Internal Audit:
A Practical Guide to Assurance, Control, Risk and Better Governance

Internal audit is an independent and objective assurance and advisory activity used to help an organisation evaluate and improve its governance, risk management and internal control arrangements.

At its simplest, internal audit asks:

Are the organisation’s controls, processes, systems and governance arrangements working properly, and what needs to improve?

That makes it useful for businesses, charities, public bodies, professional firms, property organisations, manufacturers, technology companies, healthcare providers, education organisations and any organisation that needs stronger oversight, better controls and clearer assurance.

The Institute of Internal Auditors describes internal audit as an activity that helps organisations accomplish their objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management and control processes. The IIA’s Global Internal Audit Standards are now the worldwide professional standards for internal auditing and are organised around purpose, ethics and professionalism, governance of the internal audit function, management of the function, and performance of internal audit services.

Used properly, internal audit is not simply a compliance exercise. It is a practical governance tool that helps leaders, boards, trustees and audit committees understand whether the organisation is well controlled, whether risks are being managed, and whether management actions are actually working.

What is internal audit?

Internal audit is a structured review of an organisation’s activities, controls, systems and governance arrangements.

It provides assurance to senior management, the board, trustees or audit committee that important risks are being managed properly.

It may examine:

  1. Financial controls
  2. Operational processes
  3. Governance arrangements
  4. Risk management
  5. Compliance
  6. Cyber security
  7. Procurement
  8. Payroll
  9. Fraud controls
  10. Data protection
  11. Project management
  12. Safeguarding
  13. Business continuity
  14. Health and safety
  15. Supplier management
  16. Contract management
  17. Performance reporting
  18. Culture and conduct
  19. Value for money
  20. Strategic risk management

Internal audit is different from day-to-day management review.

Management is responsible for running the organisation and operating controls. Internal audit provides independent assurance on whether those controls are designed properly and working effectively.

In simple terms:

Management owns the controls.

Internal audit tests and reports on them.

History and development of internal audit

Internal audit developed from the need for organisations to check whether internal controls, records, processes and management systems were working as intended.

Historically, internal audit often focused heavily on financial controls, transaction checking and compliance. That included checking whether payments were authorised, records were accurate, procedures were followed and assets were protected.

Over time, the role expanded significantly. Modern internal audit now looks beyond finance and compliance. It can examine governance, culture, operational effectiveness, technology, cyber security, major projects, risk management, business continuity, data quality, regulatory compliance, customer outcomes and strategic change.

The development of professional standards has been central to this shift. The IIA’s Global Internal Audit Standards were released in 2024 and became effective on 9 January 2025, providing a refreshed framework for effective internal auditing.

In the UK, the Chartered Institute of Internal Auditors also published an updated Internal Audit Code of Practice, effective from January 2025, aimed at strengthening internal audit practice across financial services, private and third sector organisations. The Code is principles-based and intended to be applied proportionately according to the size, risk profile and complexity of the organisation.

Internal audit has therefore moved from being seen as a checking function to being a wider assurance function. Its purpose is not only to find errors, but to help organisations understand whether their governance, risk and control arrangements are strong enough to support their objectives.

Internal audit, external audit and internal control

Internal audit is often confused with external audit and internal control.

They are related, but they are not the same.

Internal audit

Internal audit is an internal assurance function. It reviews risks, controls, processes and governance arrangements across the organisation.

It reports to management and usually to the board, trustees or audit committee.

It is intended to help improve control, assurance and governance.

External audit

External audit is usually performed by an independent audit firm appointed to give an opinion on the financial statements.

External audit is mainly concerned with whether the accounts give a true and fair view and comply with the relevant financial reporting framework.

External auditors may consider internal controls where relevant to their audit work, but they do not provide the same broad assurance over the whole organisation as internal audit.

Internal control

Internal controls are the policies, procedures, checks, approvals, systems and behaviours that help the organisation manage risk and achieve objectives.

Examples include:

  1. Approval limits
  2. Bank reconciliations
  3. Segregation of duties
  4. Password controls
  5. Stock checks
  6. Budget monitoring
  7. Payroll review
  8. Procurement procedures
  9. Safeguarding processes
  10. Contract review
  11. Data backups
  12. Health and safety checks

Internal audit reviews whether those controls are suitable and working.

In simple terms:

Internal controls are what management puts in place.

Internal audit tests whether those controls are adequate and effective.

Why internal audit matters

Internal audit matters because organisations need independent assurance.

Management teams are often close to the processes they run. That can make it harder to see weaknesses, control gaps, poor practice, duplication, inefficiency, fraud risk or cultural problems.

Internal audit provides a structured challenge.

It helps answer:

  1. Are controls working?
  2. Are risks being managed?
  3. Are policies being followed?
  4. Is governance effective?
  5. Are systems reliable?
  6. Are assets protected?
  7. Is information accurate?
  8. Are projects properly controlled?
  9. Are legal and regulatory duties being met?
  10. Are recommendations being implemented?
  11. Are weaknesses being escalated?
  12. Are there recurring control failures?

The Financial Reporting Council’s 2024 UK Corporate Governance Code requires boards to monitor the company’s risk management and internal control framework and review its effectiveness at least annually. The 2024 Code also strengthens reporting expectations around material controls, including controls over reporting.

Internal audit can provide important evidence to support those reviews. It does not replace board responsibility, but it can help boards understand whether controls are effective in practice.

When to use internal audit

Internal audit is useful whenever an organisation needs assurance over important risks, controls or governance arrangements.

Good uses include:

  1. Reviewing financial controls
  2. Testing payroll processes
  3. Checking procurement compliance
  4. Reviewing cyber security controls
  5. Testing business continuity arrangements
  6. Reviewing safeguarding processes
  7. Assessing project governance
  8. Checking contract management
  9. Reviewing stock control
  10. Testing fraud prevention controls
  11. Reviewing risk management
  12. Testing data quality
  13. Reviewing health and safety systems
  14. Checking compliance with policies
  15. Reviewing grant management
  16. Assessing value for money
  17. Testing management reporting
  18. Reviewing supplier dependency
  19. Assessing governance arrangements
  20. Following up previous audit recommendations

Internal audit is especially useful when the organisation wants independent evidence rather than informal reassurance.

It is less useful if treated as a box-ticking exercise or if management is unwilling to act on findings.

Internal audit in different industries

SMEs and owner-managed businesses

Many SMEs do not have a formal internal audit function. That does not mean internal audit thinking is irrelevant.

Smaller businesses often rely on trust, informal processes and owner oversight. That can work for a while, but it can create weaknesses as the business grows.

Common SME audit areas include:

  1. Cash controls
  2. Sales invoicing
  3. Credit control
  4. Purchase approvals
  5. Bank reconciliations
  6. Payroll
  7. Stock control
  8. Customer contracts
  9. Supplier payments
  10. VAT and tax processes
  11. Cyber security
  12. System access
  13. Owner dependency
  14. Management reporting
  15. Fraud risk

For SMEs, internal audit does not need to mean a large department. It may involve periodic independent reviews of key controls, especially around cash, payroll, purchasing, systems and compliance.

The aim is practical: reduce risk, improve control and protect the business.

Manufacturing

Manufacturing businesses can use internal audit to review production, procurement, quality, stock, safety and supply chain controls.

Typical internal audit areas include:

  1. Stock records
  2. Raw material controls
  3. Production planning
  4. Machine maintenance
  5. Quality control
  6. Scrap and rework
  7. Supplier approval
  8. Health and safety
  9. Environmental compliance
  10. Product recall procedures
  11. Purchase order controls
  12. Warehouse security
  13. Costing systems
  14. Energy usage controls
  15. Customer delivery performance

For manufacturing, internal audit should connect financial controls with operational reality.

A weak stock process is not only an accounting issue. It may affect production, cash flow, customer service, margin and fraud risk.

Retail and ecommerce

Retail and ecommerce organisations face risks around stock, payments, online systems, returns, customer data and fraud.

Typical internal audit areas include:

  1. Stock shrinkage
  2. Refund controls
  3. Payment processing
  4. Website order controls
  5. Customer data protection
  6. Returns management
  7. Supplier rebates
  8. Promotions and discounting
  9. Cash handling
  10. Marketplace compliance
  11. Cyber security
  12. Delivery partner performance
  13. Pricing controls
  14. Inventory valuation
  15. Customer complaint handling

For ecommerce, internal audit should not focus only on finance. It should also consider website resilience, payment controls, data protection, fulfilment, platform dependency and customer experience.

Professional services

Professional services firms need strong controls around client acceptance, deadlines, quality, billing, confidentiality and professional risk.

Typical internal audit areas include:

  1. Client onboarding
  2. Engagement letters
  3. Anti-money laundering procedures
  4. File review
  5. Deadline management
  6. Billing and work in progress
  7. Client money controls
  8. Conflicts of interest
  9. Data protection
  10. Professional indemnity processes
  11. Staff supervision
  12. Training records
  13. Complaints handling
  14. Quality management
  15. Cyber security

For accountants, solicitors, consultants, architects and advisers, internal audit can help protect reputation and reduce professional risk.

It can also identify whether processes are consistent across teams, offices or partners.

Charities and voluntary organisations

Charities need internal audit because trustees need assurance that funds are used properly, risks are managed and beneficiaries are protected.

Typical internal audit areas include:

  1. Grant compliance
  2. Restricted fund controls
  3. Donation processing
  4. Gift Aid
  5. Safeguarding
  6. Volunteer management
  7. Expenses
  8. Payroll
  9. Reserves management
  10. Trustee governance
  11. Fundraising compliance
  12. Service delivery
  13. Impact reporting
  14. Data protection
  15. Financial controls

For charities, internal audit should consider both financial stewardship and mission delivery.

It should help trustees answer:

  1. Are funds being used as intended?
  2. Are restricted funds controlled properly?
  3. Are safeguarding arrangements effective?
  4. Are volunteers properly managed?
  5. Are funder requirements being met?
  6. Is the charity financially sustainable?
  7. Are key risks being escalated?

Public sector and local government

Internal audit is a core part of public sector governance.

In England, the Accounts and Audit Regulations 2015 require relevant authorities to undertake an effective internal audit to evaluate the effectiveness of their risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.

Typical public sector internal audit areas include:

  1. Financial controls
  2. Procurement
  3. Contract management
  4. Governance
  5. Risk management
  6. Grant funding
  7. Housing services
  8. Adult social care
  9. Children’s services
  10. Payroll
  11. Cyber security
  12. Data quality
  13. Fraud prevention
  14. Project governance
  15. Value for money

For public bodies, internal audit supports accountability, transparency and effective use of public money.

Property and construction

Property and construction organisations can use internal audit to review projects, assets, leases, costs, contractors, compliance and risk.

Typical internal audit areas include:

  1. Lease management
  2. Rent collection
  3. Service charge controls
  4. Contractor procurement
  5. Project cost control
  6. Planning obligation tracking
  7. Health and safety
  8. Insurance records
  9. Utilities management
  10. Maintenance controls
  11. Tenant arrears
  12. Capital expenditure approvals
  13. Contractor payments
  14. Site access controls
  15. Property compliance

For construction projects, internal audit can review whether cost approvals, variations, contractor performance, health and safety controls and programme reporting are robust.

This can help prevent cost overruns, disputes and weak governance.

Technology and software

Technology businesses and digital teams need internal audit over systems, cyber security, data, product governance and change control.

Typical internal audit areas include:

  1. Cyber security controls
  2. Access permissions
  3. Change management
  4. Backup and recovery
  5. Incident response
  6. Data protection
  7. Supplier assurance
  8. Software development controls
  9. User access reviews
  10. AI governance
  11. System availability
  12. Patch management
  13. Cloud configuration
  14. Product release controls
  15. Business continuity

For technology businesses, internal audit should not be treated as a blocker to innovation. It should help make growth safer, more resilient and more reliable.

Healthcare and social care

Healthcare and social care organisations require strong assurance because quality, safety, safeguarding and continuity are central.

Typical internal audit areas include:

  1. Safeguarding
  2. Medication management
  3. Care records
  4. Staff training
  5. Recruitment checks
  6. Incident reporting
  7. Complaints
  8. Data protection
  9. Financial controls
  10. Agency staff costs
  11. Business continuity
  12. Quality assurance
  13. Regulatory compliance
  14. Service user funds
  15. Health and safety

In care settings, internal audit should support professional judgement. It should not become a paperwork exercise detached from service user safety and dignity.

Education and training

Education providers can use internal audit to review funding, safeguarding, learner records, quality assurance and operational controls.

Typical internal audit areas include:

  1. Safeguarding
  2. Learner records
  3. Funding claims
  4. Attendance records
  5. Payroll
  6. Procurement
  7. IT access
  8. Data protection
  9. Course quality
  10. Employer placements
  11. Assessment controls
  12. Health and safety
  13. Asset controls
  14. Complaints
  15. Governance

For education and training, internal audit should link compliance, funding, safeguarding and learner outcomes.

The main types of internal audit work

1. Financial control audits

Financial control audits review the processes that protect money, records and financial reporting.

They may examine:

  1. Purchase ordering
  2. Supplier payments
  3. Bank reconciliations
  4. Payroll
  5. Credit control
  6. Sales invoicing
  7. Expense claims
  8. Cash handling
  9. VAT processes
  10. Budget monitoring

The aim is to check whether financial controls are properly designed and operating effectively.

2. Operational audits

Operational audits review how activities are performed.

They may examine:

  1. Efficiency
  2. Process consistency
  3. Quality
  4. Timeliness
  5. Resource use
  6. Bottlenecks
  7. Duplication
  8. Handovers
  9. Customer service
  10. Performance measures

The aim is to improve how the organisation works.

3. Compliance audits

Compliance audits review whether the organisation is following laws, regulations, policies, contracts or funder requirements.

They may examine:

  1. Data protection
  2. Health and safety
  3. Employment processes
  4. Grant conditions
  5. Regulatory rules
  6. Procurement policy
  7. Safeguarding requirements
  8. Anti-money laundering rules
  9. Environmental obligations
  10. Contract terms

Compliance audits are especially important in regulated sectors.

4. Governance audits

Governance audits review how decisions are made, recorded, challenged and monitored.

They may examine:

  1. Board reporting
  2. Committee structure
  3. Delegated authorities
  4. Risk management
  5. Conflicts of interest
  6. Policy approval
  7. Decision logs
  8. Trustee oversight
  9. Audit committee effectiveness
  10. Management information

The aim is to test whether governance arrangements support good decision-making.

5. IT and cyber audits

IT and cyber audits review systems, data, access, resilience and security.

They may examine:

  1. Access controls
  2. Password policies
  3. Multi-factor authentication
  4. Backup testing
  5. Disaster recovery
  6. Change control
  7. Supplier hosting
  8. Patch management
  9. Incident response
  10. Data retention

Cyber risk is now a business risk, not just an IT issue. For these audits the evidence should be system output rather than the existence of a policy: an export of accounts showing who actually has multi-factor authentication enabled, the record of a completed restore test, a list of unpatched systems compared against the patching standard, and the change tickets behind recent production changes.

6. Project audits

Project audits review whether projects are controlled properly.

They may examine:

  1. Project governance
  2. Budget control
  3. Risk management
  4. Issue logs
  5. Assumptions logs
  6. Change control
  7. Benefits tracking
  8. Reporting
  9. Procurement
  10. Stakeholder communication

Project audits are useful where delivery, cost or accountability matters.

7. Value for money audits

Value for money audits review economy, efficiency and effectiveness.

They may ask:

  1. Are resources being used well?
  2. Are costs reasonable?
  3. Are outcomes being achieved?
  4. Are alternatives available?
  5. Is the service sustainable?
  6. Are performance measures meaningful?
  7. Is there avoidable waste?
  8. Are benefits being realised?

This is especially important in public bodies, charities and organisations with limited resources.

8. Advisory reviews

Internal audit can also provide advisory work.

This may include:

  1. Reviewing a new system before implementation
  2. Advising on control design
  3. Supporting risk workshops
  4. Reviewing a new policy
  5. Advising on project governance
  6. Helping improve process design
  7. Reviewing business continuity arrangements
  8. Advising on assurance mapping

Advisory work should not compromise independence. Internal audit can advise on controls, but management must own decisions and implementation.

The internal audit cycle

1. Understand the organisation

Internal audit should begin with an understanding of the organisation’s objectives, risks, structure, activities and control environment.

This includes:

  1. Strategy
  2. Risk register
  3. Board reports
  4. Financial information
  5. Policies
  6. Previous audit reports
  7. External audit findings
  8. Regulatory requirements
  9. Management concerns
  10. Incident reports

Internal audit should not operate in isolation. It should understand what the organisation is trying to achieve.

2. Prepare a risk-based internal audit plan

A risk-based internal audit plan focuses audit work on the areas that matter most.

It should consider:

  1. Strategic risks
  2. Financial risks
  3. Operational risks
  4. Legal and regulatory risks
  5. Fraud risks
  6. IT and cyber risks
  7. Previous audit findings
  8. Management concerns
  9. External audit findings
  10. Board and audit committee priorities
  11. New systems or projects
  12. Changes in the organisation

CIPFA guidance notes that internal audit should take a risk-based approach by identifying objectives, risks and controls, evaluating whether controls address the organisation’s risks, identifying over-control or under-control, and recommending management action.

3. Agree the scope of each audit

Before each audit starts, the scope should be agreed.

The scope should define:

  1. Area being reviewed
  2. Objectives
  3. Risks covered
  4. Processes included
  5. Period covered
  6. Locations included
  7. Exclusions
  8. Key contacts
  9. Expected timing
  10. Reporting arrangements

A clear scope helps avoid misunderstanding.

4. Identify risks and controls

The auditor should identify the key risks in the area being reviewed and the controls that should manage those risks.

For example, in payroll:

Risks may include:

  1. Incorrect payments
  2. Payments to leavers
  3. Unauthorised changes
  4. Poor segregation of duties
  5. Tax errors
  6. Data protection failures

Controls may include:

  1. Payroll approval
  2. Starter and leaver checks
  3. Exception reports
  4. Access restrictions
  5. Reconciliation to HR records
  6. Management review

The audit should test whether the controls are suitable and working.

5. Gather evidence

Internal audit findings should be evidence-based.

Evidence may include:

  1. Documents
  2. System records
  3. Reports
  4. Reconciliations
  5. Contracts
  6. Policies
  7. Meeting minutes
  8. Sample testing
  9. Interviews
  10. Data analysis
  11. Observation
  12. Walkthroughs
  13. Screen captures
  14. Audit trails
  15. Control logs

Evidence matters because audit findings must be credible.

6. Test controls

Control testing examines whether controls are operating as intended.

Testing may include:

  1. Reviewing a sample of transactions
  2. Checking approvals
  3. Testing reconciliations
  4. Reviewing exception reports
  5. Checking system access
  6. Comparing records
  7. Testing compliance with policy
  8. Reviewing timeliness
  9. Checking completeness
  10. Looking for unexplained changes

The depth of testing should reflect the risk.

High-risk areas need stronger testing.
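The payroll risks and controls listed above (payments to leavers, reconciliation to HR records, segregation of duties) and the system access checks listed under IT and cyber audits can be tested the same way: join the system extract to the HR master and report the exceptions. The following Python script is an added example, not code from the article or from any audit provider. Every record in it is constructed sample data, and the field names (employee_id, leaving_date, made_by, approved_by, mfa) are assumptions, not any real payroll or identity system's export format.

```python
"""Added example, not part of the original article: audit data-analytics
tests for payroll controls (leaver checks, reconciliation to HR, segregation
of duties) and a user access review built on the same HR reconciliation.
All records are constructed sample data; the field names are assumptions,
not any real system's export format."""
from datetime import date

PERIOD_START = date(2025, 3, 1)   # start of the pay period under test (constructed)
REVIEW_DATE = date(2025, 4, 7)    # date of the access review (constructed)

# Constructed HR master file; leaving_date None means still employed.
HR = [
    {"employee_id": "E001", "leaving_date": None},
    {"employee_id": "E002", "leaving_date": date(2025, 2, 14)},
    {"employee_id": "E003", "leaving_date": None},
    {"employee_id": "E004", "leaving_date": date(2025, 3, 31)},  # left in period: final pay is legitimate
]

# Constructed payroll run for March 2025.
PAYROLL = [
    {"employee_id": "E001", "gross": 3100.00},
    {"employee_id": "E002", "gross": 2900.00},  # left in February, still paid
    {"employee_id": "E003", "gross": 3300.00},
    {"employee_id": "E004", "gross": 3000.00},
    {"employee_id": "E999", "gross": 2500.00},  # no HR record: possible ghost employee
]

# Constructed payroll change log for bank-detail changes.
CHANGES = [
    {"change_id": 1, "employee_id": "E001", "made_by": "jsmith", "approved_by": "pjones"},
    {"change_id": 2, "employee_id": "E003", "made_by": "jsmith", "approved_by": "jsmith"},  # maker = approver
    {"change_id": 3, "employee_id": "E003", "made_by": "kwong", "approved_by": None},       # never approved
]

# Constructed identity-provider export; employee_id None means no named HR owner.
ACCOUNTS = [
    {"username": "aahmed", "employee_id": "E001", "enabled": True, "mfa": True},
    {"username": "bbrown", "employee_id": "E002", "enabled": True, "mfa": False},   # leaver, still enabled
    {"username": "cchen", "employee_id": "E003", "enabled": True, "mfa": False},
    {"username": "ddiaz", "employee_id": "E004", "enabled": False, "mfa": True},    # leaver, correctly disabled
    {"username": "svc-backup", "employee_id": None, "enabled": True, "mfa": False},  # service account, no owner
]


def leavers_before(hr, as_of):
    """Employee IDs whose leaving_date is strictly before as_of."""
    return {r["employee_id"] for r in hr
            if r["leaving_date"] is not None and r["leaving_date"] < as_of}


def reconcile_to_hr(records, hr, as_of):
    """Match a system extract to HR. Returns (records for people who left
    before as_of, records with no HR record at all). The same test serves
    the payroll run and the account export."""
    known = {r["employee_id"] for r in hr}
    gone = leavers_before(hr, as_of)
    leaver_hits = [r for r in records if r["employee_id"] in gone]
    unmatched = [r for r in records if r["employee_id"] not in known]
    return leaver_hits, unmatched


def check_change_log(changes):
    """Segregation of duties: every change needs an approver, and the
    approver must not be the person who made the change."""
    exceptions = []
    for c in changes:
        if c["approved_by"] is None:
            exceptions.append((c["change_id"], "no approval recorded"))
        elif c["approved_by"] == c["made_by"]:
            exceptions.append((c["change_id"], "made and approved by same user"))
    return exceptions


def access_review(accounts, hr, as_of):
    """User access review: enabled accounts for leavers, enabled accounts
    with no HR owner, and enabled accounts without MFA."""
    leaver_accts, unmatched = reconcile_to_hr(accounts, hr, as_of)
    findings = [(a["username"], "enabled account for leaver")
                for a in leaver_accts if a["enabled"]]
    findings += [(a["username"], "enabled account with no HR owner")
                 for a in unmatched if a["enabled"]]
    findings += [(a["username"], "no MFA") for a in accounts
                 if a["enabled"] and not a["mfa"]]
    return sorted(findings)


def run_all():
    """Run every test and return the exceptions an auditor would follow up."""
    paid_leavers, ghosts = reconcile_to_hr(PAYROLL, HR, PERIOD_START)
    return {
        "payments_to_leavers": [r["employee_id"] for r in paid_leavers],
        "no_hr_record": [r["employee_id"] for r in ghosts],
        "change_log": check_change_log(CHANGES),
        "access": access_review(ACCOUNTS, HR, REVIEW_DATE),
    }


if __name__ == "__main__":
    for test, result in run_all().items():
        print(f"{test}: {result}")
```

The cut-off dates are the point of the design: a leaver test against payroll uses the start of the pay period, because someone who left during the period is owed final pay, while the access review uses the review date, because an account should be disabled as soon as the person has gone. Each exception the script returns is a lead for the auditor to follow up with evidence, not a finding in itself; a service account without a named owner, for instance, may be legitimate once an owner is documented.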

7. Discuss findings with management

Findings should be discussed before the final report is issued.

This allows management to:

  1. Confirm facts
  2. Provide additional evidence
  3. Explain context
  4. Challenge errors
  5. Agree practical actions
  6. Confirm deadlines
  7. Identify responsible owners

This stage is important because internal audit should be accurate, fair and useful.

8. Report results

An internal audit report should be clear and action-focused.

It usually includes:

  1. Audit title
  2. Scope
  3. Overall assurance opinion
  4. Summary of findings
  5. Good practice identified
  6. Control weaknesses
  7. Risk implications
  8. Recommendations
  9. Management responses
  10. Action owners
  11. Deadlines
  12. Follow-up arrangements

The report should not be longer than necessary.

Good reporting helps management act.

9. Follow up actions

Internal audit should not stop when the report is issued.

Recommendations need follow-up.

Follow-up should ask:

  1. Has the action been completed?
  2. Was it completed on time?
  3. Is evidence available?
  4. Has the risk reduced?
  5. Is the control now working?
  6. Does further action remain?
  7. Should the issue be escalated?

Unimplemented recommendations are a major weakness in governance.

10. Report to the audit committee or board

Internal audit should report significant findings to the appropriate governance body.

This may include:

  1. Audit committee
  2. Board
  3. Trustees
  4. Senior leadership team
  5. Finance and risk committee
  6. Governance committee

Reports should highlight:

  1. High-risk findings
  2. Repeated weaknesses
  3. Overdue actions
  4. Limited assurance reports
  5. Control themes
  6. Emerging risks
  7. Audit plan progress
  8. Resource issues
  9. Independence concerns
  10. Annual opinion

Internal audit should help the board understand the control environment.

Independence and objectivity

Internal audit must be independent enough to report honestly.

Independence means the internal audit function should have appropriate authority, status and access.

Objectivity means internal auditors should approach their work without bias.

The IIA’s Global Internal Audit Standards include principles around integrity, objectivity, competency, due professional care, confidentiality, board authorisation, independence and oversight.

Practical safeguards include:

  1. Reporting functionally to the audit committee or board
  2. Having an approved internal audit charter
  3. Having unrestricted access to records and staff
  4. Avoiding audit of work the auditor designed or managed
  5. Declaring conflicts of interest
  6. Protecting the right to report significant concerns
  7. Having private meetings with the audit committee
  8. Maintaining professional standards

Internal audit can work constructively with management, but it should not become part of management.

The internal audit charter

An internal audit charter is a formal document that sets out the purpose, authority and responsibility of internal audit.

It should cover:

  1. Purpose of internal audit
  2. Scope of work
  3. Reporting lines
  4. Access rights
  5. Independence
  6. Objectivity
  7. Responsibilities
  8. Relationship with management
  9. Relationship with audit committee
  10. Standards followed
  11. Confidentiality
  12. Quality assurance
  13. Approval and review process

The charter matters because it gives internal audit the authority to do its work.

Without a clear mandate, internal audit may struggle to access information, report difficult findings or maintain independence.

Internal audit ratings and opinions

Many internal audit reports include assurance ratings.

Common ratings include:

  1. Substantial assurance
  2. Reasonable assurance
  3. Limited assurance
  4. No assurance

The exact wording varies by organisation.

The purpose of an assurance opinion is to summarise whether controls are strong enough to manage the relevant risks.

A good audit opinion should be based on:

  1. Scope of work
  2. Evidence gathered
  3. Control design
  4. Control operation
  5. Risk exposure
  6. Severity of findings
  7. Management actions
  8. Professional judgement

Ratings are useful, but they should not replace explanation.

A report should explain why the opinion was given and what needs to happen next.

Why internal audit is not just fault-finding

Internal audit is sometimes seen as a function that looks for mistakes.

That is too narrow.

Good internal audit should identify weaknesses, but it should also:

  1. Confirm what is working well
  2. Provide assurance
  3. Improve control design
  4. Highlight emerging risks
  5. Support better governance
  6. Improve accountability
  7. Strengthen management information
  8. Challenge assumptions
  9. Identify duplicated effort
  10. Encourage learning

The best internal audit functions are constructive and independent.

They do not simply criticise. They help the organisation improve.

How to create an internal audit function or process

1. Define the purpose

Start by deciding why internal audit is needed.

Possible purposes include:

  1. Improve governance
  2. Strengthen financial controls
  3. Provide assurance to the board
  4. Support trustee oversight
  5. Meet regulatory requirements
  6. Improve risk management
  7. Review major projects
  8. Reduce fraud risk
  9. Improve compliance
  10. Provide independent challenge

The purpose should be clear.

2. Agree reporting lines

Internal audit should have direct access to senior leadership and the audit committee, board or trustees.

A common structure is:

  1. Administrative reporting to a senior executive
  2. Functional reporting to the audit committee or board

This helps protect independence.

3. Approve an internal audit charter

The board, trustees or audit committee should approve the internal audit charter.

This gives internal audit formal authority.

The charter should be reviewed regularly.

4. Understand the risk universe

The risk universe is the full range of areas that may be audited.

It may include:

  1. Departments
  2. Processes
  3. Systems
  4. Projects
  5. Compliance obligations
  6. Financial controls
  7. Operational areas
  8. Strategic risks
  9. Major contracts
  10. Third-party suppliers

This helps internal audit decide where assurance may be needed.

5. Prepare the risk-based audit plan

The audit plan should be based on risk and assurance needs.

It should not simply repeat last year’s work.

The plan should consider:

  1. Risk register
  2. Board priorities
  3. Recent incidents
  4. Financial significance
  5. Regulatory importance
  6. Management concerns
  7. Changes in systems
  8. External audit findings
  9. Previous internal audit findings
  10. Emerging risks

The audit committee or board should approve the plan.

6. Decide whether to use in-house, outsourced or co-sourced internal audit

Internal audit can be delivered in different ways.

In-house internal audit

This means employing internal auditors directly.

It may suit larger organisations with ongoing assurance needs.

Outsourced internal audit

This means appointing an external provider to perform internal audit work.

It may suit smaller organisations or those needing specialist skills.

Co-sourced internal audit

This means combining internal staff with external specialists.

It may work well where the organisation has an internal audit function but needs support in areas such as cyber, tax, construction, procurement or data analytics.

The right model depends on size, complexity, risk and budget.

7. Set audit methodology

The methodology should explain how audits are performed.

It should cover:

  1. Planning
  2. Scoping
  3. Risk assessment
  4. Control identification
  5. Testing
  6. Evidence standards
  7. Reporting
  8. Ratings
  9. Management responses
  10. Follow-up
  11. Quality review

A consistent method improves quality and comparability.

8. Perform audits professionally

Each audit should be planned, evidenced and reported properly.

Auditors should be:

  1. Independent
  2. Objective
  3. Evidence-based
  4. Fair
  5. Clear
  6. Constructive
  7. Proportionate
  8. Risk-focused
  9. Professionally sceptical
  10. Practical

The aim is not to catch people out. The aim is to improve assurance and control.

9. Track recommendations

Recommendations should be recorded and followed up.

A recommendation tracker should include:

  1. Audit report
  2. Finding
  3. Recommendation
  4. Risk rating
  5. Management response
  6. Action owner
  7. Due date
  8. Current status
  9. Evidence of completion
  10. Revised due date where needed
  11. Escalation status

Overdue high-risk actions should be reported to the audit committee, board or trustees.

10. Review quality and impact

Internal audit should review its own effectiveness.

This may include:

  1. Feedback from management
  2. Audit committee feedback
  3. Quality assurance reviews
  4. External quality assessments
  5. Delivery against audit plan
  6. Timeliness of reporting
  7. Implementation of recommendations
  8. Contribution to risk management
  9. Skills and resources
  10. Conformance with standards

The IIA’s standards emphasise quality and the need to evaluate and improve internal audit practice.

Common mistakes in internal audit

Mistake 1: Treating internal audit as a compliance checklist

Internal audit should not simply check whether forms have been completed.

It should consider whether controls manage the real risks.

Mistake 2: Auditing low-risk areas because they are easy

Internal audit time is limited.

The audit plan should focus on important risks, not convenient areas.

Mistake 3: Weak independence

If internal audit reports only to the managers it audits, independence may be compromised.

A clear reporting line to the audit committee, board or trustees is important.

Mistake 4: Vague audit scopes

A vague scope leads to vague findings.

Each audit should be clear about what is included and excluded.

Mistake 5: Findings without evidence

Audit findings must be supported by evidence.

Opinion without evidence weakens credibility.

Mistake 6: Overly long reports

Long reports can obscure important findings.

Reports should be clear, concise and focused on action.

Mistake 7: Recommendations that are impractical

Recommendations should be proportionate and realistic.

A good recommendation should reduce risk without creating unnecessary bureaucracy.

Mistake 8: No management ownership

Management must own the actions.

Internal audit can recommend, but management must implement.

Mistake 9: Poor follow-up

An audit recommendation has little value if nobody checks whether it has been implemented.

Follow-up is essential.

Mistake 10: Ignoring culture

Controls may look good on paper but fail because of culture, pressure, incentives or behaviour.

Internal audit should consider how controls work in practice.

Limitations and weaknesses of internal audit

Internal audit is useful, but it has limits.

It provides reasonable assurance, not certainty

Internal audit cannot check everything.

It uses risk-based sampling, professional judgement and evidence. It can reduce uncertainty, but it cannot eliminate it.

It depends on access and independence

If internal audit cannot access records, staff or systems, its work is weakened.

If it cannot report freely, its value is reduced.

It may miss emerging risks

The audit plan is normally based on known risks.

Fast-moving risks such as cyber threats, AI, regulation, funding changes or economic pressure may require regular plan updates.

It can become too backward-looking

Internal audit often reviews what has already happened.

Good internal audit should also consider emerging risks and future resilience.

It does not own controls

Management owns controls.

Internal audit provides assurance and recommendations.

This distinction matters because internal audit should not become responsible for the processes it audits.

It can be under-resourced

A small internal audit function may struggle to cover all important risks.

The audit plan should be realistic about capacity and skills.

It can create defensiveness

People may feel criticised when weaknesses are identified.

The organisation needs a culture that sees audit findings as opportunities to improve.

It does not replace management responsibility

Internal audit supports governance.

It does not replace leadership, management, supervision, policy ownership or board accountability.

Internal audit compared with other strategic and management tools

Internal audit and risk register

A risk register records risks, controls, owners and actions.

Internal audit tests whether the controls in the risk register are designed properly and operating effectively.

Use the risk register to identify priorities. Use internal audit to provide assurance.

Internal audit and risk matrix

A risk matrix scores risks by likelihood and impact.

Internal audit can focus on higher-rated risks and test whether risk scores reflect the real control environment.

Internal audit and issue log

An issue log records current problems.

Internal audit can review whether recurring issues show control failure.

Audit findings may also become issues if they require immediate action.

Internal audit and assumptions log

An assumptions log records what a plan relies upon.

Internal audit can review whether assumptions in business cases, projects or forecasts are properly evidenced and challenged.

Internal audit and business continuity plan

A business continuity plan sets out how the organisation will continue during disruption.

Internal audit can test whether the plan exists, is current, has owners, has been tested and reflects critical activities.

Internal audit and bow-tie analysis

Bow-tie analysis maps causes, consequences and controls.

Internal audit can use bow-tie analysis to understand which controls are most important and then test whether those controls are effective.

Internal audit and Balanced Scorecard

The Balanced Scorecard tracks strategic performance across financial, customer, process, and learning and growth perspectives.

Internal audit can review the reliability of performance data and whether controls support strategic objectives.

Internal audit and OKRs

OKRs set objectives and measurable key results.

Internal audit can review whether key results are based on reliable data and whether controls support delivery.

Internal audit and external audit

External audit focuses mainly on the financial statements.

Internal audit has a broader remit across governance, risk, control, operations and assurance.

The two functions should communicate where appropriate, but they are not substitutes for each other.

Internal audit and internal control

Internal control is the system of policies, processes and checks.

Internal audit evaluates whether that system is adequate and effective.

Alternatives and complementary frameworks

Risk management framework

Use a risk management framework to identify, assess and manage risks.

Internal audit can provide assurance over whether the framework works.

Assurance map

An assurance map shows where assurance comes from across the organisation.

It may include management review, compliance, external audit, internal audit, regulators and specialist reviews.

Control self-assessment

Control self-assessment allows management to assess its own controls.

It can be useful, but it does not replace independent internal audit.

External audit

External audit provides assurance over financial statements.

It complements internal audit, but does not normally cover the same breadth.

Compliance review

Compliance reviews check whether rules or policies are followed.

Internal audit may include compliance work, but should also consider risk, control and governance.

Internal control review

An internal control review focuses specifically on control design and operation.

It may be part of an internal audit assignment.

Fraud risk assessment

A fraud risk assessment identifies where fraud could occur and what controls are needed.

Internal audit can test those controls.

Data analytics

Data analytics can improve internal audit by reviewing larger populations of transactions rather than small samples.

It is especially useful for payroll, purchasing, expenses, sales, stock and system access.

Quality assurance review

A quality assurance review tests whether internal audit itself conforms to professional standards and delivers value.

A practical internal audit template

A useful internal audit assignment template should include:

  1. Audit title
  2. Audit reference
  3. Audit sponsor
  4. Audit owner
  5. Area reviewed
  6. Scope
  7. Objectives
  8. Key risks
  9. Key controls
  10. Audit approach
  11. Evidence required
  12. Testing performed
  13. Findings
  14. Risk rating
  15. Root cause
  16. Recommendation
  17. Management response
  18. Action owner
  19. Deadline
  20. Assurance opinion
  21. Follow-up date
  22. Final status

Example:

Audit title: Purchase ordering and supplier payment controls

Scope: Review of purchase order approval, supplier setup, invoice approval, payment authorisation and bank reconciliation controls.

Key risks: Unauthorised purchases, duplicate payments, supplier fraud, poor segregation of duties, inaccurate records.

Testing performed: Sample review of supplier setup, purchase orders, invoice approvals and payment runs.

Finding: Supplier bank details can be amended by the same user who prepares payment runs, with no independent review.

Risk: Increased risk of supplier payment fraud or error.

Recommendation: Introduce independent approval of supplier bank detail changes and produce a monthly exception report.

Management response: Agreed.

Action owner: Finance Manager.

Deadline: 30 September 2026.

Assurance opinion: Limited assurance over supplier change controls.
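The monthly exception report recommended in the example above, written as the kind of full-population data analytics routine the Data analytics section describes, as an added illustration that is not part of the original guide. It scans constructed supplier bank-detail change records and payment runs and flags changes with no independent approval, self-approved changes, and changes where the user who amended the bank details also prepared a later payment run to that supplier. The record layout, field names and sample data are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not from any real system); field names are assumed.
BANK_DETAIL_CHANGES = [
    {"change_id": "C1", "supplier": "S100", "changed_by": "alice", "approved_by": "bob",   "changed_on": date(2026, 3, 3)},
    {"change_id": "C2", "supplier": "S200", "changed_by": "carol", "approved_by": None,    "changed_on": date(2026, 3, 10)},
    {"change_id": "C3", "supplier": "S300", "changed_by": "carol", "approved_by": "carol", "changed_on": date(2026, 3, 12)},
    {"change_id": "C4", "supplier": "S400", "changed_by": "dave",  "approved_by": "erin",  "changed_on": date(2026, 2, 20)},
]
PAYMENT_RUNS = [
    {"run_id": "P1", "supplier": "S100", "prepared_by": "alice", "paid_on": date(2026, 3, 5)},
    {"run_id": "P2", "supplier": "S200", "prepared_by": "carol", "paid_on": date(2026, 3, 14)},
    {"run_id": "P3", "supplier": "S300", "prepared_by": "frank", "paid_on": date(2026, 3, 20)},
    {"run_id": "P4", "supplier": "S400", "prepared_by": "dave",  "paid_on": date(2026, 3, 25)},
]

def exception_report(changes, runs, year, month):
    """Test the whole population of bank-detail changes made in a month, not a sample.

    Returns one entry per change that breaches the expected controls:
    - no independent approval recorded, or the change was self-approved;
    - the user who amended the details also prepared a payment run to that
      supplier on or after the change (segregation-of-duties conflict).
    """
    runs_by_supplier = defaultdict(list)
    for run in runs:
        runs_by_supplier[run["supplier"]].append(run)

    exceptions = []
    for change in changes:
        if (change["changed_on"].year, change["changed_on"].month) != (year, month):
            continue
        reasons = []
        approver = change["approved_by"]
        if approver is None:
            reasons.append("no independent approval")
        elif approver == change["changed_by"]:
            reasons.append("self-approved")
        for run in runs_by_supplier[change["supplier"]]:
            if run["paid_on"] >= change["changed_on"] and run["prepared_by"] == change["changed_by"]:
                reasons.append(f"same user amended bank details and prepared payment run {run['run_id']}")
        if reasons:
            exceptions.append({"change_id": change["change_id"], "supplier": change["supplier"],
                               "user": change["changed_by"], "reasons": reasons})
    return exceptions

if __name__ == "__main__":
    for item in exception_report(BANK_DETAIL_CHANGES, PAYMENT_RUNS, 2026, 3):
        print(item["change_id"], item["supplier"], item["user"], "; ".join(item["reasons"]))
```

Each row of the output is a candidate finding for the tracker: the audit title, finding, risk and action owner come from the template, and the evidence is the record set the routine was run over.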

Questions to ask when planning internal audit

Governance questions

  1. Who does internal audit report to?
  2. Is there an approved internal audit charter?
  3. Does internal audit have sufficient independence?
  4. Does the audit committee approve the plan?
  5. Are audit findings reported clearly?
  6. Are high-risk findings escalated?
  7. Are recommendations tracked?
  8. Does the board receive meaningful assurance?
  9. Are audit resources sufficient?
  10. Is internal audit reviewed for quality?

Planning questions

  1. What are the organisation’s objectives?
  2. What are the biggest risks?
  3. What has changed recently?
  4. What concerns management?
  5. What concerns the board or trustees?
  6. What did previous audits find?
  7. What incidents have occurred?
  8. What areas have never been audited?
  9. What systems or projects are new?
  10. Which areas need assurance most?

Audit scope questions

  1. What process is being reviewed?
  2. What risks are being tested?
  3. What controls should exist?
  4. What period is covered?
  5. What locations are included?
  6. What systems are included?
  7. What is excluded?
  8. Who owns the process?
  9. What evidence is available?
  10. What outcome is expected?

Control questions

  1. What could go wrong?
  2. What controls prevent it?
  3. What controls detect it?
  4. What controls correct it?
  5. Who performs the control?
  6. How often is it performed?
  7. Is it documented?
  8. Is there evidence?
  9. Is it reviewed?
  10. Does it actually reduce the risk?

Evidence questions

  1. What evidence supports the finding?
  2. Is the evidence complete?
  3. Is the evidence reliable?
  4. Has the evidence been checked?
  5. Does the sample support the conclusion?
  6. Is the exception isolated or recurring?
  7. Has management provided an explanation?
  8. Is further testing needed?
  9. Is the finding fair?
  10. Would the conclusion withstand challenge?

Reporting questions

  1. Is the finding clear?
  2. Is the risk explained?
  3. Is the root cause identified?
  4. Is the recommendation practical?
  5. Is the risk rating proportionate?
  6. Has management agreed the action?
  7. Is the action owner named?
  8. Is the deadline realistic?
  9. Does the report highlight key themes?
  10. What needs escalation?

Follow-up questions

  1. Has the action been completed?
  2. Is there evidence of completion?
  3. Has the control improved?
  4. Has the risk reduced?
  5. Is the deadline overdue?
  6. Has management requested more time?
  7. Is the delay justified?
  8. Should the issue be escalated?
  9. Does the recommendation need revising?
  10. Has the same weakness appeared elsewhere?

The best way to think about internal audit

Internal audit is not just checking.

It is structured assurance.

A good internal audit process should be:

  1. Independent
  2. Objective
  3. Risk-based
  4. Evidence-based
  5. Practical
  6. Clear
  7. Proportionate
  8. Constructive
  9. Followed up
  10. Linked to governance

A weak internal audit says:

“We checked the process and found some errors.”

A strong internal audit asks:

“Are the controls good enough, are they working, what risk remains, and what must management do next?”

The key question is not simply:

Has internal audit completed the work?

The better question is:

Has internal audit provided useful assurance that helps the organisation manage risk, improve control and strengthen governance?

Conclusion: internal audit turns control testing into practical assurance

Internal audit remains useful because organisations need more than confidence. They need evidence.

A board, trustee group or management team may believe that controls are working, risks are managed, policies are followed and systems are reliable. Internal audit tests whether that belief is justified.

Used badly, internal audit becomes a compliance routine that produces reports but does not change behaviour.

Used properly, it becomes a practical governance tool. It helps organisations understand weaknesses, improve controls, protect assets, strengthen risk management, support better decisions and provide assurance to those charged with oversight.

The real value is not in issuing an audit report.

The real value is in the assurance, challenge and improvement that follow.

A strong internal audit process helps an organisation move from saying, “We think this is under control,” to asking, “What evidence do we have, what risks remain, and what action is needed?”
