Internal Audit Checklist

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why the project was put on the audit plan. The following questions should be answered and approved before fieldwork begins:

Why was the audit project approved to be on the internal audit plan?
How does the process support the organization in achieving its goals and objectives?
What enterprise risk(s) does the audit address?
Was this process audited in the past, and if so, what were the results of the previous audit(s)?
Have there been significant changes in the process recently or since the previous audit?

2. Risk and Process Subject Matter Expertise

Performing an audit based on internal company information is helpful to assess the operating effectiveness of the process’s controls. However, for internal audit to keep pace with the business’s changing landscape and to ensure key processes and controls are also designed correctly, seeking out external expertise is increasingly becoming a best practice.

3. COSO’S 2013 Internal Control – Integrated Framework

While used extensively for Sarbanes-Oxley (SOX) compliance purposes, internal auditors can also leverage COSO’s 2013 Internal Control – Integrated Framework to create a more comprehensive audit program. In addition to identifying and testing control activities, Internal audit should seek to identify and test the other components of a well controlled process.

Review COSO’s 2013 Internal Control components, principles, and points of focus here.

4. Initial Document Request List

Requesting and obtaining documentation on how the process works is an obvious next step in preparing for an audit. The following requests should be made before the start of audit planning in order to gain an understanding of the process, relevant applications, and key reports:

All policies, procedure documents, and organization charts
Key reports used to manage the effectiveness, efficiency, and process success
Access to key applications used in the process
Descriptttion and listing of master data for the processes being audited, including all data fields and attributes
After gaining an understanding of the process to be audited through the initial document request, you should request access to master data for the processes being audited to analyze for trends and to aid in making detailed sampling selections.

5. Preparing for a Planning Meeting with Business Stakeholders

Before meeting with business stakeholders, internal audit should hold an internal meeting in order to confirm the high-level understanding of the objectives of the process or department and the key steps to the process.

6. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork: