The first internal audit I ever watched up close went sideways for a reason that had nothing to do with accounting.
The auditor was sharp. The process owner was cooperative. But two weeks in, nobody could agree on what the audit was actually supposed to cover. The auditor thought it was a controls review. The CFO thought it was a fraud sweep. The process owner figured it was a friendly chat about improving things. So the engagement drifted, the workpapers came out thin, and the final report landed with a thud because half the people in the room felt blindsided.
That audit didn’t fail because of bad testing. It failed because nobody pinned down scope, documented as they went, or followed a repeatable sequence. Every one of those is a checklist problem.
I’m Yuval, CEO of Glitter AI. I spend a lot of time with finance and assurance teams who want internal audit to be predictable instead of improvised. So here’s the full internal audit checklist, organized by phase, with a free downloadable version you can assign owners to and reuse every engagement. Jump to the downloads section if you just want the template.
Teach your co-workers or customers how to get stuff done – in seconds.
What an Internal Audit Checklist Actually Does
An internal audit checklist is the structured list of steps an internal auditor works through to plan, test, document, and report on a process or control environment. An external audit preparation checklist is about gathering evidence for outside auditors. An internal audit checklist is different. It drives the engagement itself, from defining scope all the way to closing out remediation.
The point isn’t to make the work robotic. It’s to keep the parts that quietly sink engagements from getting skipped: agreeing on scope before testing, mapping risks to controls, documenting evidence so a reviewer can follow it, tracking findings to closure. The underlying risk is significant: according to the ACFE’s 2024 Report to the Nations, organizations lose 5% of annual revenue to fraud on average, and frauds go undetected for a median of 12 months - gaps that disciplined internal audit processes exist specifically to close. A good checklist turns “we’ll figure it out as we go” into a process that produces the same quality whether your strongest auditor runs it or your newest one does.
Here’s the principle I’d tape to the wall: an internal audit is only as strong as its weakest workpaper. A test isn’t done when you’ve looked at the sample. It’s done when someone who wasn’t there can open your audit trail, follow it from objective to evidence to conclusion, and land on the same answer without asking you a single question.
The Full Internal Audit Checklist by Phase
I’ve grouped this the way an engagement actually unfolds: six phases, in order. Each one has a clear exit before you move to the next. Skipping ahead is exactly how audits drift.
1. Engagement Planning and Scope
This is the phase teams rush, and it’s the one that determines whether everything after it holds together.
- Confirm the audit is on the approved annual audit plan, not a side request
- Write the audit objective in one sentence everyone can agree on
- Define the in-scope processes, locations, systems, and audit period
- Write down what is explicitly out of scope and why
- Issue the engagement notification and request preliminary documents
- Confirm the team, budget, and timeline
- Hold a kickoff with process owners so there are no surprises later
If you can’t state the objective and scope in plain language that the process owner agrees with, you are not ready to test anything.
2. Risk Assessment
Scope follows risk. The internal audit scope should concentrate effort where a control failure would genuinely hurt the business, not where the evidence happens to be easy to pull.
- Document the process objectives and the key risks to them
- Build a risk-and-control matrix mapping each risk to its controls
- Rate each risk by likelihood and impact
- Mark which controls are key versus secondary
- Confirm your planned coverage actually matches the rated risks
- Review prior findings and any open remediation items
This is also where a process audit mindset helps: you’re not just checking documents, you’re testing whether the process reliably produces the outcome it’s supposed to.
3. Process Understanding and Walkthroughs
Before you test a control, you have to actually understand the process it lives in.
- Obtain or create a process narrative or flowchart
- Walk one full transaction end to end with the process owner
- Confirm the narrative matches what really happens, not the official version
- Identify control owners and the evidence each control produces
- Note every gap between the documented process and actual practice
Half the value of internal audit is just discovering that the written process and the real process drifted apart a year ago and nobody updated the docs. That’s why keeping process documentation current matters so much. When the narrative is up to date, walkthroughs take an afternoon instead of a week.
4. Controls Design and Testing
Now you assess whether the controls are designed well, then test whether they actually operated.
Design assessment:
- Assess whether each key control, if operating, would address its risk
- Identify missing controls or coverage gaps
- Evaluate segregation of duties and system access against documented roles
- Document design conclusions before testing operating effectiveness
Operating effectiveness (controls testing):
- Define the test approach per control - inquiry, observation, inspection, or reperformance
- Determine sample size and selection method for the population
- Pull the population and document how you confirmed completeness
- Select the sample and record your selection rationale
- Test each item; record results and any exceptions
- Investigate exceptions and confirm root cause with the owner
- Conclude on operating effectiveness for each control
The most common mistake here is testing existence instead of operation. A reconciliation that exists tells you nothing. A reconciliation that was prepared, reviewed, and signed off on time, every period in your sample? That’s a control that operated. If you want the deeper version of this, my guide to internal controls in accounting goes through preventive versus detective controls in detail.
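The operating-effectiveness steps above, sketched as an added example (not code from the original article or from Glitter AI): it ties the population to an independent list of periods, draws a sample a reviewer can re-run from a recorded seed, and tests operation rather than existence. The records, user names, attribute labels, the reviewer-differs-from-preparer rule, and the zero-exception conclusion are all assumptions made for illustration.

```python
import hashlib
import json
import random
from datetime import date

# Constructed population: one monthly reconciliation per period (not real data).
# Fields: period, preparer, reviewer, signed_off, due
POPULATION = [
    ("2024-01", "akim", "bross", "2024-02-08", "2024-02-10"),
    ("2024-02", "akim", "bross", "2024-03-09", "2024-03-10"),
    ("2024-03", "akim", "akim",  "2024-04-05", "2024-04-10"),  # self-review
    ("2024-04", "akim", "bross", "2024-05-14", "2024-05-10"),  # signed off late
    ("2024-05", "akim", "",      "",           "2024-06-10"),  # exists, never reviewed
    ("2024-06", "akim", "bross", "2024-07-10", "2024-07-10"),
]

def confirm_completeness(population, expected_periods):
    """Tie the population to an independent period list; return a fingerprint for the workpaper."""
    got = sorted(row[0] for row in population)
    if got != sorted(expected_periods):
        raise ValueError(f"population incomplete or duplicated: {got}")
    digest = hashlib.sha256(json.dumps(sorted(population)).encode()).hexdigest()
    return {"count": len(population), "sha256": digest}

def select_sample(population, size, seed):
    """Random selection that a reviewer can reproduce from the recorded seed."""
    return sorted(random.Random(seed).sample(population, size))

def evaluate_item(row):
    """Apply the attributes defined in advance; return the ones that failed."""
    period, preparer, reviewer, signed_off, due = row
    failed = []
    if not preparer:
        failed.append("A1 prepared")
    if not reviewer or reviewer == preparer:
        failed.append("A2 reviewed by someone other than the preparer")
    if not signed_off or date.fromisoformat(signed_off) > date.fromisoformat(due):
        failed.append("A3 signed off by due date")
    return failed

def conclude(sample):
    """Exceptions per period plus the conclusion (assumed rule: any exception fails the control)."""
    exceptions = {row[0]: f for row in sample if (f := evaluate_item(row))}
    return {"tested": len(sample), "exceptions": exceptions, "operated": not exceptions}

if __name__ == "__main__":
    periods = [f"2024-{m:02d}" for m in range(1, 7)]
    print(confirm_completeness(POPULATION, periods))
    print(conclude(select_sample(POPULATION, size=4, seed=20240701)))
```

Recording the seed, the population count, and the hash in the workpaper is what lets a reviewer who wasn't there reproduce the same sample from the same population.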
5. Workpaper Documentation
This is the phase that separates a defensible audit from an opinion. Every workpaper should answer three questions: what was I trying to prove, what evidence did I look at, and what did I conclude.
- Each workpaper states its purpose, source, and conclusion
- Test attributes and pass/fail criteria are defined in advance, not reverse-engineered
- Evidence is referenced and retrievable, not merely described
- Tickmarks and notations are explained in a legend
- Cross-references between workpapers tie out
- Preparer and reviewer sign-off is captured with dates
Treat your workpapers the way you’d treat any reusable audit SOP: written so the next person can repeat the work and land in the same place. If a reviewer has to come ask you what a workpaper means, it isn’t finished.
6. Findings, Reporting, and Follow-Up
The audit isn’t over when testing ends. It’s over when remediation is verified.
- Document each finding with condition, criteria, cause, and effect
- Rate findings by severity and business impact
- Validate the facts with the process owner before the report goes out
- Agree practical, owned remediation actions with target dates
- Draft the report with an overall opinion, scope, and limitations
- Review with engagement leadership and distribute to agreed stakeholders
- Log every action, track it to closure, and verify the fix actually worked
- Archive the engagement file per your retention policy
Nothing damages internal audit’s credibility faster than findings that never get fixed. The ACFE finds that a lack of internal controls is the most common contributor to occupational fraud, cited in 32% of cases - which means most fraud that internal audit is supposed to prevent is happening not because the control doesn’t exist, but because it was never properly tested, documented, or followed. The follow-up step isn’t optional bookkeeping. It’s the part that makes the whole function worth funding.
How to Make This Checklist Stick
A checklist only helps if the team actually follows the same one every time. In practice that breaks down for a boring reason: the checklist lives in one person’s head, or one person’s old workpaper folder, and the next engagement quietly does it differently.
The fix is to treat your audit methodology as documentation, not folklore. When the planning steps, the testing approach, and the workpaper standards are written down somewhere the whole team can follow, and kept current, every engagement inherits the same rigor. That’s the gap Glitter AI was built to close. You walk through your audit process once, narrating as you go, and it becomes a step-by-step guide anyone on the team can follow, instead of tribal knowledge that walks out the door the day your senior auditor does.
Downloads
Download this free template to run your next engagement end to end:
Download the Internal Audit Checklist
A free Word template covering all six audit phases - planning and scope, risk assessment, controls testing, workpaper documentation, reporting, and follow-up - with Owner, Status, and Workpaper Ref columns and sign-off fields. Assign items, track progress, and reuse it for every engagement.
Frequently Asked Questions
What is an internal audit checklist?
An internal audit checklist is a structured list of steps an internal auditor follows to plan, test, document, and report on a process or control environment. It covers scope definition, risk assessment, controls testing, workpaper documentation, reporting, and follow-up so every engagement is run consistently.
What is the difference between an internal audit and an external audit checklist?
An internal audit checklist drives the engagement itself: defining scope, testing controls, and tracking remediation inside the organization. An external audit preparation checklist is about gathering evidence so outside auditors can give an opinion on the financial statements. Internal audit is continuous and risk-driven; external audit is periodic and assurance-focused.
How do you define the scope of an internal audit?
Start from the approved audit plan and a one-sentence objective everyone agrees on, then define the in-scope processes, locations, systems, and audit period. Just as important, write down what is explicitly out of scope and why. Scope should follow risk, concentrating effort where a control failure would most hurt the business.
What does controls testing involve in an internal audit?
Controls testing assesses whether a control is both well designed and actually operating. Auditors define a test approach (inquiry, observation, inspection, or reperformance), pull the population, select a sample, test each item, investigate exceptions, and conclude on operating effectiveness. The goal is to prove the control operated, not just that it exists on paper.
What should internal audit workpapers include?
Every workpaper should state its purpose, source, and conclusion, with test attributes and pass/fail criteria defined in advance. Evidence should be referenced and retrievable, tickmarks explained in a legend, cross-references tied out, and preparer and reviewer sign-off captured with dates. A reviewer who was not present should be able to follow it without asking questions.
How big should an internal audit sample be?
Sample size depends on the control's frequency, the population size, and the risk rating. Higher-risk, higher-frequency controls warrant larger samples. The key is to define sample size and selection method before testing, document how you confirmed population completeness, and record the rationale for the items selected.
What are the phases of an internal audit?
A typical internal audit moves through six phases: engagement planning and scope, risk assessment, process understanding and walkthroughs, controls design and testing, workpaper documentation, and findings, reporting, and follow-up. Each phase has a clear exit before moving to the next, which keeps engagements from drifting.
How do you document an internal audit finding?
Document each finding using condition, criteria, cause, and effect: what you observed, what it should have been, why the gap occurred, and the business impact. Rate it by severity, validate the facts with the process owner before reporting, and agree on practical remediation actions with named owners and target dates.
Why is follow-up part of the internal audit process?
An audit isn't complete when testing ends. It's complete when agreed remediation is verified. Logging every action, tracking it to closure, and confirming the fix actually worked is what makes internal audit credible. Findings that are reported but never fixed quickly erode trust in the function.
How can a team keep its internal audit process consistent?
Treat the audit methodology as living documentation rather than tribal knowledge. When planning steps, testing approaches, and workpaper standards are written down, kept current, and easy to follow, every engagement inherits the same rigor regardless of who runs it. Tools like Glitter AI let you turn a walkthrough of your audit process into a step-by-step guide the whole team can reuse.








