Internal audit checklist: What to include before, during, and after an audit

Describe your business process. Moxo builds it.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Most audits don't fail in the fieldwork. They fail in the weeks before it, when nobody can agree on scope, the document requests go out late, and half the evidence lands in someone's inbox instead of a system you can track. By the time testing starts, you're already behind.

The Internal Audit Foundation's 2026 Pulse report found that the share of audit functions reporting budget cuts rose from 11% to 19% in a single year, while 86% of chief audit executives now own at least one area outside audit. Smaller teams, wider scope. That math only works if the process itself is tight.

A good internal audit checklist is how you get that. Not a generic to-do list, but a working map of what happens before, during, and after an audit, so nothing depends on memory or a heroic last-minute scramble. This guide walks through all three phases, then shows you how to turn the checklist into something that actually runs.

Key takeaways  

An internal audit checklist works across three phases. Planning and preparation come before, control testing and evidence collection during, and reporting and follow-up after.

Pre-audit preparation sets the tone. Scope, risk assessment, team assignment, and the document request list shape how smoothly the rest of the audit runs.

Fieldwork lives or dies on documentation. Control testing and audit documentation should be systematic enough that every finding traces back to reliable audit evidence and a clean audit trail.

The post-audit phase is where value shows up. Logging audit findings, agreeing corrective actions, and running follow-up testing turn an audit into measurable improvement, whether you are running a SOX audit checklist or a broader compliance audit checklist.

What is an internal audit checklist?

An internal audit checklist is a structured list of everything an audit needs to cover, organized around the three phases of the engagement: before fieldwork, during it, and after. It sets scope, names owners, defines the evidence you will gather, and fixes the criteria you will test against, so each audit runs the same way instead of being rebuilt from scratch every cycle. An audit preparation checklist, a fieldwork checklist, and a follow-up checklist together make up the full internal audit checklist.

Why your business needs one comes down to consistency and defensibility. Without a checklist, audits rely on whoever ran the last one to remember how it went. Scope drifts, evidence requests slip, and the audit trail gets reconstructed after the fact, which is where findings get challenged. A checklist keeps audit preparation, documentation, and corrective actions consistent from one engagement to the next and gives a stretched team a repeatable structure when scope expands faster than headcount.

A checklist defines what should happen in an audit; whether it actually happens depends on how the audit is run.

For a broader view of where checklists end, and platforms begin, our guide to internal audit software solutions covers the tooling landscape. The rest of this guide walks through the three phases in order.

Pre-audit checklist: planning and preparation

Everything downstream depends on this phase. The goal of audit planning is simple: by the time fieldwork starts, everyone knows what's being tested, who's responsible, and what evidence is needed. Here's the audit preparation checklist worth running before a single control gets tested.

1. Define scope and objectives. Decide what's in and what's out. A vague scope is the single most common reason audits run long, because the team keeps discovering work nobody agreed to.

2. Run a risk assessment. Rank the areas that matter most by likelihood and impact, then weight your testing toward them. With audit teams stretched thin, you cannot test everything equally.

3. Assign the team and define roles. Map who leads, who tests, who reviews, and who signs off. Assign by role, not just by name, so a person being out doesn't stall the whole engagement.

4. Notify stakeholders. Tell process owners the audit is coming, what you'll need, and when. Surprises create friction; a heads-up gets you cooperation.

5. Build the document request list. List every policy, report, and record you'll need up front, with an owner and a due date for each. This one list saves more time than anything else on the page.

6. Set the timeline. Agree on fieldwork dates, review checkpoints, and the reporting deadline so the whole audit has a shared clock.

If you only fix one thing about your audit preparation, make it the document request list. Late evidence is what pushes fieldwork into overtime, and it almost always traces back to a request that went out without a clear owner or deadline. For the upstream view of how these steps connect, our guide to the internal audit process maps the full sequence end to end.

One more habit worth building into audit planning: write down the criteria you'll test against before you start, not as you go. When the standard is fixed up front, two auditors testing the same control reach the same conclusion, and a process owner can't argue that the goalposts moved. That small discipline is what keeps a compliance audit checklist defensible when someone pushes back on a finding later.

