LR-201b · Module 3
The Internal Audit Practice
The best way to prepare for an external audit is to audit yourself first. Internal audits are rehearsals — they find the gaps before someone with enforcement authority finds them. The cost of discovering a compliance gap internally is a remediation project. The cost of discovering it in an external audit is a remediation project plus a finding, plus potential penalties, plus reputational impact.
- Quarterly Compliance Review: Walk the compliance matrix row by row. For each obligation: is the control operating? Is the evidence current? Is the owner actively maintaining it? Four times a year, ninety minutes per session. That is the total time investment for a practice that prevents most external audit surprises.
- Annual Mock Audit: Once a year, simulate an external audit. Pull a sample of obligations. Request the evidence. Time the retrieval. Can you produce every artifact within 24 hours? If not, the gap is either in the evidence chain or in the organization of your repository. Fix it before a real auditor finds it.
- Remediation Tracking: Every gap found in an internal audit gets a remediation plan: specific action, specific owner, specific deadline. Track remediation to completion. A gap found and not fixed is worse than a gap never found — it demonstrates awareness without action, which auditors view as negligence rather than oversight.
Do This
- Conduct quarterly compliance matrix reviews — ninety minutes that prevent months of remediation
- Run an annual mock audit with evidence retrieval timing — test the system under pressure
- Track every identified gap to remediation completion with owner and deadline
Avoid This
- Wait for an external audit to discover your compliance gaps
- Conduct internal reviews without remediation tracking — identifying problems without fixing them is worse than ignorance
- Treat internal audits as paperwork — they are the early warning system for your compliance program