Internal Audit in Switzerland: Definition, Tasks & Goals Explained

Internal audit is one of the most effective tools a company has for staying in control of its own operations. By independently reviewing processes, risks, and controls from within, it gives management a clear, unfiltered view of what is working, and what isn’t.

This article explains what internal audit is, how it differs from the statutory external audit required under Swiss law, what the legal obligations are for Swiss companies, and how SMEs can put internal audit to practical use.

What is internal audit, and how does it differ from external audit?

Internal audit is an independent function within an organisation that assesses the effectiveness of risk management, internal controls, and governance processes. Its purpose is to help the organisation achieve its objectives by identifying weaknesses and recommending improvements before they become costly problems.

This is fundamentally different from the external statutory audit (Revisionsstelle), which is performed by a licensed third-party auditor and focused primarily on whether the financial statements comply with Swiss law. The external auditor reports to shareholders; internal audit reports to management and the board.

The Institute of Internal Auditors (IIA), which globally represents more than 260,000 members and has awarded over 200,000 Certified Internal Auditor (CIA) certifications, defines internal auditing as an “independent, objective assurance and advisory service designed to add value and improve an organisation’s operations,” In practice, this means helping the organisation accomplish its objectives by systematically evaluating its governance, risk management, and control processes.

IIA Switzerland (SVIR) represents the profession locally, with around 3,000 members and over 160 leading companies, and mandates adherence to international standards for all its members.A practical way to draw the distinction: external audit asks whether the numbers are right. Internal audit asks whether the processes are right, and what risks the organisation is not yet seeing.

Is internal audit legally required in Switzerland?

In Switzerland, the legal audit obligation (Revisionspflicht) applies to external statutory audits, not to the internal audit function itself.

Under Art. 727 of the Swiss Code of Obligations (OR), companies must appoint an external auditor if they exceed two of the following three thresholds in two consecutive financial years: total assets of CHF 20 million, annual revenue of CHF 40 million, or 250 full-time employees on average. These companies require an ordinary audit (ordentliche Revision).

Under Art. 727a OR, companies that do not meet those thresholds are subject to a limited audit (eingeschränkte Revision). Companies with fewer than 10 full-time employees on an annual average may opt out of the limited audit entirely with unanimous shareholder consent (the so-called “opting out”). 

Given that nearly 90% of Swiss companies are micro-enterprises with fewer than 10 employees, according to the Federal Statistical Office (FSO), this exemption applies to the vast majority. In fact, the audit rate for Swiss AGs and GmbHs has dropped from around 64% in 2005 to less than 20% today, largely as a result of opting out.

The internal audit function itself is not legally mandated for most Swiss companies. The only exception applies to entities regulated by the Swiss Financial Market Supervisory Authority (FINMA) (e.g., banks, insurers, and securities dealers), who are required by FINMA circulars to maintain an internal audit function. FINMA Circular 2017/1 “Corporate Governance – Banks”, for example, explicitly states that every institution must establish an internal audit function reporting to the board or its audit committee.

For non-regulated companies, the requirement is implicit rather than explicit. Under Art. 728a OR, the external auditor conducting an ordinary audit must examine the existence and effectiveness of the company’s internal control system (ICS). Above a certain size, having structured internal controls is therefore a de facto requirement, and building them proactively is much easier than constructing them under regulatory pressure.The Swiss Code of Best Practice for Corporate Governance, published by Economiesuisse, explicitly recommends the establishment of an internal audit function for publicly listed and economically significant Swiss companies, reporting to the audit committee or the chairman of the board of directors.

What are the core tasks of internal audit?

Internal audit covers four main areas: risk management, internal controls, compliance, and operational performance.

In practice, this means reviewing whether risk identification processes are working and whether the organisation actually responds to the risks it identifies. It means testing whether financial controls are preventing errors and fraud.

It also means checking whether the company is meeting its legal and regulatory obligations under Swiss law. And finally, evaluating whether processes are operating efficiently, or whether there are gaps costing the business time and money.

Internal audit activities are commonly categorised as: financial auditing (finances and accounting), operational auditing (personnel, IT, and core processes), management auditing (oversight of executive management), and compliance auditing (adherence to laws and regulations).

What are the goals of internal audit?

The overarching goal of internal audit is to give leadership the information they need to govern well.

