Why independence is the whole point

Internal audit is a relatively modern function. As organizations grew too large for any owner to oversee directly, a need arose for someone inside the organization — but independent of the people running it day to day — to check whether the controls, risks, and governance were actually working. The Institute of Internal Auditors, founded in 1941, professionalized the role, and its definition has become the standard: internal auditing is an independent, objective assurance and consulting activity that evaluates and improves the effectiveness of risk management, control, and governance. The word repeated in every formulation is independent.

The modern framing is the Three Lines Model. The first line is management, which owns and operates the controls. The second line is risk and compliance, which monitors and supports them. The third line is internal audit, which provides independent assurance over both — and reports not to management but to the governing body, the board or its audit committee. That structure is the whole point. Internal audit’s value is not that it tests controls — many people can test a control — but that an independent party, beholden to no one whose work it examines, stands behind the result.

What is internal audit?

Internal audit is an independent, objective evaluation of an organization’s internal controls, risk management, and governance, performed to assess whether they are operating effectively and to recommend improvements. In the Three Lines Model it is the third line — independent of management, which operates the controls, and of compliance, which monitors them — and it reports to the governing body. Its value rests entirely on that independence.

The defining feature is that internal audit is constituted by independence, not by competence at testing. A control test produces assurance only when the tester is independent of the work being tested. Remove the independence and the same test, however well executed, is no longer assurance at all.

The Three Lines Model and what internal audit does

Line | Who | Role
First line | Management and operations | Owns and operates the controls; responsible for managing risk day to day
Second line | Risk and compliance functions | Monitors, supports, and oversees the first line; sets policy and standards
Third line | Internal audit | Independent assurance over both the first and second lines; reports to the governing body

Independence and objectivity. The two pillars. Independence is established by reporting to the governing body, having unfettered access, and holding no operational dual role. Objectivity is an unbiased, evidence-based mental attitude free of conflicts of interest.

Internal versus external audit. External audit is a periodic, independent opinion on the financial statements for outside stakeholders. Internal audit is ongoing and far broader — governance, risk, operations, and controls — performed for the board to improve the organization and catch deficiencies early, before external or regulatory audits.

Risk-based planning. Internal audit plans its work by risk, focusing on where the organization’s real exposures are. The scope itself is a risk judgment — not a fixed checklist but a prioritized program built from the audit committee’s direction and the auditor’s assessment of where risk is highest.

Governance and standards

Element | Detail
IIA standards | Global Internal Audit Standards govern the profession; CIA is the core certification
Independence | Reporting to the governing body, unfettered access, no operational dual role
Objectivity | Unbiased, evidence-based, free of conflicts of interest
Risk-based planning | Audit plan prioritized by organizational risk, directed by the audit committee
Reporting line | To the governing body (board / audit committee) — not to management
Public company context | SOX drives assurance over internal control over financial reporting

Where internal audit is most important

Context | Why internal audit matters here
Public companies | SOX drives assurance over financial-reporting controls; audit committee oversight required
Banking, insurance, healthcare | Heavily regulated, control-intensive; regulators expect independent internal assurance
Large enterprises | Too complex for direct oversight; independent assurance is the board’s mechanism for visibility
Smaller organizations | Often co-source or outsource the function to access expertise while maintaining independence

How CPA firms work with internal audit

For an internal-audit function — sometimes co-sourced with a firm — the work is procedures wrapped around independence. The function sets the risk-based audit plan, executes testing procedures over controls it did not operate, judges whether controls are operating effectively, and communicates findings to the audit committee and the board. The split: executing the testing program is execution — but only over work the tester did not perform; the independence, the risk-based scope, and the opinion on effectiveness belong to the function, accountable to the governing body.

Offshore accounting context

Internal audit and offshore accounting

Internal audit closes a loop the glossary opened at the very start, and it does so by drawing a boundary of a kind that has not appeared anywhere else in these hundred terms. Every boundary so far has been about knowledge — a determination the offshore team could not make because it lacked the context, the operational facts, the legal standing, or the causal model. Internal audit’s boundary is not about knowledge at all. It is about position. And the position that disqualifies the offshore team here is one the rest of the glossary spent its earliest terms establishing as exactly right for the offshore team to occupy.

The controls cluster that opened the glossary established the offshore team as a first-line operator: running the three-way match, performing the reconciliation, maintaining the audit trail, working within segregation of duties. In the Three Lines Model, that is first-line work — operating the controls. Internal audit is the third line: independent assurance over those controls, reporting to the board. The entire value of the third line is that it is independent of the first and second — that the party assuring the controls is beholden to no one who operates them. And that is precisely why the offshore team that operates a client’s controls cannot also be the internal audit over them. It is not a question of whether the offshore team is competent to test the control — it very likely is. It is that a control someone operates cannot be one they independently assure, because the independence that makes assurance meaningful is destroyed the moment the assurer and the operator are the same party.

