March 26, 2026 · 29 min read

Internal audit 101: Standards, process, and 2026 priorities

Scott Madenburg

Key Takeaway: Internal audit is governed by the IIA Global Internal Audit Standards, which took effect January 9, 2025 and reorganize the profession around 15 guiding principles. For 2026, cybersecurity remains the top audit priority, with GenAI governance and ISO/IEC 42001 emerging as new audit subjects. Practitioners must refresh their charter, methodology, and risk assessment against the new framework.

The internal audit profession has changed over the past couple years. The IIA's new Global Internal Audit Standards replaced the prior IPPF structure, NIST CSF 2.0 reshaped cyber control testing, and 32% of CAEs now also own enterprise risk management. This guide walks through what internal audit is, how the process runs end-to-end, and which standards and risk priorities every practitioner should be working against today.

What is internal auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations — the canonical definition maintained by The Institute of Internal Auditors. At its core, an internal audit is an unbiased review of a company's internal systems, processes, and procedures that compares actual operations against documented processes, standards, and business requirements.

Internal auditing examines and assesses company records, workflows, systems, and financial documents. Through the function, teams identify compliance concerns, complete risk assessments, investigate fraud, and uncover data inaccuracies in financial reporting. The audit team's ultimate goal is to serve as a highly valued business partner to every segment of the organization.

Common focus areas for the internal audit function include operational risks, environmental compliance, procedural efficiency, effectiveness of systems, fraud management, health and safety compliance, and regulatory compliance.

Optro reviews the fundamentals of internal audit, including types of internal audits, best practices and audit reporting.

How the 2024 IIA Global Internal Audit Standards changed the profession

The IIA Global Internal Audit Standards were issued January 9, 2024 and became effective January 9, 2025, replacing the prior IPPF structure with 15 guiding principles organized into five domains: purpose, ethics and professionalism, governing the function, managing the function, and performing engagements. CAEs must now demonstrate conformance during external quality assessments and update the audit charter, methodology, QAIP, and engagement workpapers to map directly to the new principles.

Under the new Standards, the CAE is explicitly accountable for measuring and reporting the performance of the internal audit function to the board. The charter must be approved by the board and reviewed at least annually — and it is the first document an external quality assessor will request.

Why internal audit matters across industries

Internal auditors work across health care, technology, education, financial services, and government. All sectors benefit from audit teams that examine business operations, improve the effectiveness of risk and controls, surface emerging issues, and identify opportunities for efficiency.

Based on an effective risk-based auditing approach and an approved audit plan, organizations should treat internal audit as a normal, ongoing component of business. Whether functioning as a broad assessment or covering a single area, the main goal is to provide independent assurance over the effectiveness of risk, controls, and business operations.

How internal audit differs from external audit

Internal and external audits share the objective of analyzing an aspect of an organization and forming an opinion, but the two engagements differ in mandate, audience, and standards.

The internal audit team (in-house, co-sourced, or outsourced) performs audits on behalf of the organization to add value and improve operations. The team is led by the Chief Audit Executive, who typically reports administratively to management (often the CFO) while preserving independence through a functional reporting line to the audit committee of the board. Internal auditors follow the IIA Global Internal Audit Standards and often hold the Certified Internal Auditor (CIA) designation or Certified Information Systems Auditor (CISA) from ISACA.

In an external audit, the company engages an outside audit firm to opine on financial reporting. External audit staff may be required to hold the Certified Public Accountant (CPA) designation. Internal audit results are used by management to improve operations; external audit results are used by outside investors and regulators.

Internal audits vs. compliance reviews

Practitioners and stakeholders frequently conflate the two, but the scope differs. A compliance review is narrower — it tests adherence to a specific regulation, policy, or control (for example, BSA/AML or GDPR) and typically produces a pass/fail determination against a defined rule set. An internal audit is a broader independent assurance engagement covering risk, controls, governance, and operational effectiveness, producing risk-rated findings, root-cause analysis, and management corrective action plans. Both can coexist, but only internal audit is governed by the IIA Global Internal Audit Standards.

What types of internal audits are there?

While most engagements cover the effectiveness of risk management and internal controls, the internal audit function also performs reviews across compliance, environmental, security and technology, performance, financial, operational, and special projects and investigations. Audit services may also address the safety and security of team members.

Compliance audit

Compliance audits assess adherence to relevant laws and regulatory requirements. Depending on the sector, noncompliance can produce fines, lawsuits, or material financial impact. Examples of regulations to track include the U.S. Foreign Corrupt Practices Act and Europe's General Data Protection Regulation. A compliance audit may also evaluate control processes and the overall control environment.

Environmental audit

These audits assess the impact of a company's actions and operations on the environment and compliance with environmental laws. With more boards, investors, and consumers focused on the ESG characteristics of a company, this is a high-priority area for many internal audit teams. As global sustainability reporting standards such as IFRS S1 require new disclosures, the environmental audit scope is expanding rapidly.

Security and technology audit

Security and technology audits evaluate IT systems and underlying infrastructure to assess the accuracy and security of data, information, and intellectual property. They typically include IT general controls testing, change management review, and assessment of system backup and recovery processes. Cybersecurity testing should align to the NIST Cybersecurity Framework 2.0 (released February 2024), and ISMS audits should reference ISO/IEC 27001:2022 — the transition deadline from the 2013 version was October 31, 2025.

Performance audit

These audits evaluate whether the company is meeting internal targets and key performance indicators set by management. When teams are missing goals, performance audits can uncover the underlying issues driving cost overruns or blocking execution.

Financial audit

These audits confirm or recalculate internal financial reporting as it pertains to the overall business, budgets, assets, or special projects. They may also check the accuracy of billing, expenses, or reimbursements.

Operational audit

Operational audits assess a company's control mechanisms and their overall effectiveness, efficiency, and reliability.

Special projects and investigations

Special projects and investigations are "special purpose" audits performed at the request of management, frequently involving fraud and forensic investigations.

What are the 5 stages of an internal audit?

The internal audit lifecycle — sometimes framed as "prepare, perform, report, and close" — follows five stages: (1) planning and risk assessment, (2) scoping and audit announcement, (3) fieldwork and testing, (4) reporting findings, and (5) follow-up and remediation tracking. Each stage is governed by the internal audit charter and aligned to the IIA Global Internal Audit Standards.

Internal auditors are guided by the internal audit charter, which defines purpose, authority, responsibility, and position within the organization. The charter must enumerate reporting lines (functional to the audit committee, administrative to management), independence requirements, access to records and personnel, and conformance with the IIA Standards.

The function conducts a risk assessment to identify and prioritize high-risk areas, focusing on the most important auditable activities. The risk assessment drives the audit plan, a listing of audits to be performed. When an audit launches, the team will scope the audit and perform fieldwork, generating an understanding of current processes and risks. After fieldwork, teams issue a formal audit report to line management, senior management, and the audit committee. Finally, recommendations and management corrective action plans are tracked through follow-up to confirm remediation.

The Internal Audit Process

1. Building the internal audit team

Start with building the internal audit team. Candidates should bring strong analytical and critical thinking skills along with the ability to receive and share information clearly. Auditors should be fair, objective, discreet, ethical, and strong collaborators. Attention to detail matters because auditors spend much of their time drilling into complex data and need to identify issues most people would overlook. Internal auditing also suits highly self-motivated practitioners, as auditors frequently do most of their fieldwork independently even when assigned to project teams.

A typical function includes the Chief Audit Executive (owns the charter, audit plan, and functional reporting to the audit committee), supported by audit directors and managers (engagement oversight, report quality), senior auditors (scoping, fieldwork lead, finding development), and staff auditors (testing, evidence collection, workpaper preparation). Specialists in IT audit, data analytics, and SOX may sit within or alongside the function.

2. Risk assessment and audit planning

Internal auditors perform a risk assessment at least annually — though leading functions now refresh it quarterly or continuously for cybersecurity, third-party, and geopolitical risk domains that shift faster than the annual planning cycle. The risk assessment identifies the audit universe, scores it against various risk factors, and selects which areas to include in the audit plan. The plan defines requirements, objectives, schedule, and roles. A kick-off meeting launches each audit, followed by multiple communication checkpoints throughout the process.

Trigger events — M&A, new regulation, a major incident, an ERP change — should automatically prompt a mid-year plan revision, with rationale documented in audit committee materials.

3. Audit scoping and fieldwork

The scoping process aligns expectations between the internal audit team and the auditee on purpose and scope. Auditors may begin with indirect assessment techniques, such as reviewing manuals, policies, and existing documentation. Fieldwork may also include transaction testing, observations, and analyses — some targeted, some randomized — to test controls and systems.

A core objective of fieldwork is gathering audit evidence across four categories: documentary (policies, contracts, invoices, approvals), system and data (database extracts, log files, ERP transaction populations), observational (walkthroughs, demonstrations of a process being performed), and testimonial (interview notes, management representations). Evidence must be sufficient, reliable, relevant, and useful — a standard codified in the IIA's engagement documentation requirements.

During the engagement, new information may require the original scope to be adjusted. Auditors should listen carefully for what is being said — and what is not being said — and follow those threads. After confirmation, the internal team shares findings with the auditee, along with recommendations, and works to define a remediation path. These findings are included in the audit report.

4. Reporting findings

The major deliverable is a formal report, sometimes preceded by a preliminary or interim report. An interim report may include sensitive or time-critical data senior management needs immediately. Some audit teams share a draft of the final report with the leadership team for additional feedback before it is finalized. The final report summarizes the procedures and techniques used, describes the findings, and recommends improvements. It typically includes next steps, recommended changes, and monitoring processes, and may be presented in this format — or an abbreviated one — to the audit committee.

5. Follow-up

After a defined interval, internal audit follows up to confirm recommendations were enacted and findings remediated. Tracking the management action plan closure rate and the percentage of high-risk findings remediated on time is part of the CAE's performance reporting obligation under the 2025 IIA Standards.

What are the five C's of internal audit?

Audit team reports frequently follow the "five C's" of audit communication; a thorough finding will address each. The five C's are criteria, condition, cause, consequence, and corrective action.

  1. Criteria — what issues were identified and why the audit was requested. Are related internal or external audits expected? Who requested this audit, and why? Did the initiative originate inside internal audit or elsewhere?
  2. Condition — how the issue relates to a company goal or expectation. Is a policy broken? A goal unmet? Is safeguarding required? Is the team investigating a possible anomaly?
  3. Cause — why the issue surfaced. Was it flagged by an internal audit report? Who raised it, what processes broke down, and what could have prevented it?
  4. Consequence — the outcomes of the issue. Do new governance processes need to be implemented? Are there finance, regulatory, or external implications? How should the board be informed?
  5. Corrective action — what the company will do to fix the problem. What follow-up exists for management, what monitoring will take place going forward, and what solutions have been put in place?

Common internal audit findings

During the internal audit process the same patterns surface repeatedly. The following are among the most common observations.

Segregation of duties

Tasks and process flows must have proper checks and balances. For example, the person responsible for collecting payments should not also create the deposit and reconcile the books and source documents.
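As an added example (not from the article or from Optro), the segregation-of-duties check above expressed as a small Python script: it reads a constructed user-to-role extract of the kind collected as system evidence, resolves each user's effective duties, and flags toxic combinations. The duty names, role names and users are assumptions for illustration.

```python
import csv
import io

# Toxic duty pairs from the article's example: one person should not collect
# payments AND prepare the deposit AND reconcile the books. Constructed rule set.
SOD_RULES = {
    ("collect_payments", "prepare_deposit"),
    ("collect_payments", "reconcile_books"),
    ("prepare_deposit", "reconcile_books"),
}

# Assumed role-to-duty mapping (what each role is permitted to do).
ROLE_DUTIES = {
    "cashier": {"collect_payments"},
    "treasury_clerk": {"prepare_deposit"},
    "accountant": {"reconcile_books"},
    "ar_admin": {"collect_payments", "prepare_deposit"},  # bundles two duties
}

# Constructed user-to-role extract, as exported from an access management system.
USER_ROLE_EXTRACT = """\
user,role
alice,cashier
bob,treasury_clerk
bob,accountant
carol,ar_admin
dave,accountant
"""


def parse_extract(text):
    """Turn the CSV extract into {user: set(roles)}."""
    user_roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        user_roles.setdefault(row["user"].strip(), set()).add(row["role"].strip())
    return user_roles


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of duties granted by a set of roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def conflicts_in(duties, rules=SOD_RULES):
    """Sorted list of rule pairs where both duties are held."""
    return sorted((a, b) for a, b in rules if a in duties and b in duties)


def find_user_conflicts(user_roles, role_duties=ROLE_DUTIES, rules=SOD_RULES):
    """{user: [(duty_a, duty_b), ...]} for users whose combined roles conflict."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        hits = conflicts_in(effective_duties(roles, role_duties), rules)
        if hits:
            findings[user] = hits
    return findings


def find_role_conflicts(role_duties=ROLE_DUTIES, rules=SOD_RULES):
    """Roles that are conflicting by design, before any user is assigned them."""
    return {role: conflicts_in(duties, rules)
            for role, duties in sorted(role_duties.items())
            if conflicts_in(duties, rules)}


if __name__ == "__main__":
    for user, hits in find_user_conflicts(parse_extract(USER_ROLE_EXTRACT)).items():
        print(f"{user}: {hits}")
    print("roles conflicting by design:", find_role_conflicts())
```

Bob's conflict comes from accumulating two individually clean roles, while Carol's comes from a single role that is conflicting by design; both patterns are worth reporting separately because they have different owners and fixes.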

Lack of detailed policies and procedures

Departmental business transactions and related internal audit controls should be clearly documented, periodically reviewed, and updated. Written policies and procedures can be referenced and revised as needed.

Lack of formal approvals

Evidence should be captured and maintained to document independent approvals, reconciliations, and departmental financial statements. The individuals responsible for approvals should be identified, and access controls should match the appropriate roles.

Absence of supporting documentation

Transactions should be supported by relevant documentation. For purchases, this means backup for requisitioning, competitive bidding and proposals, purchase orders, invoices, and approvals.

Top internal audit risk priorities for 2026

Cybersecurity remains the #1 risk priority for internal audit in 2026, followed by geopolitical uncertainty, per the IIA's Risk in Focus 2026 report. Climate change and digital disruption — including AI — are the fastest-growing risk categories. Audit plans should also reflect the 32% of CAEs who now own enterprise risk management, increasing the pressure to integrate the audit universe with the ERM risk register.

GenAI in particular should be treated on two tracks: as an auditable risk domain (model risk, data leakage, bias, third-party AI vendors, shadow AI) and as a productivity lever inside the function (workpaper drafting, control testing, anomaly detection). Benchmark organizational AI governance against ISO/IEC 42001:2023, the international standard for AI management systems, and document human-in-the-loop controls before using GenAI in evidence evaluation or report drafting.

Common factors that may hinder internal audits

Internal auditors are skilled at identifying risk for the organization but are not immune to risks themselves. Common risk factors affecting the function include talent shortages, remote work, internal relationship dynamics, evolving skill needs, and technology tool gaps.

Talent shortages

Attracting and retaining internal audit staff has become an ongoing capacity challenge for many organizations. Hiring budgets have grown in some cases, but filling open positions remains difficult. Companies need to bring in talent with flexibility around the requirements of today's workforce. Strict rules about facetime and office hours are becoming obsolete and a barrier to recruiting. Instead, emphasize individual growth, learning, and work-life balance.

Remote work

Today's distributed workforce has made internal auditing more complex than ever. Fieldwork that once required a few localized site visits may now require traveling to multiple locations — or conducting interviews entirely by video. On the plus side, teams that are comfortable with remote information gathering can use video conferencing and digital documentation to streamline data collection and lower the time and cost required to support the audit.

Relationship barriers

Distributed workforces have also created relationship barriers across teams. Without informal in-office moments, teams may have fewer trusted relationships to lean on, which complicates some audit conversations and investigations. Fewer touchpoints between audit and stakeholders may require deliberate effort to maintain ties.

Evolving skill needs

While critical thinking has always been core to the auditor's skill set, the supporting skill list is growing quickly. Current needs include risk assessment, cybersecurity, data mining, and analytics expertise. Today's teams also need to stay current on new cyber threats and new technologies — including GenAI tooling and AI governance frameworks like ISO/IEC 42001.

Technology solution gaps

Teams must ensure they have the right technology to do the work. Audit automation centralizes audit management, improves cross-team collaboration, and increases function efficiency. Staying current on integrations and training the team on new tools is part of the discipline.

When to co-source or outsource internal audit

Co-sourcing makes sense when the in-house team lacks specialized skills — IT audit, data analytics, SOX, cyber, ESG assurance, AI governance — or has cyclical capacity gaps. Full outsourcing is more common at organizations under roughly $500M revenue or where building a function isn't cost-justified. Decision factors include cost, independence (Sarbanes-Oxley restricts the external financial auditor from also serving as internal auditor for SEC registrants), institutional knowledge retention, and the CAE's ability to direct and supervise outsourced work under the IIA Standards. Many leading functions blend a small in-house core with a co-source rotation for technical engagements.

Manage the internal audit process with Optro

The importance of a strong audit team and process cannot be overstated. Teams should be working actively to manage risk through consistent audits and reviews, with results shared with senior management and the audit committee in a clear and timely fashion. Optro can help, whether the team is just starting out or refining its processes. Get started with Optro's internal audit management software today.

Frequently asked questions

What are the 5 stages of an internal audit?

The five stages are (1) planning and risk assessment, (2) scoping and audit announcement, (3) fieldwork and testing, (4) reporting findings, and (5) follow-up and remediation tracking. ASQ frames the same lifecycle as "prepare, perform, report, and close." Each stage is governed by the internal audit charter and aligned to the IIA's Global Internal Audit Standards.

What is the difference between an internal audit and a compliance review?

A compliance review is narrower in scope — it tests adherence to a specific regulation, policy, or control (e.g., BSA/AML, GDPR) — while an internal audit is a broader independent assurance engagement evaluating risk, internal controls, governance, and operational effectiveness. Compliance reviews typically produce a pass/fail determination against a defined rule set; internal audits produce risk-rated findings, root-cause analysis, and management corrective action plans. Only internal audit is governed by the IIA Global Internal Audit Standards.

How do the 2024 IIA Global Internal Audit Standards change day-to-day audit work?

The new Standards, issued January 9, 2024 and effective January 9, 2025, replace the prior IPPF structure with 15 guiding principles organized into five domains: purpose, ethics, governance, managing the function, and performing engagements. Practitioners must update their audit charter, methodology, QAIP, and engagement workpapers to map directly to the new principles. CAEs are now explicitly accountable for demonstrating conformance during external quality assessments.

What are the top internal audit risk priorities for 2026?

Cybersecurity remains the #1 risk priority for internal audit in 2026, followed by geopolitical uncertainty, per the IIA's Risk in Focus 2026 report. Climate change and digital disruption — including AI — are the fastest-growing risks. Audit plans should also reflect the 32% of CAEs who now own enterprise risk management, increasing pressure to integrate the audit universe with the ERM risk register.

What evidence do internal auditors collect during fieldwork?

Internal auditors collect four primary categories of audit evidence: documentary (policies, contracts, invoices, approvals), system and data (database extracts, log files, ERP transaction populations), observational (walkthroughs, demonstrations of a process being performed), and testimonial (interview notes, management representations). Evidence must be sufficient, reliable, relevant, and useful to support each finding — a standard codified in the IIA's performance standards on engagement documentation.

What should be included in an internal audit charter?

An internal audit charter must define the function's purpose, authority, responsibility, scope, position in the organization, reporting lines (functional to the audit committee, administrative to management), independence and objectivity requirements, access to records and personnel, and conformance with the IIA Global Internal Audit Standards. Under the 2025 Standards, the charter must be approved by the board and reviewed at least annually. It is the first document an external quality assessor will request.

How should internal audit approach generative AI as both an audit subject and a tool?

Treat GenAI on two tracks: as an auditable risk domain (model risk, data leakage, bias, third-party AI vendors, shadow AI) and as a productivity lever inside the audit function (workpaper drafting, control testing, anomaly detection). Benchmark the organization against ISO/IEC 42001:2023, the standard for AI management systems, and align cybersecurity testing to NIST CSF 2.0 (released February 2024). Document human-in-the-loop controls before using GenAI in evidence evaluation or report drafting.

About the authors

Scott Madenburg, CIA, CISA, CRMA, is the founder of ARCHybrid, where he serves as a market advisor, consultant, and trainer, guiding organizations and professionals in transforming their audit, risk, and compliance functions to enhance efficiency, strengthen controls, and address emerging threats. Connect with Scott on LinkedIn.
