Internal Audit Basics: What, Why, and How to Do Them (5 Audit Checklists)

Can you prove your team’s performance?

How do you know for certain that nothing is being missed?

The answer is simple; you perform an internal audit.

We here at Process Street know how difficult it can be to keep track of your internal workings. Short of documenting and tracking everything (which can be a hassle) it’s easy to lose track of the risks posed to your organization.

That’s ignoring how hard it can be to track whether your teams are performing their duties correctly.

That’s why this post will dive into everything you need to know about internal audits. These are practices that let you get an objective assessment of various elements of your company, such as this ISO 9001 process.

Let’s dive in.

What is an internal audit?

An internal audit is an independent assessment of how effective an organization’s risk management, processes, and general governance are.

They’re a team’s way to perform their own quality measurement and management. The evidence gathered and the conclusion reached should be unquestionable and free of outside influence.

To this end, it’s vital that the person or team in charge of carrying out the internal audit is both independent and objective. In other words, the auditing party should be free of any kind of influence from the team or department being assessed.

The goal is to get accurate information about the team’s performance, governance, and risks. Thus if the auditor’s independence or objectivity comes into question at any point, it needs to be reported to management.

To clear up a quick distinction that catches many off guard:

  • External audits – performed by external auditors, usually from an outside firm or agency
  • Internal audits – performed (typically) by members of the company

Just because the internal auditors need to be “independent” doesn’t mean that you’ll be hiring an auditing firm to take on the job. As long as they can be considered free of influence from the team they’re assessing, using in-house auditors is perfectly valid for internal audits.

If internal auditors are used, they will usually report directly to the board of directors or senior management to avoid the risk of being influenced by other teams or managers.

Unfortunately, that only covers the broad topic of what internal audits are. The truth is that, while all internal audits keep to these rough guidelines, the specifics vary greatly depending on the type of audit being performed.

Speaking of which…

Types of audits

[Image: what is an internal audit. Source: The Official CTBTO Photostream, used under license CC BY 2.0]

Broadly speaking, there are five types of internal audit:

  • Compliance audits
  • Management (performance) audits
  • IT audits
  • Operational audits
  • Environmental audits

All of these are examples of internal audits in that they can be performed in-house as long as the person or team carrying it out is trained in the field.

However, each of these assesses a different element of the company and focuses on a particular area. This makes it easier to handle the auditing procedure, as the scope is evident from the very beginning and not everything has to be considered at once.

Internal audit #1: Compliance audits

Compliance audits are focused on the company’s compliance with applicable laws, guidelines, regulations, policies, and procedures. While assessing this won’t necessarily improve the company’s financial or material performance, it’s necessary to avoid running afoul of devastating breaches of the law.

Sure, you might have to use your internal auditor’s time on assessing whether you meet GDPR compliance regulations. This could be (financially at least) better spent having them perform a risk assessment.

That very attitude towards GDPR checks led to Marriott International being fined £99,200,396 (around $115 million).

For obvious reasons, I can’t list every law and regulation that could be relevant to you. I don’t have the legal know-how!

However, that’s what internal auditors and legal advisors are for.

Internal audit #2: Management (performance) audits

Management audits (sometimes known as “performance audits”) are much more inwardly-focused than compliance audits. These focus on assessing whether a team or the company as a whole is hitting its targets in relation to the goals set by both management and senior figures.

For example, a team may have met the target set by their manager, but that doesn’t mean that they’ve been able to meet the objectives of the main shareholders or founders.

Think of this as a high-level dual assessment of the performance of teams and the ability of team managers to meet demands.

Internal audit #3: IT audits

[Image: IT audit. Source: Torkild Retvedt, used under license CC BY-SA 2.0]

As you might have gathered, IT audits focus on the infrastructure, technology, and systems you have in place.

If it’s related to IT, the IT audit will assess it.

Data security measures, digital processes, the tools you use, and so on: it’s all evaluated in terms of performance, security, related risks, and efficiency via your internal IT audit.

Internal audit #4: Operational audits

Operational audits have the widest focus of any of the internal audit types, as they are concerned with assessing the efficiency and effectiveness of the internal controls of your business.

In other words, they look at the policies and procedures of your entire organization.

The auditor will typically focus on high-risk areas to tackle that which presents the biggest threat to the company should things go wrong.

Internal audit #5: Environmental audits

Environmental audits are probably the most niche of the internal audit types, as they focus solely on the environmental impact of the company.

The main method of measuring a “reasonable” environmental impact is to compare it to the environmental regulations in place which your company has to meet.

Benefits of internal audits

Have you ever wondered how your team is performing? Do you have any concerns about your managers’ abilities to meet shareholder expectations? Are there laws and regulations which could be crippling to your business if not rigorously met and adhered to?

All of these problems and more are solved by using internal audits to assess your business.

