Internal audit: what it is and how to run it in 4 steps
Learn how internal audit strengthens controls, protects cash, and improves business performance.

Written by Lena Hanna—Trusted CPA Guidance on Accounting and Tax.
Published Wednesday 4 March 2026
Key takeaways
- Conduct internal audits at least once a year to identify inefficiencies, reduce risks, and ensure compliance with regulations and insurance requirements before problems escalate into costly issues.
- Follow the four-stage audit process systematically: plan by defining scope and conducting risk assessments, complete fieldwork through document review and staff interviews, write clear reports with specific recommendations, and follow up to ensure improvements are implemented.
- Focus your audit efforts on the highest-risk areas first, such as financial records, fraud prevention controls, and operational processes, then expand to IT security and compliance audits as your business grows.
- Maintain accurate, accessible financial data using accounting software to streamline the audit process and create clear audit trails for every transaction.
What is an internal audit?
An internal audit is an independent review of your business's finances, processes, and systems to identify risks and areas for improvement. The results stay within your company and are used to strengthen operations.
Internal auditors often work for the company, but you can bring in outside consultants to help. Either way, the findings remain internal, unlike external audits, which are conducted by third parties and shared with outside stakeholders like investors or regulators.
Common internal audit examples include:
- Risk management audits: identify how your company can reduce operational risks
- Compliance audits: verify adherence to insurer policies, such as cyber insurance requirements for firewalls or network access
Here's how internal and external audits compare:
Internal audits vs external audits:
- Internal audits: conducted by employees or consultants; results stay within the company; typically focus on operations and risk
- External audits: conducted by independent audit firms; results shared with investors, lenders, or regulators; typically focus on financial records
All publicly traded companies must undergo external financial audits annually, which require opinions from certified public accountant (CPA) firms.
Why are internal audits important for small businesses?
Internal audits help improve efficiency, reduce risks, and stay compliant. They give you a chance to step back and examine your processes before problems escalate.
Key benefits of internal audits:
- Identify inefficiencies: spot redundant steps or bottlenecks in your workflows
- Reduce risk: uncover vulnerabilities before they become costly problems
- Ensure compliance: verify you're meeting financial regulations and insurance policy requirements
For example, an internal audit of your fraud prevention controls would compare your documented procedures to actual workflows, identify gaps, and recommend improvements you can act on immediately.
Key areas of focus in internal audits
Internal audits examine the effectiveness of internal controls, compliance with regulations, and the accuracy of financial reports, often using established guidelines like the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework to improve confidence in data.
- Financial records: verify the accuracy of your numbers, review data entry processes, and assess who has access to financial systems
- Operational processes: map workflow steps, identify who completes each task, and spot redundancies or inefficiencies
- Fraud prevention: evaluate controls against internal fraud (employee theft) and external threats like phishing or cyberattacks.
- Risk management: assess your biggest business risks and review your crisis preparation and mitigation strategies
Types of internal audits
The type of internal audit depends on what you're examining. The four main types are operational, compliance, financial, and information technology (IT) audits.
- Operational audits: evaluate internal processes to assess efficiency and resource use
- Compliance audits: verify adherence to laws, industry regulations, and internal policies
- Financial audits: examine the accuracy of financial reports and the effectiveness of internal controls
- IT audits: assess cybersecurity, data protection, network access, and team training, with associations like the Information Systems Audit and Control Association (ISACA) helping companies address IT governance and risk management.
Each type addresses different business risks. Many small businesses start with financial or compliance audits, then expand to operational or IT audits as they grow.
The internal audit process
The internal audit process follows four stages: planning, fieldwork, reporting, and follow-up. Here's how to conduct each stage:
1. Plan your internal audit
Planning sets the scope and direction of your audit. Start by identifying what you want to examine and why.
Key planning steps:
- Conduct a risk assessment: identify the most significant risks facing your business
- Define the audit scope: decide which processes, records, or systems to examine
- Design your approach: choose the methods and tools you'll use to gather information
For example, if you're concerned about internal fraud, focus on financial statements and money handling. If efficiency is the issue, audit your operational workflows.
