Internal Audit Procedure Free Template
Here is the complete Internal Audit Procedure document (PRC-ALL-003), aligned with SOC 2 Trust Services Criteria CC4.1 and CC4.2, ISO/IEC 27001:2022 clause 9.2 (Internal audit), and Annex A controls A.5.35 and A.5.36:

1. Document Control
| Field | Value |
|---|---|
| Document Title | Internal Audit Procedure |
| Document Identifier | PRC-ALL-003 |
| Version Number | v1.0 |
| Approval Date | <24 June 2025> |
| Effective Date | <24 June 2025> |
| Review Date | <24 June 2026> |
| Document Owner | <Head of Internal Audit> |
| Approved By | <Audit and Risk Committee> |
2. Purpose
The purpose of this Internal Audit Procedure is to define the method and requirements for conducting independent and objective evaluations of <Organization Name>'s internal controls, risk management practices, and compliance with policies, procedures, and applicable standards. Internal audits are a key mechanism for verifying that governance is effective, identifying control weaknesses, and supporting continuous improvement across business and IT functions.
This procedure supports SOC 2 Trust Services Criteria CC4.1 (ongoing and separate evaluations of whether internal control components are present and functioning) and CC4.2 (timely evaluation and communication of control deficiencies to those responsible for corrective action, including management and the board). It also implements ISO/IEC 27001:2022 clause 9.2 (Internal audit) and aligns with Annex A controls A.5.35 (Independent review of information security) and A.5.36 (Compliance with policies, rules and standards for information security).
3. Scope
This procedure applies to all departments, business units, IT systems, and processes subject to internal controls at <Organization Name>. It covers corporate governance, finance, operations, information security, privacy, and compliance-related functions.
All employees, contractors, and service providers involved in business operations may be subject to audit review. This procedure also governs readiness audits performed in preparation for SOC 2, ISO/IEC 27001, ISO 9001, and other compliance certifications.
4. Policy Statement
<Organization Name> shall maintain a formal, risk-based internal audit program that satisfies the following requirements:
Independence: Ensures internal audit staff are organizationally independent of the operations they review.
Planning: Establishes an annual audit plan based on risk assessments, business priorities, and compliance requirements.
Execution: Uses documented procedures and standardized templates for conducting audit engagements.
Documentation: Maintains comprehensive audit records, including working papers, findings, and evidence.
Reporting: Issues formal audit reports to management and the Audit and Risk Committee, including observations, risk ratings, and corrective actions.
Follow-up: Tracks remediation of findings through closure and revalidation testing.
Continuous Improvement: Updates audit practices based on industry standards, feedback, and regulatory developments.
All business units must cooperate fully with audit requests and provide timely access to systems, personnel, and documentation.
5. Safeguards
| Control ID | Safeguard Description |
|---|---|
AUD-01 | An annual risk-based audit plan is approved by the Audit and Risk Committee. |
AUD-02 | Auditors are not assigned to review processes where they have operational responsibilities. |
AUD-03 | Each audit follows a standardized engagement lifecycle (Planning → Fieldwork → Reporting → Follow-up). |
AUD-04 | Audit findings are assigned risk ratings (e.g., Low, Medium, High, Critical) and corrective action owners. |
AUD-05 | A central Audit Tracker logs all findings, due dates, and resolution status. |
| AUD-06 | All supporting audit evidence (working papers, samples, screenshots, logs) is retained in a secure, access-controlled repository for at least 3 years. |
| AUD-07 | Progress on unresolved findings is reviewed monthly against due dates and escalated if overdue. |
| AUD-08 | All High or Critical findings and repeat findings are escalated to the Audit and Risk Committee and, where appropriate, the Board. |
6. Roles and Responsibilities
Head of Internal Audit: Manages the audit function, sets annual objectives, and reports to executive leadership.
Internal Auditors: Plan, execute, and document audit engagements in accordance with internal methodologies.
Audit and Risk Committee: Approves the audit plan, receives audit reports, and oversees corrective actions.
Process Owners: Collaborate with auditors, respond to findings, and implement corrective measures.
Information Security Team: Assists with audits of technical controls, logs, and risk mitigations.
Legal/Compliance Teams: Review audit findings for legal or regulatory implications and support enforcement.
7. Compliance and Exceptions
Compliance with this procedure is monitored through the completion of the annual audit plan, tracking of findings, and adherence to remediation timelines. Audits are themselves subject to quality assurance reviews and periodic external assessments.
Exceptions to the internal audit scope or schedule must be formally documented and approved by the Head of Internal Audit and, where applicable, reported to the Audit and Risk Committee with justification.
8. Enforcement
Failure to cooperate with internal audits or to remediate confirmed findings within the agreed timelines may result in escalation to executive management. Repeated non-compliance may trigger disciplinary action for employees, up to and including access restrictions or termination of employment.
Vendors and third parties found in violation of contractual audit requirements may face financial penalties or termination of the business relationship.
9. Related Policies/Documents
POL-ALL-016: Internal Audit Charter
PRC-ALL-001: Risk Assessment Procedure
PRC-ALL-004: Corrective and Preventive Action Procedure
SOC 2 Trust Services Criteria: CC4.1, CC4.2
ISO/IEC 27001:2022: clause 9.2 (Internal audit); Annex A controls A.5.35, A.5.36
Audit Plan Template
Audit Tracker and Issue Log
Evidence Collection Checklist
10. Review and Maintenance
This procedure shall be reviewed annually or upon significant changes to audit strategy, governance structure, or applicable regulatory requirements. The Head of Internal Audit is responsible for coordinating updates and version control.
