Many organisations want to conduct internal audits but don't know where to start. An audit checklist or template provides structure. Rather than beginning from scratch, you can adapt existing templates to your specific circumstances, adjust them for your risks, and have a clear process for what needs to be checked.
Building an effective audit function doesn't require massive investment. It does require clear documentation of what's being checked, why it's being checked, and how results are being recorded.
What Audit Checklists Should Include
A good audit checklist is specific to what you're auditing. A checklist for inventory control includes different items than a checklist for IT security. But all checklists share common characteristics. They specify exactly what's being tested. Rather than vague items like "Check controls", a checklist says "Review bank reconciliation for the last three months and verify that reconciliations were completed within five business days of month end".
They indicate what evidence you're looking for. Are you looking for a report? An email? A documented approval? Knowing what constitutes evidence prevents ambiguity.
They document findings in a consistent way. When you find something that doesn't match the expectation, you record it the same way every time. This makes it easier to spot patterns and trends.
They identify when issues are significant enough to report. Not every minor variance requires escalation. A checklist indicates which findings must always be reported, which can be recorded and monitored, and which are minor.
Sample Audit Checklists by Area
Financial Controls Audit Checklist
A financial controls checklist typically covers transaction processing, reconciliations, and approvals. Items might include: Are purchases over the approval limit being approved at the appropriate level? Do bank reconciliations happen monthly and are variances investigated? Is access to the general ledger restricted to appropriate staff? Are journal entries reviewed and approved before posting? Do expense reports match receipts?
IT Security Audit Checklist
IT controls are particularly important now. Items might include: Is access to systems logged and reviewed regularly? When staff leave, is their access revoked promptly? Are system patches applied within the organisation's specified timeframe? Are backups tested regularly? Are passwords changed regularly and do they meet complexity requirements?
Payroll Audit Checklist
Payroll controls are critical because they involve cash and legal obligations. Items might include: Are timesheets properly approved by management before payroll processing? Are pay rates matched to authorised employment documentation? Are deductions correctly calculated? Are statutory filings being completed on time? Are payroll records kept for the required period?
Inventory Audit Checklist
Inventory checklists focus on physical security and record accuracy. Items might include: How frequently is physical inventory counted? Are discrepancies between records and physical counts investigated? Who has access to store inventory? Are obsolete items identified and written off? Are inventory records reconciled to the general ledger monthly?
How to Use Templates Effectively
Starting with a template is fine. But you must customise it for your organisation. A retail template won't work unchanged for a professional services firm. You need to modify the checklist to reflect your specific risks.
Review checklists annually. If you discover that a checklist item never reveals anything, consider whether it's still needed. If you encounter issues that your checklist should have caught but didn't, add items to catch similar issues in future.
Use checklists to train new auditors. A consistent checklist means that two different people will conduct audits the same way. This improves reliability and comparability across time.
Document your findings. When you complete an audit checklist, you're creating a record that demonstrates you conducted the audit. This record is valuable if questions arise later about whether the organisation was managing risks appropriately.
Building Audit Documentation
Audit documentation isn't just the checklist. It also includes the evidence you gathered, your conclusions about what the evidence means, and any findings or recommendations.
Evidence might be a reconciliation report, an email showing approval, a screenshot showing system access, or a physical observation. Whatever you gather, keep it or document it. This creates an audit trail.
Conclusions are your professional judgment about whether the control is working. Just because you see an approval doesn't mean the approval was proper. Did the person have authority? Was the timing appropriate? Did they actually review what they were approving?
Findings are issues where controls didn't work as expected. A finding might be: "Payments above the £5,000 approval limit were being paid without proper approval. In the sample of 20 payments over £5,000, 3 were paid with only one approval when the policy requires two." This specific finding is more useful than "Approval controls are weak."
Recommendations are your suggestions for improving controls. Recommendations should be practical and consider the organisation's constraints. Recommending an expensive system change when a procedural adjustment would work is not helpful.
Using Technology
Many organisations use spreadsheets to manage audit checklists. This is fine for small organisations. As audit volume grows, spreadsheets become unmanageable.
Audit software tools can help manage large audit programmes. However, the software is a tool. The real work is designing meaningful checklists, conducting thorough testing, and forming professional judgments about what the evidence means.
Some organisations use simple document templates that staff populate during audits, then store the completed documents in a shared drive. This creates an audit trail without requiring software investment.
Getting Started
If your organisation has never conducted internal audits, start simple. Pick an area where you have concerns or where failure would have a significant impact. Create a basic checklist of things you want to verify. Conduct the audit. Document what you found. Use what you learn to improve the checklist for next time.
Many organisations are surprised by how straightforward auditing is once they have a clear checklist. The main barrier isn't complexity. It's simply starting.
