Internal audit checklist: what to prepare before your next review

Describe your business process. Moxo builds it.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

An internal audit checklist is a structured document that defines the scope, controls, evidence requirements, and review steps an organization must complete before an audit engagement.

It ensures every control is tested, every piece of evidence is collected, and every finding is documented and resolved before external auditors arrive.

Jefferson Wells' 2024 Internal Audit Report found that over 66% of internal audit teams feel they lack the capabilities to fully support their company's needs.

The gap is rarely knowledge of what to audit. It is the coordination required to execute the checklist across departments, systems, and timelines when every control has a different owner and a different evidence requirement.

This article covers the checklist and the five sequential phases of audit preparation, scoping, risk assessment, evidence collection, testing, and remediation, and shows why turning the checklist into a structured workflow is the key to the coordination challenge.

Key takeaways

The five phases of internal audit preparation are scoping, risk assessment, evidence collection, testing and review, and remediation. Each phase depends on the one before it. Compressing any phase creates downstream problems.

The hardest part is not the checklist itself but the coordination. Collecting evidence from control owners across 10+ departments, tracking what is outstanding, and assembling the complete package before the deadline is where 66% of audit teams say they fall short.

Turning the checklist into a workflow with clear ownership and deadlines eliminates the last-minute scramble that derails most audits.

The five phases of internal audit preparation

Internal audit preparation follows five sequential phases, and compressing any of them creates problems in every phase that follows.

Phase 1: scoping and planning, defines what you are auditing, which frameworks apply, and who owns each part of the engagement. A vague scope here distorts every phase after it.

Phase 2: risk assessment and control mapping, prioritizes where to focus and connects each risk to the control meant to mitigate it, so testing effort lands on what matters most rather than spreading evenly across low-risk areas.

Phase 3: evidence collection, gathers documentation from control owners across departments to prove each control operated during the audit period. It is the most time-consuming phase and the one most likely to slip the timeline.

Phase 4: testing and review, evaluates whether controls are designed and operating effectively, then classifies findings by severity so remediation can be prioritized.

Phase 5: reporting and remediation, documents findings, assigns corrective actions to owners with deadlines, and tracks them to completion before fieldwork begins.

The phases are sequential, but evidence collection and testing usually overlap, as early evidence lets testing begin while the rest is still arriving. What ties all five together is coordination: each phase hands off to the next across a different team, and the audit stalls wherever a handoff has no clear owner.

Scoping and planning: Define what you are auditing

Scoping defines the departments, processes, controls, and time period the audit covers. Planning determines the team, timeline, methodology, and resources.

Checklist items:

  • Define audit objectives and applicable frameworks (SOC 2, SOX, ISO 27001, HIPAA)
  • Identify in-scope processes and departments
  • Assign audit team roles
  • Set the preparation timeline
  • Schedule stakeholder kick-off meetings.

The most common scoping failure is vagueness. When scope is defined as "IT controls" instead of "access management controls for production systems during Q1-Q3 2026," every subsequent phase inherits that ambiguity. Control owners do not know what evidence to produce.

Testers do not know what to test, and the audit expands unpredictably. Scoping is best run as a structured workflow with assigned owners and sign-off gates, so scope is locked before evidence collection begins.

Risk assessment and control mapping: Prioritize what matters

Risk assessment identifies the highest-risk areas within your scope. Control mapping connects each risk to the controls designed to mitigate it.

Checklist items:

  • Rank risks by likelihood and impact
  • Map each risk to its corresponding controls
  • Document control owners
  • Classify controls (preventive vs detective, manual vs automated)
  • Determine testing methods for each.

The failure pattern is a risk assessment built in spreadsheets that is disconnected from the testing plan. The risk register says "access management" is high-risk. The testing plan tests access reviews. But nobody mapped which specific control addresses which specific risk, so gaps stay invisible until the auditor finds them, which is where a rigorous controls testing methodology matters.

Evidence collection: The phase where most audits fall behind

Evidence collection is gathering documentation from control owners across departments to demonstrate controls are designed and operating effectively. It is consistently the most time-consuming phase and the one most likely to derail the timeline.

Checklist items:

  • Identify the specific evidence required for each control
  • Assign requests to named control owners (not teams) with clear instructions and deadlines
  • Track submission status in real time
  • Validate completeness as evidence arrives
  • Follow up on overdue items with escalation to management.

The operational reality: evidence requests sent via email get responses after two to three follow-ups. When evidence arrives, it is often incomplete, in the wrong format, or covering the wrong time period.

Each rejection triggers another collection cycle, and the audit team spends more time chasing evidence than reviewing it.

