Internal audits play an important role in risk mitigation, security governance, and information assurance in an organization. This research presents a processual model to conceptualize the audit function in an organization by addressing three fundamental questions about internal audits: what, why and how? The proposed model suggests that internal audits are an integral part of overall security governance and thus of an information assurance program in an organization.