Internal auditors and external auditors each play an important role in the governance of an organization. Both groups have mutual interests regarding the effectiveness of internal financial controls, and both adhere to ethical codes and professional standards set by their respective professional bodies. Additionally, both types of auditors operate independently of the activities they audit, and they're expected to have extensive knowledge about the business, industry, and strategic risks faced by the organization they serve. Yet, with all of their similarities, internal auditing and external auditing are two distinct functions that have numerous differences.
The IIA defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." Internal auditors in the public sector place an added emphasis on providing assurance on performance and compliance with policies and procedures. Concerned with all aspects of the organization - both financial and nonfinancial - the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes.
In contrast, external auditing provides an independent opinion of a company's financial statements and fair presentation. This type of auditing encompasses whether the statements conform with Generally Accepted Accounting Principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period of time are represented accurately, and whether the financial statements have been affected materially (i.e., whether they include a misstatement that is likely to influence the economic decisions of financial statement users). External auditing's approach is mainly historical in nature, although some forward-looking improvements may be suggested in the auditors' recommendations to management based on the analysis of controls during a financial statement audit.
These definitions alone pinpoint the key distinctions that separate the two audit approaches. However, internal auditing is much broader and more encompassing than external auditing. Its value resides in the function's ability to look at the underlying operations that drive the financial numbers before those numbers actually hit the books. For instance, when considering "sales" as a line item in a set of financial statements, the external audit focuses primarily on the existence, completeness, accuracy, classification, timing, and posting and summarization of sales numbers. The internal audit goes beyond these assertions and looks at sales operations in a much broader context by asking questions regarding the target market, sales plan, organizational structure of the sales department, qualifications of sales personnel, effectiveness of sales operations, measurement of sales performance, and compliance with sales policies. These questions probe the very core of sales operations and can greatly impact the sales numbers recorded in financial statements. For example, assuming a sales number of US $6 million, the external auditor has merely to render an opinion regarding the validity of that number. The internal auditor, however, is in a position to ask whether the number really should have been US $12 million, if the right market had been targeted, and if operations had been effective in the first place.
Internal auditors represent an integral part of the organization - their primary clients are management and the board. Although historically internal auditors have reported to the chief financial officer or other senior management staff, the trend today is for internal auditing to report directly to the audit committee, which helps strengthen auditor independence and objectivity. Most internal audit functions follow this reporting relationship, which is consistent with The IIA's Standard 1110 on organizational independence.
The chief audit executive's (CAE's) appointment is normally meant to be permanent, unless he or she resigns or is dismissed. In some quasi and intergovernmental organizations, CAEs are given tenured positions - five-year appointments, for example - to enhance independence.
Conversely, external auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and by their main client, the board of directors. External auditors are appointed by the board, and they submit an annual report to the company's shareholders. The appointment is meant to extend for a specified time - external auditors can be re-appointed at the company's annual general meeting. In some jurisdictions, there are limits on an external auditor's length of service, often five or seven years.
Mandatory Versus Voluntary
In general, internal audit functions are not mandatory for organizations. Instead, their installment is left up to individual organizations' discretion. Recent legislation, however, has made internal auditing mandatory in some cases. Companies listed on the New York Stock Exchange must have an internal audit function, whether in-house or outsourced. Also, effective January 2008, listed issuers on Bursa Malaysia, the exchange holding company in Malaysia, must have an internal audit function reporting directly to the audit committee.
An external audit is legally required for many companies, particularly those listed on a public exchange. External audits of some government agencies are also legislated, requiring government auditors to submit the audit report to their respective legislature.
Qualified and Knowledgeable
The necessary qualifications for an internal auditor rest solely on the judgment of the employer. Although internal auditors are often qualified as accountants, some are qualified engineers, sales personnel, production engineers, and management personnel who have moved through the ranks of the organization with a sound knowledge of its operations and have garnered experience that makes them aptly qualified to perform internal auditing. However, more and more internal auditors currently hold The IIA's Certified Internal Auditor designation, which demonstrates competency and professionalism in the field of internal auditing. Because of their continuous investigation into all of the organization's operating systems, internal auditors who remain in the same organization for many years eventually should have a comprehensive and current knowledge of the organization and its operations.
External auditors are required to understand errors and irregularities, assess risk of occurrence, design audits to provide reasonable assurance of material detection, and report on such findings. In most countries, auditors of public companies must be members of a body of professional accountants recognized by law - for example, the Institute of Chartered Accountants in England and Wales, Institute of Chartered Accountants of Barbados, American Institute of Certified Public Accountants, or Canadian Institute of Chartered Accountants. Because external auditors' scope of work is narrowly focused on financial statement auditing, and they come into the organization only once or twice a year, their knowledge of the organization's operations is unlikely to be as extensive as that of the internal auditors.
Evolution of Auditing
Business growth, globalization, and corporate scandals have changed the thrust of the internal audit profession in recent years. In its early years, internal auditing focused on protection-oriented objectives and emphasized compliance with accounting and operational procedures, verification of calculation accuracy, fraud detection, and protection of assets. Gradually, new dimensions were added that ranged from an evaluation of financial and compliance risks to an assessment of business risks and corporate governance. These changes have increased the gap between the disciplines of internal and external auditing.
Yet, despite their differences, internal auditing and external auditing no longer work in competition, as was the case before the U.S. Sarbanes-Oxley Act of 2002 was enacted, when a company's external auditors would sometimes compete with in-house audit departments for internal audit work. Regulations like Sarbanes-Oxley now prohibit the external auditor from providing internal audit services to the same company.
Today, internal and external auditors can benefit from their complementary skills, areas of expertise, and perspectives. They should meet periodically to discuss common interests, strive to understand each other's scope of work and methods, discuss audit coverage and scheduling to minimize redundancies, jointly assess areas of risk, and provide access to each other's reports, programs, and workpapers. In fulfilling its oversight responsibilities for assurance, the board also should require internal and external auditors to coordinate their audit work to increase the economy, efficiency, and effectiveness of the overall audit process.
A Common Purpose
Despite some similarities, a world of difference exists between internal auditing and external auditing. Nonetheless, both audit types, and the respective services they provide, are essential to maintaining an effective governance structure. With a greater understanding of each other's unique perspective, the two audit groups can maximize their aggregate contribution and help ensure organizational success.