Internal Audit: What It Is, Different Types, and the 5 Cs

Internal Audit

Investopedia / Paige McLaughlin

What Is an Internal Audit?

Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. These types of audits ensure compliance with laws and regulations and help to maintain accurate and timely financial reporting and data collection. Internal auditors are hired by companies who work on behalf of their management teams. These audits also provide management with the tools necessary to attain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.

Key Takeaways

  • An internal audit offers risk management and evaluates the effectiveness of many different aspects of the company.
  • Types of internal audits include financial, operational, compliance, environmental, IT, or for a very specific purpose.
  • Internal audits provide management and the board of directors with a value-added service where flaws in a process may be caught and corrected prior to external audits.
  • Similar to external audits, internal audits are conducted through planning, auditing, reporting, and monitoring steps.
  • Internal audits may enhance the efficiency of operations, motivate employees to adhere to company policy, and allow management to explore specific areas of its operations.

Understanding Internal Audits

Internal audits play a critical role in a company’s operations and corporate governance, especially now that the Sarbanes-Oxley Act of 2002 holds managers legally responsible for the accuracy of their company's financial statements. SOX also required that a company's internal controls be documented and reviewed as part of its external audit.

In addition to ensuring that a company complies with laws and regulations, internal audits also provide a degree of risk management and safeguard against potential fraud, waste, or abuse. The results of internal audits provide management with suggestions for improvements to current processes not functioning as intended, which may include information technology systems as well as supply-chain management.

Internal audits may take place on a daily, weekly, monthly, or annual basis. Some departments may be audited more frequently than others. For example, a manufacturing process may be audited on a daily basis for quality control, while the human resources department might only be audited once a year.

Audits may be scheduled, to give managers time to gather and prepare the required documents and information, or they may be a surprise, especially if unethical or illegal activity is suspected.

Types of Internal Audits

Compliance Audit

A company may be required to adhere to local laws, compliance needs, government regulations, external policies, or other restrictions. To demonstrate compliance with these rules, a company may task an internal audit committee to review, compile appropriate information, and provide an overall opinion on the status of the compliance requirement.

Internal Financial Audit

Public companies are required to perform certain levels of external financial auditing where a completely independent third party provides an opinion on the company's financial records. Companies may want to dive further into audit findings or perform an internal financial audit in preparation for an external audit. Many of the tests between an internal or external auditor may be similar; the nature of independence separates the two types of audits for financial audits.

Environmental Audit

As companies become continually more environmentally conscious, some take the steps of reviewing the business' impact on the planet. This results in an internal audit covering how a company safely sources raw materials, minimizes greenhouse gases during production, utilizes eco-friendly distribution methods, and reduces energy consumption. Companies leveraging triple bottom line reporting may perform internal environmental audits as part of annual reporting.

Technology/IT Audit

An IT audit may have different objectives. The internal audit may be the result of an external lawsuit, a company complaint, or a target to become more efficient. An internal audit focused on technology reviews the controls, hardware, software, security, documentation, and backup/recovery of systems. The goal is likely to assess general IT accuracy and processing capabilities.

Performance Audit

An internal audit focused on performance pays less attention to the processes and more on the final result. The company will have likely have set performance objectives or metrics that may be tied to performance bonuses or other incentives. As a result, an internal auditor assesses the outcome of an objective that may not be easily quantifiable.

For example, a company may wish to have expanded its use of diverse suppliers; the internal auditor, independent of any purchasing process, will be tasked with analyzing how the company's spending patterns have changed since this goal was set.

Operational Audit

An operational audit is most likely to occur when key personnel leaves or when new management takes over an entity. The company may want to assess how things are done and whether resources are being used more efficiently. During an operational internal audit, the auditor will review whether current staff and processes fulfil the mission statement, value, and objectives of a company.

Construction Audit

Development, operating, real estate, or construction companies may perform construction audits to ensure not only appropriate physical development of a building but appropriate project billing along the life of the project. This mostly includes adherence to contract terms with the general contractor, sub-contractors, or standalone vendors as necessary.

This may also include ensuring the company has remit the appropriate payments, collected the appropriate payments, and internal project reports regarding project completion are correct.

Special Investigations

Many of the audits above may be recurring and performed each year. In some cases, it might make sense for an internal audit committee to evaluate a special circumstance that will occur only once. This may entail gathering a report on the efficiency on a recent merger, the hiring of a key employee, or a complaint from staff. When selecting the individuals for the special investigation audit, a company must be especially mindful to select members with appropriate expertise and independence.