2. Complete the fieldwork
Fieldwork is where you gather evidence and test your controls. This stage involves examining documents, observing workflows, and interviewing staff.
Common fieldwork activities:
- Document review: analyse financial records, policies, and procedures
- Process observation: watch workflows in action to identify gaps between documented and actual practices
- Staff interviews: talk with employees and managers about their roles and responsibilities
- Control testing: run tests to assess effectiveness, such as sending simulated phishing emails to evaluate IT security awareness
3. Write your audit report
Reporting documents your findings and recommendations. A clear audit report helps leadership understand what you discovered and what actions to take.
Your audit findings report should include:
- Summary of scope: what you audited and why
- Key findings: issues, risks, or gaps you identified
- Recommendations: specific actions to address each finding
- Priority levels: which issues need immediate attention
Share the report with your audit committee, business owners, or relevant managers so they can act on the recommendations.
4. Follow up on recommendations
Follow-up ensures your audit leads to real improvements. Without it, findings often go unaddressed.
Effective follow-up includes:
- Track progress: monitor whether recommended changes have been made
- Set review dates: schedule check-ins 30, 60, or 90 days after the audit
- Measure results: compare performance before and after changes to assess impact
- Adjust as needed: refine your approach based on what's working
Regular follow-up turns audit findings into lasting improvements.
Key roles in an internal audit
Internal audits involve several key roles, though in small businesses, one person often handles multiple responsibilities.
- Internal auditor: leads the audit process, evaluates records or processes, and maintains objectivity to minimise bias, guided by global standards for ethics and professionalism.
- Audit committee: identifies audit priorities, approves the audit plan, and reviews findings
- Management: allocates staff and resources, and implements audit recommendations
In small businesses, roles often overlap. A bookkeeper might audit financial reports, while an operations manager audits workflows. Larger companies may have a chief audit executive who reports to both the audit committee and chief executive officer.
Tips for success when implementing internal audits
A well-planned audit delivers better results and causes less disruption. Follow these tips to make your internal audit successful:
- Focus on the benefits: treat the audit as an opportunity to improve your business
- Get leadership buy-in first: management support sets the tone; when leaders prioritise the audit, teams follow
- Define scope and goals upfront: clarify what you're auditing, what you want to learn, and who's responsible for each task
- Bring in expertise when needed: if your team lacks audit experience, hire a consultant or specialist, especially for complex areas like IT or compliance
- Gather the right data: use accounting software to analyse financial reports and process mapping tools to visualise workflows
Streamline your internal audit process with Xero
A professional evaluates the adequacy and effectiveness of your internal controls over governance and operations. The key to a successful audit is having accurate, accessible financial data.
Xero makes that easier by:
- Centralising your financial records: access real-time data for faster, more accurate audits
- Generating reports on demand: pull the reports you need without manual data gathering
- Tracking changes automatically: maintain a clear audit trail for every transaction
Ready to simplify your financial management? Get one month free and see how Xero supports your next internal audit.
FAQs on internal audits
Here are answers to the most common questions about internal audits:
How often should internal audits be conducted?
While you may determine an overall audit plan annually, the frequency of audits for specific areas depends on risk; most small businesses should conduct some form of internal audit at least once a year. High-risk areas or fast-changing processes may need quarterly reviews. Increase frequency if you're addressing compliance requirements, preparing for external audits, or actively working to reduce operational risks.
What's the difference between an internal audit and an external audit?
Internal audits focus on improving processes and reducing risks. Results stay within your company and are used to strengthen operations.
External audits focus on financial compliance and are conducted by independent firms. Results are shared with outside stakeholders like investors, lenders, tax agencies, or insurers.
What happens if you find issues during an internal audit?
Finding issues is the point of an audit and shows the process is working. Document each issue in your findings report, assign ownership, and create an action plan with deadlines. Track progress to ensure problems get resolved.
Can I conduct an internal audit myself or do I need to hire someone?
You can conduct basic internal audits yourself, especially for operational processes or simple compliance checks. For complex areas like IT security, financial controls, or regulatory compliance, consider hiring a specialist. Many small businesses start with DIY audits and bring in consultants for specific expertise as needed.
Disclaimer
Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.