While the internal and external audit functions are complementary and may need to work closely together, their purposes and areas of focus differ. The Institute of Internal Auditors (IIA) emphasizes that the two functions do not compete or conflict; rather, they both contribute to effective governance.
Internal auditors take a holistic view of their organization’s governance, risk, and control systems (in other words, primarily non-financial information), while external auditors are either concerned with the accuracy of business accounts and the organization’s financial condition or, in some industries, the organization’s compliance with laws and regulations.
Knowing how external auditing works can help internal auditors better prepare for an audit and make sure their organizational reporting and other documentation meets requirements. It can also provide helpful talking points when explaining internal audit’s function to management, the board, or other stakeholders.
According to the IIA’s Global Perspectives and Insights report on the roles of internal and external audit, there are a number of key differences to recognize:
Extending far beyond just the sphere of financial and compliance controls, internal audit exists to evaluate the organization’s entire risk and control landscape, risk management effectiveness, and ramifications for organizational strategy and performance.
“At its simplest, internal audit identifies the risks that could keep an organization from achieving its goals, alerts leaders to these risks, and proactively recommends improvements to help reduce the risks.”
– The Institute of Internal Auditors
The internal audit function should ideally be improvement-oriented—How can our governance and risk management processes be more effective in managing risk and supporting organizational objectives? External audit has no responsibility to evaluate GRC activities or suggest improvements, other than reporting internal control problems or identifying corrective actions needed to address noncompliance issues that may come up in their audit work.
Internal auditors assess organizational health holistically, determining whether business practices are supporting strategic objectives and identifying risks that could impact those objectives. External auditors, on the other hand, focus on whether the organization’s business accounts accurately and fairly represent its financial performance. Auditors from government or regulatory agencies look for any compliance deficiencies or violations. Internal audit work is forward-looking and proactive; external audits look at past record-keeping or proof of compliance.
The internal audit function is preventative and ongoing, providing insights and suggestions to management encompassing all governance, risk, and control processes, whereas an external financial audit tends to happen annually, or at least once every five years, with a scope limited to financial statements. For compliance audits, the scope is determined by the regulatory body conducting the audit.
Internal audit, as part of its role in providing governance assurance, reports directly to senior management, the board of directors, the audit committee, and/or other groups within the organization’s own governance boundary. External auditors, as part of a wholly independent third party, report to a different audience which may include company members, shareholders, investors, customers, or regulators that are not part of the organization’s internal governance structure.
Internal auditors may come from a variety of professional or academic backgrounds, while external auditors are certified accountants (for financial audits) or compliance professionals or government employees (for compliance audits). In some cases, potential or existing customers may request an audit to verify that an organization is meeting their requirements.
For internal auditing, objective and independent assurance is a key principle, so despite the fact that internal auditors have a vested interest in their organization, they should still be independent from the activities they audit.
How can internal auditors maintain objectivity when they are employees of the organization they’re auditing? IIA guidelines clarify objectivity as “no personal or professional involvement with or allegiance to the area being audited.” This is encouraged by reporting lines to the audit committee and/or senior management or board rather than the business area(s) being audited.
While the purpose, focus, and outcomes of their fieldwork vary, internal and external auditors often share information to avoid duplication and improve audit coverage. External auditors may also choose to leverage internal audit’s wide-ranging understanding of the organization’s risk and control environment. Internal audit departments can pave the way for better communication and coordination by making sure their risk assessments, workpapers, reports, and other documentation are prepared and in an easy-to-use format.
The Quantivate Audit Solution is designed to streamline internal audit management and improve external audit readiness by integrating risk, policy, and issue data in one management system.