IT audits ensure that your sensitive data is kept under lock and key, operational audits help to check that everything is as efficient as possible and that processes are being followed, and compliance audits make sure that you won’t run afoul of outside regulations.

Not to mention the incidental benefits of performing regular checks on your team, such as:

  • Increased productivity
  • More chances to collaborate
  • Regular tests of your infrastructure and documentation
  • Greater unity across departments and positions
  • Definitive proof of performance and compliance
  • Stakeholder/founder satisfaction through transparency

Productivity will naturally increase both as a result of operational audits and your team knowing that you care about their performance in general. Audits demonstrate that you’re keeping an eye on things and won’t hesitate to address problems where they appear.

Having said that, bear in mind that morale can decrease (later affecting productivity and motivation) if teams think that you don’t trust them. Thus you need to make it clear that the idea of these audits is to work with them, to help them improve their work, and to make issues easier for them to deal with.

Collaboration is a natural result of any teams having to work together. This could be as simple as your marketing team working with the auditors to show their performance in meeting targets or something more complex involving multiple teams working towards a common goal.

Your company infrastructure and documentation will be directly assessed through IT and operational audits, while also playing a role in the conclusions drawn in all other audits. For example, a management audit doesn’t just test managers – it inherently tests how well their deployed processes are working.

However, perhaps the most tangible benefit of internal audits is the ability to show results with evidence to back them up.

Whether you’re addressing senior management, your founder, the board of directors or key stakeholders, internal audits allow you to show them precisely what’s going on in your company.

Not only that, but the fact that you’re carrying out internal audits in the first place demonstrates that you’re staying on top of things and monitoring the situation in case action is needed. It inspires confidence because, even if nothing needs to be done, at least you can show them that you know that nothing needs to be done.

Internal auditing examples

As I’ve stated above, the precise auditing process you need to follow will vary depending on the type of internal audit you’re carrying out. The general setup of your organization will also affect how the audit works, so no two audits are truly identical.

However, to get you started, here are a few examples of internal audit processes from the team here at Process Street:

As you might have noticed, many of these auditing processes are based on ISO guidelines. In other words, you don’t have to rely on our word for whether these processes are effective or not – the information is based on the recommendations of the International Organization for Standardization (ISO).

All of the checklists above are free and ready-to-use but can also be edited to your needs to adapt them for your organization.

ISO 19011 Management Systems Audit Checklist

The ISO 19011 checklist is your go-to resource for auditing management systems, including the auditing process itself. This makes it a great starting resource for anyone who hasn’t documented their auditing processes (or processes in general) before!

ISO 14001 Environmental Management Self Audit Checklist

The ISO 14001 checklist is an internal audit process focused on assessing (or deploying) your environmental management system. This uses the ISO 14001:2015 requirements as a baseline to measure against.

ISO 9004:2018 Self-Audit Checklist

Our ISO 9004 checklist is a general quality management check which is fantastic to start with if you’ve never performed an internal audit before. It’s a little higher-level in its focus than the other internal auditing processes, which makes it great for kicking things off.

ISO 9001 Internal Audit Checklist for Quality Management Systems

On the other hand, the ISO 9001 checklist we have is highly detailed and laser-focused on quality management procedures (namely the processes and policies in place). This is the scalpel with specific instructions to our ISO 9004 checklist’s general introduction to the practice.

GDPR Checklist for Businesses

Finally, we have a GDPR checklist designed to help you check that your business meets the data protection standards that are now mandatory. While this checklist will not make you GDPR certified, it’s a good starting point for an investigation.

Use Process Street to run your internal audits

With all of this talk of internal audits and documenting processes, it’s easy to get lost in where you should start.

Don’t worry, we’ve got you.

Process Street is a powerful piece of business process management software that lets you document your standard operating procedures (SOPs) as versatile process templates.

These templates are made up of a task list that your team can follow to get their duties done efficiently and accurately. Each task can then be populated with rich text, images, videos, sample files and emails, subtasks, and much more!

It’s everything your team needs to complete their tasks in a single location.

Checklists can then be run from your templates to track the progress of an individual instance of the process. These let the person going through the process record their progress, tick off tasks as they’re completed, fill in information related to their instance in form fields, and so on.

Combine all of that with our powerful features such as conditional logic to create branching checklists, approval steps to halt a checklist until approval is given, assigning employees to tasks based on their person or role in the company, and automations to get rid of your busy work, and you have the best piece of process documentation software on the market.

The checklists given above as examples of internal audits are all instances of our premade template library too. These let you import ready-made processes to your account to avoid the hassle of documenting them yourself!

So stop worrying about compliance and audits – sign up for a free trial of Process Street today.

How does your team monitor their internal auditing process? Let us know in the comments below!

Ben Mulholland

Ben Mulholland is an Editor at Process Street, and winds down with a casual article or two on Mulholland Writing.

