Get MTD for Income Tax ready
80% off your first 6 months + a £25 voucher offer

Get a £25 voucher when you send your first quarterly update to HMRC through Xero by the 7 August 2026 deadline. Voucher offer ends 7 August. Terms apply

Guide

Internal audit: what it is, types and how to do one

Learn how internal audit helps improve your operations, manage risk, and support compliance.

A group of people at a small business conducting an internal audit

Written by Jotika Teli—Certified Public Accountant with 24 years of experience. Read Jotika's full bio

Published Wednesday 22 April 2026

Table of contents

Key takeaways

  • Prioritise internal audits as a proactive tool to spot risks, prevent fraud, and improve efficiency before small problems become costly ones.
  • Follow a four-phase process when conducting an internal audit: plan the scope, gather evidence, document findings, and follow up to make sure recommendations are actually put into practice.
  • Choose the right type of internal audit for your biggest concern, whether that's financial accuracy, operational efficiency, regulatory compliance, or IT security, so your review delivers the most relevant results.
  • Assign someone independent from the area being reviewed to carry out the audit, whether that's a team member from another department or an external consultant, to get reliable and objective findings.

What is an internal audit?

Internal audit is an independent review of your business's finances, processes, and systems to identify risks and find opportunities to improve. The results stay within your company and help strengthen operations. This practice is so crucial that public companies without an internal audit function are advised to review the need for one at least annually.

Your employees or hired consultants typically conduct internal audits. Unlike external audits, these assessments focus on helping your business run more efficiently rather than satisfying outside stakeholders.

Common internal audit examples include:

  • Risk management audits: Identify how your company can reduce vulnerabilities
  • Compliance audits: Check adherence to insurer policies, such as cyber insurance requirements for firewalls or network access

How external audits differ:

  • Who conducts them: Someone outside the company, typically an audit firm
  • Who receives results: Outside stakeholders such as investors
  • Primary focus: Financial records rather than operations
  • Requirements: Publicly traded UK companies must file audited accounts with Companies House within six months of their accounting reference date, or face late filing fees where the penalty is £750 and can rise up to £7,500

Why are internal audits important for small businesses?

Internal audits help small businesses improve efficiency, reduce risks, and maintain compliance. They provide an objective view of your operations that's hard to achieve when you're focused on day-to-day tasks.

In the UK, a business qualifies as a small company if it meets at least two of three criteria related to turnover, balance sheet, and number of employees. Specifically, for accounting periods starting on or after 6 April 2025, the thresholds are an annual turnover no more than £15 million, a balance sheet up to £7.5 million, or 50 or fewer employees.

Key benefits include:

  • Risk reduction: Spot vulnerabilities before they become costly problems
  • Efficiency gains: Find ways to improve processes that save time and money
  • Compliance assurance: Meet regulatory and insurance policy requirements
  • Decision support: Get reliable data to guide business strategy

For example, an internal audit may review a company's internal control systems, which fundamentally ensure the safeguarding of assets, for preventing fraud. The auditors review the company's controls, compare them to actual workflows, and identify potential risks. Then, the business can use the results from the audit to improve its controls.

Types of internal audits

The specific focus area determines the internal audit type. The four main types are:

  • Operational audits: Evaluate process efficiency and resource utilisation
  • Compliance audits: Ensure adherence to laws, regulations, and internal policies
  • Financial audits: Examine financial record accuracy and control systems
  • Information technology (IT) audits: Assess cybersecurity, data protection, and technology controls

Key areas of focus in internal audits for small businesses

Internal audits examine your business's control systems, regulatory compliance, and financial accuracy. Small businesses typically focus audits on four key areas:

  • Financial records: Accuracy of numbers, data entry processes, access controls, and reporting procedures
  • Operational processes: Workflow efficiency, role clarity, redundancy identification, and opportunities to improve
  • Fraud prevention: Internal theft risks, cybersecurity threats, and protective control systems
  • Risk management: Business vulnerabilities, crisis preparation, and risk mitigation strategies

Key roles in an internal audit

Internal audit teams typically include three key roles, each with specific responsibilities that ensure thorough and objective assessments.

