Internal Audit and How External Auditors Use It

Learning objectives

By the end of this chapter you should be able to:

• Explain why an internal audit function exists and describe the main types of work it performs across risk management, internal control and governance.
• Distinguish internal audit from an external audit by comparing purpose, audience, scope and reporting relationships.
• Assess whether work performed by internal audit can be used by the external auditor by evaluating independence in practice, capability and the strength of the evidence trail.
• Identify how internal audit outputs can inform external audit planning, including risk assessment and the design of audit procedures.
• Recognise situations where using internal audit work is inappropriate and describe how the external auditor responds.
• Explain the difference between (a) using the work of internal audit as audit evidence and (b) using internal auditors to provide direct assistance, and the safeguards and jurisdiction limits that may apply.

Overview & key concepts

Many organisations structure assurance activities using a commonly used “lines of assurance” model. In simple terms:

• Managementdesigns and operates controls as part of running the business.
• Internal auditevaluates how well risks are identified and managed, and how effectively controls and governance arrangements operate in practice.
• External auditreports to shareholders (or equivalent users) on the financial statements.

This is a helpful way to think about roles, but organisations may apply it differently in practice.

Internal audit and external audit can complement each other, but they are not interchangeable:

• Internal auditis part of the organisation. It helps the organisation achieve its objectives by evaluating and improving risk management, internal control and governance. It may also provide advisory work, but it must retain independence of thought and challenge.
• External auditis an independent engagement. Its objective is to obtain sufficient appropriate evidence to support an opinion on whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework.

The external auditor remains responsible for the audit opinion. Internal audit work may improve efficiency, but it cannot replace the external auditor’s judgement or professional scepticism.

Core concepts

Internal audit (IA)

Internal audit is an assurance and advisory activity that evaluates how effectively the organisation identifies and manages risks and how well internal controls and governance processes operate in practice.

Typical internal audit activities include:

• Reviewing the design and operation of internal controls (for example, controls over purchasing, payroll, revenue processing, inventory counts and IT access).
• Testing compliance with internal policies, delegated authorities and legal or regulatory requirements.
• Investigating control breakdowns, near-misses and root causes of recurring issues.
• Performing operational reviews (for example, efficiency, value-for-money, process redesign).
• Reporting findings and recommendations to those charged with governance and monitoring management’s remedial actions.

Reporting line and independence: The credibility of internal audit is strengthened when it has a clear mandate, unrestricted access to records and staff, and a reporting route that supports independent challenge (commonly to the audit committee or an equivalent governance body).

External audit (EA)

External audit is an independent examination of financial information leading to an audit opinion. The external auditor plans and performs procedures to address the risk of material misstatement in the financial statements, whether due to error or fraud.

External audit procedures include:

• Understanding the entity and its environment, including internal control.
• Assessing risks at the financial statement level and assertion level.
• Designing and performing audit procedures that respond to the assessed risks.
• Evaluating whether the financial statements are presented fairly in accordance with the reporting framework.
• Communicating matters of significance to those charged with governance.

How the external auditor decides whether internal audit work is usable: “Can we trust it?”

The decision is fundamentally a trust decision. The external auditor considers whether internal audit work is reliable enough to help achieve specific audit purposes, and then validates it where appropriate.

1) Can internal audit speak freely?

The external auditor looks for signs that internal audit can report unwelcome findings without pressure.

Strong indicators include:

• A functional reporting route to the audit committee (or equivalent).
• Unrestricted access to people, systems and records.
• No evidence that management narrows scope, delays reports, or filters messages.

Red flags include:

• Internal auditors being involved in operating or approving the process they later review.
• Frequent scope restrictions, “off-limits” areas, or management rewriting conclusions.
• A culture where challenging findings are discouraged.

2) Can internal audit do the job well?

The external auditor considers capability in practical terms, not just credentials.

Indicators of strong capability include:

• A team with relevant experience for the work performed (for example, procurement process reviews led by staff with process and controls knowledge).
• Appropriate training and continuing development.
• Use of specialists where needed (for example, IT controls work supported by IT expertise).
• Clear supervision, review and sign-off in the file.

Weak capability often shows up as vague objectives, shallow testing, inconsistent conclusions, or poor evidence retention.

3) Is the work built like audit work?

This is about the method and evidence trail: can an independent reviewer understand what was done and why the conclusion is justified?

What good looks like (one-line summary): clear objectives, sensible testing, and evidence that supports every conclusion.