Done well, evidence requests go to control owners as magic-link tasks with structured submission forms, an automated check validates each upload against the evidence specification (correct document type, required date range, necessary fields populated), and missing items are flagged immediately so the owner corrects them in the same session.

Automated reminders fire at set intervals, and a real-time dashboard shows which departments have submitted, which are overdue, and which gaps remain, the pattern behind compliance workflow automation.

Testing, review, and remediation: close the loop

Testing evaluates whether controls are designed effectively and operated consistently during the audit period. Review assesses the severity of findings. Remediation tracks corrective actions to completion.

Testing checklist:

  • Execute test procedures per control
  • Document results with supporting evidence
  • Classify findings by severity (critical, high, medium, low, informational).

Remediation checklist: assign each finding to the control owner, set a remediation deadline, document the corrective action plan, track to completion, and re-test if the finding was critical or high.

The failure pattern: findings communicated via email, remediation tracked in a separate spreadsheet, and no single view of resolution status.

The auditor asks "what is the status of finding #14?" and three people check three different documents.

Remediation works best as a structured workflow where each finding routes to the control owner with context, a deadline, and an escalation path, and every action is logged in a compliance-grade audit trail, the discipline behind automated regulatory compliance.

Assembling the audit package: what external auditors expect

The audit package is the complete documentation set auditors review during fieldwork. Checklist items: evidence organized by control and framework, test workpapers with results, findings with severity classifications, remediation plans with completion status, risk assessment and control mapping, and executive summary.

The pain: packages assembled the week before fieldwork by pulling documents from five or more locations (SharePoint, email, Google Drive, the GRC tool, someone's desktop).

When evidence collection, testing, and remediation run through a single workflow, the package assembles itself, and every action is exportable as a complete, timestamped compliance audit trail.

How to turn your audit checklist into a live workflow on Moxo

Moxo is a process orchestration platform that turns the static checklist into a live, multi-party workflow from scoping through package delivery, built for the coordination layer where audit preparation usually breaks.

Describe the audit scope and Moxo generates the stages: planning, evidence assignment, collection, testing, remediation, and package assembly. Each checklist item maps to a named control owner, tester, or reviewer with a deadline, AI agents validate evidence completeness at submission and flag gaps before a reviewer opens the file, and escalation paths fire when deadlines pass.

You track completion in real time on a reporting dashboard, ask in plain language which controls still need evidence, and every action is logged in a compliance-grade audit trail across 65+ action types. When fieldwork begins, external auditors open the finished package through magic-link access, organized by control and framework, with no account to set up.

Running a successful internal audit checklist

Coordination, not the checklist itself. Every audit team has a checklist. The organizations that pass audits cleanly are the ones that have turned theirs into a structured preparation workflow: evidence requests with clear ownership, real-time tracking, documented remediation, and an audit package that builds itself as the process runs.

A single process orchestration layer executes the entire checklist as a live workflow, with AI handling evidence validation and reminders while humans handle risk assessment, testing, and judgment.

Put the checklist into practice with the step-by-step audit preparation guide.

FAQ

What should be included in an internal audit checklist?

Scope definition (departments, frameworks, time period), risk assessment and control mapping, evidence requirements per control with named owners and deadlines, testing procedures and methods, findings classification criteria, remediation tracking, and audit package assembly requirements. The checklist should cover all five phases: scoping, risk assessment, evidence collection, testing, and remediation.

What is the difference between an internal and external audit?

Internal audits are conducted by the organization's own team (or outsourced internal audit) to assess controls, identify risks, and prepare for external review. External audits are conducted by independent auditors (Big 4, regional firms) who provide formal opinions or certifications (SOC 2 reports, SOX attestations, ISO certifications). Internal audits are continuous improvement tools. External audits are regulatory or stakeholder requirements.

How often should internal audits be conducted?

High-risk areas and critical controls should be audited annually at minimum. Some frameworks (SOX) require annual testing. ISO 27001 requires internal audits before each surveillance visit. Best practice for mature programs is continuous internal auditing with rotating coverage, so every control is tested at least once per audit cycle.

What documents are needed for an internal audit?

Policies and procedures (current, versioned), control evidence (access logs, approval records, change tickets), financial records if applicable, governance documents (board minutes, org charts), vendor documentation (SOC reports, contracts), and prior audit findings with remediation evidence. The specific documents depend on the framework and scope.

How do I prepare for an internal audit if my processes are mostly manual?

Start by documenting your controls as they operate in practice, not as they are ideally designed. Assign a named owner to each control. For evidence collection, use structured requests with clear deadlines rather than email. Even without automation, assigning ownership and setting deadlines dramatically improves preparation quality. Then evaluate workflow platforms like Moxo to automate the coordination layer.

Describe your business process. Moxo builds it.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.