Internal audit is fundamentally about asking whether a department is aware of its risks, whether it's aware of the extent to which its risks are controlled, and whether the verification of those controls is working. Audits can be oriented towards cost savings, but more often they're oriented towards whether risks are being mitigated. They are often preventative. They're not primarily or exclusively focused on cost savings.
That's why we recommend that audits be based on a risk-based audit plan. In other words, focus first on whether current controls are necessary and effective. There are other mechanisms that are equally suited--and in some cases better suited--to pursue other kinds of questions, but control is really a focal point for an audit.