Depending on the structure of the organization, the internal audit may be prepared by the board of directors of by upper management.

Internal Audit vs. External Audit

Internal and external audits have the same objective. Both types of audits analyze an aspect of a company to determine a specific opinion. However, there are many differences between the two types of audits.

In an internal audit, the company is often able to select its own audit team. As such, the team represents the interests of the company's management team. This may be advantageous to specifically place certain employees with very niche experience on the team. In an external audit, the company can often select the external audit firm; however, the company often does not have a say in the specific employees put on their external audit.

There may be some requirements regarding the external audit staff depending on the audit. For example, in an external financial audit, a Certified Public Accountant (CPA) must certify the financial statements. In an internal audit, there is no requirement that any member of the audit team must be a CPA.

The end goal of either audit is an audit report; however, audit reports are used for very different reasons. An internal audit report is usually used by internal management to improve the operations, processes, or policies of the company. An external audit report is often required for an outside reason and is more often used heavier by members outside of the company.

Finally, the nature of the engagement will be very different. During an internal audit, the employees of a company may often freely give advice, discuss unrelated matters with the company, or may have a very fluid consulting agreement. During an external audit, a very defined scope is often set, and the external auditor will often take great care to ensure they do not exceed their audit boundaries.

Internal Audits
  • A company is usually able to select its own internal audit lead and team members

  • Members of the audit team often do not need to have specific titles or licenses

  • Audit reports are primarily used by internal management to improve company operations

  • Internal audits may be less formal with blurred structure as the auditor provides casual guidance

External Audits
  • A company or board can usually pick the audit firm but not audit team members

  • Members of the audit team may be required to hold specific titles or license as part of the audit agreement

  • Audit reports are primarily used by external parties to satisfy a reporting requirement

  • External audits are often more formal with defined boundaries and disallowed services

Internal Audit Process

Internal auditors generally identify a department, gather an understanding of the current internal control process, conduct fieldwork testing, follow up with department staff about identified issues, prepare an official audit report, review the audit report with management, and follow up with management and the board of directors as needed to ensure recommendations have been implemented.

Step 1: Planning

Before any audit procedures are performed, the internal auditors often start by developing the audit plan. This sets the audit requirements, objectives, timeline, schedule, and responsibilities across audit team members. The audits may review prior audits to understand management expectations for presentation and data collection.

The audit plan often has a checklist to ensure members of the team adhere to broad expectations. The internal audit team may also preemptively plan to meet with management throughout the audit to communicate the status and any struggles of the audit. The planning stage often ends with a kick-off meeting that launches the audit and communicates the initial information needed.

Step 2: Auditing

Many of the auditing procedures used by internal audits are the same as external auditors. Assessment techniques ensure an internal auditor gathers a full understanding of the internal control procedures and whether employees are complying with internal control directives. To avoid disrupting the daily workflow, auditors begin with indirect assessment techniques, such as reviewing flowcharts, manuals, departmental control policies or other existing documentation.

Auditing fieldwork procedures can include transaction matching, physical inventory count, audit trail calculations, and account reconciliation as is required by law. Analysis techniques may test random data or target specific data, if an auditor believes an internal control process needs to be improved.

The internal audit may have started with a defined scope; as the internal audit team gathers and analyzes information, it may become necessary to redefine the purpose and extent of the audit. This includes re-evaluating the original timeline or resources allocated to the audit.

Step 3: Reporting

Internal audit reporting includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away. Similar to an interim financial statement, an interim audit communicates a partial set of information useful for laying the road for the remaining portion.

Often, a company may deliver a draft copy of the final audit report and host a pre-close internal audit meeting with management. This may allow management to provide rebuttals, additional information that may change findings, or provide commentary on their feedback regarding the audit findings.

The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings, and suggestions for improvements to internal controls and control procedures. The final report may also communicate next steps in terms of changes to be implemented, future monitoring processes, and what future reviews will entail.

Step 4: Monitoring

After a designated amount of time, an internal audit may call for follow-up steps to make sure the appropriate post-close audit changes were implemented. The details and process for these monitoring and review steps is often agreed to at the delivery of the final audit.

