What’s the Difference Between Internal Audit & Internal Control?

May 5, 2016 By
If you want to successfully manage risk, it helps to use the correct risk terms and expressions. Many people use risk terms without realizing that they may not be using the right terminology. It’s easy to become confused because sometimes the field of risk management uses similar terms for different purposes. For example, “Operational Risk Management” has a different meaning in the banking and insurance industry, compared to other industries (oil & gas, mining, manufacturing, chemicals, etc.).

Similarly, the term “audit” can refer either to an internal audit conducted by an organization itself, or an external audit performed by an auditing firm hired by the organization. Some people confuse the two when using the term “audit”. This is important because an internal audit and external audit may assess different things, and have different frameworks and workflows.

Recently, I came across another confusion between two terms: Internal Audit and Internal Control. The source of the confusion stems mainly from the fact that an internal audit assesses the effectiveness of controls put in place to mitigate risks. Let’s take a deeper look at both concepts.

Internal Audit is a Function Performed at Specific Times

Many people in risk management use this simple formula to explain the difference between Internal Audit and Internal Control: Internal Audit is a function, while Internal Control is a system. Internal audits are performed at specific times to assess: 1) if the company has a good understanding of the risks that it faces, and 2) if the controls put in place to mitigate risks are effective. There is one very important distinction to be made: it is not the job of internal auditors to identify risks, nor to specify the controls that are needed. Internal Audit evaluates whether the process leading to the identification of risks is working well, checks whether controls already in place are working according to the way they are intended to, and evaluates an organization’s governance system and process.

Internal Control is an Ongoing System

Internal Control is made up of procedures, policies and measures designed to make sure that an organization meets its objectives, and that risks that can prevent an organization from meeting its objectives are mitigated. While the Internal Audit function is performed by internal auditors, Internal Control is the responsibility of operational management functions. Another point of contrast is frequency. An internal audit is a check that is conducted at specific times, whereas Internal Control is responsible for checks that are on-going to make sure operational efficiency and effectiveness are achieved through the control of risks. Some risk experts even say that Internal Control is a part of a company’s day-to-day management and administration.

The Relationship Between Internal Audit and Internal Control

The best way to illustrate the relationship between Internal Audit and Internal Control is to show where they both fit in the Three Lines of Defense Model. Here’s an image of the model from The Institute of Internal Auditors:

3 Lines of Defense

Internal Control is part of the first line of defense because it is the responsibility of Operational Management, which itself is accountable to Senior Management. Internal Audit is part of the third line of defense. It even assesses the effectiveness of the first (Operational Management functions) and second (Risk and Compliance Management functions) lines of defense. Moreover, unlike Internal Control, Internal Audit may report directly to the Board of Directors and specifically the Audit Committee, in order to maintain a certain independence and objectivity when assessing other functions in the company that operate at the first two lines of defense.

Finally, if you are considering software solutions for Risk Management, knowing the difference between Internal Audit and Internal Control becomes even more important, because both must be managed in different ways due to their unique characteristics. Make sure that the software under consideration addresses the unique needs of both.

Download Aberdeen’s “Optimizing Organizational Performance with Operational Risk Management” report to learn more about the process of achieving operational excellence and continuity with a standardized operational risk management program:

Optimizing Organizational Performance with Operational Risk Management


Categories: Risk

2 Comments

  1. Kylie Dotts Reply

    I didn’t know that auditors didn’t identify risks or specify the controls needed. It would make sense that you would want to have people who could look at what the company was doing and see if it was effective, not necessarily trying to see exactly what is going wrong. Internal auditing must be a really important part of running a business because it allows you to see if what you have done up to that point is working or if it needs to be improved further. It seems like it’s a great way to be able to prepare and prevent instead of waiting for a problem to happen.

  2. Hafsa Boutzakate Reply

    Thank you so much for this brilliant simple explanation.

Leave a Reply