A well-functioning internal audit function gives management and the board confidence that controls are working, material risks are being managed, and the company is operating within its own policies and external legal requirements. It identifies issues before they escalate and creates a feedback loop for continuous operational improvement.

For Swiss SMEs specifically, this translates into concrete outcomes: fewer costly accounting errors, better compliance with the Swiss Data Protection Act (DSG), improved financial reporting quality, and the operational discipline needed to scale safely.

What are the key principles of internal audit?

The IIA’s Global Internal Audit Standards (released in January 2024 and effective from 9 January 2025) organise the profession around 15 guiding principles across five domains. These replace the former framework (the 2017 IPPF) and represent the current benchmark for internal audit practice in Switzerland and internationally.

Since their release, the standards have been translated into 25 languages and downloaded nearly 600,000 times, according to the IIA; a clear sign of the profession’s global reach and the standards’ practical importance.

The principles most relevant to day-to-day internal audit practice are:

• Independence and objectivity: Auditors must remain free from management influence over their findings
• Integrity: The function must be conducted with honesty and professional discipline
• Competence: Auditors must have the knowledge and skills to assess what they review
• Risk-based approach: Audit activity should be prioritised by risk severity, not routine or tradition
• Effective communication: Findings must be reported clearly and lead to action

IIA Switzerland mandates conformance with these standards for all its members.

Who conducts internal audit and what are they not allowed to do?

In larger organisations, internal audit is run by a dedicated in-house function led by a Chief Audit Executive (CAE), who reports directly to the board or audit committee. In practice, dedicated internal audit departments typically appear in Swiss companies with roughly 500 to 1,000 or more employees.

In smaller organisations, the function is more often outsourced or co-sourced; meaning an external specialist handles audit activities, either independently or alongside internal staff.

One requirement is non-negotiable: independence. Internal auditors cannot review processes or activities they are themselves responsible for. They must have direct access to the board, and their findings must not be filtered or suppressed by management.

There are also clear limits on what internal audit can do. It cannot make management decisions or authorise transactions, as doing so would undermine its independence. It cannot guarantee that no fraud or error exists; it provides reasonable assurance within the scope of each review. And it is not a substitute for the external statutory auditor; the two functions are complementary, not interchangeable.

How does the internal audit process work?

Internal audit follows a four-phase cycle, whether applied as a one-off engagement or as part of an annual audit plan.

1. Planning: The auditor defines scope and objectives, conducts a preliminary risk assessment, and agrees on the approach with management. Effective planning ensures effort is concentrated where risk is highest.
2. Fieldwork: Evidence is gathered through document review, interviews, data analysis, and control testing. This is where control weaknesses and operational gaps are identified and verified. Modern audit practice increasingly uses data analytics to review entire transaction populations rather than relying on sampling alone, leading to more reliable findings.
3. Reporting: Findings are documented in an audit report with clear recommendations for corrective action. Management responds by agreeing with findings, proposing remediation steps, and committing to timelines.
4. Follow-up: The auditor revisits agreed actions to verify they have been implemented. Without follow-up, audit reports generate recommendations that are filed and rarely acted on.

A professional audit engagement typically includes an entrance meeting with management before fieldwork begins and an exit meeting to align on findings before the final report is issued. This keeps management informed throughout and reduces the risk of surprises.

How should Swiss SMEs approach internal audit?

Most Swiss SMEs do not need a full-time internal audit department. With over 624,000 SMEs in Switzerland making up 99.7% of all companies, according to the Federal Statistical Office, the vast majority operate at a scale where formal internal audit would be disproportionate.What these companies do need is regular, focused oversight that catches problems early without adding unnecessary cost or complexity.

What matters more than formal audits is having the right systems and controls in place from the start. This includes clean bookkeeping processes, proper segregation of duties where possible, and a reliable accounting partner who can spot errors and flag risks as part of their ongoing work.

For companies approaching the ordinary audit thresholds under Art. 727 OR, building internal controls before those thresholds are crossed is a pragmatic step. By the time an ordinary audit is required, a functioning internal control system should already be in place, not something constructed under regulatory pressure.

The IIA’s current standards also recognise the needs of smaller functions, providing specific guidance for small internal audit teams and public sector organisations. This makes the standards relevant even for SMEs that are just beginning to formalise their oversight structures.

For more on how Swiss SMEs can structure their financial oversight and reporting, see Nexova’s guide to accounting solutions for Swiss SMEs and our overview of GmbH-specific accounting and audit requirements.