
How to Conduct An Internal Audit in 10 Steps (2026 Guide)

Learn how to conduct an internal audit in Switzerland with 10 clear steps to assess risks, controls, compliance, and reporting.


Introduction

An internal audit helps a company test whether its processes, controls, records, and compliance practices work as intended. It is not just a box-ticking exercise. It is one of the most practical tools a business has to catch problems early, reduce risk, and build confidence in its own operations.
In Switzerland, internal audit is especially valuable for companies that need stronger governance, accurate financial reporting, and solid audit readiness. For larger companies subject to an ordinary audit, Swiss law goes further. Under the Swiss Code of Obligations, the statutory auditor is required to review the existence of an internal control system. Companies that exceed two of the following thresholds over two successive financial years fall under ordinary audit rules: CHF 20 million balance sheet total, CHF 40 million in sales revenue, or 250 full-time positions.
Even for companies below those thresholds, a well-run internal audit process signals maturity, reduces exposure, and prepares the business for growth or external scrutiny.
This guide walks you through how to conduct an internal audit in 10 clear, practical steps — built for Swiss SMEs, international companies operating in Switzerland, and finance teams preparing for their next review.

What Is an Internal Audit?

An internal audit is a structured review of how a business manages risk, controls its operations, protects its assets, follows rules, and reports financial information. If you want to understand how to conduct an internal audit, you first need to understand what it is designed to check:
  • Business processes
  • Roles and responsibilities
  • Internal control systems
  • Documentation
  • Approval flows
  • IT systems and access rights
  • Compliance procedures
  • Decision-making processes
Think of it as a health check for your business. It shows what works, what does not, and where risks may be hidden.

Internal Audit vs External Audit

Internal audits and external audits are often confused. They serve different purposes.
| | Internal Audit | External Audit |
|---|---|---|
| Main purpose | Improve internal processes and reduce risk | Give an independent opinion on financial statements |
| Clients | Companies | Shareholders, regulators, lenders, and third parties |
| Scope | Processes, controls, risks, systems, and compliance | Mainly financial statements and accounting records |
| Timing | Can be done regularly during the year | Usually done after the financial year ends |
| Outcome | Findings, recommendations, and improvement actions | Audit opinion or audit report |

The differences between an internal audit and external audit
A strong internal audit process can also prepare a company for an external audit. It helps identify control gaps, missing documents, or reporting issues before the external auditor reviews them.

Internal Audit vs Internal Control

Internal audit and internal control are closely related, but they are not the same.
Internal controls are the rules, procedures, and safeguards a company uses to manage risk and ensure accurate reporting.
Internal audit checks whether those controls work in practice. For example, a company’s internal control system may include:
  • Purchase approval limits
  • Invoice verification steps
  • Payroll authorization controls
  • Restricted system access rights
  • VAT review procedures
  • Segregation of duties between recording and approval tasks
The internal audit tests whether employees follow these controls. It also checks whether the controls are strong enough to prevent errors, detect fraud, and support reliable reporting.

Internal Audit Examples for a Swiss SME

To make this concrete, here are common internal audit scenarios for a Swiss SME:
  • A 30-person company in Geneva reviews its payroll process to confirm that salary changes are properly authorized and that social contribution calculations are correct.
  • A trading company audits its supplier payment process to check for duplicate invoices, missing approvals, and payments to unauthorized vendors.
  • A professional services firm reviews its VAT declarations to ensure the correct rates are applied and that all supporting documentation is in order before the next filing deadline.
  • A holding company prepares for its ordinary statutory audit by reviewing its internal control system documentation and testing key financial controls in advance.
  • A tech startup audits its accounting software access rights to ensure that only authorized users can post entries, approve payments, or export financial data.

Swiss Audit Requirements

Switzerland follows a tiered audit system under the Swiss Code of Obligations. The type of audit a company needs depends mainly on its size, legal status, and shareholder requirements.
For businesses learning how to conduct an internal audit, these rules matter because they define how strong the company’s documentation, controls, and financial review processes need to be.

Ordinary Audit

An ordinary audit is required when a company exceeds two of the following three thresholds over two consecutive financial years:
| Criterion | Threshold |
|---|---|
| Balance sheet total | CHF 20 million |
| Annual sales revenue | CHF 40 million |
| Full-time equivalent employees | 250 |

Sample of an ordinary audit
Under an ordinary audit, the statutory auditor must review the existence and functioning of the company’s internal control system. This makes a documented and tested control framework essential, not optional.
In practice, companies subject to ordinary audit should be able to show:
  • Clear financial approval procedures
  • Documented accounting and reporting controls
  • Defined roles and responsibilities
  • Evidence that key controls are tested
  • Records that support major transactions and decisions

Limited Audit

Companies that do not meet the ordinary audit thresholds are generally subject to a limited audit.
A limited audit is a lighter review. It focuses on whether the financial statements appear plausible, mainly through management inquiries, analytical procedures, and selected checks. It does not involve the same level of control testing as an ordinary audit.
Companies with fewer than 10 full-time employees may waive the limited audit if all shareholders agree. This is known as opting out.

