My understanding is that all internal audits are supposed to be done based on a risk-based plan. What are the risks to the organization? If they identify procurement under $25,000 as a high-risk area, they should be doing internal audits in that area.
On December 1st, 2009. See this statement in context.