Internal Audit Software

Internal audit software for the third line

Internal audit software is the category of tooling that supports the IIA-aligned internal audit lifecycle - annual risk-based audit plan, engagement scoping, fieldwork, finding rating, reporting, and follow-up. This page shows the lifecycle as a BPMN 2.0 process map and covers how to pick a platform that the third line, the second line, and the audit committee can all read.

Jack Finnegan, Founder & CEO, BA Copilot

By Jack Finnegan · Updated 21 May 2026

What it is

What internal audit software actually is

Internal audit software is the category of tooling that supports the internal audit cycle defined by the Institute of Internal Auditors (IIA) in the 2024 Global Internal Audit Standards (the mandatory component of the 2024 IPPF, effective 9 January 2025, superseding the 2017 IPPF). The cycle has four broad phases: annual risk-based audit planning, engagement-level scoping and execution, finding management and reporting, and follow-up on remediation.
Common products in the category include Optro (formerly AuditBoard, rebranded March 2026; US-led, strong on SOX), TeamMate+ (Wolters Kluwer, used by Big 4 and many large internal audit functions), Workiva (broader GRC with internal audit modules), the Diligent One Platform (formerly HighBond; the line originated with ACL Services, which acquired Rsam and rebranded to Galvanize before Diligent acquired it in 2021), and ServiceNow IRM (audit module on the wider Now platform). Smaller functions often run internal audit out of a Confluence + Jira + Excel stack with custom workflows.

The problem today

Audit reports nobody reads, findings nobody follows up

The familiar pattern: an audit engagement produces a 40-page report, finds 12 medium and 3 high findings, hands the report to the audit committee, and tracks remediation in a spreadsheet a junior auditor refreshes monthly. Six months later, half the medium findings are overdue, the spreadsheet has not been opened, and the same root cause shows up again in a separate engagement because the underlying control was never re-tested.
The fix is structural visibility: treat the audit cycle as a process (not a document workflow), show finding ageing and remediation status on a dashboard the audit committee actually opens, and make the engagement reports themselves shorter and clearer by attaching the BPMN control flowchart that proves the team did the walkthrough.

Four pillars

Four pieces of a working internal audit function

Risk-based annual plan

Build the plan against the firm risk universe rather than the legacy rotation. The 2024 Global Internal Audit Standards (effective 9 January 2025) push hard on this - rotation-only plans are no longer defensible.

Engagement execution

Scoping, fieldwork, walkthroughs, control testing, evidence collection. The 2024 Global Internal Audit Standards (Domain V: Performing Internal Audit Services) govern how this work must be performed; the legacy 2017 IPPF Performance Standards (2000-series) covered the same scope.

Finding rating and reporting

A consistent rating scale (high / medium / low - or critical / significant / moderate) plus clear reporting that the audit committee, the second line, and management can all action.

Follow-up and remediation

Track remediation through to closure with evidence. Findings without follow-up are the biggest single weakness regulators flag in IA function reviews.

Process Map

The internal audit lifecycle as a process map

The end-to-end engagement lifecycle, with the critical-finding escalation branch that most diagrams hide in a footnote.

The IIA-aligned internal audit lifecycle rendered as a BPMN 2.0 process. Annual risk-based audit plan, engagement scoping, fieldwork, finding rating, reporting, and follow-up.

  1. Build the annual audit plan against the firm risk universe.
  2. Scope each engagement - objectives, criteria, scope boundaries, fieldwork plan.
  3. Conduct fieldwork: walkthroughs, control testing, sampling, evidence collection.
  4. Rate findings against the rating scale (e.g. high / medium / low or critical / significant / moderate).
  5. If a finding is critical, escalate to the audit committee chair on a short cycle. Otherwise include in the report.
  6. Issue the engagement report and track remediation through follow-up.

What this diagram shows: The lifecycle starts once the annual audit plan is approved. Each engagement is scoped (objectives, criteria, fieldwork plan), then fieldwork runs (walkthroughs, control testing, sampling, evidence). Findings are rated against the scale; the gateway routes critical findings straight to the audit committee chair before report finalisation, while non-critical findings flow directly to the engagement report. After the report, the follow-up task tracks remediation through to closure - the step most informal audit cycles skip and most regulators emphasize.

FAQ

Frequently asked questions

What is internal audit software?

Internal audit software is the category of tooling that supports the IIA-aligned internal audit lifecycle - annual planning, engagement execution, finding management, reporting, and follow-up. Common platforms include Optro (formerly AuditBoard), TeamMate+, Workiva, the Diligent One Platform (formerly HighBond/Galvanize/ACL), and ServiceNow IRM.

What standards govern internal audit?

The Institute of Internal Auditors (IIA) maintains the International Professional Practices Framework (IPPF). The 2024 IPPF, whose mandatory component is the Global Internal Audit Standards, was released on 9 January 2024 and became effective for internal audit functions on 9 January 2025, superseding the 2017 IPPF. The 2024 Standards consolidate the prior Mission, Definition, Core Principles, Code of Ethics, Standards, and Implementation Guidance into a single document organised around 5 domains and 15 principles, and add Topical Requirements for specific risk areas. National regulators layer additional requirements on top - for banks, the Basel Committee's principles on the role of internal audit; for US-listed firms, the audit committee oversight requirements under SEC Rule 10A-3.

How is internal audit different from external audit?

External audit is performed by independent firms (Big 4 or smaller) to give an opinion on the financial statements and (for accelerated filers) on the effectiveness of ICFR. Internal audit is a function inside the firm, reporting to the audit committee, providing assurance over a much broader scope - financial controls, operational controls, IT controls, compliance, fraud, strategic risks. The two coordinate (external audit relies on internal audit work where it can) but the objectives are different.

How does process mapping fit into internal audit?

Process mapping is the artefact that proves the walkthrough was performed and lets the auditee, the audit team, and the audit committee all reason about controls in context. A BPMN diagram of the process under audit - showing the upstream input, the control point, the downstream output - is far easier to use as evidence in fieldwork and as illustration in the report than a 4-page narrative paragraph.

What is the difference between internal audit software and SOX compliance software?

SOX compliance software is the second-line, management-owned platform that runs the annual SOX 404 cycle (scoping, control documentation, testing, deficiencies, assertion). Internal audit software is the third-line, audit-owned platform that runs the broader internal audit lifecycle - including but not limited to SOX testing if that work sits with IA. The same vendors often sell both (Optro, Workiva); the workflows are different.

Does BA Copilot replace Optro / TeamMate / our IA platform?

No - BA Copilot is the modelling layer. It produces and maintains the BPMN process maps for the controls and processes under audit. It does not own the engagement workflow, the finding tracker, or the audit plan. It integrates by exporting BPMN that the IA platform can attach to engagement workpapers.

From the founder

14 Years in BPMN

I'm Jack Finnegan. I've spent fourteen years working hands-on with BPMN, as an analyst, an engineer, and a product director, where I felt every sharp edge of legacy business process platforms.

BA Copilot is the platform I wanted on every one of these projects: AI-first process management, which treats BPMN as a first-class output rather than an export afterthought.

Sources

Sources and verification

Last verified 21 May 2026 by Jack Finnegan.

Verified against: IIA Global Internal Audit Standards (2024)

References cited on this page:

  • IIA Global Internal Audit Standards (2024, effective 9 January 2025)
  • IIA International Professional Practices Framework (IPPF)

Make engagement evidence visible

Open the audit-engagement template, customise it to your finding rating scale, and produce the BPMN process maps that go into engagement workpapers and the final report.