Internal vs. External Audit: Key Differences

The distinction between internal and external audit functions shapes how financial institutions manage risk, satisfy regulators, and maintain stakeholder confidence. Both functions examine organizational processes and financial records, but they differ fundamentally in mandate, independence standards, reporting lines, and legal authority. Understanding these differences is essential for boards, audit committees, compliance officers, and finance professionals operating under US regulatory frameworks.

Definition and scope

Internal audit is an independent, objective assurance and consulting activity established within an organization. The Institute of Internal Auditors (IIA) defines internal auditing as a function designed to add value and improve operations by evaluating and improving the effectiveness of risk management, control, and governance processes (IIA International Professional Practices Framework, 2017). Internal auditors are employees of the organization — or contractors engaged by it — and report functionally to the audit committee while reporting administratively to senior management.

External audit is an independent examination of an organization's financial statements conducted by a licensed certified public accountant (CPA) or CPA firm that has no employment relationship with the audited entity. The primary output is an audit opinion on whether financial statements are presented fairly in conformity with Generally Accepted Accounting Principles (GAAP), as established by the Financial Accounting Standards Board (FASB). For public companies, external auditors are registered with and inspected by the Public Company Accounting Oversight Board (PCAOB), created under the Sarbanes-Oxley Act of 2002.

Scope boundaries differ significantly:

  1. Internal audit scope — Defined by the audit committee and management; may cover financial controls, operational efficiency, IT systems, compliance programs, fraud risk, and strategic risk.
  2. External audit scope — Defined by auditing standards and regulatory requirements; focused primarily on financial statement assertions and, for public companies subject to Sarbanes-Oxley Section 404, the effectiveness of internal control over financial reporting (ICFR).
  3. Regulatory audit scope — Separate from both; conducted by agencies such as the FDIC, Federal Reserve, OCC, or CFPB, these are examinations rather than audits in the traditional sense (see Bank Examination vs. Financial Audit).

How it works

Internal audit process

The IIA's Standards describe a cyclical process anchored in a risk-based audit plan approved by the audit committee:

  1. Risk assessment — Internal auditors identify and prioritize risks across business units, assigning audit resources proportionally to risk exposure.
  2. Audit planning — Individual engagements are scoped, staffing is assigned, and objectives are documented in an engagement plan.
  3. Fieldwork — Auditors test controls, interview staff, review documentation, and gather evidence against defined criteria.
  4. Reporting — Findings, root causes, and recommendations are communicated to management and the audit committee. Management prepares a formal response with remediation commitments (see Audit Findings and Management Response).
  5. Follow-up — Internal audit tracks whether management has implemented corrective actions within agreed timelines.

External audit process

External auditors follow Generally Accepted Auditing Standards (GAAS) issued by the AICPA for non-issuers (private companies and other entities not registered with the SEC), or PCAOB Standards for public company (issuer) engagements:

  1. Engagement acceptance — The auditor assesses independence, client risk, and engagement terms, formalized in an engagement letter.
  2. Planning and risk assessment — Auditors identify material misstatement risks and design audit procedures responsive to those risks.
  3. Internal control evaluation — The auditor assesses the design and operating effectiveness of controls relevant to financial reporting.
  4. Substantive testing — Auditors test account balances and transactions using sampling, analytical procedures, and confirmations.
  5. Completion and opinion — The auditor issues one of four opinion types — unqualified, qualified, adverse, or disclaimer — in a standardized report (see Audit Report Types in Financial Services).

A key structural difference: internal audit reports flow to management and the audit committee, while external audit reports are addressed to shareholders and, for regulated entities, filed with regulators such as the SEC under reporting requirements.

Common scenarios

Public companies — Required by the SEC to include audited financial statements in annual Form 10-K filings. Accelerated and large accelerated filers (generally those with a public float of $75 million or more, subject to the revenue-based exclusion for smaller reporting companies that the SEC adopted in 2020) must also include the external auditor's attestation on ICFR under Sarbanes-Oxley Section 404(b) (SEC, 17 CFR Part 240); other filers still provide management's own ICFR assessment under Section 404(a). Internal audit teams at these firms typically number 5 to 50 professionals depending on company size, and their work often informs — but does not replace — the external auditor's procedures.

Banks and depository institutions — Institutions with $500 million or more in total assets are subject to the Federal Deposit Insurance Corporation Improvement Act (FDICIA) annual audit and reporting requirements, which mandate external audits performed by independent public accountants (FDIC, 12 CFR Part 363); institutions with $1 billion or more in total assets must additionally provide management's assessment of ICFR and the auditor's attestation on it. Internal audit functions at FDIC-supervised institutions are evaluated during safety-and-soundness examinations. Additional detail on FDIC audit requirements for banks is covered separately.

Investment advisers and funds — Registered investment advisers that have custody of client funds or securities must, under the Custody Rule (17 CFR §275.206(4)-2), either undergo an annual surprise examination by an independent public accountant or, for pooled investment vehicles, deliver audited financial statements to investors within 120 days of fiscal year end. Hedge funds, private equity funds, and mutual funds each carry distinct audit obligations reviewed under the investment adviser audit obligations framework.

Broker-dealers — SEC Rule 17a-5 (17 CFR §240.17a-5) requires every registered broker-dealer to file annual financial reports audited by an independent public accountant registered with the PCAOB; firms that carry customer accounts also file a compliance report covering their internal controls over customer protection, while others file an exemption report. FINRA, as the designated examining authority, reviews those filings and examines the firm's supporting controls. See FINRA audit obligations for broker-dealers for the full framework.

Decision boundaries

The central classification question is whether a given audit engagement serves the organization's own governance needs (internal) or satisfies an external mandate to third parties (external). Four criteria reliably separate the two:

  1. Independence standard: internal audit requires organizational independence (no operational authority over the areas it audits); external audit requires legal independence (no financial or employment relationship with the client; AICPA ET §1.200; PCAOB Rule 3520).
  2. Reporting obligation: internal audit reports to the audit committee and management; external audit reports to shareholders, regulators, and creditors.
  3. Governing standards: internal audit follows the IIA Standards (IPPF); external audit follows GAAS (AICPA) or PCAOB Standards.
  4. Legal enforceability: internal audit rests on internal policy and the board-approved charter; external audit is a statutory requirement (Securities Exchange Act §10A; FDICIA §112).

A common source of confusion involves reliance: external auditors may rely on internal audit work under PCAOB AS 2605 and AICPA AU-C Section 610, but only after evaluating the internal audit function's competence and objectivity. This reliance does not transfer responsibility — the external auditor retains full accountability for the opinion issued.

Auditor independence rules create hard boundaries that prevent internal auditors from assuming external auditor roles for their own employers, and prevent external auditors from performing management functions that would impair their objectivity. The audit committee serves as the structural bridge between both functions, overseeing the internal audit charter and appointing the external auditor.

Organizations navigating the full landscape of financial audit types must account for both functions as complementary rather than substitutable: internal audit provides continuous, risk-responsive coverage year-round, while external audit provides a periodic, opinion-level assurance event tied to financial reporting cycles.
