LR-301e · Module 2

Internal Audit Methodology

An internal audit follows the same methodology an external auditor would use — select a sample of obligations, request evidence, evaluate the evidence against the requirement, and report findings. The difference is that internal audit findings cost a remediation project. External audit findings cost a remediation project plus a formal finding, potential penalties, and reputational impact. The internal audit is the cheaper version of the same exercise.

Do This

  • Sample across all obligation categories — a biased sample misses gaps in unchecked categories
  • Time the evidence retrieval — if retrieval takes more than 24 hours, the repository or the organization is not ready for an external audit
  • Document findings with the same rigor as an external auditor — internal findings that are vague cannot be remediated precisely

Avoid This

  • Sample only the obligations you are confident about — the purpose is to find gaps, not to confirm strengths
  • Accept verbal explanations as evidence — if it is not documented, it does not exist for audit purposes
  • Conduct internal audits without follow-up — findings without remediation are wasted effort