Internal Control System in Switzerland

Swiss law does not prescribe one specific internal control system framework. However, companies subject to an ordinary audit must show that an internal control system exists and works in practice.
This means the company should have:
  • Written control procedures
  • Clear responsibility owners
  • Approval and review steps
  • Proper segregation of duties
  • Access controls for financial systems
  • Evidence of regular checks or testing
  • Documentation that supports audit trails
A weak or undocumented internal control system can create problems during an ordinary audit. It can also expose the business to reporting errors, fraud risks, tax issues, and operational gaps.
Fiduciaire Genevoise supports Swiss companies in building, reviewing, and improving internal control systems. Its expert team provides clear consultation and instruction about documentation and processes to ensure the company’s compliance.

Benefits of an Internal Audit for Businesses

A well-executed internal audit delivers real, measurable value. Here is what Swiss companies consistently gain from the process:
  • Early risk detection: Identify control gaps, process weaknesses, and compliance issues before they become costly problems.
  • Stronger financial controls: Improve the accuracy and reliability of financial reporting, reducing the risk of errors or misstatements.
  • Audit readiness: Companies that run regular internal audits are far better prepared for statutory audits, investor due diligence, or regulatory reviews.
  • Better corporate governance: A structured audit process supports board oversight, management accountability, and transparent decision-making.
  • Swiss compliance confidence: Regular audits help companies stay aligned with Swiss VAT rules, employment law, data protection requirements, and sector-specific regulations.
  • Process improvement: Beyond compliance, internal audits often surface inefficiencies, duplicated work, and outdated procedures that cost time and money.
  • Fraud prevention: Segregation of duties, access controls, and regular reconciliations — all tested through internal audit — are among the most effective fraud deterrents available to SMEs.

How to Conduct An Internal Audit in 10 Steps

Here is a practical, step-by-step internal audit process you can apply to any department, function, or risk area in your Swiss company.

Step 1. Define the Audit Objective

Every internal audit should start with a clear purpose. Without a defined objective, the audit loses focus and the findings become hard to act on. Common audit objectives include:
  • Review financial controls and reporting accuracy
  • Check VAT or payroll compliance
  • Assess purchasing and procurement procedures
  • Review cash flow controls and bank reconciliation
  • Prepare for a statutory audit or external review
  • Test cybersecurity controls and data access rights
  • Improve governance reporting and board documentation

Step 2. Set the Audit Scope

The scope defines which department, time period, process, entity, or risk area will be reviewed. A focused scope produces sharper findings. Trying to audit everything at once usually produces nothing useful. Common scope areas include:
  • Accounting and bookkeeping
  • Sales invoicing and revenue recognition
  • Supplier payments and procurement
  • Payroll and HR records
  • VAT declarations and tax filings
  • Internal approvals and authorization workflows
  • Inventory management
  • Bank reconciliation
  • Compliance documentation and regulatory filings

Step 3. Identify Key Risks

Risk assessment is the backbone of a risk-based internal audit. Before you start testing, you need to know where the real exposure is. Common risks to assess include:
  • Incorrect or incomplete financial statements
  • Missing or unmatched invoices
  • Late or incorrect tax filings
  • Unauthorized payments or expense claims
  • Weak or missing approval processes
  • Poor documentation and missing audit trails
  • Overreliance on a single employee for critical tasks
  • Non-compliance with Swiss regulations or sector-specific rules
In 2026, internal audit priorities are shifting. Deloitte Switzerland highlights agentic AI governance as a major emerging topic. Companies are now expected to audit how AI tools make decisions, access data, and interact with financial systems. Other rising priorities include technology risk, geopolitical exposure, regulatory change, and operational resilience. A modern internal audit plan should reflect these realities alongside traditional financial and compliance risks.

Step 4. Review Existing Internal Controls

Before testing, map out what controls already exist. For each process in scope, ask:
  • Who approves transactions?
  • Who records them in the system?
  • Who reconciles the accounts?
  • Who reviews management reports?
  • Are duties properly separated between different people?
  • Are system access rights limited to what each role actually needs?
  • Are exceptions and overrides documented and reviewed?
This mapping exercise often reveals controls that exist on paper but are not followed in practice — one of the most common findings in Swiss SME audits.

