Internal audit is one of the most powerful tools available to Malaysian organisations — yet many companies treat it as a tick-box exercise rather than a value-creating function. Whether you are an SME preparing for your first structured audit or a listed company looking to sharpen your internal audit process, this checklist will give you a clear, actionable framework.
This guide follows the internationally recognised Institute of Internal Auditors (IIA) Standards, adapted for the Malaysian regulatory environment under Bursa Malaysia Listing Requirements and the Companies Act 2016.
Who is this for? This checklist is designed for Audit Committees, CFOs, Internal Audit Managers, and business owners in Malaysia who want to run a structured, credible internal audit process — whether in-house or through a co-sourced arrangement.
Phase 1 — Audit Planning
Good audits are built on good planning. The planning phase determines the scope, risk focus, and resource allocation for the entire engagement. Rushing this phase is the single most common reason audits fail to deliver value.
Audit Planning Checklist
- Obtain and review the organisation's latest Risk Register or Enterprise Risk Assessment
- Identify the audit universe — all auditable entities, processes, and business units
- Develop a risk-based Annual Audit Plan approved by the Audit Committee
- Define the audit scope, objectives, and key risks for each engagement
- Prepare and issue an Engagement Letter or Audit Notification to management
- Allocate audit resources — team members, budget, and timeline
- Conduct a preliminary review: prior audit reports, policies, SOPs, org charts
- Identify key stakeholders and schedule opening meeting with auditee management
- Prepare audit programme with specific audit steps and testing procedures
Phase 2 — Fieldwork & Testing
Fieldwork is where auditors gather evidence to support their conclusions. This phase requires a structured approach to data collection, interviews, observation, and document review. The quality of your fieldwork directly determines the quality of your findings.
Fieldwork Checklist
- Conduct opening conference with auditee — confirm scope, timeline, and logistics
- Request and obtain all required documentation (contracts, invoices, approvals, etc.)
- Interview relevant personnel — process owners, department heads, front-line staff
- Walk through key business processes to understand actual operations vs documented procedures
- Perform substantive testing — sample transactions for compliance and accuracy
- Conduct control testing — verify that key controls are designed and operating effectively
- Document all audit evidence in working papers with clear cross-referencing
- Identify and document observations, exceptions, and potential findings
- Obtain management's initial response or explanation for each finding
- Evaluate materiality and risk rating for each finding (High / Medium / Low)
Phase 3 — Audit Reporting
The audit report is the primary deliverable — it communicates your findings, conclusions, and recommendations to management and the Audit Committee. In Malaysia, listed companies are required to disclose audit committee activities in their Annual Reports, so the quality and completeness of internal audit reporting directly affects public accountability.
Reporting Checklist
- Draft the audit report with executive summary, findings, root cause analysis, and recommendations
- Assign a risk rating to each finding — consistent with the organisation's risk appetite
- Issue draft report to auditee management for review and factual confirmation
- Obtain management's action plans with responsible owners and target completion dates
- Conduct closing conference to discuss findings and agreed action plans
- Finalise and issue the audit report to the Audit Committee and relevant stakeholders
- Ensure report complies with IIA Standards — objective, clear, concise, and timely
- Maintain audit report in the audit management system or secure repository
Phase 4 — Follow-Up & Monitoring
Many organisations conduct audits but neglect the follow-up. This is a critical failure — findings that are not tracked and resolved create recurring risks and weaken the credibility of the internal audit function. A robust follow-up process is what distinguishes a mature audit function from a compliance exercise.
Follow-Up Checklist
- Establish a tracking system for all open audit findings and agreed action plans
- Send reminders to process owners as target completion dates approach
- Verify implementation of corrective actions — do not accept self-reporting alone
- Escalate overdue or unresolved high-risk findings to the Audit Committee
- Conduct periodic status updates (e.g., quarterly) to the Audit Committee
- Close findings only after sufficient evidence of implementation is obtained
- Track repeat findings — recurring issues indicate systemic control weaknesses
Common Internal Audit Mistakes in Malaysian Companies
Over 15 years of auditing across multiple industries, these are the most common pitfalls I have encountered:
- Audit plan not aligned to risk — Auditing low-risk areas annually while high-risk processes are never reviewed.
- Insufficient audit independence — Internal auditors reporting to the CFO or CEO instead of directly to the Audit Committee.
- Poor documentation of findings — Observations without root cause analysis, criteria, or impact assessment make reports weak and unactionable.
- No follow-up process — Findings are issued but never tracked, resulting in the same issues recurring year after year.
- Treating audit as a compliance exercise — Internal audit should add value, not just check boxes. Audit insights should feed into strategic decision-making.
- Inadequate audit coverage — Not rotating audit areas across the audit universe means large areas of risk go unexamined for years.
Important note for listed companies: Under Bursa Malaysia's Listing Requirements, the Audit Committee must meet at least 4 times per year and the Annual Report must include a summary of internal audit activities. If your internal audit function is not providing substantive, risk-based coverage, this is a governance gap that regulators and institutional investors will notice.
When Should You Consider Outsourcing or Co-Sourcing Internal Audit?
Not every Malaysian company can afford a full in-house internal audit team. Co-sourcing — where you bring in an external expert to supplement your existing team or manage the entire function — is increasingly popular among mid-size companies, family-owned businesses, and organisations expanding into new regions.
Consider engaging an external internal audit consultant if your organisation:
- Does not have a dedicated internal auditor and needs audit coverage for the Audit Committee
- Is expanding operations into new countries (ASEAN, Middle East, Europe) and needs regional audit capability
- Has received a qualified opinion or repeat findings from external auditors
- Is preparing for a listing on Bursa Malaysia and needs to establish an internal audit function
- Needs specialised expertise for a specific audit — such as a governance review, ESG audit, or financial investigation