The external auditor typically looks for:

• A scoped plan linked to risks and objectives.
• Procedures that clearly address those objectives.
• A rationale for selections or sampling (not just “we tested a few items”).
• Evidence that is sufficient and appropriate for the conclusion reached.
• Reports that separate what was found, why it matters, and what action is needed.

Bottom line: If independence in practice is doubtful, capability is inconsistent, or the evidence trail is weak, internal audit reports may still be useful background—but the external auditor should not treat the work as audit evidence.

How internal audit can support external audit planning

Internal audit outputs can help the external auditor understand processes, identify control weaknesses, and refine risk assessment. This is particularly useful early in planning.

Useful inputs include:

• The internal audit plan and how it prioritises risk.
• Reports issued during the year and management’s responses.
• Follow-up reports showing whether issues are resolved or recurring.
• Coverage summaries across processes, sites, and systems.
• Themes from investigations, incidents, or whistleblowing (where relevant and appropriately shared).

Internal audit insights should be mapped to financial statement areas and audit assertions. For example:

• Weak procurement approvals may increase the risk of unauthorised or inaccurate purchases, duplicate payments, or misclassification between operating costs and capital expenditure.
• Poor inventory controls may increase the risk of incorrect quantities or valuation errors.
• Revenue control weaknesses may increase the risk of cut-off or inappropriate recognition.

Exam focus: The external auditor first decides the overall audit approach and identifies key risks. Only then does the external auditor decide whether any internal audit work can help achieve specific audit purposes within that strategy.

Using internal audit work as audit evidence

When using internal audit work may be appropriate

Using internal audit work as audit evidence is most likely to be appropriate when:

• The work relates directly to audit objectives and assertions.
• The subject matter is not heavily judgemental (for example, routine control operation rather than complex estimates).
• The work is timely and relevant to the audit period.
• The external auditor has evaluated trust factors and validated key parts of the work (often by re-performance).

Typical areas where it may be useful include tests of controls in stable, process-driven systems—provided documentation is strong.

When using internal audit work is usually inappropriate

The external auditor should be cautious or avoid using internal audit work as audit evidence where:

• Internal audit objectivity is weak or compromised.
• The area involves significant judgement or estimation uncertainty (for example, complex provisions, impairment modelling, fair values).
• The area is sensitive to fraud or management override.
• Documentation is poor or evidence is missing.
• The work is outdated relative to the audit period or controls have changed.
• Scope restrictions prevented internal audit from testing relevant populations or accessing key evidence.

If internal audit work cannot be used, the external auditor expands independent procedures to obtain sufficient appropriate evidence.

Direct assistance versus using internal audit work

Using internal audit work (as evidence)

This means the external auditor uses internal audit’s completed work as part of the audit evidence base—after evaluating quality and performing appropriate validation. The external auditor decides the extent of use and remains responsible for the conclusions.

Direct assistance (when allowed)

In some environments, internal auditors may help by carrying out specified audit steps for the external auditor. Whether this is permitted depends on local law, regulation, and the standards applied, and in many settings it is restricted or not used in practice.

Where it is permitted, the external auditor must control the work tightly: set the instructions, supervise performance, review what was done, and remain fully responsible for the audit conclusions. Direct assistance is typically kept away from higher-risk areas (high judgement, high fraud risk, or matters involving significant management override concerns).

Worked example

Narrative scenario

A manufacturing company, XYZ Ltd, has an internal audit function that reports to the audit committee. Internal audit recently reviewed the procurement process, focusing on controls over supplier approvals and purchase order authorisations. The review identified control weaknesses, including:

• Inadequate segregation of duties between supplier set-up, ordering and goods receipt.
• Missing evidence of required dual approvals for certain purchase orders.
• Instances where supplier changes were made without clear authorisation trails.

The external auditor, ABC Audit Firm, is considering whether and how to use internal audit’s work when planning the year-end audit.

Required

1. Evaluate internal audit’s objectivity, competence and approach.
2. Decide whether any of internal audit’s work can be used as audit evidence.
3. Identify how internal audit’s findings can support risk assessment (including relevant assertions).
4. Plan re-performance and other validation procedures.
5. Document the evaluation and the decision on use.

Solution

Requirement 1: Evaluate internal audit’s objectivity, competence and approach

Objectivity

• Reporting to the audit committee supports independent challenge and reduces the risk of management influence.
• Confirm there are no operational responsibilities in procurement (e.g., approving suppliers, setting procurement approvals, or running the procurement system).

Competence

• Review internal audit staffing: procurement process experience, training, and any specialist support (e.g., IT access controls or data analytics).
• Confirm supervision, review and sign-off are evidenced in the files.