Step 5. Build an Internal Audit Checklist

A structured internal audit checklist keeps the process consistent and ensures nothing is missed. Each item in your checklist should capture:
  • Process owner
  • Key documents required
  • Control objective
  • Risk level (high, medium, low)
  • Control activity description
  • Testing method
  • Sample size
  • Evidence required
  • Findings
  • Recommended action
  • Responsible person and deadline

Step 6. Collect Audit Evidence

Audit evidence is the factual basis for every finding. Without it, findings are just opinions. Common types of audit evidence include:
  • Invoices and purchase orders
  • Contracts and agreements
  • Bank statements and payment confirmations
  • Payroll files and employment contracts
  • VAT returns and supporting schedules
  • Board minutes and shareholder resolutions
  • System logs and access records
  • Approval records and authorization trails
  • Reconciliation reports and accounting exports

Step 7. Test the Controls

Testing is where you verify whether the controls actually work. You do not need to test everything — focus on high-risk areas and key controls. Common audit procedures include:
  • Walkthroughs: Follow a transaction from start to finish to understand the process end-to-end.
  • Interviews: Ask process owners how controls work in practice, not just on paper.
  • Document review: Check that required documents exist, are complete, and are properly authorized.
  • Sample testing: Select a representative sample of transactions and test each one against the control criteria.
  • Reperformance: Independently redo a calculation or reconciliation to verify the result.
  • Reconciliation: Compare two sets of records to identify discrepancies.
  • Exception testing: Look specifically for transactions that fall outside normal parameters — unusual amounts, timing, or approvers.

Step 8. Document Findings Clearly

Every finding needs to be documented in a way that management can understand and act on. A well-written audit finding includes:
  • What was reviewed
  • What went wrong or what gap was identified
  • Why it matters (the risk or impact)
  • Risk level: high, medium, or low
  • Supporting evidence
  • Root cause (why did this happen?)
  • Recommended fix or corrective action

Step 9. Prepare the Internal Audit Report

The internal audit report is the main deliverable. It should be clear, practical, and useful for management — not a dense technical document that sits unread. A well-structured report includes:
  • Executive summary
  • Scope and objective
  • Methodology
  • Key risks identified
  • Findings by priority (high, medium, low)
  • Recommendations
  • Management response
  • Action plan with owners and deadlines
  • Follow-up date

Step 10. Follow Up on Corrective Actions

An internal audit only creates real value if the company acts on the findings. The follow-up phase is where most of the actual improvement happens — and where many companies fall short. To close the loop effectively:
  • Assign a named owner to each corrective action
  • Set realistic but firm deadlines
  • Track progress against the corrective action plan
  • Retest key controls after remediation to confirm the fix worked
  • Report unresolved high-risk findings to management or the board
A corrective action plan that is tracked and closed is the difference between an audit that improves the business and one that just produces a report.

An Ultimate Checklist for A Good Internal Audit

Use this checklist as a starting point for your internal audit process. For Swiss companies, it should be adapted to your canton, industry, company size, and legal structure — a Geneva-based SA subject to ordinary audit has different priorities than a Zurich-based GmbH with 15 employees.
| Area | Key Check | Risk Level | Evidence Required |
|---|---|---|---|
| Audit objective | Is the purpose clearly defined? | High | Audit mandate or planning document |
| Scope | Are the boundaries documented? | High | Scope statement |
| Risk assessment | Are key risks identified and rated? | High | Risk register |
| Internal controls | Are controls mapped per process? | High | Control matrix |
| Financial controls | Are approvals and reconciliations in place? | High | Approval records, bank reconciliations |
| VAT management | Are VAT rates and filings correct? | High | VAT returns, invoices |
| Payroll controls | Are salaries authorized and social contributions correct? | High | Payroll files, employment contracts |
| Swiss accounting | Does bookkeeping comply with Swiss CO standards? | Medium | Trial balance, accounting exports |
| Segregation of duties | Are roles properly separated? | High | Org chart, access rights review |
| Audit evidence | Is evidence collected and filed? | High | Document repository |
| Findings documentation | Are findings clear and risk-rated? | High | Findings log |
| Audit report | Is the report complete and shared with management? | High | Final audit report |
| Corrective actions | Are owners and deadlines assigned? | High | Corrective action plan |
| Follow-up | Have actions been completed and retested? | Medium | Follow-up testing records |

Internal Audit Checklist for Swiss Companies

Which Areas Should Swiss Companies Audit First?

Not all audit areas carry the same risk. For Swiss companies, these seven areas consistently deliver the highest value when audited first.