During-audit checklist: fieldwork and evidence collection

This is where the plan meets reality. The work now is to test controls, capture audit evidence, and document everything in a way that holds up under review. Sloppy audit documentation is what gets findings challenged later, so the checklist leans heavily on consistency.

7. Test controls against the plan. Run your control testing exactly as scoped. If you deviate, note why, because an unexplained change in approach is itself a finding waiting to happen.

8. Collect and label audit evidence. The IIA recognizes four categories of evidence: documentary, system and data, observational, and testimonial. Capture which type each piece is, where it came from, and when, so it remains sufficient and reliable.

9. Document interviews and walkthroughs. Write up what you observed while it's fresh. Memory is not audit evidence.

10. Track exceptions in real time. Log every exception as you find it instead of saving them for the end. A running list keeps you from losing the small ones.

11. Maintain the audit trail. Every test, every document, and every sign-off should leave a record of who did what and when. A clean audit trail is the difference between a finding you can defend and one you can't.

The unglamorous truth is that fieldwork quality is mostly about discipline in capture. When evidence is scattered across email, drives, and spreadsheets, reviewers waste hours just reconstructing what happened. Pulling that collection into a single tracked flow is the whole idea behind an audit evidence collection workflow, and it's where most of the time savings in an audit actually live.

It also pays to separate what you observe from what you conclude. Audit documentation should record the fact first, the test that produced it, and only then your judgment about whether the control was held. Reviewers can disagree with a conclusion, but they can't argue with a clean record of what was tested and when. That separation is also what makes the audit trail useful months later, when nobody remembers the detail and the evidence has to speak for itself.

Post-audit checklist: reporting and follow-up

The value in the audit shows up in what happens next: clear audit findings, agreed-upon corrective actions, and proof that the fixes actually held. Skip this phase, and you'll audit the same gaps again next year.

12. Document findings clearly. Each finding needs the condition, the cause, the impact, and a recommendation. A finding nobody can act on is just an observation.

13. Get management response. Every finding should have an owner who agrees to the corrective actions and a date by which they'll be done. Without an owner, nothing moves.

14. Track remediation. Follow open items to closure. This is where most audit programs leak value, because the report gets filed and the fixes quietly stall.

15. Run follow-up testing. Confirm the corrective actions worked. An agreed fix is a promise; follow-up testing is the proof.

16. Set up continuous monitoring. For high-risk controls, move from once-a-year checks to ongoing monitoring so issues surface as they happen, not at the next audit.

Remediation tracking is the step most teams underinvest in, and it's the one that compounds. A finding with an owner, a due date, and a follow-up test is a closed loop; everything else is a list that grows. If your team is rethinking how this whole cycle runs, our overview of how to automate internal audit processes covers the handoffs in more detail.

Two metrics tell you whether the post-audit phase is working: how long findings stay open, and how many repeat from one cycle to the next. If corrective actions close quickly and the same audit findings don't resurface next year, the loop is healthy. If open items pile up or the same gaps keep returning, the problem usually isn't the auditing; it's that remediation has no owner and no clock attached to it.

How to make your audit checklist operational

A checklist on paper still leaves the hard part to you: chasing the document requests, reminding owners, collecting evidence, routing approvals, and tracking remediation by hand. That coordination work is exactly what eats a stretched audit team's hours.

The fix is to stop treating the audit checklist template as a reference and start treating it as a workflow. Each item becomes a step with an owner, a due date, and an automatic reminder. Evidence gets uploaded to the step it belongs to instead of an inbox. Approvals are routed to the right reviewer. And every action is logged, so the audit trail builds itself as you go.

That shift matters most under the conditions the IIA described: smaller teams covering a wider scope. When the process carries the coordination, your auditors spend their time on judgment, the part of control testing and analysis that actually needs a human, instead of on logistics.

