Internal Audit Preparation Checklist

Planning and Preliminary Review

    Retrieve the last two years of internal audit reports, the management-letter comments from the external auditor, and any open remediation items in the issue tracker. Flag repeat findings — they raise the inherent risk rating for the area and usually mean the prior action plan didn't stick.

    Sit with the process owner and walk an end-to-end transaction. Update the narrative and flowchart in the workpaper file. Identify the key controls (preventive vs. detective, manual vs. automated) that map to the financial-statement assertions in scope.

    Document the in-scope locations, processes, and period under review. Set performance materiality (typically 50–75% of overall) and the threshold for clearly trivial misstatements. Reference the enterprise risk assessment to confirm the area's ROMM rating.

    Send the engagement letter to the process owner and their executive sponsor. Cover scope, period, fieldwork dates, reporting timeline, and the IIA standards under which the audit is conducted. Request countersignature before fieldwork begins.

    Allocate hours by phase (planning, fieldwork, reporting, follow-up) in the workflow tool — Caseware, AuditBoard, or TeamMate. Assign the in-charge senior, staff testers, and the partner/CAE reviewer. High-risk areas get a second-level review built into the plan.

PBC Request and Evidence Gathering

    Push the prepared-by-client list through Suralink or the firm's PBC portal at least two weeks before fieldwork. Each item needs an owner, due date, and format spec (PDF vs. native Excel). Stale PBC requests are the #1 reason fieldwork extends.

    Hold a weekly PBC status call with the controller. Items missing 5 business days before fieldwork get escalated to the executive sponsor — don't let the team arrive on Day 1 with half the schedules outstanding.

    Extract the full population from the source system (NetSuite, Sage Intacct, the AP sub-ledger). Tie totals to the trial balance before sampling — a population that doesn't reconcile invalidates every test built on it.

    Pick attribute or monetary-unit sampling based on the test objective. Document the confidence level, expected error rate, and sample size in the workpaper. For key-control testing, the standard is 25 for daily controls, 5 for monthly, 2 for quarterly.

    Set up the lead schedules and supporting workpaper sections in Caseware or CCH ProSystem fx Engagement before fieldwork. Use the firm's standard indexing scheme so the partner reviewer doesn't have to hunt for cross-references.

Fieldwork and Testing

    Walk one transaction through each key control end-to-end with the control performer. Document the who, what, when, and evidence reviewed. A walkthrough is not a test — it confirms design; operating-effectiveness testing happens next.

    Run the controls test against the selected sample. Document attributes tested, source evidence reviewed, and the conclusion (effective / ineffective). For automated controls, IPE testing is required — confirm the report logic and parameters.

    Tie balances to source documents — vendor invoices, bank confirmations, contracts. For accruals, recompute. For estimates, evaluate management's methodology and key assumptions against an independent expectation.

    Each exception captures: condition, criteria, cause, effect, and recommendation (the 5 C's). Quantify the financial impact where possible. Distinguish control deficiencies from significant deficiencies from material weaknesses per the firm's rating matrix.

    The CAE or audit partner clears every workpaper coaching note before exit. No unanswered review comments at sign-off — they're the audit-quality finding waiting to surface in peer review.

Escalation for Material Weaknesses

    Material weaknesses get escalated within 24 hours of identification — don't wait for the draft report. Notify the CAE, the audit committee chair, and (if the company is an SEC issuer) coordinate with the external auditor on potential ICFR implications under SOX 404.

    A material weakness in one control often points to weaknesses elsewhere. Reassess the scope: do other periods, locations, or related processes need extended testing? Document the fraud-risk evaluation with reference to SAS 99 / AU-C 240.

Reporting and Follow-Up

    Use the firm's standard report template — executive summary, scope, opinion (satisfactory / needs improvement / unsatisfactory), findings ranked by severity, and recommendations. Tie each finding back to its workpaper reference for the reviewer.

    Hold a closing meeting with the process owner before the report goes to senior management. No surprises at the audit committee — every finding has been discussed, the facts are agreed, and management has drafted an action plan with named owners and target dates.

    Cover the opinion, key findings, themes vs. prior periods, and any disagreements with management. Audit committees expect ranked findings with root cause — not a recitation of the report.

    Add each open finding to the issue tracker with target remediation date. Schedule the follow-up validation: 90 days for high-rated findings, 180 days for moderate. Closed findings require evidence of remediation — management's word alone is not sufficient.