1. Accounting and Financial Reporting

Start here. Financial reporting accuracy is the foundation of everything else. Focus on account reconciliations, the month-end and year-end closing process, account documentation, and the completeness of journal entries. Errors here affect tax filings, statutory audits, and management decisions.

2. VAT and Tax Compliance

Swiss VAT compliance is a high-risk area for many SMEs. Review whether the correct VAT rates are applied to each revenue stream, whether declarations are filed on time, and whether all supporting documentation is retained. Tax risks — including late filings, incorrect deductions, and missing records — can result in penalties and interest charges. A solid understanding of VAT in Switzerland is essential before auditing this area.

3. Payroll and HR Processes

Payroll is one of the largest expense lines for most companies and one of the most sensitive. Audit employment contracts, payroll records, social contribution calculations (AHV, IV, ALV), authorization of salary changes, and the confidentiality of HR data. Payroll errors can trigger labor law issues, tax penalties, and employee disputes. To avoid mistakes and severe legal penalties, you should have a checklist for payroll management and audits.

4. Procurement and Supplier Payments

Procurement fraud and payment errors are common in companies without strong controls. Review supplier onboarding procedures, payment authorization workflows, duplicate invoice checks, and the segregation of duties between the person who approves a supplier and the person who processes the payment. This is a high-fraud-risk area in any size of business.

5. Sales and Revenue Controls

Revenue integrity matters for financial reporting, tax compliance, and investor confidence. Audit invoicing procedures, revenue recognition policies, credit note approvals, collection processes, and the completeness of customer records. Particular attention should be paid to cut-off — whether revenue is recorded in the correct period.

6. Data, Access, and Digital Processes

Digital controls are increasingly critical. Review who has access to your accounting software, ERP, or financial systems. Check whether user rights are appropriate for each role, whether system changes are logged and reviewed, whether backups are performed and tested, and whether cybersecurity policies are in place and followed. In 2026, this area also includes AI tool governance — how AI systems access, process, and act on company data.

7. Governance and Decision-Making

Governance controls are often overlooked in SME audits, but are essential for companies subject to ordinary audit or preparing for investor scrutiny. Review board minutes, shareholder resolutions, delegation of authority frameworks, and internal policy documentation. Gaps here can create legal exposure and undermine the credibility of financial reporting.

When Should You Work With an External Audit Partner?

Many Swiss SMEs do not have a dedicated internal audit function. This is common, but it does not mean internal audit is out of reach. Working with an external fiduciary or audit partner gives your business access to a structured methodology, independent judgment, and practical experience across different industries — without the cost of hiring a full-time internal auditor.
This support can help you identify control gaps, improve documentation, and prepare more confidently for Swiss audit requirements. For more guidance, read our guide on how to find reliable Swiss fiduciary and auditing services.
Consider working with an external audit partner when:
  • You are preparing for a statutory ordinary audit and need to document your internal control system
  • You have identified control gaps, but lack the internal resources to investigate them properly
  • You are going through a period of rapid growth, restructuring, or M&A activity
  • You need an independent review of financial controls, compliance practices, or governance documentation
  • You want to build a repeatable internal audit process from scratch
External audit partners oversee and direct the activities of an audit team.

How Fiduciaire Genevoise Can Help Businesses

Fiduciaire Genevoise helps businesses prepare for internal audits with clear accounting, compliance, and control support. The goal is to make the audit process easier, more structured, and less stressful.
The team can help you:
  • Review your internal control system
  • Identify gaps in accounting or documentation
  • Prepare financial records before an audit
  • Check VAT, payroll, and reporting processes
  • Clarify roles and approval procedures
  • Improve weak or missing controls
This support is especially useful for companies subject to Swiss audit requirements, where clear documentation and functioning controls are essential.
With practical guidance, its local experts help businesses strengthen their financial processes, reduce compliance risks, and stay better prepared for future audits.

Enhance Your Company's Financial Performance

Fiduciaire Genevoise answers your questions and offers solutions tailored to your needs and financial challenges. Our team ensures your compliance with Swiss regulations.

Conclusion

Internal audit helps Swiss companies understand whether their processes, controls, and compliance practices are actually working. The best approach is straightforward: define the scope, assess the risks, test the controls, document the findings, and follow up on real improvements.
Whether you are running your first internal audit or building a more structured program, the 10 steps in this guide give you a practical framework to start from. Adapt it to your company's size, industry, and legal structure — and revisit it regularly as your business grows.
Need support with internal audit, internal controls, or audit readiness in Switzerland? Contact our Geneva-based team to discuss your audit and control needs.

Élodie Rochat