Audit checklist as a document Audit checklist as a workflow
You chase owners for evidence Owners get assigned steps and reminders
Evidence lives in email and drives Evidence attaches to the step it supports
You build the audit trail manually The audit trail is captured automatically
Remediation tracked in a side spreadsheet Corrective actions tracked to closure in the flow

How Moxo orchestrates audit workflows from planning to remediation

Moxo is a process orchestration platform built for work that needs both automation and human accountability, which describes an audit precisely. You build the three-phase checklist once as a template, and each run becomes a live flow you track from scoping through to closed remediation.

Planning. Pre-audit steps get assigned to named roles rather than individuals, so coverage holds even when someone is out. The document request list becomes a set of file-request steps, each with an owner, a due date, and automatic reminders, so evidence arrives on time without you chasing it.

Fieldwork. Evidence uploads are attached to the specific step they support. An AI Intake Validator can pre-fill routine fields from earlier steps with a confidence score, and an AI Compliance Screener can check submissions against your criteria; on low confidence, it defaults to 'revision needed' and routes to a human so nothing gets waved through silently. If a submission fails review, a Jump step loops it back for rework without breaking the flow. This is the same execution layer behind auditable process mapping, where controls and evidence are captured as work happens.

Reporting and follow-up. Findings and corrective actions live as tracked steps with owners and due dates, so remediation is followed to closure instead of being filed and forgotten. Data tables can hold registers like controls or vendors and trigger a follow-up flow automatically when a record changes. Because every action is captured, you get compliance-grade audit logging across dozens of action types, exportable the moment an external auditor asks.

None of this removes the auditor from the audit. Humans stay accountable for the judgment that matters while the coordination runs itself. To see how the pieces fit, you can build a flow in minutes or explore how human and AI steps combine on Moxo's product page.

See what running your audit in Moxo looks like [ Get started for free ]

An audit checklist becomes powerful when it runs as a workflow

An internal audit checklist gives every engagement the same backbone: plan and prepare before, test and document during, report and follow up after. Get the pre-audit phase right, and the rest gets easier; treat audit evidence and the audit trail as things you capture as you go, not reconstruct at the end; and judge the audit by whether corrective actions actually closed. The structure holds whether you're running a SOX audit checklist or a broader compliance audit checklist.

The limit of any checklist is that it still leaves the coordination to you. Moxo closes that gap by turning the checklist into a workflow, where steps carry owners and reminders; evidence attaches where it belongs; and the audit trail builds itself, so a smaller team can cover a wider scope without the year-end scramble.

If you want to see your own audit process running as a structured flow, the fastest way is to build one and watch it work.

Your audit process, built and running in Moxo. Get started for free.

FAQs

What is an internal audit checklist?

An internal audit checklist is a structured list of the tasks an audit covers across three phases: planning and preparation before the audit, fieldwork and evidence collection during it, and reporting and follow-up after. It keeps scope, audit documentation, and corrective actions consistent from one engagement to the next.

What should an internal audit include?

At a minimum, scope and objectives, a risk assessment, a document request list, control testing, audit evidence with a clear audit trail, documented findings, agreed corrective actions, and follow-up testing to confirm the fixes worked. The specific controls change by audit type, but that backbone stays the same.

How do you prepare for an internal audit?

Define the scope, run a risk assessment, assign the team by role, notify stakeholders, and build a document request list with an owner and due date for each item. Strong audit preparation, especially that request list, is the single biggest factor in whether fieldwork stays on schedule.

What are the phases of an internal audit?

There are 3 phases of an internal audit:

  1. Before – includes audit planning, scoping, risk assessment, and team assignment
  2. During –  includes fieldwork, control testing, evidence collection, and audit documentation
  3. After – includes findings, management response, remediation, follow-up testing

A good internal audit checklist is organized around these phases.

Is a SOX audit checklist different from a compliance audit checklist?

The structure is the same; the content differs. A SOX audit checklist focuses on internal controls over financial reporting, while a broader compliance audit checklist covers whichever regulations or standards apply to you. Both run through the same plan, test, and follow-up phases, and both benefit from a complete audit trail.

Describe your business process. Moxo builds it.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.