Skip to main content
AFSL 222640 · Global Mutual Funds Pty Ltd
Auditor
{"internal audit"
"ASX corporate governance"
"ASIC INFO 221"

Internal Audit Function for ASX-Listed Companies in Australia: A 2026 Governance Guide

Understand when Australian companies need an internal audit function, what ASIC INFO 221 requires, and how to ensure independence and quality in 2026.

MyMoney® Editorial5 July 2026 8 min read

For Australian listed companies and large proprietary entities, the internal audit function has moved from a governance nicety to a boardroom imperative. With ASIC sharpening its focus on audit quality and the ASX Corporate Governance Council reinforcing its "if not, why not" disclosure framework, understanding what an internal audit function does — and when your organisation needs one — is essential for directors, audit committee members, and CFOs in 2026.

Understanding the Internal Audit Function

An internal audit function provides independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. Unlike external auditors, who focus on the truth and fairness of financial statements, internal auditors examine the full breadth of an organisation's risk management, internal controls, and governance processes.

The function operates within the widely adopted "Three Lines of Defence" model. Management forms the first line, risk and compliance functions the second, and internal audit the third — providing the board and audit committee with an independent view of whether the first two lines are working effectively.

In Australia, the primary regulatory guidance for internal audit comes from ASIC's Information Sheet 221 (INFO 221), which assists directors and audit committees in deciding whether to establish an internal audit function and how to maintain its quality and independence.

Who Needs an Internal Audit Function in Australia?

There is no universal statutory requirement under the Corporations Act 2001 for all Australian companies to maintain an internal audit function. However, the obligation varies significantly depending on company type and listing status.

ASX-Listed Entities

Under the ASX Corporate Governance Principles and Recommendations (4th Edition), listed entities are subject to an "if not, why not" disclosure requirement. If a listed company does not have an internal audit function, it must explain why and describe how it manages, evaluates, and continually improves its risk management and internal control processes in the absence of one.

For entities in the S&P/ASX 300 Index, ASX Listing Rule 12.7 mandates the existence of an audit committee. This committee must have at least three members, all non-executive directors, with a majority being independent and an independent chair who is not the board chair.

APRA-Regulated Entities

Banks, insurers, and superannuation funds regulated by the Australian Prudential Regulation Authority (APRA) face more prescriptive requirements. APRA's Prudential Standard CPS 510 requires that APRA-regulated entities maintain an internal audit function that is independent of management and reports directly to the board or its audit committee.

Large Proprietary Companies

Large proprietary companies — those meeting at least two of the thresholds of $50 million or more in consolidated revenue, $25 million or more in gross assets, or 100 or more employees — must prepare and lodge audited financial reports with ASIC. While not mandated to have an internal audit function, many do so as a matter of good governance and risk management.

Key Features of an Effective Internal Audit Function

Whether you are establishing an internal audit function for the first time or reviewing an existing one, several characteristics distinguish high-quality internal audit from a compliance checkbox exercise.

  • Independence from management — The internal audit function must report directly to the audit committee, not to the CEO or CFO. This reporting line is fundamental to objectivity and is emphasised in both ASIC INFO 221 and APRA's prudential standards.
  • Unfettered access — Internal auditors must have unrestricted access to all business lines, support functions, records, and personnel. Any limitation on access undermines the function's effectiveness.
  • Risk-based audit planning — The annual audit plan should be driven by a rigorous risk assessment, not by historical habit. Emerging risks such as cybersecurity, artificial intelligence governance, and sustainability reporting should feature prominently in 2026 plans.
  • Qualified and experienced staff — Internal auditors should hold relevant qualifications such as the Certified Internal Auditor (CIA) designation from the Institute of Internal Auditors (IIA), or equivalent professional credentials.
  • Quality assurance and improvement program — ASIC INFO 221 recommends that organisations maintain a quality assurance program, including periodic external reviews of the internal audit function, to ensure it meets professional standards.
  • Clear charter and mandate — The internal audit charter, approved by the audit committee, should define the function's purpose, authority, scope, and responsibilities. It should be reviewed annually.

Common Mistakes and Red Flags

Many organisations establish an internal audit function in name only, without the structural independence or resources needed to make it effective. Boards and audit committees should be alert to the following warning signs.

