How to plan internal audits. A summary guide.

Since every company is different, there is no single, right way to run an Internal Audit.

But there are common Internal Audit management pitfalls to avoid, such as:

  • Ineffective leadership which leads to unclear documentation, or an ineffective Internal Audit process.
  • Too many manual Internal Audit processes, leading to omissions and mistakes.
  • Staff that resist Internal Audits, and mistakenly believe they are snapshots rather than ongoing.
  • Findings that are presented too mildly and fail to fully trigger the corrective actions needed.

To run a successful Internal Audit, there are certain fundamentals to consider:

  1. Are Internal Audits necessary at your organization?
  2. What is the best way to plan Internal Audits?
  3. What issues may you experience when running Internal Audits?
  4. Do you need Internal Audit software?

1. Are Internal Audits necessary at your organization?

The three top reasons to conduct Internal Audits are to:

  • Prepare for external audits
  • Comply with clause 9.2 of ISO 9001 certification which states you must conduct internal audits.
  • Asses your business and improve it.

External Audits are generally limited to financial records. On the other hand, Internal Audits may cover the whole business: how the organization is governed, how risks are managed and how processes are run.

Importantly, Internal Audits recommend improvements. If done right, and corrected, Internal Audits add huge amounts of value to the organization.

2. What is the best way to plan Internal Audits?

Since Internal Audits can cover any part of a business, it is important to avoid getting bogged down in endless detail, but instead deliver maximum value.

This means creating, and working to a tight, detailed scope but which is broad enough to provide real value to your organisation.

Here are our recommended steps:

  1. Set up an Audit Committee if you do not already have one. This is a group of board level leaders that direct and support Internal Auditors throughout the whole process.
  2. Understand the organization’s objectives and strategy. Some questions to prompt the right type of thinking are:
    • How do we ensure compliance with all external (and internal) regulations and codes of conduct?
    • What risks do we face?
    • Is the way we manage the organization aligned with the organization’s objectives?
    • Do our IT systems support our objectives securely and efficiently?
    • Do we operate safely and efficiently? What are the hazards, frictions, and inefficiencies?
    • How secure is our supply chain? What risks do our suppliers bring to the organization?
    • Are we performing as we should environmentally?
  3. List the activities, functions and departments that are crucial for your organization to its objectives and strategy.
  4. List the stakeholders that are responsible for the activities, functions, and departments in scope.
  5. Design the most logical, efficient way for your Internal Auditor to investigate these activities, functions, and departments.
  6. Agree workflows, key milestones, reporting formats, and frequencies with The Audit Committee.
  7. Create a resource and time-bound plan to conduct the Internal Audit.

3. What issues may you experience running Internal Audits?

The most common issues are pushback, scope creep and complexity.

Pushback: No one likes being inspected. A common difficulty is the pushback Internal Auditors may get from staff.

This can be solved by senior management clearly communicating the remit that Internal Auditors have so they can carry out their duties.

Scope creep: Another issue may be scope creep where Internal Auditors are tempted to work on issues related, but outside of scope. In these cases, it is important to keep to scheduled tasks, but consider any strong evidence to add newly discovered issues to the scope, while being explicit that the workload will increase.

Complexity: Another difficulty is dealing with complex data. Complexity can mask real risks, and is time consuming to dig through.

There is no shortcut to dealing with complexity but a systematic and robust method to process and interpret large amounts of data is crucial and will preserve your sanity.

4. Do you need Internal Audit software?

If you have one Auditor and the Internal Audit is simple, you can use Excel, or something similar, to manage and track your data and progress.

But Internal Audits become complicated and generate lots of admin very quickly. You may want to consider Internal Audit software if there is more than one Internal Auditor, or the Audit generates a lot of data.

Internal Audit software gives clear structures to design and conduct Audits. There are tools to run Internal Audits such as automations, workflows, communication features, libraries of standards and frameworks, analytical tools, and reporting templates.

All of these help Internal Auditors focus on auditing and spend less time on administrative tasks.

Internal Audit software can also help deal with complexity which, as mentioned, can hide important risks.

You may want to consider other tools such as exploratory, predictive analytics and data visualisation to generate fact-based insights. These mean the leadership team can make conclusions and decisions faster and with more confidence.

You may also want to use technology that allows you to collect and analyse entire data sets rather than data samples. This should lead to more accurate conclusions.

Many companies want to manage all governance, risk, and compliance activities using one integrated platform. In this case you will need to carefully research and select the best GRC software for your organization.