Approach and evidence trail

• Inspect planning documentation: objectives, scope and how tests were selected.
• Review work programmes, sampling rationale, test results and evidence retention (e.g., approvals, system audit trails).
• Check that conclusions follow from evidence, and exceptions are clearly described.

Conclusion (Req. 1): Internal audit appears suitably positioned and potentially reliable for limited use, subject to file review and validation.

Requirement 2: Decide whether internal audit work can be used as audit evidence

Internal audit’s testing is relevant because procurement controls affect the risk of misstatement in purchases, payables, and cash payments.

Potentially usable areas (subject to validation) include:

• Evidence-based testing that purchase orders above thresholds show the required approvals.
• Testing that supplier master file changes have documented authorisation and appropriate access controls.
• Testing segregation-of-duties controls supported by reliable system evidence.

Less suitable areas (external auditor should lead with independent work) include:

• Judgement-heavy matters linked to procurement (e.g., complex provisions, disputes, unusual cut-off issues, or classification areas requiring significant judgement).

Conclusion (Req. 2): Internal audit work may be used only for specific procurement control tests with strong evidence, after re-performance of a subset confirms reliability.

Requirement 3: Use findings for risk assessment and link to assertions

Internal audit’s findings indicate procurement controls are not operating consistently. This increases control risk in procurement-related processes and influences the external auditor’s risk assessment.

Likely affected assertions include:

• Purchases/expenses:
  • Occurrence(are recorded purchases genuine and authorised?)
  • Accuracy(are amounts correctly recorded, including prices/quantities?)
  • Classification(operating vs capital expenditure; correct expense categories)
• Trade payables and accruals:
  • Completeness(are all liabilities recorded, especially if processes are weak?)
  • Accuracy(are liabilities recorded at correct amounts?)
  • Cut-off(are goods received and invoices recorded in the correct period?)
• Cash/bank (payments):
  • Occurrence/authorisation(risk of unauthorised or fraudulent payments if supplier changes and approvals are weak)

Planned audit responses may include:

• Expanding substantive testing in purchases and payables.
• Increasing focus on supplier master file controls and change authorisation.
• Performing targeted procedures on period-end cut-off for goods received and invoices.

Conclusion (Req. 3): The findings point to higher risk in purchasing and payables, requiring a stronger audit response aligned to occurrence/authorisation, completeness and cut-off.

Requirement 4: Plan re-performance and other validation procedures

A suitable validation plan includes:

Re-performance (subset of internal audit tests)

• Select items from internal audit’s tested population, focusing on:
  • transactions near approval thresholds,
  • higher-value purchases, and
  • items close to period-end.
• Re-perform approval checks:
  • confirm dual approval exists where required,
  • confirm approvers had authority at the time,
  • confirm approval occurred before commitment/ordering.

File review and corroboration

• Inspect internal audit evidence for supplier set-up/change testing (audit trails, access logs, authorisation forms).
• Trace a sample of internal audit exceptions to source evidence to confirm accurate reporting.

Decide the impact

• If validation supports reliability, reduce duplicated control testing only in the specific areas validated.
• If validation reveals weakness (evidence gaps, flawed selection, incorrect conclusions), do not use internal audit work as evidence and expand independent testing.

Conclusion (Req. 4): Re-performance and targeted corroboration determine whether internal audit work can be used and whether external audit testing must increase.

Requirement 5: Document the evaluation and decision on use

Documentation should include:

• Assessment of internal audit’s ability to operate independently in practice.
• Assessment of competence, supervision and quality control within internal audit.
• The internal audit reports and files reviewed and why they are relevant.
• Validation performed (including re-performance selections and results).
• Areas where internal audit work will be used (and excluded), with reasons.
• How findings affected risk assessment and planned audit procedures.

Conclusion (Req. 5): Clear documentation demonstrates that any use of internal audit work is justified, validated, and consistent with the audit strategy and risk response.

Interpretation of results

Internal audit’s work can materially improve understanding of procurement risks and guide external audit planning. Where internal audit demonstrates independence in practice, capability, and a strong evidence trail—and where the external auditor validates key work through re-performance—internal audit work can be used in a controlled, targeted way. Procurement deficiencies typically indicate increased risk, so the external auditor’s overall response may need to be strengthened rather than reduced.