For example, an internal financial audit may find severe internal control deficiencies that an internal auditor believes will not pass an external financial audit. Management agreed to implement changes within the next six weeks. After six weeks, the internal auditor may be tasked with implementing a small-scope or limited review of the deficiency to see if the issue still persists.

The monitoring step of an internal audit is technically not required. Management or the board may decide to disregard internal audit findings and not implement the changes the audit report suggests.

Internal Audit Reports: The 5 C's

Internal audit reports are often known for adhering to the 5 C's reporting requirement. A complete, sufficient internal audit often ends with a summary report that communicates answers to the following questions:

  1. Criteria: What particular issue was identified, and why was the internal audit necessary? Is the internal audit in preparation for a future external audit? Who requested the audit, and why did this party request the audit?
  2. Condition: How as the issue in relation to a company target or expectation? Does the company have a policy that was broken, a benchmark that was not met, or other condition that was not satisfied? Is the company confident no issue exists, or do they believe an issue is at hand?
  3. Cause: Why did the issue arise? Who was involved, what processes were broken, and how could the issue have been avoided?
  4. Consequence: What is the outcome of the problem? Are issues limited to internal matters, or are there risks of external consequences? What is the financial implications of the issue?
  5. Corrective Action: What can the company do fix the problem? What specific steps will management take to resolve the issue, and what type of monitoring or review will occur after solutions have been put in place to ensure a fix has been implemented?

Importance of Internal Audits

Some may think internal audits are not as valuable as external audits. After all, a company may hand-pick its own internal audits who do not have full independence from the company. However, there are many ways internal audits provide value to the company and external parties:

  • Management can be more efficient about what to explore. For example, while external financial audits must test an entire financial system, a company may be concerned about whether the cash management process is being fraudulently managed; therefore, management can elect to have all audit procedures analyze cash processes.
  • Internal audits may save companies money. If a company's processes are very strong, the external audit process may not be as long as intensive, thereby reducing the external audit fee and time spent supporting external auditors.
  • The company enhances its control environment. Even if the internal audit yields no findings, employees may be aware that their work gets analyzed and reported on, thereby motivating adherence to company policy.
  • Internal audits may make companies more efficient. External audits often are not intended to make processes better; they are meant to review whether processes are accurate. This distinction is important because a company may be "just getting by" with inefficient processes that meet very minimum requirements.
  • Internal audit reports give management a head start to make corrections. Instead of having to scramble when an external audit finds a deficiency, management can take longer to think through solutions, implement the solution with care, and review whether the solution worked.
  • Certain departments may need enhanced oversight. Whether it is lack of expertise, staffing shortages, or problem with current personnel, a company may benefit from targeting a specific area and formally reviewing its workflow and processes.

What Are the Types of Internal Audits?

A company can choose to perform an internal audit for almost any reason. This may lead to an internal financial audit, operational audit, compliance audit, environmental audit, IT audit, or a special one-time circumstance.

What Is the Role of Internal Audit?

The role of an internal audit is to identify a deficiency or substantiate a proficiency. For example, a company may issue an internal financial audit to make sure its internal controls over accounts payable adhere to company policy. Alternatively, the company may launch an internal environmental audit to explore how environmental impact its eco-friendly changes had on the planet last year.

What Is the Internal Audit Process?

The internal audit process entails planning the audit, performing the audit procedures, compiling the audit report, and monitoring post-audit changes. Management may choose to expand the scope of an audit at any point of the audit if findings during the audit cause the scope to shift a different direction.

What Are the 5 C's of Internal Audit?

Internal audit reports often outline the criteria, condition, cause, consequence, and corrective action. These five areas report why the audit was performed, what caused the reason for the audit, how the audit will be performed, what the auditor aims to achieve, and what steps will be taken after the audit findings are presented.

The Bottom Line

An internal audit is a process that allows a company to self-select an audit team to carry out the review of its operations. The company can often define the scope of the internal audit. In addition, the company can often choose almost any reason to conduct an internal audit. Though internal audits are less useful for meeting external reporting requirements, they hold tremendous value for improving internal operations as well as informing management ways the company can get better.

Article Sources
Investopedia requires writers to use primary sources to support their work. These include white papers, government data, original reporting, and interviews with industry experts. We also reference original research from other reputable publishers where appropriate. You can learn more about the standards we follow in producing accurate, unbiased content in our editorial policy.
  1. Congressional Research Service. "Corporate Responsibility: Sarbanes-Oxley Act of 2002," Pages 5-8.