The difference between external audit, internal audit & compliance
Updated: May 24, 2021
External auditors are required to be independent of the organizations they provide audit attestation services to. They provide an audit opinion of the accuracy of the financial statements prepared by the organization, and are often mandated by law.
These auditors analyze the accuracy of reported information and review the documentation and controls to support the related transactions, based on materiality thresholds. External auditors are primarily focused on historical financial data.
When performing their independent attestation services, external auditors follow guidelines and principles such as the Generally Accepted Auditing Standards (GAAS), Generally Accepted Accounting Principles (GAAP), and International Financial Reporting Standards (IFRS).
The audited financial statements prepared by the external auditors serve as the bedrock of the modern financial system. Without them, investors and stakeholders would not have the same level of confidence in any organization’s reported financial figures.
Without audit firms such as PwC, KPMG, E&Y, or Deloitte, an organization could easily fabricate its financial results to paint the picture it chooses, and these numbers would have very little utility to an outsider considering investing in the company’s stock or a financial institution deciding whether to allot additional debt to finance an acquisition.
An organization could decrease inventories and overstate expenses if its goal was to pay less in taxes, or it could inflate sales by recognizing revenues in the incorrect period to appear more profitable to investors. However, with independent auditors following prescribed accepted guidelines, the chance of a material misstatement is greatly reduced, though not eliminated.
Thus, audited financial statements provide investors and stakeholders with a level of security that allows them to make better-informed decisions on where to allocate scarce resources. This also ensures that the audited financial statements are more accurate and comparable to prior periods and industry peers.
Internal auditors are typically employed by the organizations they audit, unlike external auditors, who are independent service providers. There are, however, other arrangements available, such as co-sourcing and outsourcing of the audit function to third-party service providers.
According to the International Professional Practices Framework (IPPF) of The Institute of Internal Auditors (The IIA), the definition of internal auditing is: “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Internal auditors work on behalf of the board of directors, management, and stakeholders to add value to controls, mitigate risks, and improve the governance process. Compared to external auditors, who serve third parties by attesting to the reliability of reported financial information based on the reliability and sufficiency of supporting documents, internal auditors have a broader role. Though they are also deemed to be independent, they not only look at historical figures but also help management make future-oriented decisions.
Internal auditors are primarily interested in preventing and detecting errors, irregularities, and other deficiencies that may impede an organization’s ability to meet its business objectives. Frequent areas of review for internal auditors are: financial assurance, controls assurance, information technology, compliance with regulations, laws, and policies, and improving the efficiency of operations.
Valued internal auditors serve as trusted business advisors to senior management and often are deeply embedded in the most important business activities.
Regulatory compliance activities are designed to ensure that an organization follows all applicable laws (local and international) relevant to its business. The requirements of applicable laws vary depending on the type of business and industry.
Examples of regulatory compliance requirements include the Sarbanes-Oxley Act, the European Union’s General Data Protection Regulation (GDPR), and the Foreign Corrupt Practices Act. Corporate compliance is focused on ensuring that internal policies and procedures are being followed.
Overall, compliance activities provide assurance of the design and operation of control activities and procedures. Compliance specialists are not focused on the efficiency and effectiveness of business processes, but instead on whether processes comply with rules and standards.
The Compliance function within many organizations is embedded within the Legal department. Areas of concern for compliance teams include: anti-money laundering, anti-bribery, third-party risks, conflicts of interest, and politically exposed persons.
Over the past few decades, the sheer volume and complexity of new local and international legislation and the related penalties have made compliance activities a key focus of senior management. As failure to comply may lead to financial sanctions, legal penalties and reputational risks, it has become more imperative to adequately manage and stay ahead of the constantly shifting regulatory landscape.
Q4 consult can help you with your internal audit and compliance needs. Contact us to see how we can tailor our services to best help you meet your objectives and mitigate your risks.