  • Reporting to management, not the board — If the chief audit executive reports to the CFO or CEO rather than the audit committee, independence is compromised from the outset.
  • Insufficient resourcing — An underfunded internal audit function cannot cover the organisation's key risks. The audit committee should review the budget to ensure it is adequate and not subject to management interference.
  • Conflict of interest with external auditors — ASIC INFO 221 explicitly cautions that the external auditor should generally not also provide internal audit services to the same entity. This dual role creates a conflict of interest that can undermine both functions.
  • Audit plans that never change — A static audit plan that revisits the same low-risk areas year after year is a sign that the function is not genuinely risk-based. Plans should evolve as the organisation's risk profile changes.
  • Findings that are never actioned — Internal audit adds value only when its findings lead to genuine improvement. Audit committees should track management's response to findings and escalate unresolved issues.
  • Scope limitations imposed by management — Any attempt by management to restrict the scope of an internal audit engagement should be reported to the audit committee immediately.

Australian Regulatory Context

The regulatory landscape for internal audit in Australia is shaped by several overlapping frameworks, each with different levels of prescription.

ASIC's primary focus in 2026–27 is on financial reporting quality and external audit surveillance. ASIC has announced it will review 25 audit files during the year, selecting from listed companies, registrable superannuation entities, and managed investment schemes. While this focuses on external audit, the quality of internal controls — which internal audit helps maintain — directly affects the risk of material misstatement in financial reports.

The ASX Corporate Governance Council's Principles and Recommendations provide the governance framework for listed entities. Recommendation 7.3 specifically addresses the internal audit function, requiring listed entities to disclose whether they have one and, if not, to explain their alternative arrangements.

APRA's Prudential Standard CPS 510 (Governance) sets binding requirements for APRA-regulated entities, including the independence and direct board reporting line of the internal audit function. APRA also conducts supervisory reviews of internal audit quality as part of its broader prudential supervision activities.

The Institute of Internal Auditors Australia (IIA Australia) provides professional standards and guidance through the International Standards for the Professional Practice of Internal Auditing, which are widely adopted as the benchmark for internal audit quality in Australia.

Insourced vs Outsourced Internal Audit: What to Consider

Australian organisations have three main options for delivering internal audit services: a fully in-house team, a fully outsourced arrangement with a specialist firm, or a co-sourced model combining both.

  • In-house teams offer deep organisational knowledge and continuity, but can be costly to maintain and may develop blind spots over time.
  • Outsourced arrangements provide access to specialist expertise and fresh perspectives, and are often more cost-effective for smaller organisations. However, they require careful management to ensure the provider develops sufficient organisational understanding.
  • Co-sourced models are increasingly popular, combining a small in-house team for continuity with specialist external resources for complex or technical audit areas such as IT audit, cybersecurity, or sustainability assurance.

Regardless of the delivery model, the audit committee must retain oversight and the internal audit function must maintain its independence from management.

Questions to Ask When Reviewing Your Internal Audit Function

Boards and audit committees should regularly assess the effectiveness of their internal audit function. The following questions provide a practical starting point.

  1. Does the chief audit executive have a direct and unfettered reporting line to the audit committee?
  2. Is the annual audit plan genuinely risk-based and updated to reflect emerging risks?
  3. Does the internal audit function have sufficient resources — budget, staff, and technology — to execute its plan?
  4. Are internal audit findings tracked to resolution, and are unresolved issues escalated appropriately?
  5. Has the internal audit function undergone an external quality assessment in the past five years?
  6. Is there a clear, board-approved charter that defines the function's mandate and authority?
  7. Does the function cover non-financial risks, including cybersecurity, data governance, and sustainability?

How MyMoney® Can Help

Whether your organisation is establishing an internal audit function for the first time, reviewing an existing arrangement, or seeking specialist audit expertise for a specific engagement, connecting with a qualified auditor is the critical first step.

MyMoney® makes it simple to find experienced, credentialled auditors who understand the Australian regulatory environment — from ASX governance requirements to APRA prudential standards and ASIC compliance obligations.

Post a Brief on MyMoney® to describe your internal audit needs and receive competitive proposals from qualified audit professionals. Or Browse Auditors to explore profiles and find the right specialist for your organisation.

This article provides general information only and does not constitute personal financial advice. Consider whether the information is appropriate for individual circumstances before acting on it. MyMoney® Marketplace is operated by Global Mutual Funds Pty Ltd (ABN 20 090 555 436, AFSL 222640).

Need Professional Help?

Post a brief and let verified professionals compete with transparent, scored proposals.