Relevance of 5 C’s in Internal Audit
Make your internal audit reports clear, concise, and actionable what internal audit is and how it works to support smooth operations and effective goal attainment. The 5 Cs of Internal Audit help communicate findings, their root causes, potential impacts, and practical recommendations for improvement.
5 Cs of Internal Audit
- Criteria
- Condition
- Cause
- Consequence
- Corrective Action
Criteria
Sets the standard or benchmark against which the subject of the audit is evaluated. Criteria may be policies, procedures, regulations, contract terms, or internal targets that serve as the reference point. It addresses the following questions:
- What standard or requirement applies to the area reviewed?
- Is the audit connected to a future external audit or certification?
- Who requested the audit, and
- Why was this area selected for review at this time?
What to capture: the exact reference (policy code/section, regulation, contract clause, or target) that defines the expectation.
Condition
Describes the current state observed during the audit against the established criteria. It is a factual account of what is happening or has occurred. It addresses the following questions:
- How is the issue related to a company target or expectation?
- Was a policy broken, a benchmark unmet, or a requirement not satisfied?
- Is there evidence that an issue exists, or is there confidence that no issue is present?
What to capture: where and how often it occurred (counts, samples, dates, locations) without interpretation.
Cause
Identifies the underlying reason(s) that contributed to the observed condition. Understanding the cause helps address root issues rather than symptoms. It addresses the following questions:
- Why did the issue arise?
- Who was involved, which process step failed, and how could the issue have been avoided?
What to capture: a validated root cause (process design, training, system rule/configuration, or segregation‑of‑duties gap) supported by evidence.
Consequence:
Explains the impact or potential repercussions of the condition. This helps assess significance and risk. It addresses the following questions:
- What is the outcome of the problem?
- Are impacts limited internally, or are there potential external consequences?
- What are the financial implications of the issue?
What to capture: impact in business terms (financial exposure, compliance risk, operational delay, customer effect) to frame priority.
Corrective Action
Outlines recommended steps to address and prevent recurrence of the issue. It focuses on practical remediation and verification. It addresses the following questions:
- What can the company do to fix the problem?
- What specific steps will management take to resolve the issue, and
- What type of monitoring or review will confirm the fix is effective after implementation?
What to capture: the action, responsible owner, due date, and how completion will be verified (re‑test, exception trend, or sign‑off).
Example
- Criteria: high‑value purchases require dual approval per company policy.
- Condition: a recent sample showed some high‑value purchase orders with only one approval.
- Cause: a workflow change removed the second approval step without a compensating control.
- Consequence: increased risk of unauthorized spend and non‑compliance.
- Corrective Action: reinstate the second approval step; assign ownership; confirm closure through a short period of exception monitoring and sign‑off.