As a consultant, I review internal audit departments at multiple financial services organizations each year while conducting Quality Assurance Reviews. While my goal for these reviews is to help the internal audit function become more efficient and effective, I also focus on providing reasonable assurance that the departments are following the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, which provide guidance for how to run an audit shop.
In many recent reviews, I’ve noticed an increase in the number of financial institutions that don’t fully understand the difference between internal audit and quality control. Internal auditors need to understand the differences between these two essential functions and ensure that they are separated appropriately. While the two terms are sometimes erroneously used interchangeably, they have significant differences that can impact roles in the organization.
What Is Internal Audit, Exactly?
Let’s start by clearly defining Internal Audit. The Institute of Internal Auditors (IIA) defines internal audit as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Internal audit involves evaluating and testing an organization’s financial, operational, and compliance risks and controls. Internal auditors provide recommendations to management for corrective action to improve the organization’s performance. The scope of internal audit covers all aspects of the organization’s operations, including financial reporting, information technology, human resources, and operations.
The department ideally reports functionally to the audit committee and administratively to a member of senior management, typically the CEO. Its main objective is to provide reasonable assurance that the organization’s controls are effective and risks are appropriately managed.