  • Internal audits must focus relentlessly on what is important for the business.
  • List the key objectives of your organization, and understand what can help or hinder these objectives.
  • Be wary of pushback, scope creep and complexity, and consider an Internal Audit software platform if there is more than one Internal Auditor.

If you found this article helpful, you might want to read a detailed Audit software buyer guide here.


The AdaptiveGRC platform offers a variety of modules to help manage GRC activities for your company.

In order to meet your company's specific needs, our team of experienced developers can tailor the required functionalities to deliver exactly what your company needs. If your company requires a customized module to effectively meet its needs, we can help.

Let us fit the best solution for your company. Fill out the form below.

Streamline Your GRC Activities with AdaptiveGRC
Get Results Faster.

  • Fill out the form.
  • Our consultant will work with you to determine what your company needs.
  • We will schedule a product demo to show you the required features.
  • We will gain your feedback and tailor a tool to your needs.
Fill in the form

    The Controller of your personal data is C&F S.A. with its headquarters in Warsaw, Poland. Your data will be processed in accordance with C&F S.A. Privacy Policy


    Read Gartner reviews to find out what users think about our solutions

    One of the best GRC software with very good price

    Adaptive GRC offers a great deal of flexibility in supporting GRC&AUDIT processes. The product is continuously developed and the customer receives new possibilities and functionalities. In addition, the price is very attractive in comparison to competitive products. The support team takes a flexible approach to the customer's needs.

    Sebastian B. CEO | Computer & Network Security

    Comprehensive platform for managing risk and compliance

    I used AdaptiveGRC Compliance and Risk Management modules for more than a year. Implementation went smooth, and the support team was always very helpful. I especially value the functionality AdaptiveGRC offers - all GRC processes can be managed in one tool, and there is a single database. The tool helped my organization lower operating costs and gain a better understanding of risks in the organization.

    Marcin K. Chief Information Security Officer | Financial Services

    Perfect program for compliance control

    It is amazing that thanks to AdaptiveGRC individual assessment management can be shortened from days to minutes. The tool can generate reports for different stakeholders containing only their desired assessment outcome data. I appreciate much the possibility of generating compliance specification lists for supplier contracts or internal departments.

    Jasween K. Compliance Pharmaceuticals

    AdaptiveGRC supports insurance companies in their risk and compliance management processes

    I used AdaptiveGRC to 1. support insurance companies' compliance management processes following a complex industry-specific regulation. 2. I also used AdaptiveGRC to support the process of managing and monitoring data processors as GDPR came into effect. I experienced a significant increase in efficiency in both cases.

    Verified Reviewer Insurance | Self-employed

    What's in a name...

    As the name is representative, AdaptiveGRC is a complete, interconnected GRC solution that can be adapted to organizations across industries and size. The AGRC team did a superb job designing and building a best-in-class GRC solution that addresses the challenges faced in today's uncertain and ever-changing global business climate. Working with the AGRC team has been a pleasure and the support they have provided is exceptional.

    D Scott C. Business Development | Biotechnology

    Financial institutions could benefit greatly from AdaptiveGRC

    I am happy to be able to use AdaptiveGRC in my work. This dedicated solution is very helpful for anyone that has to fill out the SREP questionnaire. The extra time I gained was priceless. The platform's design was also very appealing to me. The fact that it was so simple to use was a major plus for me. Due to its comparison capabilities with past years' forms, I was able to cut down on the amount of time it took to complete the new questionnaire. What is more, I was able to monitor the progress of the people assigned to the process.

    Anna C. Head of Fin Crimes Team | Banking

    Great support for inurance company

    My overall experience has been great. I also liked the layout of the platform. The time and control I gained is invaluable. I like the fact that it was very easy to use. It definitely allowed me to shorten the time I had to spend on filling out the SREP questionnaire. I also could easily control the status of work of my team members, check their progress, and monitor on daily basis.

    Verified Reviewer Insurance

    AdaptiveGRC - Big Player in GRC

    Easy to install and easy to configure. Out of the box solution. Cloud based or Server. AdaptiveGRC is an enterprise governance, risk management and compliance (eGRC) solution set with unique and unequalled capabilities. AdaptiveGRC can be deployed as one fully interconnected solution suite, or you can choose one or more modules.

    Leigh M. National Accounts | Consumer Goods
    This site is registered on as a development site. Switch to a production site key to remove this banner.