Difference Between Internal Audit and Internal Control

Internal audit and internal control are two main aspects of any type of organization. In general, these two terms are often confused and used interchangeably; nevertheless, they are different from each other. The key difference between internal audit and internal control is that internal audit is a function that provides independent and objective assurance that an organization’s internal control and risk management system are functioning effectively whereas internal control is the system implemented by a company to ensure the integrity of financial and accounting information and that it is progressing towards fulfilling its profitability and operational objectives in a successful manner.

CONTENTS
1. Overview and Key Difference
2. What is Internal Audit
3. What is Internal Control
4. Side by Side Comparison – Internal Audit vs Internal Control
5. Summary

What is Internal Audit?

Internal audit is a function that provides independent and objective assurance that a company’s internal control and risk management system are functioning as intended. The internal audit department is led by the internal auditor who should have recent and relevant financial experience. The internal auditor is appointed by the audit committee, who will evaluate the effectiveness of the internal auditor and receive audit reports on a periodic basis. The audit committee has the following roles to perform with regard to internal audit.

  • Monitor and review the effectiveness of the company’s internal audit function
  • Ensure that the internal audit function has access to adequate financial and other resources to carry out its duties
  • Ensure that the internal audit function has the support and access to relevant information from all parts of the organization to conduct a successful audit
  • Report to the board and make appropriate recommendations on how to improve the company’s internal audit system
  • Consider the response of the management to any key external or internal audit recommendations

If the company does not have an internal audit function (this is possible in a certain type of companies, especially in small companies where there is only an external audit function), the need for the establishment of an internal audit function should be considered annually.

What is Internal Control?

Internal control is the system implemented by a company to ensure the integrity of financial and accounting information and that the company is progressing towards fulfilling its profitability and operational objectives in a successful manner. The main reason that internal control procedures are in place is to ensure that the risks the company face are mitigated. Even when an efficient internal control system is in place, there is no guarantee that the risks will be completely eliminated; however, they can be controlled from causing notable destruction for the company. Internal control measures can take the following forms.

  1. Segregation of duties to divide responsibility for recording, inspecting and auditing transactions to prevent a single employee committing a fraudulent act
  2. Controlling access through door locks (for physical access) and through passwords (for online access)
  3. Accounting reconciliations to ensure that account balances match up with balances maintained by other entities including suppliers, customers, and financial institutions
  4. Assigning authority to specific managers to authorize transactions of significant value
  5. Independent checks on employee performance such as supervision

The type of control that should be implemented for each risk is decided based on two aspects.

  • Likelihood/probability of risk- possibility of a risk being materialized
  • Impact of risk- size of the financial loss if the risk materialize

Both likelihood and the impact of a risk may be high, medium or low. For a risk with high likelihood and impact, controls with high effect should be implemented. If not, it will be exposed to a high control risk.

Figure 01: Likelihood and impact of a risk helps the company to identify the type of internal control measure to use

What is the difference between Internal Audit and Internal Control?

Internal Audit vs Internal Control

Internal audit is a function that provides independent and objective assurance that an organization’s internal control and risk management system are functioning effectively. Internal control is the system implemented by a company to ensure the integrity of financial and accounting information and that the company is progressing towards fulfilling its profitability and operational objectives in a successful manner.
Main Responsibility
The main responsibility of the internal audit is to review the effectiveness of the internal control system. Ensuring that sound internal control procedures are in place is the main responsibility of internal control system.
Nature
Internal audit is a preventive measure. Internal control is a detective measure.

Summary – Internal Audit vs Internal Control

The difference between internal audit and internal control is distinct due to its nature and applicability. While mitigating risks through proper controls and ensure that the company is not hindered from achieving its objectives is the purpose of internal control; inspecting whether such controls are functioning as intended is the objective of the internal audit. A number of large-scale corporates such as Enron and Lehman Brothers have collapsed due to not having a sound internal control system and an effective internal audit function.

Reference:
1. Internal Control. N.p., Web. 19 May 2017. <https://www.cliffsnotes.com/study-guides/accounting/accounting-principles-i/principles-of-accounting/internal-control>.
2. “The difference between internal and external audits – Questions & Answers.” AccountingTools. N.p., n.d. Web. 21 May 2017. <http://www.accountingtools.com/questions-and-answers/the-difference-between-internal-and-external-audits.html>.
3. “Internal Audit.” Investopedia. N.p., 23 Nov. 2003. Web. 21 May 2017. <http://www.investopedia.com/terms/i/internalaudit.asp>.

Image Courtesy:
1. “RiskMatrix-RH” By RoyHanney – Own work (CC BY 3.0) via Commons Wikimedia