The characteristic failure mode is providing assurance over work the offshore team itself performed — collapsing the independence that is internal audit’s only source of value. It is a uniquely seductive failure because the offshore team is so well placed to test the very controls it operates: it knows them intimately, it has the evidence at hand, it could produce a flawless workpaper. All of that competence is exactly the trap. The better the offshore team is at operating a control, the more natural — and the more wrong — it is for that same team to be the one assuring it. The disqualification does not come from any deficiency in the offshore team; it comes from its own prior involvement. The first-line execution the glossary has spent dozens of terms affirming as the offshore team’s proper work is the very thing that bars it from third-line assurance over that work.

The offshore team can execute internal-audit procedures over controls and processes it did not itself operate — running the testing program the internal-audit function designed, pulling and testing samples, documenting exceptions, assembling evidence. Co-sourced internal audit is a real and valuable model, and this is genuine, skilled work. What the offshore team must never do is assure its own work: where it operates a control, keeps the books, or runs the payroll, the testing of that work has to sit with a party independent of it. For any given control, the offshore team is on one side of the line or the other — it operates it, or it tests it, never both. The risk-based scope and the opinion on effectiveness sit with the independent function accountable to the governing body, because those are the expression of the independence the offshore team, as an operator of the client’s processes, structurally cannot supply. When a proposed audit scope would have it testing work it performs, it flags the conflict: “we operate this reconciliation, so we cannot be the independent assurance over it.” The glossary opened by sending the offshore team into the controls to make them work; it closes that arc here by drawing the one line that involvement creates.

What are the common misconceptions about internal audit?

  • “Internal audit is the same as external audit.” No. External audit is a periodic opinion on the financial statements for outside stakeholders. Internal audit is an ongoing, independent evaluation of controls, risk, and governance for the board — far broader than the financials.
  • “Anyone competent can provide the assurance.” Testing a control is one thing; assurance requires independence — a party beholden to no one whose work it examines. The same test run by someone who operated the control is not assurance at all.
  • “Internal audit just checks boxes.” It is risk-based and strategic — it prioritizes by where the organization’s real risks are, serves as an early-warning system before external or regulatory audits, and recommends improvements. The scope itself is a risk judgment.
  • “The internal auditor can also run compliance or operations.” That dual role destroys independence. Internal audit must be separate from the first and second lines, because you cannot independently assure work you helped perform.
  • “Internal audit reports to management.” It reports to the governing body — the board or audit committee — precisely so that it stays independent of the management whose controls it evaluates.

What terms are commonly confused with internal audit?

Confused with | The key difference
Internal Controls | What internal audit evaluates; the controls are the first line, internal audit the third
External Audit | A periodic financial-statement opinion for outsiders; internal audit is ongoing and broad, for the board
Segregation of Duties | The within-process independence principle; internal audit applies independence at the organizational level as the third line
Risk Management | A function internal audit evaluates (the second line); internal audit provides independent assurance over it
Audit Trail | The evidence internal audit relies on — not the audit itself

Common client questions about internal audit

What is the difference between internal and external audit?

External audit is the periodic, independent opinion on your financial statements that outside stakeholders rely on. Internal audit is an ongoing, independent evaluation of your controls, risk management, and governance, done for your board to find and fix issues and improve operations. It is broader than the financials and aimed at improvement — often serving as an early warning before the external or regulatory audits arrive.

Can your team run our internal audit?

We can execute a great deal of the internal-audit work — running the testing program, pulling and testing samples, documenting exceptions, and organizing the evidence — over controls and processes we do not ourselves operate. What we cannot do is be the independent assurance over work we perform, because internal audit’s whole value is independence: a control we operate cannot be one we also assure — that is auditing our own work. So the risk-based scope and the opinion on effectiveness sit with the independent internal-audit function accountable to your board, and where a control is ours to operate, the testing of it has to sit with someone independent of us.

We already have your team doing our reconciliations — can they also internally audit them?

That is exactly the line we cannot cross. If we operate the reconciliation, we cannot be the independent check on it, because the result of an audit means nothing if the people who did the work also signed off that it was done right. The assurance has to come from someone independent of the work, so that testing needs to sit with the internal-audit function or another independent party. We are glad to keep doing the reconciliations; we just cannot also be their auditor.

Why does internal audit report to the board instead of management?

So it stays independent of the people whose work it examines. If internal audit reported to the management that runs the controls, it could not objectively assess them. Reporting to the board or audit committee is what protects the independence that makes its assurance worth anything.

Do we even need internal audit if we have good controls?

Good controls are exactly what internal audit checks. Having them and knowing they are actually working are different things — internal audit gives your board independent confirmation that the controls operate as intended, catches deficiencies early, and keeps the organization process-dependent rather than reliant on any one person. That independent confirmation is hard to get from inside the operation itself.