Key roles include:

  • Internal auditor: Leads the audit process, evaluates systems objectively, and maintains independence from audited areas
  • Audit committee: Approves audit plans, reviews findings, and oversees how you implement recommendations
  • Management: Provides resources, facilitates access, and implements audit recommendations

Publicly traded companies or large corporations may have a chief audit executive who reports to the audit committee and the chief executive officer (CEO).

For smaller companies, different people often take on audit roles. A bookkeeper might audit financial reports, while a team manager might audit workflows.

How to conduct your own internal audit

The internal audit process follows four structured phases that ensure thorough examination and actionable results. Each phase builds on the previous one to deliver meaningful business improvements and strengthen your business.

Here's how the process works:

1. Plan your business's internal audit

Audit planning establishes the scope, objectives, and methodology for how you'll assess your business. This phase determines what you'll examine and how you'll conduct the review.

Planning steps include:

  • Assess risks: Identify your business's most significant vulnerabilities
  • Define scope: Determine which areas, processes, or systems to examine
  • Allocate resources: Assign team members and set timeline expectations
  • Select methodology: Choose appropriate audit techniques and tools

Choose your audit focus based on your primary concern:

  • Fraud concerns: Audit financial statements and money handling processes
  • Efficiency concerns: Audit your workflows and operational procedures

2. Complete the fieldwork/execution stage of the process

Executing the audit involves gathering evidence and testing controls to assess your business's current state. This hands-on phase reveals how well your systems work.

Execution activities include:

  • Document review: Examine policies, procedures, and transaction records
  • Analyse processes: Map workflows and identify inefficiencies or gaps
  • Staff interviews: Understand roles, responsibilities, and daily challenges
  • Control testing: Verify that protective measures work as intended

Testing internal controls may require practical assessments. For IT security audits, you might send fake phishing emails to employees to identify who needs more training.

3. Write a comprehensive audit findings report

Audit reporting documents findings and provides actionable recommendations to improve your business. The report translates technical discoveries into practical next steps.

Report components include:

  • Executive summary: Key findings and priority recommendations
  • Detailed findings: Specific issues discovered and their business impact
  • Assess risks: Severity levels and potential consequences
  • Action plan: Recommended changes with timelines and responsibilities

4. Follow up on implementing the internal audit recommendations

Audit follow-up ensures what you've recommended improves your business operations. This step ensures your excellent findings deliver results.

Follow-up activities include:

  • Track implementation: Monitor progress on recommended changes
  • Assess effectiveness: Measure whether changes achieve intended results
  • Plan adjustments: Modify approaches based on real-world outcomes
  • Monitor continuously: Schedule regular reviews to maintain what you've improved

Tips for success when implementing internal audits

Follow these tips to run a smooth audit process.

FAQs on internal audits

Here are answers to common questions about internal audits for small businesses.

What's the difference between internal and external audits?

Internal audits are conducted by your employees or hired consultants, and the results stay within your company to help improve operations. External audits are performed by independent audit firms, and the results go to outside stakeholders like investors. Internal audits focus on operational efficiency and risk management, while external audits primarily verify financial records.

How often should small businesses conduct internal audits?

The frequency depends on your business size, industry, and risk level. Many small businesses conduct annual internal audits, though high-risk areas like cash handling or IT security may benefit from quarterly or monthly reviews. Start with an annual audit and adjust based on what you discover.

Do small businesses need internal audits?

While not legally required for most small businesses, internal audits provide valuable insights into your operations, help prevent fraud, and identify ways to improve efficiency. They're especially useful if you're growing, preparing for external investment, or operate in a regulated industry.

Can you conduct your own internal audit?

Yes, you can conduct your own internal audit if you have the necessary skills and can remain objective. However, having someone independent review the area being audited produces more reliable results. Many small businesses use team members from different departments or hire external consultants for objectivity.

Disclaimer

Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.

Get one month free

Purchase any Xero plan, and we will give you the first month free.