Common pitfalls and misunderstandings

• Treating internal audit as an automatic substitute for external audit work.
• Using internal audit work mainly for “efficiency” rather than because it supports the planned audit response to assessed risks.
• Failing to validate internal audit work before using it as evidence.
• Ignoring threats to objectivity created by operational duties or management influence.
• Using internal audit work in highly judgemental or fraud-sensitive areas.
• Relying on internal audit work that is not aligned to the audit period or where controls have changed.
• Poor linkage between internal audit findings and audit assertions.
• Inadequate documentation of the evaluation, validation, and final decision.

Summary and further reading

Internal audit strengthens organisational assurance by evaluating risk management, internal controls and governance. External audit provides an independent opinion on the financial statements for external users. Internal audit work can support external audit planning and, in limited cases, contribute to audit evidence—provided the external auditor evaluates independence in practice, capability, and the strength of the evidence trail, and validates key work. Direct assistance may be permitted in some environments but is subject to jurisdictional and standards-based limits and requires tight external auditor control.

FAQ

What is the main difference between internal audit and external audit?

Internal audit is an in-house function that helps the organisation by evaluating and improving risk management, controls and governance, often reporting to the audit committee. External audit is an independent engagement that results in an audit opinion on the financial statements for external users.

How does an external auditor decide whether to use internal audit work?

The external auditor assesses whether internal audit can operate independently in practice, whether the team is capable, and whether the work has a reliable evidence trail. The external auditor then validates the work—often by re-performing selected tests—before deciding whether any use is appropriate.

Can internal audit work replace external audit evidence?

No. Internal audit work may contribute to evidence in a limited, controlled way, but the external auditor remains responsible for audit conclusions and the audit opinion. Independent procedures are still required, particularly in higher-risk and judgemental areas.

When is it inappropriate to use internal audit work?

It is generally inappropriate where internal audit objectivity is weak, capability is inconsistent, documentation is poor, the work is outdated, or where the audit area is highly judgemental or fraud-sensitive.

How can internal audit findings affect external audit planning?

Internal audit findings often identify weak controls and recurring issues. This can increase assessed risk and lead to expanded procedures, stronger substantive testing, or additional targeted work in affected areas.

What does professional scepticism involve when evaluating internal audit work?

It involves challenging whether internal audit work is sufficiently robust: testing is appropriate, evidence supports conclusions, exceptions are accurately reported, and no bias or limitations undermine reliability.

What is meant by a systematic and disciplined approach?

A structured method of planning and executing work with clear objectives, appropriate procedures, sensible selection rationale, sufficient evidence, and documented review and sign-off, leading to conclusions that can be independently understood and supported.

Summary (Recap)

This chapter explained the purpose of internal audit and how it differs from external audit in objective, scope and audience. It set out a practical “Can we trust it?” approach to deciding whether internal audit work is usable, focusing on independence in practice, capability, and the strength of the evidence trail. It showed how internal audit findings inform risk assessment and how any use of internal audit work as evidence must be driven by the audit strategy and the response to assessed risks. The worked example linked procurement weaknesses to assertions in purchases, payables and cash and demonstrated targeted re-performance and documentation of reliance decisions. Direct assistance was explained as a separate concept that may be restricted depending on local requirements.

Glossary

Internal audit (IA)
An in-house assurance and advisory function that evaluates and improves risk management, internal control and governance processes.

External audit (EA)
An independent engagement that gathers evidence to support an opinion on the financial statements in accordance with the relevant reporting framework.

Independence in practice (objectivity)
The ability of internal audit to report without bias or undue influence, supported by appropriate reporting lines, unrestricted access, and safeguards against conflicts.

Competence (capability)
The skills, experience, training and resources needed to perform high-quality work, including effective supervision and review.

Evidence trail (systematic approach)
The documented link from objectives to procedures to evidence to conclusions, enabling an independent reviewer to see what was done and why the conclusion is justified.

Use of internal audit work (reliance)
Using internal audit’s completed work as part of the external auditor’s evidence base after evaluating quality and performing appropriate validation.

Direct assistance
Internal auditors performing specified external audit procedures under the external auditor’s direction, supervision and review, where permitted by law, regulation and applicable standards.

Scope limitation
A restriction that prevents the auditor from performing procedures considered necessary, requiring alternative work or an adjusted audit response.

Professional scepticism
A questioning mindset that critically evaluates evidence, remains alert to inconsistencies, and considers the possibility of error, bias or fraud.

Control deficiency
A weakness in the design or operation of a control that reduces its ability to prevent, detect or correct misstatements on a timely basis.

Quality control (within internal audit)
Internal audit’s internal processes for supervision, review, sign-off, and consistent working practices to support reliable outputs and credible conclusions.