I was asked in a meeting the other day about the difference between external auditing and internal auditing. It reminded me of the time when I made the switch from external auditing to internal auditing. At the time, I had hoped there was a book I could read that would lay out the differences for me. I’m sure there is such a book out there, but I haven’t found it. Now, having some years under my belt as an internal auditor (at this point in my career I actually have more internal audit experience than external audit experience), here is what I will say. I will give you the ‘PC’ answer! (Just kidding, for all my external auditor friends!)
Let’s start with the similarities.
-Regardless of the type of audit, the starting point is always the objectives and goals of the organization.
-The next consideration is ‘What is the risk to achieving objectives?’
-The auditor (both internal and external) is going to plan the audit effort around the areas that pose the largest risk to achievement of objectives.
-There are various organizational objectives but one of them will always be reliable financial reporting including financial statements. Other objectives fall in the categories of strategic, operations and compliance, which we will discuss in more detail below.
-The different types of risk typically correspond to the objective categories: strategic risk, operational risk, compliance risk and financial statement risk. We will also discuss these in more detail below.
The overall audit thought process for both types of auditors is similar.
-Once risks are identified, they are first viewed as inherent risks, i.e. the risks that would exist in an uncontrolled environment.
-Then the controls that would help mitigate each risk are identified and tested.
-Once controls are identified and tested, auditors assess whether the existing controls are sufficient and effective to mitigate the risk.
-The risk that still exists in a controlled environment is known as residual risk. The auditor’s responsibility is to make a judgment on the significance of these residual risks and to communicate it to management.
-Ultimately it is management who decides whether to accept the residual risks. There can be situations when the auditors and the board do not agree on the significance of the residual risks.
Let’s now talk about differences.
I guess the first and most obvious difference is in the name: external vs. internal. External auditors are ‘external’ to the organization, i.e. not employees. Internal auditors are typically internal to the organization, i.e. employees. However, there is such a thing as outsourced internal audit services, whereby the types of services typical of an internal audit department are performed by third parties.
The types of work performed by external vs. internal auditors differ. The differences are primarily in the type of objective and the type of risk assessed by the auditors.
-The type of risk that is addressed by external auditors is financial statement risk. As noted in the generally accepted auditing standards (GAAS), the external financial statement audit is performed to obtain reasonable assurance about whether the financial statements are free of material misstatement.
-The external auditor is primarily interested in the objective of reliable financial reporting, specifically the external financial statements. The audit objectives for the financial statements (the management assertions being tested) typically fall into the following categories: existence, completeness, presentation and disclosure, rights and obligations, and valuation. In the US, the standard for financial statement reporting is generally accepted accounting principles (GAAP).
-The risk specific to financial statements is that financial statement balances are materially misstated (i.e. a balance does not exist, is not complete, is not properly valued, or the organization is not the owner) or that financial statement disclosures are not complete or accurate.
The role of the internal auditor is different. Although we do look at financial statement risk, we also consider many other things.
-The Institute of Internal Auditors (IIA) International Professional Practices Framework (also known as the ‘Red Book’), in its Standards, states the following:
2130 - The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
- Reliability and integrity of financial and operational information
- Effectiveness and efficiency of operations
- Safeguarding of assets, and
- Compliance with laws, regulations and contracts.
2130.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.
2130.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.
From an internal auditing viewpoint, the objectives and goals vary. The COSO ERM framework describes an organization’s objectives in the following four categories:
-Strategic – high level goals, aligned with and supporting its mission
-Operations – effective and efficient use of its resources
-Reporting – reliability of reporting
-Compliance – compliance with applicable laws and regulations
In a company whose primary objective is preservation and enhancement of the bottom line, the objectives and the way to maximize shareholder value are pretty straightforward. In a nonprofit organization, however, there are multiple bottom lines: profit or revenue is only one of the objectives (despite the misnomer ‘non-profit’), alongside mission-centric objectives such as how to bring the greatest good to the ultimate beneficiaries. In World Vision’s case, we consider those beneficiaries to be both the children we serve and the donors who help us in that mission.
Once the stated objectives and goals are thought through, it is helpful to think through the different buckets of risk. Here are some typical buckets of risk:
-Financial (e.g. liquidity concerns)
-Operational (people, process, technology)
As stated above in the audit thought process, once risks are identified, the controls specific to those risks are assessed, with audit effort planned around the high risks. There are various quantitative and qualitative methods for assessing risk. From a financial statement risk standpoint, risk is typically assessed against a materiality (significance) threshold calculated from a chosen basis (e.g. a percentage of revenue or total assets). For other types of risk, such as operational, compliance or strategic, the method for assessing the level of risk can be more qualitative and judgmental. We will explore risk analysis and risk assessment in further detail in a future blog post.
That’s a brief overview of the differences for now. Anyone else want to offer their input?
Merry Christmas everyone!