights & Resources, The Protiviti View, and RSM Insights, which highlight how specialist firms address different business risks
These resources can be leveraged to identify relevant risks, inform internal audit procedures, and encourage continuous improvement in your internal audit program. Having the right people and talent in place to perform the necessary audit activities is critical to your program’s success, and pulling in additional resources during an audit can be challenging. By lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.
3. Frameworks for internal audit: IIA Global Internal Audit Standards and COSO ICIF
The 2024 IIA Global Internal Audit Standards (released January 9, 2024; effective January 9, 2025) replaced the prior International Professional Practices Framework (IPPF) structure. The new standards organize guidance around five Domains and 15 Principles, and introduce mandatory Topical Requirements for specific risk areas — including cybersecurity, third-party risk, and AI — that must be reflected in audit programs providing assurance over those topics. Checklists should be updated to map test steps to the new standards and to capture the chief audit executive's confirmation that the audit was performed in conformance.
In addition to the IIA, organizations like ISACA provide guidance around internal audit processes.
When internal auditors create audit programs that test for control, versus testing controls, the function improves significantly. Controls, or control activities, are only one of the five components of internal control. While used extensively for Sarbanes-Oxley (SOX) compliance purposes, the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) 2013 Internal Control — Integrated Framework can also be used by internal auditors to create a more comprehensive audit program. In addition to identifying and testing control activities, internal audit should identify and test the other components of a well-controlled process: control environment, risk assessment, information and communication, and monitoring. Before applying a specific framework, the internal audit team and leadership should evaluate its suitability as they map to the business.
COSO's ICIF focuses on fraud, internal controls, and financial reporting, while covering subjects like the overall control environment, information and communication, and risk management. Since COSO's ICIF was designed to address SOX, which is a U.S. statute, publicly traded companies based in the U.S. may benefit the most from employing this framework as part of their internal audit program.
- Review COSO's Internal Control — Integrated Framework components, principles, and points of focus at COSO's ICIF guidance.
4. Preparing for a planning meeting
Obtaining information and data about the process to be audited can happen with a combination of research and interviews. Prioritizing how data is acquired is up to the internal audit team. Great internal auditors know that doing more work before meeting with process and control owners will minimize disruption to the audit customers and set a positive tone for the audit.
The following steps should be performed to prepare for a planning meeting:
- Start by collecting and reviewing as much of the internal information (highlighted above) as possible.
- Meet with your subject matter experts to confirm the process's biggest risks and best practices.
- With this information and your pre-planned, COSO-based questions, an initial questionnaire can be created to facilitate the planning meeting.
Preparing the questionnaire after performing the initial research sets a positive tone for the audit and demonstrates that internal audit is informed and prepared. Instead of asking how the process works, the in-charge internal auditor can validate their high-level understanding by sharing their initial research and due diligence. It is easier for an audit customer to confirm internal audit's understanding of the process and add color where needed, as opposed to reiterating information that is already documented.
The objective of the planning meeting is to obtain a high-level understanding of the goals and objectives of the process or department and the key steps in that process. The planning meeting is usually held with the most senior manager of the process, the in-charge auditor of the project, and at least one more auditor to take detailed notes. If you really want to impress, consider inviting your subject matter expert to the planning meeting. Having the subject matter expert in the meeting reinforces that the audit project is intended as free benchmarking, and not just a compliance exercise the audit customer is required to participate in.
5. Preparing the audit program
Once internal audit has confirmed their understanding of the process and risks, the team is prepared to create an audit program. The program should capture the significant activities of everyone (employees and third parties) involved in the process, the flow of assets (tangible or intangible), and the activities and controls that prevent or detect mistakes and errors.
An audit program should detail the following:
Summary and purpose of the audit program
Since internal audit reports are usually designed for the consumption of leadership and management, an executive summary of the audit program and outcomes gives the audience a snapshot of the audit and results.
Process objectives and owners
Documenting the process objectives and tying each process to owners designates accountability.
Process risks
Along with the process objectives and owners, the risks associated with the process should be noted. Compliance-focused audit checklists (e.g., for SOX, HIPAA, PCI DSS v4.0, or ISO/IEC 27001:2022) should also map each risk to the specific framework requirement it addresses.
Controls mitigating process risks
Once details about the process, including risks, are documented, the audit team should identify and map the mitigating controls to the risks they address. Compensating controls can also be noted here.
Control attributes
Control attributes are the components and characteristics of the control activity that are critical to its effective execution. Asking the following questions and documenting the results is a good starting point — though some controls may have unique or uncommon attributes:
- Is the control preventive or detective? If the control is detective, are corrective actions required as part of completing the control?
- How frequently does the control occur (e.g., many times a day, daily, weekly, monthly, quarterly, annually)?
- What type of risk does the control mitigate (fraud, operational, security, etc.)?
- Is the control performed manually, by an application, or as a combination?
- How likely will the risk be realized (e.g., Highly Likely, Likely, Unlikely)?
- How impactful would the risk be if it were realized (e.g., High, Medium, Low)?
- What evidence does the audit team need to complete audit testing procedures?
Testing procedures, methods, and best practices
There are four methods commonly used to test internal controls, often in combination:
- Inquiry — asking how the control is performed
- Observation — viewing the control performed, typically in real time
- Inspection — reviewing documentation evidencing the control was performed
- Re-performance — independently performing the control to validate outcomes
For broader financial statement and substantive testing, three additional procedures — recalculation, confirmation (e.g., from banks or customers), and analytical procedures (ratio and trend analysis) — round out the seven generally accepted audit procedures referenced under PCAOB AS 1105 and ISA 500.
A comprehensive audit program may contain sensitive information about the business. Access to the full audit program(s) should be restricted to appropriate personnel and shared only when approved.
When planning an audit from scratch, keep these leading practices in mind:
- For audits that can be replicated across divisions, regions, or countries, perform a pilot first. Pick a local store or process and run the audit program against it to work out the bugs and capture lessons that can be applied across the organization. Give the business a seat at the table during the pilot so they can provide insight, identify gaps, and help refine the program.
- Test all controls via inquiry (interviewing the control owner) where possible. Testing procedures for control environment and risk assessment-related activities can be completed by observation. Control activities and monitoring are best validated through inspection, and information and communication is best tested by re-performance.
- Schedule check-ins with your subject matter experts to fill in any gaps and avoid a "checklist audit" mentality.
- Adopt an agile mentality. Risks scale quickly and the business can change overnight. Be open to cutting and pivoting, and always seek to understand the big picture so a developing high-urgency risk gets surfaced to leadership.
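As an added illustration (not the article's or Optro's code), the Python below models the audit program rows described above and performs the completeness review a CAE or subject matter expert would do before fieldwork: it flags steps missing a risk, control owner or evidence source, checks the chosen testing methods against the leading-practice pairing in the list above, and orders the steps that pass review by likelihood and impact. The COSO component names, testing methods and method pairing come from the article; the field names, messages and sample steps are assumptions constructed here.

```python
from dataclasses import dataclass, field

# Vocabulary from the article; field names, messages and sample values are assumptions.
COSO_COMPONENTS = {"control environment", "risk assessment", "control activities",
                   "information and communication", "monitoring"}
TEST_METHODS = {"inquiry", "observation", "inspection", "re-performance"}
# Leading-practice pairing from the article: inquiry for every control, plus the
# evidence-based method best suited to the COSO component the step addresses.
PREFERRED_METHOD = {"control environment": "observation", "risk assessment": "observation",
                    "control activities": "inspection", "monitoring": "inspection",
                    "information and communication": "re-performance"}
LIKELIHOOD = {"unlikely": 1, "likely": 2, "highly likely": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class TestStep:
    """One row of the audit program: risk, control, owner, attributes, evidence, test methods."""
    step_id: str
    risk: str
    control: str
    coso_component: str
    control_owner: str
    control_type: str   # "preventive" or "detective"
    frequency: str      # e.g. "daily", "monthly", "quarterly"
    likelihood: str     # "highly likely", "likely" or "unlikely"
    impact: str         # "high", "medium" or "low"
    evidence: str       # what the audit team needs to complete testing
    methods: set = field(default_factory=set)


def review_step(step: TestStep) -> list:
    """Reviewer findings for one step; an empty list means it is ready for fieldwork."""
    findings = []
    for name in ("risk", "control", "control_owner", "evidence"):
        if not getattr(step, name).strip():
            findings.append(f"{step.step_id}: missing {name.replace('_', ' ')}")
    if step.coso_component not in COSO_COMPONENTS:
        findings.append(f"{step.step_id}: unknown COSO component {step.coso_component!r}")
    if step.control_type not in ("preventive", "detective"):
        findings.append(f"{step.step_id}: control type must be preventive or detective")
    if step.likelihood not in LIKELIHOOD or step.impact not in IMPACT:
        findings.append(f"{step.step_id}: likelihood and impact must both be rated")
    for method in sorted(step.methods - TEST_METHODS):
        findings.append(f"{step.step_id}: unknown testing method {method!r}")
    if "inquiry" not in step.methods:
        findings.append(f"{step.step_id}: every control should be tested via inquiry")
    preferred = PREFERRED_METHOD.get(step.coso_component)
    if preferred and preferred not in step.methods:
        findings.append(f"{step.step_id}: {step.coso_component} is best validated by {preferred}")
    return findings


def risk_score(step: TestStep) -> int:
    """Likelihood x impact (1..9), used to order fieldwork by where the risk is greatest."""
    return LIKELIHOOD.get(step.likelihood, 0) * IMPACT.get(step.impact, 0)


def review_program(steps: list) -> dict:
    """All findings, plus the steps that passed review ordered by descending risk score."""
    findings = [f for step in steps for f in review_step(step)]
    flagged = {f.split(":")[0] for f in findings}
    ready = sorted((s for s in steps if s.step_id not in flagged), key=risk_score, reverse=True)
    return {"findings": findings, "fieldwork_order": [s.step_id for s in ready]}


# Constructed sample program (not real client data); AP-02 lacks an owner and skips inspection.
SAMPLE_PROGRAM = [
    TestStep("AP-01", "Terminated users retain system access", "Quarterly user access review",
             "control activities", "IT Operations Manager", "detective", "quarterly",
             "likely", "high", "Signed access review workbook", {"inquiry", "inspection"}),
    TestStep("AP-02", "Control failures go unnoticed by management", "Monthly KPI review",
             "monitoring", "", "detective", "monthly", "likely", "medium",
             "Dashboard sign-off emails", {"inquiry"}),
    TestStep("AP-03", "Policy changes not communicated to staff", "Policy acknowledgement",
             "information and communication", "HR Director", "preventive", "annually",
             "unlikely", "medium", "Acknowledgement records", {"inquiry", "re-performance"}),
]
```

Calling review_program(SAMPLE_PROGRAM) returns two findings for AP-02 (no owner, monitoring not inspected) and a fieldwork order of AP-01 then AP-03, since AP-01 is rated likely and high-impact.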
6. Audit program review
Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. Below are several best practices for reviewing your audit before it kicks off.
Chief audit executive review
The chief audit executive, no matter how large the internal audit department, should review prepared audit programs before fieldwork begins. The CAE can confirm the team's process understanding by using information from other executives and stakeholders, and — most importantly — verify whether the scope and procedures of the project specifically address why the audit was scheduled and requested. The last thing anyone wants — internal auditor, audit customer, or CAE — is for fieldwork to be completed only to find out the work does not address the key risks highlighted in the internal audit risk assessment.
Subject matter expert review
If you used a subject matter expert, they should also review the draft audit program. Common subject matter expert feedback includes correcting or adding detail to testing procedures and validating whether a process appears to be designed correctly. Using this expertise makes for a more informed internal auditor, and positions the project to be viewed as external benchmarking as opposed to an audit.
Process leader review
The draft audit program should be shared and reviewed with the process leader. This level of transparency should be positively received by the process leader, whether they want the work performed or not. Their feedback will confirm the team's understanding of the process, and sometimes can even shorten fieldwork time because the process leader will begin to indicate which controls were not done or are not working as intended.
The goal: enabling positive change
Aggregating and analyzing internal organizational data, external subject matter expertise, and internal control-related data should give the internal audit team a solid understanding of how the process works, the key risks managed by the process, and how to spend their time and resources carrying out the audit.
Internal auditors who can create and document audit programs from scratch — and do not rely solely on template audit programs — will be more capable and equipped to perform audits over areas not routinely audited.
When internal audit can spend more of their time and resources aligned to their organization's strategy and key objectives, internal auditor job satisfaction will increase because they will be taking on more interesting projects. The audit committee and C-suite may become more engaged with internal audit's work in strategic areas. Most importantly, recommendations made by internal audit will have a more dramatic impact in enabling positive change in their organizations.
Ready to build an effective audit program from the ground up? For a deeper dive with more best practices, resources, and insights, download the full ebook, Planning an Audit From Scratch: A How-To Guide.
Frequently asked questions
What should an audit checklist include?
An effective audit checklist documents the audit scope, evidence collection requirements, audit tests and methods, analysis of results, conclusions, and follow-up actions including corrective and preventive actions (CAPAs). For practitioner use, it should also map each test step to the underlying risk and control, specify the testing method (inquiry, observation, inspection, re-performance), and identify the control owner and evidence source so reviewers can validate completeness before fieldwork begins.
What are the five C's of audit?
The five C's are the standard components of an audit finding: Criteria (the standard or control expectation), Condition (what was actually observed), Cause (why the gap occurred), Consequence (the risk or impact), and Corrective Action (the remediation plan). Structuring each finding against these five elements makes observations defensible, actionable, and easy for management to track to closure.
What are the seven audit procedures?
The seven generally accepted audit procedures are inquiry, observation, inspection, recalculation, re-performance, confirmation, and analytical procedures. The first four are most commonly applied to internal control testing, while recalculation, external confirmation (e.g., from banks or customers), and analytical procedures (ratio and trend analysis) are used heavily in financial statement and substantive testing, consistent with PCAOB AS 1105 and ISA 500.
What are the seven principles of auditing under ISO 19011?
ISO 19011:2018 defines seven auditing principles:
- Integrity
- Fair presentation
- Due professional care
- Confidentiality
- Independence
- Evidence-based approach
- Risk-based approach
Embed these into auditor training, conflict-of-interest declarations, and audit planning documentation — especially the risk-based approach, which was added in the 2018 revision and aligns ISO audits with the IIA Global Internal Audit Standards' risk-based assurance model.
How does an internal audit checklist differ from a compliance audit checklist?
An internal audit checklist is risk-based and flexible in scope, while a compliance audit checklist maps each test step directly to specific framework requirements — SOX ICFR controls, HIPAA Security Rule safeguards, PCI DSS v4.0 requirements, or ISO/IEC 27001:2022 Annex A controls. Compliance checklists must include explicit requirement IDs, evidence retention rules, and pass/fail criteria because the output feeds an attestation or certification. Internal audit checklists prioritize root-cause analysis and process improvement over conformance verdicts.
How should audit checklists be updated for the ISO/IEC 27001:2022 transition deadline?
All active ISO 27001 certifications must transition to the 2022 version by October 31, 2025, per IAF MD 26. Checklists must be re-mapped from the 93 consolidated Annex A controls (down from 114 in the 2013 version) across the four new control themes: organizational, people, physical, and technological. Run a gap analysis against the 11 new controls — including threat intelligence, ICT readiness for business continuity, secure coding, and cloud services — and assign a checklist steward to verify re-mapping before the surveillance audit window.
How should an audit checklist address AI and the EU AI Act?
Audit checklists should add modules for AI model validation, bias testing, training data lineage, and log retention of at least six months for high-risk AI systems as required by EU AI Act Article 26. High-risk AI obligations take effect in August 2026, and deployers must document worker notification before AI deployment. Include evidence requests for AI inventories, risk classifications, and human-oversight controls aligned with NIST CSF 2.0's AI sub-categories.
About the authors

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.