The relationship between external audit and internal audit

By Alan Simpson CA

18 April 2018

Some ICAS members may specialise in either internal or external audit, but equally, some might be involved in both areas. This article looks at some of the major differences between the two.¹

The current, dynamic business environment is providing a broader range of opportunities for accountants, and not necessarily just auditors, to acquire new skills and work in a variety of different disciplines. Some auditors may end up specialising in either internal or external audit, but equally, some might be involved in both areas.

Seven differences between external audit and internal audit:

External audit | Internal audit

1. Appointments

The post of statutory external auditor is an office to which the holder is appointed by an ordinary resolution of the members in general meeting (see Companies Act 2006 section 489). In practice, members will merely give tacit approval to the Board's choice and “rubber stamp” its decision.

Internal auditors may be employees of the organisation being audited.

Alternatively, an organisation may outsource its internal audit services to one of the accounting firms, using that firm’s employees to carry out the internal audit work.

2. Duties & responsibilities

The external auditor’s duties, rights and obligations are governed by statute. In the UK, these are set out in the Companies Act 2006 Part 16, Chapters 1 to 7.

The chief duty of the external auditor is to carry out sufficient work to enable them to express an independent opinion to the members on a set of financial statements and whether these show a true and fair view.

Audit Regulations and Technical Release AAF 01/08 “Access to Information by Successor Auditors” require that a person ceasing to hold office as a statutory external auditor must make available to his successor in that office all relevant information which he holds in relation to that office.

The internal audit function's purpose, authority and responsibility are defined within its Audit Charter.

Unlike external audit, where the core task is to give an opinion on a set of financial statements, internal audit must provide an annual internal opinion on the state of the organisation’s arrangements in relation to risk management, governance and internal control.

The work of internal audit gives the audit committee and the board assurance to help them to fulfil their governance and stewardship duties to the organisation and its various stakeholders.

Internal audit may also carry out advisory and consulting work, where the aim is to support management in improving systems and controls.

3. Reporting responsibilities

External auditors are responsible to the shareholders or, in the public sector, ultimately to a legislative body such as Parliament. They are not responsible to the management of the body being audited and management do not direct the extent and scope of their audit work.

Internal audit is required to be independent of management and to report functionally to the board, normally through the audit committee.

To safeguard their independence, internal audit should not have operational responsibilities.

4. Reporting format

External auditors use formats prescribed in auditing standards when reporting their audit opinion, in legislation as a basis for their opinion and, if applicable, in the Listing Rules.

External auditors’ reports are placed in the public domain via the annual financial statements required to be filed in the UK with the Registrar of Companies, unless filing exemptions are adopted. For Public Interest Entities, many are also available via the annual report on the entity’s website.

Internal auditors can publish their reports in any format. They are not prescribed by legislation to use a specific format or wording.

Internal audit reports are not available to the public (but are often requested by regulators). The reports are addressed to the audit committee (if one exists), the board of directors and the management of the area being audited.

5. Outlook

External auditors traditionally report on historical information - the annual financial statements of the organisation. However, as part of their work in forming an opinion upon these financial statements, they will also examine information relating to the entity’s ability to continue as a going concern, such as cash flow forecasts, budgets and, depending upon whether they are required by the UK Corporate Governance Code, viability statements.

Internal auditors often look to the future in their work - such as:

  • How does the organisation identify, measure and contain risks to the achievement of its strategy and objectives?
  • Does the organisation have adequate systems and controls in place to address change in its business environment?
  • How prepared is the organisation for legal or legislative changes?

6. Competence & professional qualifications

In the UK and the Republic of Ireland, each person responsible for external audit work and signing audit reports in an auditing firm must be a Responsible Individual (“RI”). To become an RI, a person must be a member of, and hold a practising certificate and audit qualification awarded by, one of the following professional accountancy bodies:

  • ICAS
  • ICAI
  • ACCA

There is no general requirement in the UK for internal auditors to be members of a professional body although, in practice, internal auditors will often be members of the Chartered Institute of Internal Auditors, one of the CCAB bodies or a specialised industry body such as the Securities Institute (CISI).

7. Case law

There exists a body of case law concerned with the duties and responsibilities of external auditors (e.g. RBS plc v Bannerman Johnstone Maclay in 2002).

There is no equivalent body of case law dealing with the duties and responsibilities of internal audit.

Which organisations have an internal audit function?

Internal audit will generally be found in very large organisations in the private sector, the public sector or the “third sector” such as charities and NGOs, although many small entities may also choose to establish an internal audit function. There is no stated legal requirement under the UK Companies Acts for an organisation to have an internal audit function. The position in the public sector differs, as many organisations there are required by statute to have an internal audit function.

Surprisingly, the Financial Reporting Council’s (FRC) UK Corporate Governance Code (April 2016), which applies to all companies with a listing of equity shares on the London Stock Exchange, does not require a company listed there to have an internal audit function.

A future article will look at the working relationship between internal and external audit.

1 This article is written primarily with reference to the United Kingdom and refers to ISAs (UK).

