CIA vs. CPA: Roles in Financial Services Auditing

The Certified Internal Auditor (CIA) and Certified Public Accountant (CPA) credentials define two distinct professional tracks within financial services auditing, each governed by separate credentialing bodies, regulatory frameworks, and practice scopes. Understanding the functional boundaries between these roles is essential for financial institutions structuring audit functions, audit committees selecting engagements, and professionals evaluating career pathways. This page examines how the two designations differ in authority, regulatory standing, and operational deployment across financial services contexts.


Definition and scope

The CIA credential is issued by the Institute of Internal Auditors (IIA), the global professional association for internal auditing. The IIA's International Standards for the Professional Practice of Internal Auditing (IPPF) establishes the framework within which CIAs operate. A CIA functions as an employee or contractor of the organization being reviewed — performing internal audits focused on risk management, governance, and operational control effectiveness. The CIA does not issue attestation opinions on financial statements for external regulatory purposes.

The CPA license is issued by individual state boards of accountancy under authority granted by state statute, with national standards coordination managed by the American Institute of Certified Public Accountants (AICPA) and public-company audit standards governed by the Public Company Accounting Oversight Board (PCAOB). Only a licensed CPA firm — not an individual CIA — can issue an independent audit opinion on financial statements as required by the Securities and Exchange Commission (SEC) under the Securities Exchange Act of 1934 and the Sarbanes-Oxley Act of 2002.

The scope distinction is structural: the CIA credential addresses internal assurance and advisory services, while the CPA credential (specifically the CPA engaged in public accounting) addresses external attest services. The financial audit types explained page gives a broader orientation in which the scope differences between internal and external functions become more concrete.


How it works

The two roles operate through different engagement structures, reporting lines, and regulatory mandates.

CIA — Internal Audit Process

  1. Charter and independence: The internal audit function, typically staffed or led by CIAs, operates under a board-approved internal audit charter consistent with IIA Standard 1000. The chief audit executive (CAE) reports functionally to the audit committee.
  2. Risk-based planning: CIAs develop annual audit plans derived from an enterprise risk assessment, prioritizing audit coverage by risk exposure. IIA Standard 2010 requires risk-based planning.
  3. Fieldwork and testing: Internal auditors execute control testing, interview personnel, and review transaction populations using techniques such as sampling and data analytics.
  4. Reporting: Findings are reported to management and the audit committee. Internal audit reports are internal documents — they are not publicly filed or submitted to regulators as attestation.
  5. Follow-up: IIA Standard 2500 requires that internal audit functions establish a process to monitor disposition of reported findings.

CPA — External Audit Process

  1. Engagement acceptance: A CPA firm evaluates independence and accepts an engagement via an engagement letter consistent with AICPA AU-C Section 210 or PCAOB AS 3101 for public companies.
  2. Planning and risk assessment: The external auditor assesses material misstatement risk at the financial statement and assertion levels under Generally Accepted Auditing Standards (GAAS) or PCAOB standards.
  3. Substantive procedures: The CPA firm performs substantive testing of account balances, transactions, and disclosures.
  4. Opinion formation: The external auditor forms an opinion — unqualified, qualified, adverse, or disclaimer — on whether financial statements present fairly in conformity with GAAP. For public companies, PCAOB standards for financial audits govern this step.
  5. Report issuance: The audit report is filed publicly (for SEC registrants via EDGAR) or delivered to the governing body.

The internal vs. external audit differences page expands on how these structural distinctions affect audit committee governance.


Common scenarios

Scenario 1 — Public bank holding company
A bank holding company registered with the SEC must engage a PCAOB-registered CPA firm to audit its annual financial statements under Sarbanes-Oxley Section 404, which also requires the external auditor to attest to management's assessment of internal control over financial reporting (SOX Section 404 audit requirements). Separately, the bank's internal audit department — often CIA-credentialed staff — conducts ongoing operational and compliance audits covering BSA/AML controls, lending compliance, and IT systems.

Scenario 2 — Investment adviser
An SEC-registered investment adviser with custody of client assets is required under Rule 206(4)-2 of the Investment Advisers Act to undergo an annual surprise examination by an independent CPA. The CIA on staff conducts quarterly internal control reviews, but that internal work does not satisfy the regulatory examination requirement.

Scenario 3 — Credit union
Federally chartered credit unions with assets above $500 million are required by the National Credit Union Administration (NCUA) under 12 C.F.R. Part 715 to obtain an annual supervisory committee audit performed by a licensed CPA. CIA-credentialed staff may support internal audit functions but cannot fulfill the NCUA's external audit mandate.

Scenario 4 — Insurance company
State-regulated insurers typically must file annual CPA-audited financial statements with their state insurance department under the NAIC's Annual Financial Reporting Model Regulation (Model #205). CIA staff handle internal operational audits but are not authorized to issue the required statutory financial statement opinion.


Decision boundaries

Selecting between CIA and CPA involvement — or determining which is required — follows a set of regulatory and functional criteria:

| Factor                          | CIA (Internal Audit)                                  | CPA (External Audit)                                         |
|---------------------------------|-------------------------------------------------------|--------------------------------------------------------------|
| Credentialing body              | IIA                                                   | State board of accountancy / AICPA                           |
| Standards framework             | IIA IPPF                                              | GAAS (AICPA) or PCAOB standards                              |
| Reporting relationship          | Reports to audit committee internally                 | Independent of the audited entity                            |
| Regulatory mandate authority    | Not used to satisfy external attestation requirements | Required by SEC, NCUA, FDIC, state insurance regulators      |
| Financial statement opinion     | Cannot issue                                          | Core deliverable                                             |
| Governance/risk/control focus   | Primary function                                      | Secondary (but addressed in ICFR attest)                     |
| Public company applicability    | Supports but does not replace external audit          | Required under SOX and SEC rules                             |

The auditor independence in financial services framework makes clear why CPA firms engaged for external audits cannot simultaneously perform internal audit functions for the same entity without impairing independence under AICPA ET §1.295 and PCAOB Rule 3526.

Financial institutions designing the audit committee's role within their financial services governance structure must account for both tracks: the CIA-led internal audit function provides continuous assurance and risk coverage, while the CPA-led external audit satisfies statutory and regulatory attestation requirements. These are not substitutable roles — they are complementary and, in most regulated financial entity contexts, both are required.

The audit professional certifications financial sector page provides additional detail on credential requirements, examination structures, and continuing education obligations for both tracks.

