Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. These audits ensure compliance with laws and regulations and help to maintain accurate and timely financial reporting and data collection. Internal audits also provide management with the tools necessary to attain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.

Internal Audit is a department or an organization of people within a company that is tasked with providing unbiased, independent reviews of systems, business organizations, and processes. The role of Internal Audit is to provide senior leaders and governing bodies of an organization an objective source of information regarding the organization’s risks, control environment, operational effectiveness, and compliance with applicable laws and regulations.

The reviews performed by Internal Audit are often called internal audits. An internal audit may be used to assess an organization’s performance or the execution of a process against a number of standards, policies, metrics, or regulations. These audits may include examining a business’s internal controls around corporate governance, accounting, financial reporting, and IT general controls. Internal audits may also entail evaluating the effectiveness/efficiency of critical business operations such as supply chain management. Those individuals working in Internal Audit are called internal auditors. Internal auditors may cover all areas of an organization or specialize based on their skill-sets.

The aim of internal audits is to identify weaknesses within the organization’s processes and control environment internally so that they can be fixed as quickly as possible to prevent harm to the organization or its stakeholders. Accordingly, the internal audit plan for an organization should be risk-based or, in other words, designed to examine those areas that present the greatest risk to the company. The internal audit plan should also include a component that addresses the strategic needs of the organization.

Internal auditors generally identify a department, gather an understanding of the current internal control process, conduct fieldwork testing, follow up with department staff about identified issues, prepare an official audit report, review the audit report with management, and follow up with management and the board of directors as needed to ensure recommendations have been implemented.

Internal vs External Audits: How are They Different?

I think the simplest way to explain the difference between internal and external audits is to compare the who, what, and why of the two types of audits. Some of the key differences are highlighted below.

Who Performs the Audit?

  • Internal Audits – Internal Auditors, typically employees of the company.
  • External Audits – External Auditors, typically members of a certifying body or a CPA firm.


Who is the Audit Reported to?

  • Internal Audits – Board of Directors, and members of management.
  • External Audits – Shareholders and members outside of the company.


What Does the Audit Cover?

  • Internal Audits – Internal Controls related to:
      • Governance
      • Risk Management
      • Process Improvement
  • External Audits – Financial Reports, and Internal Controls related to Financial Reporting


Why is the Audit Performed?

  • Internal Audits – To assess and improve the effectiveness of governance, risk management, and control over critical processes. To provide the board and management with information and assurance related to their duties.
  • External Audits – To validate, or provide reasonable assurance, the material accuracy of financial reports from the organization to its stakeholders.


When are Results Reported by the Audit?

  • Internal Audits – May report at any frequency designated by the Board.
  • External Audits – Annually.

As you can see, there is a difference between an internal and an external audit. Both check whether the organization is performing certain activities or controls correctly. However, internal audit results are reported in-house, while the results from external audits are reported to individuals inside and outside of the organization. When the two cover the same scope, I like to say that an internal audit is a pre-test and the external audit is the final. The organization can use the results from the internal audit to identify its weaknesses and work to correct or strengthen them in preparation for the external audit, where the results will be shared publicly.

You will notice that the scope and objectives of the two types of audits also differ. Internal audits are typically smaller, focused audits that (collectively over a year) cover a broader scope. This allows the company’s Board and management to get more frequent and timely information that they may use to govern and improve the organization. In contrast, a business will typically have one big external audit each year. The objective of the external audit is to ensure compliance with the company’s established management systems requirements.

The last area of difference that I would like to highlight is the scope of responsibilities of internal and external auditors. Internal auditors function as consultants who perform the assessment and then advise the organization’s management on how to address the risks identified. External auditors do not have any responsibility to the organization. External auditors’ only responsibility is to assess.

Internal audits in the company usually happen once every year, months before the external audit by SGS Philippines.

The audit usually takes 3 days to a week, depending on the number of departments to be covered. For instance, this year’s internal audit took place and was finished within a week because there are a number of departments and department processes that needed to be checked.

The whole process of the internal audit is as follows:

  1. The first thing the TQM department does is create the full scope and structure of the audit plan to be followed. The main objective of the audit plan is to verify and validate the compliance of the Integrated Management System (IMS) with the ISO 9001:2015 requirements and the ISO/IEC 27001:2013 requirements. Audit plans are usually submitted for the CEO’s approval. The only instance in which an audit plan won’t be approved is when the CEO or the executives are not available on the exact audit date; the audit is then moved to a different date to accommodate everyone involved.
  2. Once the audit plan has been approved, the TQM manager conducts an auditors’ meeting to explain the coverage of the audit and to verify each department and the clauses it is assigned to. Auditors are usually the other members of the TQM department, as well as the manager, since the manager is the main auditor.
  3. There will be times when an auditor needs a schedule change due to prior responsibilities. In that case, the main auditor or the manager conducts a meeting beforehand to revise the audit plan and change the schedule. The reason for the change of schedule should be justified to be accepted.
  4. The main auditor sends the auditees reminders about the audit a month before the exact audit date so that they can clear their schedules and finish their tasks ahead of the audit date, avoiding miscommunication and delays to the plan.
  5. An auditor’s checklist is a document created during the audit planning stage. It is essentially a list of the tasks that must be completed as part of the audit. It is created and managed by the senior auditor, who is responsible for the overall audit. The checklist contains a list of questions based on the ISO standard (9001 & 27001). These questions are supposed to be answered by the auditees during the audit, and if one or two of the auditees cannot answer the questions prepared, further assessment will be done.
  6. Another set of reminders is sent a week before the actual audit date.
  7. When the day of the actual audit comes, the first thing the senior auditor does is meet all participants for the opening meeting. The minutes of the opening meeting include the scope of the audit, the dates assigned to each department, and what parts of the department will be audited: basically, each process of the whole audit. After the opening meeting, the auditors conduct the actual audit, in which they check department processes by randomly sampling up to 5 people to ask questions and to comply with the requirements needed for the audit. The audit may take a whole day, depending on how many parts of the department are being audited.
  8. Before the day ends, a wrap-up meeting with the auditors is held to verify each one’s audit findings.
  9. After each department has been audited, be it a week since the start of the audit or more, a closing meeting is held to present all the audit findings the TQM members have discovered. If a finding is considered a Minor NC, it is sent to the auditee for them to create an action plan and find solutions to it. The TQM department will not provide solutions for them; rather, the auditees will find the solutions themselves.